Criminal compliance: the only complete defence against corporate criminal liability in Spain

Compare having a formal criminal compliance program (modelo de prevención penal, art. 31 bis CP) versus operating without one. Corporate liability shield, directors' personal liability, FGE Circular 1/2016, insurance implications, and implementation cost.

With a Criminal Compliance Programme — Crime Prevention Model

Advantages

  • Complete exemption from corporate criminal liability when the programme meets the requirements of art. 31 bis.2 CP and FGE Circular 1/2016
  • Significant mitigation of penalties even when the programme does not prevent the specific offence, if it existed beforehand and was genuinely applied
  • Protection for directors and executives: the programme evidences they exercised due diligence and fulfilled their supervisory obligations
  • Improved credit rating and access to financing: banks and investment funds increasingly require evidence of compliance systems in their due diligence
  • Competitive advantage in public tenders: the Public Sector Contracts Act may exclude criminally convicted companies — the programme reduces this risk
  • Ethical organisational culture: the implementation of reporting channels and action protocols prevents offences before they occur

Disadvantages

  • Implementation cost: criminal risk analysis, policy drafting, compliance body training and staff — EUR 15,000-50,000 depending on size
  • Annual maintenance cost: risk map update, internal audit, ongoing training — EUR 5,000-20,000/year
  • Risk of 'paper compliance': a programme that exists but is not genuinely applied can aggravate the procedural situation by demonstrating knowledge of the risk without real action
  • Requires an independent compliance body with real supervisory powers — cannot be the board of directors itself in medium and large companies
  • Appointing a Compliance Officer creates specific legal obligations that must be clearly defined to avoid creating additional exposure

Without a Criminal Compliance Programme

Advantages

  • No initial implementation cost and no programme maintenance cost
  • No operational friction from authorisation protocols and reporting channels that can slow internal processes
  • Less internal bureaucracy: no compliance committee meetings, no periodic reports to the governing body
  • For very small companies (fewer than 10 employees), the criminal risk may be low enough that the cost-benefit ratio does not justify a formal programme

Disadvantages

  • Direct corporate criminal liability without structural defence: fines of up to five times the benefit obtained, activity suspension, dissolution
  • Personal liability of directors and executives who cannot demonstrate they exercised adequate controls
  • Inability to invoke the art. 31 bis.2 CP exemption — only generic mitigations remain (cooperation, damage repair)
  • Exclusion from public tenders: criminal conviction can result in a prohibition on contracting with the public sector for 3-5 years
  • Loss of D&O insurance coverage: directors and officers policies typically exclude coverage when no certified compliance programme exists
  • Irreparable reputational damage: a corporate criminal conviction destroys relationships with clients, suppliers, banks and employees in ways that rarely recover

Our verdict

A criminal compliance programme is not optional for companies with more than 50 employees, companies that contract with the public sector, or companies in regulated sectors (financial, healthcare, construction, food). It is the only complete defence available against corporate criminal liability established in Article 31 bis of the Criminal Code. The implementation cost — between EUR 15,000 and EUR 50,000 — is irrelevant compared to a criminal fine or exclusion from public tenders. The question is not whether to implement compliance, but how to make the programme genuinely effective.

Corporate criminal liability in Spain: a real risk

Since the Criminal Code reform of 2010 (Organic Law 5/2010) and its subsequent development in 2015 (Organic Law 1/2015), legal entities can be criminally convicted in Spain. Not just the individuals who commit offences: the company itself can be fined, suspended, placed under judicial administration, or even dissolved.

This reality continues to be underestimated by many business owners and directors. Criminal compliance — the implementation of a crime prevention model — is not just a good governance recommendation: it is the only complete legal defence available to exempt the company from liability when one of its employees or directors commits an offence for the organisation’s benefit.


The legal framework: Article 31 bis of the Criminal Code

| Element | With compliance programme | Without compliance programme |
| --- | --- | --- |
| Corporate criminal liability | Possible complete exemption | Direct liability |
| Directors’ liability | Mitigated by due diligence | Full personal liability |
| Applicable penalties | None (exemption) or mitigated | Fine, suspension, dissolution |
| Public tenders | Unrestricted | Prohibition on contracting |
| D&O insurance | Coverage maintained | Possible exclusion |
| Investor due diligence | Positive assessment | Red flag for investors |
| FGE Circular 1/2016 | Demonstrable compliance | No structural defence |

The liability exemption: the exact requirements

Article 31 bis of the Criminal Code establishes two exemption scenarios:

Scenario 1: the offence is committed by someone with representative or control authority

The exemption requires simultaneously demonstrating that: (a) the governing body adopted and effectively implemented the prevention model before the offence; (b) supervision of the model was entrusted to an autonomous body; (c) the author committed the offence by fraudulently circumventing the model’s controls.

Scenario 2: the offence is committed by a subordinate employee

The exemption is more accessible: it suffices to demonstrate that the hierarchical supervisors exercised due diligence in their supervisory duties. If the programme existed and functioned, the company does not bear responsibility for the criminal behaviour of a subordinate employee.

The distinction is crucial: for offences by top management, the standard is very high (the programme must be genuinely effective). For offences by employees without decision-making power, a basic but real programme may be sufficient.


FGE Circular 1/2016: the Prosecutor’s Office standards

Circular 1/2016 of the Fiscalía General del Estado (FGE) remains the most detailed reference document on what a criminal compliance programme must contain to be considered “effective” by the courts. Its requirements include:

1. Criminal risk map: identification of the company’s activities where there is real risk of committing offences from the Article 31 bis CP catalogue.

2. Action protocols: specific procedures for identified risk areas (public procurement, commercial relationships with third parties, payment management, employment relations, environmental compliance, etc.).

3. Financial resources: fund management control systems to prevent their use in illicit activities.

4. Reporting channel: accessible, confidential communication mechanism with reporter protection and independent management.

5. Disciplinary system: clear and implemented consequences for non-compliance with the compliance model by any member of the organisation.

6. Periodic review: risk map update and programme revision at least annually or when significant changes occur in the company or regulatory environment.


The Compliance Officer: who and how

The appointment of the Compliance Officer is a critical decision that many companies approach incorrectly. The most common errors:

Error 1: Appointing the CFO or HR Director as CO without granting genuine independence. If the CO reports to the CEO and the CEO commits an offence, the CO has a structural conflict of interest that nullifies the model’s utility.

Error 2: Outsourcing without real internal involvement. An external CO can provide independence and expertise, but if there is no internal counterpart with dedication and authority, the programme remains on paper.

Error 3: Failing to define the CO’s scope of responsibility. A Compliance Officer who does not know exactly what they can and cannot investigate, and when to escalate to external parties, is in a position of vulnerability both towards the company and third parties.

The most balanced solution for companies with 50-250 employees: a part-time internal compliance officer (can be the Legal Director or similar profile) supported by an external specialist firm for periodic reviews, regulatory updates and internal investigation cases.


Impact in regulated sectors

Some sectors have additional compliance requirements that go beyond the Criminal Code:

  • Financial sector: The CNMV and the Bank of Spain require compliance programmes covering not only criminal law but also MiFID II, GDPR and AMLD (anti-money laundering). Non-compliance can result in licence revocation.
  • Healthcare sector: Compliance regarding relationships with healthcare professionals (Criminal Procedure Act + pharmaceutical industry regulations).
  • Construction and public works: Corruption risk in public procurement is particularly elevated — compliance programmes are practically required by corporate buyers.
  • Food and environment: Environmental and public health offences are among the most frequently investigated in the Spanish corporate context.

Cost and return on investment

A well-implemented criminal compliance programme for a company with 50-200 employees costs:

  • Initial implementation: EUR 15,000-30,000 (risk analysis, policy drafting, training, reporting channel)
  • Annual maintenance: EUR 5,000-12,000 (updates, ongoing training, compliance body review)

The comparison with the cost of a criminal conviction makes this investment obvious:

  • Minimum criminal fine for a bribery offence: EUR 120,000-600,000
  • Exclusion from public tenders: loss of contracts for 3-5 years (potentially millions of euros for companies with significant public sector business)
  • Reputational damage: not quantifiable, but potentially fatal for business continuity

Criminal compliance is not an expense: it is an insurance policy with a predictable annual cost against a risk of exponentially greater magnitude.

Frequently asked questions

Article 31 bis of the Criminal Code, introduced by Organic Law 5/2010 and further developed by Organic Law 1/2015, establishes a closed catalogue of offences for which a legal entity can be criminally liable. The most relevant in business practice are: bribery (of domestic and international public officials), fraud, culpable insolvency and fraudulent asset concealment, offences against the Tax Authority and Social Security, money laundering, terrorist financing, environmental offences, offences against workers' rights, influence peddling, corruption between private parties, and offences against intellectual and industrial property. The most common error is assuming these offences only occur in large corporations: corruption between private parties, labour offences and tax fraud are equally applicable to SMEs.
Article 31 bis.2 of the Criminal Code and Circular 1/2016 of the Fiscalía General del Estado (FGE) establish the requirements: first, the governing body must have adopted and effectively implemented the organisation and management models before the offence was committed; second, supervision of the model's functioning must have been entrusted to a body with autonomous powers of initiative and control; third, the authors of the offence must have fraudulently circumvented the model's controls; and fourth, there must not have been an omission or insufficient exercise of supervisory functions by the compliance body. FGE Circular 1/2016 adds that the programme must include: identification of risk activities, authorisation and decision-making protocols, financial resource management to prevent illicit use, a reporting channel and ongoing training.
The Compliance Officer (CO) must be a person with genuine independence from the company's executive management. In medium and large companies, the CO must have direct access to the board of directors without going through the CEO. FGE Circular 1/2016 accepted that in smaller companies the board of directors itself can assume supervisory functions over the model, but this has been qualified in subsequent judgments: if the offence is committed by a board member, the board cannot be the body supervising prevention. The CO does not need to be a lawyer, but must have training in corporate criminal law and applicable sector regulations. Outsourcing the CO function to a specialist firm is a valid and common option for SMEs.
The reporting channel (whistleblowing channel) is the mechanism that enables employees, directors and third parties to report potentially illegal conduct confidentially or anonymously. Since the transposition of Directive (EU) 2019/1937 through Law 2/2023 of 20 February, companies with 50 or more workers are legally required to maintain an internal reporting channel. For companies with fewer than 50 workers, the channel is not legally mandatory but is an essential component of an effective criminal compliance programme. The channel must guarantee the confidentiality of the reporter, expressly prohibit retaliation, have an independent management responsible, and document all reports received and actions taken.
Directors and Officers (D&O) policies cover the personal liability of directors and executives for acts or omissions in the exercise of their duties. However, most D&O policy general conditions exclude coverage when the company has not implemented adequate control systems or when directors have knowingly failed their supervisory obligations. The absence of a criminal compliance programme can be used by the insurer as grounds for coverage exclusion against claims arising from corporate offences. Additionally, many insurers already request information about existing compliance systems during the D&O policy underwriting phase, and may increase the premium or reduce coverage limits if none exist.
