Criminal Compliance Spain: Construction Group Case | BMC
BMC implemented a criminal compliance programme for a Spanish construction group: risk map, ethics channel, board training, and ISO 37001 alignment in 4 months.
The challenge
A construction group with 450 employees needed a criminal compliance program under Art. 31 bis of the Spanish Penal Code after becoming entangled in a judicial investigation into subcontractor fraud. The company had no criminal risk prevention model, no whistleblower channel, and insufficient corporate governance to establish its exemption from criminal liability.
Our approach
Client Background
A construction group with 450 employees operating across three provinces had built its position over two decades as a specialist in civil infrastructure and commercial building projects. The business was profitable and had a diversified contract portfolio spanning both private developers and public works. What it lacked was a formalised governance framework for managing third-party risk — a gap that became acutely visible when a judicial investigation into a subcontractor’s conduct drew attention to the group’s procurement practices.
The company had maintained an ongoing commercial relationship with a subcontractor that was the primary subject of the investigation into fraud in public works contracts. While the group itself was not the principal target, the investigating judge’s proceedings revealed that its managers had approved contracts and invoices from this subcontractor without any documented due diligence. Under Art. 31 bis of the Spanish Penal Code, the absence of adequate controls was a direct factor in assessing the company’s potential corporate criminal liability.
The Challenge
The situation presented three compounding risk vectors. First, the complete absence of a criminal risk map specific to the construction sector, which carries particular exposure to offences relating to corruption in public procurement, money laundering, tax fraud, and offences against workers’ safety. Second, the lack of an independent compliance body with genuine supervisory authority over the business. Third, the absence of any internal whistleblower channel that might have detected the subcontractor’s conduct before it escalated to the criminal courts.
The 2015 reform of the Spanish Penal Code definitively introduced corporate criminal liability in Spain. Article 31 bis establishes that a company may be criminally convicted for offences committed in its name or on its behalf, but it also creates a route to exemption from liability if the entity had in place, at the time of the events, a sufficiently robust organisational and management model to prevent offences of that type. Without such a model — which this group entirely lacked — there was no legal shield.
The group’s legal counsel identified six months as the critical timeline: if a certifiable compliance programme could be documented and submitted to external audit within that window, it could be placed before the court as material evidence supporting the liability exemption. The clock was running.
Our Approach
The project was structured in three overlapping phases designed to produce a certifiable programme within the six-month deadline.
Sector-specific criminal risk mapping. The first phase involved a comprehensive analysis of the group’s business processes against the catalogue of offences listed under Art. 31 bis. For the construction sector, the priority risks identified were: private-sector bribery and public official corruption in the procurement of contracts and licences, fraud in subsidies and public contracts, money laundering through transactions with partners or clients without due diligence, tax offences in treasury operations, and offences against workers’ rights and occupational safety. Each risk was assessed by likelihood and impact and assigned to a specific business process and functional owner responsible for the corresponding controls.
Organisational and management model. Drawing on the risk map, we drafted the full documentary package required by the standard: the Corporate Code of Ethics, the Criminal Compliance Manual with specific controls by process, third-party due diligence protocols covering suppliers, subcontractors, and intermediaries, and authorisation procedures for sensitive transactions. We designed the Compliance Body structure, defining its functions, information access rights, reporting frequency to the board, and guaranteed functional independence — including a direct reporting line to the non-executive board members, bypassing executive management in cases involving the latter.
Whistleblower channel compliant with the Whistleblowing Directive. We implemented an internal reporting channel that simultaneously satisfied the requirements of Spanish criminal compliance and Directive (EU) 2019/1937, transposed into Spanish law by Act 2/2023. The channel was configured with guaranteed anonymity, management by an independent third party for cases involving senior management, statutory response deadlines, and a full audit trail. Staff training on the use of the channel and the prohibition of retaliation was cascaded through the organisational hierarchy, with documented attendance records.
AENOR certification. The final phase involved submitting the programme to external certification audit against the UNE 19601 standard. The AENOR audit assessed the design of the model, the effectiveness of the implemented controls, the adequacy of the compliance body, and the documentary evidence of genuine training and rollout across the organisation. The programme was certified without major findings.
Results
The criminal compliance programme became fully operational within six months of the project start. The AENOR certification was submitted by the group’s defence team in the judicial proceedings as evidence of the existence of adequate controls prior to the events under investigation — a key element in sustaining the criminal liability exemption under Art. 31 bis.4 of the Penal Code.
During the first year of operation, the whistleblower channel received seven reports. Three related to minor administrative irregularities that were corrected internally. Two flagged non-compliant practices by a different subcontractor that did not meet the established due diligence criteria, enabling the contract to be terminated preventively before any risk materialised. The remaining two turned out to be misclassified procedural queries that were redirected to the appropriate internal department.
The group now has a corporate governance structure whose level of criminal compliance maturity, according to the AENOR audit, exceeds the sector average in Spain. The compliance body meets quarterly with the board and produces an annual risk report — practices that did not exist before the project.
Key Takeaways
Criminal compliance in Spain is not a documentation exercise — it is a governance infrastructure project. Courts assessing the Art. 31 bis exemption look at whether controls were genuinely operative, not just whether they were written down. The two cases in this engagement where that distinction mattered most were precisely the cases where the channel worked: a second subcontractor fraud was prevented in year one because an employee used the reporting system to flag concerns before they reached the level of a criminal investigation. The investment in building a real programme — rather than a paper shield — produced operational benefits that extended well beyond the original legal crisis.
Results
Criminal compliance program implemented in 6 months, whistleblower channel operational, AENOR certification obtained, and prosecution risk effectively mitigated.
Client testimonial
The programme does not just protect us from criminal liability — it has changed the way we make decisions across the whole company.