Criminal Lawyers in Criminal Compliance
Comprehensive protection of the legal entity: prevention models, whistleblower channel and corporate criminal defense (Art. 31 bis CP).
Last updated:
Criminal Compliance: Legal Framework, Modalities, Penalties and Defense (Art. 31 bis CP)
Criminal compliance (Art. 31 bis CP) is the central pillar of corporate criminal liability, introduced by Organic Law 5/2010 and consolidated by Organic Law 1/2015. The protected legal interest is the proper ethical functioning of commercial traffic and the protection of third-party interests (consumers, competitors, Tax Administration, workers, minority shareholders) against the instrumental use of corporate structures for criminal purposes. Spanish Supreme Court doctrine has consolidated the "cosmetic compliance" doctrine: merely formal, ornamental or unapplied programs do not exonerate the legal entity. A real, effective and living model is required, aligned with UNE 19601 standard and ISO 37001 and ISO 37301 standards.
The modalities of the crime prevention model (MPD) must cover, under Art. 31 bis 5 CP, six essential requirements: (i) a risk map identifying activities where crimes may be committed; (ii) decision-making protocols; (iii) adequate financial resources to prevent, detect and react; (iv) the obligation to report incidents to the control body; (v) a disciplinary regime sanctioning non-compliance; and (vi) periodic review of the model. To these are added the legal obligation of internal whistleblowing channel (Act 2/2023 on whistleblower protection), applicable to companies with more than 50 workers, political parties, unions and public sector entities. The most demanding sector modalities are anti-money laundering compliance (Act 10/2010), anti-tax fraud (Art. 305 CP), anti-bribery (Art. 286 bis), competition (Act 15/2007) and data protection (GDPR and LOPDGDD).
The statutory penalties for legal entities are dissuasive and can compromise business viability. Art. 33.7 CP lists the catalogue: fine proportional to the benefit (up to five times the benefit in economic crimes); dissolution of the legal entity (corporate "death penalty"); suspension of activities up to five years; closure of premises up to five years; prohibition of the activities in which the crime was committed; disqualification from obtaining subsidies, contracting with the public sector (Art. 71.1.b LCSP) and enjoying tax benefits; and judicial intervention. Additionally, conviction entails automatic loss of solvency for public contracts (Art. 71 LCSP) and serious reputational, commercial and financial consequences.
The technical defense rests on four essential axes. First, proof of ex ante effectiveness: the model must have been adopted, implemented and supervised before the crime, with traceable documentation (board minutes, allocated budgets, training delivered, whistleblowing channel records). Second, fraudulent circumvention: case-law admits exemption when the individual perpetrator fraudulently circumvents the model, requiring proof of "bypassing" operational controls. Third, the autonomy and sufficiency of the Compliance Officer: this figure must enjoy hierarchical independence, own resources and direct access to the governing body; ineffective dependence of the Compliance Officer is one of the most habitual weak points. Fourth, external certification under UNE 19601 and ISO 37301, which does not exonerate per se but significantly reinforces the presumption of effectiveness.
In current forensic practice, criminal compliance has shifted from option to operational requirement. Act 2/2023 on whistleblower protection, transposition of Directive 2019/1937, Organic Law 14/2022 reforming embezzlement and unfair administration, Organic Law 1/2025 on Justice Service Efficiency, the EU AI Act and the NIS2 Directive on cybersecurity have widened the perimeter of obligations. Banks, major clients and public administrations already require, via contractual clauses, certification of robust compliance programs. At Alonso Sala, with more than 15 years of experience in economic criminal law, we approach compliance from the forensic perspective: we design models knowing how they are attacked at trial, subsequently defending the model's effectiveness before the investigating judge and the chamber. We coordinate criminal lawyers, auditors, forensic experts and IT specialists in each implementation, ensuring the model survives the most demanding judicial scrutiny.
Why does your company need Criminal Compliance?
- Liability Exemption: Only legal way for the company not to be convicted for employee crimes.
- Prestige and Reputation: Differentiate in the market as an ethical and secure company.
- Third-Party Demand: Banks and major clients already require Compliance to contract.
- Director Protection: Prevents personal liability derivations due to lack of supervision.
"We don't do shelf compliance. We create living systems that breathe the operational reality of the company, ensuring that the administrator can sleep soundly knowing their organization is armored."
Our methodology integrates international ISO 37301 and ISO 37001 standards, ensuring that the model is robust before any judicial inspection. In addition, we implement whistleblowing channels that strictly comply with Law 2/2023.
Compliance Management System Phases
Prevention Models (MPD)
Custom design of protocols to exempt the company from criminal liability (Art. 31 bis CP).
Whistleblowing Channel
Legal implementation of the internal information system according to Law 2/2023. Confidentiality.
Internal Investigations
Advisory on the discovery of internal irregularities, guaranteeing worker rights.
Compliance Officer
External support and technical training for the internal control body of the legal entity.
Why Alonso Sala for your Compliance?
We understand Compliance from the criminal trench. We know how to defend an MPD before a Judge because we are, first and foremost, criminal lawyers.
- check Multidisciplinary teams (criminal lawyers, auditors, and IT experts).
- check Agile and pragmatic implementation, without paralyzing the company.
- check Secure whistleblowing channel hosted on external servers.
- check Legal defense of the legal entity against real imputations.
Economic Criminal Law in Spain: Tax Fraud, Money Laundering and Corporate Crimes
Economic criminal law encompasses the most severe financial penalties in the Spanish Criminal Code. Tax fraud over €120,000 (Art. 305 CP), money laundering (Art. 301 CP), and corporate crimes (Art. 290-297 CP) are complex offenses where defense requires a combination of criminal law expertise and deep accounting/financial knowledge.
Penalty Comparison: Economic Offenses
| Offense | Threshold | Penalty |
|---|---|---|
| Tax Fraud (Art. 305) | >€120,000 | 1 – 5 years + fine x6 |
| Aggravated Tax Fraud | >€600,000 | 2 – 6 years |
| Money Laundering (Art. 301) | Any amount | 6 months – 6 years |
| Aggravated Laundering | Organized/financial system | Up to 9 years |
| Corporate Crime (Art. 290) | Balance sheet falsification | 1 – 3 years |
| Punishable Insolvency (Art. 259) | Fraudulent bankruptcy | 1 – 4 years |
Key Defense Strategies
Tax Regularization Defense (Art. 305.4 CP)
Pay the full tax debt before charges are formally filed and the crime is extinguished. This is the most powerful complete defense in tax fraud cases.
Challenge the €120K Threshold
The tax authority's calculation method is often contestable. Independent forensic accounting can challenge the assessed figure below the criminal threshold.
Money Laundering 'Self-laundering' Issues
Spanish courts have debated whether the primary offender can also be convicted of laundering their own proceeds. Challenge the double jeopardy implications.
Corporate Crime: Harm to Company vs. Shareholders
Art. 295 corporate crimes require actual financial harm to the company or its members. Demonstrate that any loss was speculative or absent.
FAQs - Compliance
What is Criminal Compliance? expand_more
Why is it vital for the director? expand_more
Is the Whistleblowing Channel mandatory? expand_more
What crimes does it prevent? expand_more
Does any model downloaded from the internet work? expand_more
Who is the Compliance Officer? expand_more
What if a crime is discovered and we have Compliance? expand_more
How does it protect the shareholder? expand_more
What is ISO 37301? expand_more
Is it expensive to implement a Compliance system? expand_more
Is the compliance officer criminally liable? expand_more
When is the effectiveness of the compliance programme reviewed? expand_more
How is a company under investigation summoned to testify? expand_more
Does an SME need the same compliance programme as a large company? expand_more
What documentation does a judge weigh when assessing a model's effectiveness? expand_more
Economic Criminal Defense: Firm Approach
Economic criminal law is a technically demanding area where the frontier between legitimate business activity and criminal conduct has narrowed due to European and Spanish regulatory sophistication. Our firm combines classical legal expertise with economic-financial analysis, forensic accounting and parallel-proceedings coordination (administrative, tax, civil). For smaller organisations we design proportionate criminal compliance programmes for SMEs under Art. 31 bis CP.
Criminal Compliance
Dedicated pages for criminal prevention programs and corporate defense in the main jurisdictions:
Defending the Company Under Investigation: The Criminal Process Step by Step
When a Spanish court directs proceedings against a company, the case follows specific procedural channels that should be understood from day one. The summons of the legal entity is served at its registered office (Article 119 LECrim, the Spanish Criminal Procedure Act), requiring the company to appoint a specially designated representative, together with a lawyer and a court agent (procurador). If it fails to do so, a lawyer and court agent are appointed ex officio and the proceedings continue: passivity never halts the case; it merely leaves the company without its own voice in it.
At the first appearance, the judge informs the representative —or, failing that, the lawyer— of the facts attributed to the entity, in writing or by handing over a copy of the complaint. The company's testimony is channelled through that representative (Article 409 bis LECrim), who enjoys the same rights as any individual suspect: to remain silent, not to testify against the entity and not to confess guilt; non-appearance is treated as exercising the right to remain silent. The representative also attends investigative measures and advance evidence (Article 120 LECrim), and a search of the company's centre of management —its registered office or the establishment where its reserved documentation is kept— requires the safeguards of a dwelling search (Article 554 LECrim).
Strategy is set in those first hours. Three decisions shape the rest of the proceedings: (i) the choice of representative, which should not fall on the executive personally under investigation for the same facts, to avoid conflicts of interest between the company's defence and their own; (ii) the coordination of separate defences for the company and the individuals, because their interests may diverge: it may suit the company to prove that the perpetrator fraudulently circumvented its controls; and (iii) the early filing of the prevention model with all its supporting documentation, aiming to argue for dismissal during the investigation phase rather than at trial. Art. 31 quater CP adds specific mitigating circumstances for legal entities: confession before learning of the proceedings, cooperation with new and decisive evidence, repairing the damage and adopting effective prevention measures before trial. After Organic Law 1/2025, the plea agreement (conformidad) regime has also been reformed —the previous sentencing cap disappears and a specific preliminary hearing is introduced—, opening negotiation avenues that we assess case by case, always with the entity's express authorisation. See also our page on corporate criminal liability.
Criminal Compliance for SMEs: The Proportionate Model of Art. 31 bis 3 CP
The Spanish Criminal Code does not demand from a small business the same compliance architecture as from a listed company. Art. 31 bis 3 CP provides that in small legal entities the supervisory functions of the model may be assumed directly by the management body, and defines them as those entitled, under applicable accounting legislation, to file an abbreviated profit and loss account. In practice, an SME needs neither a compliance committee nor a dedicated compliance officer: it is enough for the director to assume that function expressly, in a documented and effective manner.
Proportionality does not mean a lower standard. The requirements of Art. 31 bis 5 CP are the same for every entity: identification of risk activities, decision-making protocols, adequate management of financial resources, the duty to report risks and breaches, a disciplinary regime and periodic review of the model. What changes is the scale: in a fifteen-employee company, the risk map may run to a few pages if it reflects the real activity of the business. A three-hundred-page manual copied from a template protects less than ten pages the workforce actually knows and applies every day.
The internal reporting channel is mandatory under Act 2/2023 from 50 employees; below that threshold it is not required, but voluntary implementation is one of the most highly valued indicators of compliance culture. The mistakes we see most often in SMEs are recurrent: buying a generic model without adapting it to the business, failing to document training, leaving the system unreviewed for years and keeping no records of its operation. We devote a dedicated page to criminal compliance for SMEs detailing the proportionate implementation process.
What the Supreme Court and the Prosecution Expect from a Prevention Model
Settled Supreme Court case-law distinguishes between a genuine culture of compliance and paper compliance: a model that exists only on paper does not exempt the legal entity. What matters is not the document, but whether the organisation has internalised an effective culture of respect for the law, translated into operating controls, documented decisions and real reactions to detected incidents.
Recent Supreme Court doctrine (2025) has focused particularly on proving effectiveness: exemption is not obtained by exhibiting the manual, but by showing that the model was implemented and working before the offence. Effectiveness is assessed ex ante, looking at how the system actually operated rather than at the specific outcome. The company seeking exemption must put forward the elements allowing that assessment —minutes, training, channel files, sanctions, reviews—, without this reversing the burden of proof: it remains for the prosecution to establish the grounds of corporate liability.
The Spanish Public Prosecutor's Office, in its circulars on corporate criminal liability, points in the same direction: scepticism towards off-the-shelf programmes, the relevance of senior management commitment (tone from the top) and the particularly significant value of the company itself detecting and reporting the offence. In forensic practice, the indicators judges and prosecutors examine are recurrent:
- Management body commitment: formal approval of the model, an allocated budget and periodic monitoring reflected in board minutes.
- Effective training: sessions delivered, attendees recorded and assessments; merely handing out the code of ethics is not enough.
- A channel that works: reports received and processed with documented files; a channel at zero for years is a warning sign, not a sign of health.
- A disciplinary regime actually applied: real sanctions for breaches, including when they affect executives.
- A living review: updating the model after incidents, changes in activity or legal reforms.
Criminal Compliance from Madrid
Our firm, at Calle Velázquez 27 in Madrid, implements and defends prevention models for companies based in Madrid and across the country. Defending legal entities regularly takes us to the Investigating Courts of Plaza de Castilla and the Madrid Provincial Court, which concentrate a large share of the capital's economic crime proceedings; in cases of particular complexity —money laundering, corruption, large-scale fraud—, jurisdiction lies with the Central Investigating Courts and the Audiencia Nacional, also seated in Madrid.
That proximity is operational: it allows us to react quickly to a corporate summons, a search at the registered office or a documentary requirement, and to maintain direct interaction with the courts handling the case. If your company has received a summons or wants its prevention model reviewed, call us on +34 91 078 65 74 or write to us through our contact page.
Looking for a Criminal Compliance Lawyer in Spain?
We offer specialized criminal defense in courts across Madrid and the rest of Spain. We handle each Criminal Compliance case with the urgency and technical rigor it requires from day one.
Do you need specialised legal assistance?
The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.