
Criminal Due Diligence in M&A Transactions Lawyers
Target criminal risk assessment, criminal successor liability analysis (Art. 130.2 CP) and design of criminal representations in SPA/APA.
Last updated:
Why Critical in M&A
Criminal due diligence is the great forgotten in many corporate transactions. However, the legal person's criminal liability (Art. 31 bis CP) and successor liability (Art. 130.2 CP) mean that the acquirer inherits contingencies for offenses committed before closing. Fines that can exceed €9 million, asset forfeiture and corporate dissolution are real risks that must be assessed, contractually mitigated and addressed in the post-closing plan.
Critical Review Areas
- Open criminal proceedings.
- Communications from AEAT, Public Prosecutor, CNMC, CNMV, Bank of Spain, SEPBLAC or Labor Inspectorate.
- Implemented Art. 31 bis compliance program.
- Tax offenses (review last four years).
- Money laundering and SEPBLAC compliance.
- Transnational bribery (Art. 286 ter CP) and FCPA exposure.
- Workers' rights offenses and accident rate.
- Personal data breaches and trade secrets offenses.
Successor Criminal Liability
Art. 130.2 CP establishes that transformation, merger, absorption or split does not extinguish criminal liability, which is transferred to the resulting entity. This succession even operates in asset deals when the operation has been designed to evade criminal liability.
Criminal Reps & Warranties
Typical criminal representations include: absence of active or latent criminal proceedings, regulatory compliance over last 5 years, existence of operative compliance program with UNE 19601 certification, absence of communications from authorities, absence of unaddressed internal reports through whistleblower channel (Law 2/2023).
Compliance Integration
The 100-day plan must align acquirer's and target's prevention models, appoint the new compliance officer, integrate the whistleblower channel, train inherited workforce and, above all, shield the Art. 31 bis CP exemption for any post-closing offense.
Succession of criminal liability in M&A: Art. 130.2 CP as the engine of due diligence
The legal reason that makes criminal due diligence an indispensable part of any corporate transaction lies in Article 130.2 of the Spanish Criminal Code. This provision establishes that the transformation, merger, absorption or division of a legal person does not extinguish its criminal liability: that liability transfers to the entity or entities resulting from the operation or that absorb it. The legislator thereby closes the escape route of reorganising the company in corporate terms to make the charged entity disappear. The criminal risk does not vanish with the deal; it travels with the assets.
The same provision adds a modulation rule: the court may moderate the transfer of the penalty to the resulting entity according to the proportion that the originally liable legal person bears to it. This modulation reflects the economic reality of the succession, but does not suppress it. As a result, an acquiring company that fails to audit the target's criminal past may inherit fines, the measures of Art. 33.7 and even ongoing criminal proceedings, without having taken part in the facts.
The practical consequence is that the compliance audit must verify open criminal litigation, prosecutorial investigations, preliminary proceedings, the legal person's record and the existence and effectiveness of its organisational model. The transaction does not extinguish the contingency: it allocates it. Detecting the risk before closing allows the price to be adjusted, specific guarantees and indemnities to be put in place, closing to be conditioned on remediation or, where appropriate, the scope of the acquisition to be reconsidered.
It should be noted that the criminal liability of the legal person is autonomous from that of the natural persons. Article 31 ter CP allows the company to be convicted even where the specific natural person who committed the offence has not been identified or cannot be proceeded against, and even where that person has died or evaded justice. This autonomy reinforces the importance of due diligence: the target's criminal contingency exists independently of the procedural fate of its individual directors.
The six requirements of an effective organisation and management model (Art. 31 bis 5 CP)
The core of criminal due diligence in M&A is not merely to check whether the target has a compliance programme, but whether that model meets the conditions Article 31 bis 5 CP requires in order to produce exempting or mitigating effects. A document that exists on paper but is not effectively implemented does not protect the resulting entity. The audit must test the real adequacy of the model against the six statutory requirements.
The first is the identification of the activities within which the offences to be prevented may be committed, that is, a criminal risk map tailored to the sector and to the company's specific operations. The second is the establishment of protocols or procedures that set out the process for forming the legal person's intent, taking decisions and executing them. The third is having models for managing the financial resources adequate to prevent the commission of the offences to be prevented, with particular attention to the areas of greatest exposure.
The fourth requirement is the obligation to report possible risks and breaches to the body in charge of overseeing the functioning and observance of the model: the whistleblowing channel or internal information system. The fifth is the establishment of a disciplinary system that adequately sanctions non-compliance with the measures of the model. The sixth is the periodic verification of the model and its modification where relevant breaches come to light or where changes occur in the organisation, in the control structure or in the activity carried out.
For the succession effects of Art. 130.2 CP, this analysis is doubly relevant. On one hand, it measures the exposure inherited by the resulting entity. On the other, it sets the roadmap for post-deal integration: the acquiring company must extend or rebuild its own model over the absorbed perimeter, because the effectiveness of the model is assessed by reference to the time of the offence and to the new organisational reality arising from the transaction, not by reference to an inherited and neglected document.
The autonomous oversight body and the burden of proving the exemption
Article 31 bis 2 CP conditions the exemption, where the offence has been committed by directors or representatives, on the supervision of the functioning and observance of the model having been entrusted to a body of the legal person with autonomous powers of initiative and control, or legally charged with supervising the effectiveness of internal controls. Due diligence must verify the real existence of that compliance body, its independence from management, its resources, its direct access to the administrative body and the absence of any omission or insufficient exercise of its supervisory functions, which the provision itself requires as a condition.
In small legal persons, Article 31 bis 3 CP allows the supervisory functions to be assumed directly by the administrative body, a possibility the audit must consider when assessing the target according to its size. In any event, the mere formal existence of a compliance officer is not enough: what is decisive is that the functions have been exercised effectively and that there has been no omission or insufficient exercise of the duties of supervision, monitoring and control.
A technical point essential to assessing the transaction is where the burden of proving the adequacy and effectiveness of the model lies. The exemption under Art. 31 bis operates as a circumstance that the legal person's defence bears the burden of establishing; the model is not presumed effective simply because it exists. The prosecution must prove the criminal act and the attribution requirements of Art. 31 bis 1, but it falls to the entity to show that it adopted and effectively implemented, before the offence, an adequate model. This allocation conditions the assessment of risk in M&A.
For that reason, due diligence should not stop at confirming the documentary existence of the programme, but should anticipate its evidentiary strength: minutes of the oversight body, evidence of periodic verifications, training delivered, disciplinary files processed, traceability of the whistleblowing channel and records of risk-map review. Where the offence is committed by subordinates, Art. 31 bis 1.b) and 4 CP tie liability to a serious breach of the duties of supervision, monitoring and control, and the exemption requires having adopted and effectively implemented an adequate model before the commission: the quality of the available evidence is, for the purpose of assessing inherited risk, as important as the existence of the model.
Internal information system (Ley 2/2023), the penalties of Art. 33.7 and the investigated company
The whistleblowing channel that Art. 31 bis 5 CP includes among the requirements of the model now connects with Ley 2/2023, of 20 February, regulating the protection of persons who report regulatory breaches and the fight against corruption. This law obliges certain entities to maintain an internal information system with guarantees of confidentiality, a prohibition on retaliation and a designated system officer. Due diligence must check that the target has this system in place, that it complies with the legal deadlines and safeguards and that its internal policy is coherent with the criminal compliance model, since a non-existent or merely formal channel weakens one of the pillars of Art. 31 bis 5.
The audit must also size the catalogue of penalties that may fall on the legal person under Art. 33.7 CP, because these are the consequences that may transfer to the resulting entity through Art. 130.2. That provision contemplates, among others, the fine by quotas or proportional fine, the dissolution of the legal person, the suspension of activities, the closure of premises and establishments, the prohibition on carrying out certain activities in the future, the disqualification from obtaining subsidies and public aid, from contracting with the public sector and from enjoying tax or social security benefits and incentives, and judicial intervention. The potential gravity of these penalties explains why the criminal contingency may affect the very viability of the acquired business.
On the procedural plane, due diligence must assess the target company's position should it become investigated. The legal person enjoys its own status as an investigated party, with a right of defence, the right not to testify against itself and not to confess guilt, exercised through a representative appointed for that purpose and, where appropriate, distinct from the natural persons also under investigation, so as to avoid conflicts of interest. The entity may also reach its own settlement, autonomous from that of the natural persons, which opens avenues for managing the inherited criminal risk that should be anticipated in the negotiation.
Finally, the quality and lawfulness of evidence obtained in internal investigations is a critical point that due diligence cannot ignore. Internal inquiries into employees must respect their fundamental rights, in particular privacy, secrecy of communications, data protection and a proportionate duty to inform, as well as the possible bearing of the right against self-incrimination where an interview may lead to criminal consequences. A poorly conducted internal investigation can taint the evidence and compromise both the exculpatory effectiveness of the model and its usefulness in any proceedings, a risk the acquiring entity must weigh when inheriting the target's compliance history.
Penalties & Consequences: Criminal Due Diligence in M&A Transactions Lawyers
| Type / Scenario | Criminal Penalty |
|---|---|
| Successor liability (Art. 130.2 CP) | Full transfer of criminal liability to entity resulting from merger, absorption or split. |
| Proportional fine | Up to fivefold the benefit obtained, with absolute ceiling depending on offense type. |
| Asset forfeiture | Forfeiture of crime proceeds and instruments, against the acquired company. |
* Penalties shown are indicative. The actual penalty depends on case circumstances, applicable mitigating and aggravating factors.
Defense Strategy: Criminal Due Diligence in M&A Transactions Lawyers
Red flag report
Executive report with critical risks that may discard the operation or renegotiate price.
Contingency carve-out
Exclude assets or subsidiaries with high criminal risk to limit successor liability.
Criminal-specific escrow
Retention of part of price in escrow account to cover criminal contingencies until warranty period.
Post-closing plan
Compliance integration roadmap with milestones at 30, 60 and 100 days from closing.
Economic Criminal Law in Spain: Tax Fraud, Money Laundering and Corporate Crimes
Economic criminal law encompasses the most severe financial penalties in the Spanish Criminal Code. Tax fraud over €120,000 (Art. 305 CP), money laundering (Art. 301 CP), and corporate crimes (Art. 290-297 CP) are complex offenses where defense requires a combination of criminal law expertise and deep accounting/financial knowledge.
Penalty Comparison: Economic Offenses
| Offense | Threshold | Penalty |
|---|---|---|
| Tax Fraud (Art. 305) | >€120,000 | 1 – 5 years + fine x6 |
| Aggravated Tax Fraud | >€600,000 | 2 – 6 years |
| Money Laundering (Art. 301) | Any amount | 6 months – 6 years |
| Aggravated Laundering | Organized/financial system | Up to 9 years |
| Corporate Crime (Art. 290) | Balance sheet falsification | 1 – 3 years |
| Punishable Insolvency (Art. 259) | Fraudulent bankruptcy | 1 – 4 years |
Key Defense Strategies
Tax Regularization Defense (Art. 305.4 CP)
Pay the full tax debt before charges are formally filed and the crime is extinguished. This is the most powerful complete defense in tax fraud cases.
Challenge the €120K Threshold
The tax authority's calculation method is often contestable. Independent forensic accounting can challenge the assessed figure below the criminal threshold.
Money Laundering 'Self-laundering' Issues
Spanish courts have debated whether the primary offender can also be convicted of laundering their own proceeds. Challenge the double jeopardy implications.
Corporate Crime: Harm to Company vs. Shareholders
Art. 295 corporate crimes require actual financial harm to the company or its members. Demonstrate that any loss was speculative or absent.
Why Choose Us?
Need a criminal defense lawyer for this type of offense? Here's how we work:
Do you need specialised legal assistance?
The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.