ESG and criminal compliance: how Article 31 bis CP can exempt a company from criminal liability in Spain

Criminal liability is no longer a matter for individuals alone. Since it was introduced into Spanish law, Article 31 bis of the Criminal Code has allowed the company itself to be placed in the dock for offences committed within it. Against that risk, the legislator offers a structural line of defence: an adequate organisation and management model — what we know as a compliance programme — can exempt the legal entity from liability. On top of that framework sits a new layer, that of ESG risks, which connects sustainability and governance with very specific criminal offences. We explain it from the firm's technical perspective, without alarmism and without promises.

What Article 31 bis CP establishes

Article 31 bis CP is the rule that articulates the criminal liability of legal entities. Its logic is clear: the company is criminally liable where the offence has been committed in its name or on its behalf and for its direct or indirect benefit. It is not, therefore, about any offence committed by someone who works in the organisation, but about those that project onto the entity itself and bring it an advantage.

Within that framework, the law distinguishes two grounds of attribution that are worth understanding clearly, because they shape the whole defence strategy.

The two grounds of attribution: managers and subordinates

The provision contemplates two ways for the offence to be transferred to the legal entity:

• Through managers: where the offence is committed by legal representatives or by those who, individually or as members of a body, are authorised to take decisions on behalf of the entity or hold powers of organisation and control within it.
• Through subordinates: where the offence is committed by someone under the authority of the above persons and was able to commit it because the duty of supervision, monitoring and control over their activity was seriously breached, in the specific circumstances of the case.

The distinction matters. In the first ground, the reproach is tied to senior management; in the second, to a control failure. And it is precisely that duty of control that the compliance programme is meant to cover.

The exemption: an adequate organisation model

This is the core of corporate defence. Article 31 bis CP provides that the legal entity will be exempt from liability if, before the offence was committed, it had adopted and effectively implemented an organisation and management model suitable to prevent offences of that nature or to reduce the risk of their commission significantly.

The key is that the programme exists and operates before the act. A model approved after the offence may be assessed as a mitigating factor, but it does not produce the exempting effect. That is why criminal compliance is, above all, a preventive tool: its value is measured by its prior implementation and its real application, not by its mere documentary existence.

In practice, this means that the exemption is not granted automatically by producing a binder of policies. The court will examine whether the model was genuinely embedded in the organisation, whether the controls relevant to the specific offence actually operated, and whether the conduct in question was carried out by circumventing those controls. The burden of demonstrating the existence and effectiveness of the model, and its prior implementation, is a recurring battleground in these proceedings, and it is best addressed long before any investigation begins.

The requirements of the compliance programme

For the model to produce its effect, Article 31 bis(2) and (5) CP requires it to contain a set of elements. A generic manual is not enough: the case law of the Supreme Court has insisted that the programme must be adequate and effectively applied. The essential requirements are:

• Risk map: identify the activities in whose context the offences to be prevented may be committed.
• Decision-making protocols: establish the procedures that give shape to the entity's policy-forming process and to the adoption and execution of decisions.
• Financial resource management: have suitable models to prevent the financing of the criminal conduct to be avoided.
• Whistleblowing channel: impose a duty to report possible risks and breaches to the body in charge of monitoring the model.
• Disciplinary regime: appropriately penalise breaches of the measures established by the model.
• Periodic verification: review the model and amend it when significant breaches come to light or when the organisation, the control structure or the activity changes.

Designing and keeping such a programme alive calls for the involvement of lawyers specialising in criminal compliance and ESG, able to translate each company's real risks into verifiable controls.

The supervisory body: the compliance officer

Article 31 bis CP requires that supervision of how the model operates and is complied with be entrusted to a body with autonomous powers of initiative and control, or to one legally tasked with overseeing the effectiveness of internal controls. This is the figure of the compliance officer or the compliance committee.

Its autonomy is decisive. It cannot be a subordinate role dependent on those who ought to be monitored: it needs sufficient resources, direct access to the management body and a real capacity to drive internal investigations and propose measures. In small companies, the law itself allows these functions to be assumed directly by the management body. Demonstrating that this body has acted diligently is often a central part of the defence.

The ESG layer: environment, occupational safety and governance

ESG criteria (environmental, social and governance) have ceased to be a reputational matter and connect directly with the company's criminal risk. In compliance terms, each letter of ESG points to specific Criminal Code offences that the programme must map and prevent:

• Environmental dimension (E): the environmental offences of Articles 325 onwards CP punish, among other conduct, emissions, discharges or deposits liable to seriously harm the balance of natural systems or people's health. Waste management, environmental permits and supply-chain control are focal points of criminal risk.
• Social dimension (S): the offences against workers' rights and occupational safety of Articles 316 to 318 CP punish those who, in breach of occupational risk-prevention rules and being legally obliged to do so, fail to provide the means necessary for workers to carry out their activity with adequate safety and health measures, seriously endangering their life, health or physical integrity.
• Governance dimension (G): private-sector corruption under Article 286 bis CP and money laundering are the core risks. Private corruption reaches anyone who, in the exercise of an economic or business activity, receives or promises a benefit in order to favour another unduly in the acquisition of goods or services.

Integrating these risks into the model is not a cosmetic matter: their materialisation can trigger the legal entity's criminal liability through Article 31 bis CP, so a compliance system that ignores the ESG dimension leaves a flank exposed.

Penalties on the company and mitigating factors (Arts. 33.7 and 31 quater CP)

Where the legal entity's criminal liability is established, the consequences are far from minor. Article 33.7 CP lists the penalties applicable to the company:

• Fine by quotas or proportional.
• Dissolution of the legal entity.
• Suspension of its activities for a period that may not exceed five years.
• Closure of its premises and establishments.
• Ban on carrying out in the future the activities in the exercise of which the offence was committed, favoured or concealed.
• Disqualification from obtaining grants and public aid, from contracting with the public sector and from enjoying tax or social security benefits and incentives.
• Judicial intervention to safeguard the rights of workers or creditors.

Against that picture, Article 31 quater CP recognises mitigating factors that the defence should assess and, where appropriate, activate: confession of the offence before learning of the proceedings, cooperation with the investigation by providing new and decisive evidence, repairing or reducing the harm, and putting in place effective measures to prevent and detect future offences. Adopting a compliance programme afterwards, although it does not exempt, can operate as a mitigating factor on this basis.

Criminal compliance and ESG with Alonso Sala

Anticipating criminal risk is always more effective than reacting to a charge. At Alonso Sala, a criminal-defence firm based in Madrid (calle Velázquez 27) with coverage across Spain, we advise companies and directors on the design, implementation and review of compliance programmes under Article 31 bis CP, with a specific ESG-risk module, and we defend them once an investigation is already under way. Each organisation is studied individually, taking account of its activity, its structure and the legal framework in force, in order to build the strategy that best fits its circumstances.