Skip to content
AS
Alonso Sala
CRIMINAL LAWYERS
ES

Criminal Lawyers in Criminal Compliance for SMEs

Criminal compliance is no longer just for large corporations. Programs tailored to the reality of Spanish SMEs to prevent criminal liability for the company and its directors

Last updated:

Criminal Compliance for SMEs: Concept, Modalities, Benefits and Defense (Art. 31 bis CP)

Criminal compliance for SMEs is the adaptation of crime prevention models from Art. 31 bis CP to the dimensions, resources and specific risks of small and medium-sized enterprises. Since the introduction of corporate criminal liability by Organic Law 5/2010, reformed by Organic Law 1/2015 and expanded by Organic Law 14/2022, SMEs are fully exposed to fines, closure, contracting prohibition and even dissolution for crimes committed within them. Supreme Court doctrine has consolidated the principle that a real, effective and living compliance model exonerates the legal entity from criminal liability, even if the crime was committed. The UNE 19601 standard establishes technical standards and ISO 37301 offers the international framework.

Adapted Modalities for SMEs

The compliance modalities adapted to SMEs contemplate simplified but effective structures. Art. 31 bis 3 CP expressly allows that, in small-sized companies (those that may present an abbreviated profit and loss account under Art. 258 of the Consolidated Text of the Corporate Enterprises Act), the supervisory body functions be assumed by the governing body itself. Adapted modalities include: sectoral risk map focused on typical crimes of the SME sector (construction: labor/environmental/urban planning; hospitality: labor/cash money laundering; technological: cybercrime/intellectual property; industry: environmental/labor safety); simplified decision-making protocols; internal whistleblowing channel (mandatory for companies with more than 50 workers under Act 2/2023); code of ethics and anti-corruption, anti-money laundering and data protection policies; periodic training of employees and managers.

Benefits for the SME

The technical benefits for the SME are significant and quantifiable. First, exoneration or attenuation of criminal liability: a compliance program meeting the six requirements of Art. 31 bis 5 CP can completely eliminate the SME's criminal liability. Second, director protection: compliance documents the due diligence of the governing body, serving as exculpatory evidence in individual investigations for unfair administration, tax fraud or labor crimes. Third, access to public contracting: Public Sector Contracts Act 9/2017 prohibits contracting with convicted companies; without compliance, a conviction destroys the business. Fourth, contractual requirements: banks, large clients, insurers and digital platforms already require compliance programs via contractual clauses. Fifth, compliance with GDPR, LOPDGDD and Act 2/2023 on whistleblower protection, unavoidable for companies with more than 50 employees.

Defence Strategy

The technical defense in criminal investigations of SMEs rests on four consolidated axes. First, proof of ex ante effectiveness of compliance: documentation of program adoption prior to the criminal act (governing body minutes, allocated budget, training delivered, active whistleblowing channel). Second, fraudulent circumvention of the model: case-law admits exoneration when the individual perpetrator fraudulently circumvented the model's controls. Third, autonomy and sufficiency of the supervisory body: even in SMEs where the director assumes these functions, it must be proven they acted with criteria of functional independence and diligence. Fourth, external certification under UNE 19601 and ISO 37301: although it does not exonerate per se, it significantly reinforces the presumption of effectiveness at trial.

Current Forensic Practice

In current forensic practice, SMEs are increasingly the target of criminal investigations by the AEAT, the Labor Inspectorate, the SEPRONA, the UDEF and the Anti-Corruption Prosecutor's Office. Act 2/2023 on Whistleblower Protection, Organic Law 14/2022 reforming embezzlement, Organic Law 1/2025 on Justice Service Efficiency, the EU Regulations DSA, MiCA, AI Act and NIS2 and consolidated Supreme Court case-law on cosmetic compliance configure a demanding regulatory framework. The cost of implementing a compliance program in an SME ranges between €3,000 and €30,000 depending on size, against criminal fines that can reach five times the benefit obtained or several hundred thousand euros. At Alonso Sala, with more than 15 years of experience in economic criminal law, we design compliance programs adapted to SMEs from a forensic perspective: we know how they are attacked at trial and configure them to withstand the most demanding judicial scrutiny. We accompany the SME in risk audit, implementation, training, periodic monitoring and, when necessary, defense in criminal investigations.

Most Common Criminal Risks in SMEs by Sector

Sector Main Criminal Risks
Construction Labor, environmental, urban planning crimes, tax fraud
Hospitality / Catering Labor exploitation, cash fraud, money laundering
International Trade Money laundering, bribery of officials, customs evasion
Technology / Software Cybercrime, intellectual property, data misuse
Manufacturing Environmental and labor crimes, damages
Financial Sector Money laundering, tax crimes, fraud, insider trading

Our SME Compliance Program

1

Risk Audit

Identification of the specific criminal risks of your company according to sector, size, and activity.

2

Program Drafting

Drafting of the Organization and Management Model (MOG) and prevention policies tailored to your company.

3

Training

Specific training for directors and employees on crime prevention and the internal reporting channel.

4

Supervision

Designation of the compliance body and periodic monitoring of the program to maintain its effectiveness.

Economic Criminal Law in Spain: Tax Fraud, Money Laundering and Corporate Crimes

Economic criminal law encompasses the most severe financial penalties in the Spanish Criminal Code. Tax fraud over €120,000 (Art. 305 CP), money laundering (Art. 301 CP), and corporate crimes (Art. 290-297 CP) are complex offenses where defense requires a combination of criminal law expertise and deep accounting/financial knowledge.

Penalty Comparison: Economic Offenses

OffenseThresholdPenalty
Tax Fraud (Art. 305)>€120,0001 – 5 years + fine x6
Aggravated Tax Fraud>€600,0002 – 6 years
Money Laundering (Art. 301)Any amount6 months – 6 years
Aggravated LaunderingOrganized/financial systemUp to 9 years
Corporate Crime (Art. 290)Balance sheet falsification1 – 3 years
Punishable Insolvency (Art. 259)Fraudulent bankruptcy1 – 4 years

Key Defense Strategies

Tax Regularization Defense (Art. 305.4 CP)

Pay the full tax debt before charges are formally filed and the crime is extinguished. This is the most powerful complete defense in tax fraud cases.

Challenge the €120K Threshold

The tax authority's calculation method is often contestable. Independent forensic accounting can challenge the assessed figure below the criminal threshold.

Money Laundering 'Self-laundering' Issues

Spanish courts have debated whether the primary offender can also be convicted of laundering their own proceeds. Challenge the double jeopardy implications.

Corporate Crime: Harm to Company vs. Shareholders

Art. 295 corporate crimes require actual financial harm to the company or its members. Demonstrate that any loss was speculative or absent.

quiz

FAQs on SME Criminal Compliance

Are SMEs required to have a criminal compliance program? expand_more
There is no direct legal obligation. However, Art. 31 bis CP establishes that the company can be exempt from criminal liability if it had an organization and management model that prevented the type of crime committed. Without compliance, the company faces criminal liability with no possibility of exemption.
What happens if my company is criminally convicted? expand_more
The consequences are devastating: fines up to four times the profit obtained, temporary or permanent closure, prohibition from public contracts, judicial intervention, and reputational damage. A criminal conviction can destroy a company.
Does criminal compliance also protect the director? expand_more
Yes. An effective compliance program not only protects the legal entity, but can also serve as an exemption or mitigating factor for the individual director investigated for the same facts, as it demonstrates that reasonable supervision and prevention measures were adopted.
What crimes are most common in SMEs? expand_more
The most common crimes in the SME context are: tax and accounting fraud, money laundering (especially in cash-heavy businesses), labor crimes, private corruption (commercial bribery), environmental crimes, and cybercrime.
How can I prepare for a tax inspection that could become criminal? expand_more
The key is to anticipate. Before receiving an inspection: review accounting with an independent auditor, document all transactions, know the sector-specific risks. If the tax inspection has already begun and there is a risk of criminal referral, urgently hire a criminal defense lawyer before making any statements.
Do SMEs need criminal compliance? expand_more
Yes. Corporate criminal liability (Art. 31 bis CP) applies to all companies regardless of size. A tailored program reduces risks.
Is an SME's compliance different from a large company's? expand_more
Yes. The program must be adapted to the SME's size, sector and specific risks. The law allows the management body to take on the supervisory functions.
Can the sole director be the compliance officer? expand_more
In small companies, the management body itself can supervise the prevention model, avoiding the need to outsource this function.
Is a whistleblowing channel mandatory for SMEs? expand_more
Law 2/2023 makes it mandatory for companies with more than 50 employees. Smaller ones are not obliged, but it is highly advisable.
What criminal risks does an SME face? expand_more
Tax offences, offences against workers, environmental offences, fraud, money laundering, private corruption and intellectual property offences are the most common risks.
Does compliance protect against the manager's personal liability? expand_more
Compliance protects the legal entity. The personal liability of a manager who takes part in the offence is not excluded by having compliance.
Do subcontractors need compliance? expand_more
Yes. Contracting companies may require compliance from their subcontractors. Not having it can block access to important contracts.
Is the risk map mandatory? expand_more
It is the core element of compliance. It identifies the company's specific criminal risks and allows adequate controls to be designed.
Do I need criminal law advice to implement compliance? expand_more
Yes. The design of the program should be supervised by a criminal lawyer who correctly identifies the risks and designs the appropriate prevention protocols.

Advanced Criminal Defense

Our firm approaches each procedure with rigorous evidentiary analysis and proactive defense strategy.

Do you need specialised legal assistance?

The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.

call