
Criminal compliance vs regulatory compliance: criminal is mandatory for survival, regulatory for operation

Comparison between criminal compliance under Article 31 bis of the Spanish Criminal Code and general regulatory compliance. Scope, risks and how to build an integrated programme for companies in Spain.

Criminal Compliance (Article 31 bis Spanish Criminal Code)

Advantages

  • Shield against corporate criminal liability: Article 31 bis allows a company to be fully exempt from all criminal penalties if the programme effectively prevents the listed offences
  • Personal protection for directors and executives: the programme demonstrates they exercised the required supervisory duty of care — critical in liability by omission cases
  • Legally defined specific exemption: the legal framework specifies with precision the programme requirements that activate the exemption — no ambiguity about what is needed
  • Mitigates the most severe risk in the legal system: corporate criminal penalties range from fines equal to five times the benefit obtained to dissolution of the company and prohibition from public contracts
  • Effectively mandatory for mid-sized and large companies: FGE Circular 1/2016 and Supreme Court case law make its absence indefensible in court

Disadvantages

  • Requires a formal programme: criminal risk analysis, written policies, independent compliance body, whistleblowing channel and ongoing training — a statement of intent is not sufficient
  • The compliance officer must have genuine independence and effective supervisory powers: a CEO or board subordinate without real authority to act makes the programme ineffective
  • Closed catalogue of offences: Article 31 bis only covers the specifically listed crimes — it does not protect against regulatory breaches, administrative sanctions or civil liability
  • Requires periodic updates: the criminal risk map must be reviewed when the business changes, new activities are added or the Criminal Code is reformed
  • Paper compliance risk: a programme that exists formally but is not genuinely applied can worsen the procedural situation by demonstrating awareness of the risk without real action

General Regulatory Compliance

Advantages

  • Comprehensive scope: covers all regulatory obligations of the company — tax, labour, environmental, data protection, competition, consumer law, advertising, AML/CFT
  • Prevents everyday administrative sanctions: labour, tax or data protection violations are statistically far more frequent than corporate criminal offences
  • Operational integration: a good regulatory compliance programme becomes part of the company's operating model — affecting how decisions are made in contracts, HR, finance and operations
  • Process improvement and efficiency: systematising regulatory obligations reduces errors, avoids duplications and clarifies internal responsibilities
  • Reputational improvement and ESG rating: regulatory compliance is the substrate of governance indicators in sustainability ratings and investor due diligence processes

Disadvantages

  • Does not address corporate criminal liability: without a specific criminal compliance module, the regulatory programme does not activate the Article 31 bis exemption
  • Can become unmanageable without a risk priority framework: a mid-sized company's regulatory obligations may exceed 200 requirement lines — without risk prioritisation, the programme dilutes
  • Less legally defined: regulatory compliance has no single legal standard of reference — each area (tax, labour, data, environmental) has its own regulatory logic
  • Tick-the-box risk: without a genuine culture of compliance, regulatory compliance can become a formal checklist that does not change risk behaviours

Our verdict

Criminal compliance is a subset of regulatory compliance, but its importance is disproportionate: it is the only defence against the existential risk of corporate criminal conviction and personal liability of directors. Companies should start with criminal compliance — it is the highest-impact risk even if not the most probable — and then expand to full regulatory compliance from an integrated risk map. The most frequent mistake is investing heavily in visible regulatory compliance (GDPR, ESG, tax) and neglecting criminal compliance until an incident occurs. An integrated compliance programme covers both dimensions with shared resources: a single whistleblowing channel, unified training and a supervision body that is valid for both.

The most expensive compliance confusion in Spanish business

In practice, one of the most frequent — and costly — confusions in advising Spanish companies is the equation of general regulatory compliance with the specific criminal compliance of Article 31 bis of the Criminal Code.

The typical mistake sounds like this: “We already have compliance — we have GDPR policies, an anti-harassment protocol and an internal code of conduct.” None of these elements constitutes a crime prevention programme within the meaning of Article 31 bis CP. They are elements of regulatory compliance, not criminal compliance. And that difference matters critically when a company faces a prosecutor.


The compliance architecture: two layers

Corporate compliance has a layered structure:

Layer 1 — Criminal compliance (Article 31 bis CP)

This is the basic, non-negotiable layer. It covers the existential risk: the possibility that the company will be convicted of a criminal offence and its directors imprisoned. This layer has a precise legal framework (Article 31 bis CP and FGE Circular 1/2016) and generates a specific legal exemption if the programme meets the requirements.

Layer 2 — General regulatory compliance

This is the operational layer. It covers the totality of the company’s regulatory obligations: tax, labour, data protection, environmental, competition, consumer law, anti-money laundering and all applicable sector-specific regulations. It has no single legal framework — each area has its own regulatory logic — but together they determine the company’s regulatory risk profile.

A complete compliance programme has both layers. A programme with only Layer 2 leaves the company unprotected against the highest-impact risk. A programme with only Layer 1 ignores dozens of everyday regulatory obligations.


The risk catalogue: criminal vs regulatory

Risk type               | Criminal Compliance                                  | Regulatory Compliance
------------------------|------------------------------------------------------|------------------------------------------
Corruption and bribery  | Yes (bribery, commercial corruption)                 | Yes (anti-corruption policy)
Tax fraud               | Yes (offences against Tax Authority > EUR 120K)      | Yes (tax compliance)
Labour breaches         | Yes (offences against workers' rights)               | Yes (labour law, LRJS)
Data protection         | Not specifically                                     | Yes (GDPR, LOPDGDD)
Money laundering        | Yes (if obligated entity)                            | Yes (AML/CFT for all)
Environmental breach    | Yes (environmental offences)                         | Yes (sector environmental regulation)
Competition breach      | Not specifically                                     | Yes (competition and unfair practices law)
Consumer violations     | No                                                   | Yes (consumer protection law)
Product liability       | Not specifically                                     | Yes (product safety regulation)

The table illustrates why both layers are necessary: criminal compliance covers the most severe risks in depth but leaves critical everyday regulatory areas uncovered.


The three elements both programmes share

An efficient integrated compliance design leverages the fact that both programmes share three fundamental elements:

1. Whistleblowing channel: mandatory for criminal compliance (FGE Circular 1/2016) and for regulatory compliance in companies with more than 50 employees (Law 2/2023 on whistleblower protection). A single well-designed channel serves both purposes.

2. Ongoing training: both criminal and regulatory compliance require periodic staff training. An integrated training programme covers the specific criminal risks and sector regulatory obligations through a single organisational effort.

3. Supervision body: criminal compliance requires an autonomous supervision body. That same body — whether the external compliance officer, the audit committee or the board in small companies — can assume supervision of the full regulatory compliance programme.

Integrating the two programmes into a single system reduces maintenance costs by 30-40% compared to managing them as separate programmes.


The priority order: criminal first

When a company decides to invest in compliance and resources are limited, the priority order must be:

  1. Criminal compliance first: it is the existential risk. A criminal conviction can destroy the company. The implementation cost is reasonable and fixed, and generates the maximum available legal exemption.

  2. Data compliance (GDPR): the probability of an AEPD inspection is high in data-intensive sectors, and sanctions can be significant. Additionally, data compliance is required by clients and commercial partners in due diligence processes.

  3. Labour compliance: labour inspections are frequent and sanctions for breach of collective agreements, employment contracts or occupational health and safety regulations have high operational impact.

  4. Tax and sector compliance: complete the map with the specific obligations of the company’s economic activity.

The mistake is investing in visible compliance areas (GDPR, ESG) and neglecting criminal compliance until it is too late.

Frequently asked questions

The difference is qualitative, not just quantitative. An administrative sanction — a Tax Agency fine, an AEPD penalty or a Labour Inspectorate infringement notice — is an economic cost the company can absorb, which, however serious, does not threaten its existence or the freedom of its directors. A corporate criminal conviction can include: a fine equal to two to five times the benefit obtained, suspension of activities for up to five years, closure of premises, prohibition from contracting with the public sector for 3-5 years, disqualification from obtaining subsidies and public grants, judicial intervention, and in the most serious cases, dissolution of the company. For individual directors, personal criminal liability can include imprisonment and individual fines. No administrative sanction has equivalent impact on business viability.

Article 31 bis establishes a closed catalogue of offences for which a legal entity can be criminally liable. The most relevant in business practice are: bribery (of national and international public officials), human trafficking, terrorism financing, money laundering, offences against the Tax Authority and Social Security (tax fraud above EUR 120,000), fraud, fraudulent insolvency, offences against workers' rights (illegal working conditions, accidents through gross negligence), environmental offences, private-sector corruption (commercial bribery), offences against intellectual and industrial property, and breach of trade secrets. The most common mistake is assuming these offences only occur in large corporations: labour offences, commercial corruption and tax fraud are equally applicable to SMEs.

No. General regulatory compliance may include compliance with regulations that overlap with criminal offences (tax, labour, environmental), but regulatory compliance alone does not activate the Article 31 bis Criminal Code exemption. For the crime prevention programme to operate as an exemption from criminal liability, the company must demonstrate: that the programme was adopted before the offence, that it was effectively implemented, that supervision was entrusted to an autonomous body, and that the offender fraudulently circumvented the programme's controls. A regulatory compliance programme not specifically designed to meet these requirements cannot be invoked as a defence in criminal proceedings. The two are complementary but not substitutable.

Cost depends primarily on company size and activity complexity. For a company with 50-150 employees and domestic activity: initial criminal compliance implementation EUR 15,000-25,000 (risk map, policies, whistleblowing channel, training); additional regulatory compliance layer (GDPR, AML where applicable, HR policies) EUR 5,000-15,000; annual maintenance of the integrated programme EUR 8,000-18,000. For companies with 150-500 employees or international activity, costs multiply by a factor of 2-3. The alternative — carrying the risk without a programme — has an expected cost that, weighted by incident probability, substantially exceeds these figures in most sectors with meaningful criminal exposure.

The integrated compliance map is the central document of any serious compliance programme: it relates each identified risk (criminal, tax, labour, regulatory, reputational) to the applicable regulation, existing controls to mitigate it, the responsible control owner, and the review frequency. It is built in three stages: first, an activity inventory covering all relevant company processes from procurement to client management and financial operations; second, identification of the legal risks of each activity (which rules can be breached and what the consequences are); and third, assessment of the adequacy of current controls against each risk. The result is a unified view of the company's legal risk profile that enables compliance investment to be prioritised by likelihood and impact of each risk category.
