The term "compliance" has penetrated Spanish business vocabulary rapidly in recent years, but its generic use creates confusion. When a director says their company "has compliance", they could be referring to very different realities: a crime prevention programme, a sectoral regulatory compliance system, a whistleblowing channel or simply a code of conduct handbook. Understanding the difference between criminal compliance and regulatory compliance is essential for knowing what your company is protected against and what risks remain exposed.
Criminal compliance: preventing corporate criminal liability
Criminal compliance has its origins in the reform of Article 31 bis of the Spanish Criminal Code, which introduced the criminal liability of legal persons for certain offences committed in their name and for their benefit. The 2015 reform consolidated this regime and established the conditions under which a company can be exonerated from liability: having adopted and implemented, before the commission of the offence, an organisation and management model that includes adequate supervision and control measures to prevent offences of the same nature.
Criminal compliance has a specific and defined scope: the catalogue of offences for which legal persons can be prosecuted under the Criminal Code. This catalogue includes corruption, money laundering, fraud, offences against the public treasury, environmental offences and others. But it does not include administrative, employment or data protection infringements — those are the domain of regulatory compliance.
Regulatory compliance: a broader universe
Regulatory compliance — a term that Spanish-language literature also uses in English — is the set of legal and regulatory obligations that a company must respect in carrying out its business: employment law, data protection (GDPR and the Spanish LOPDGDD), anti-money laundering regulations, sectoral regulation (financial services, healthcare, telecommunications), environmental regulations, product safety, equality plans, and much more.
Failure to meet these obligations generates administrative liability: financial penalties, withdrawal of licences, suspension of activity, director disqualification in some cases. But it does not generate criminal liability in itself, unless the conduct also constitutes a criminal offence.
The key differences in practice
Consequences of non-compliance
Criminal compliance prevents the criminal prosecution of the company and its directors, with penalties that include criminal fines, dissolution, suspension of activities and disqualification from public procurement. Regulatory compliance prevents administrative sanctions and, in regulated sectors, loss of the operating licence.
Voluntary vs mandatory nature
Criminal compliance is not legally mandatory, but its absence has direct consequences if a criminal offence occurs. Regulatory compliance is mandatory by definition: every regulation governing the company’s activity is binding, and non-compliance generates an infringement regardless of whether or not the company had a compliance system.
Programme scope
A criminal compliance programme must map the offences in the Article 31 bis catalogue that are possible given the company’s activity, and design specific controls for each identified risk. Regulatory compliance is broader and cross-cutting: it covers all regulations applicable to the company, which can be extensive in regulated sectors.
Integrated compliance: the efficient solution
Best practice is to integrate criminal compliance and regulatory compliance under a single management system: a single risk map, a single whistleblowing channel, a single supervisory body (compliance officer or compliance committee) and a single training and control system. Integration avoids duplication, reduces the cost of the system and ensures there are no blind spots between the two frameworks.
When to prioritise criminal compliance
Although no company is immune from criminal risk, certain business profiles concentrate greater exposure:
- Companies that contract with the public sector or participate in tenders
- Companies in highly regulated sectors (financial services, healthcare, construction, environment)
- Corporate groups with international operations
- Companies that manage third-party funds or have activities involving significant cash handling
- Companies with high director turnover or with distribution models using third parties
The compliance integration model in practice
The most efficient compliance architecture for a mid-sized Spanish company is a three-layer model:
Layer 1 — Foundation documents: Code of Conduct (covering both criminal risks and general compliance obligations), Compliance Policy and supporting policies (anti-corruption, gifts and hospitality, conflict of interest, data protection).
Layer 2 — Risk management: Integrated risk map covering criminal offences under Article 31 bis alongside regulatory obligations (GDPR, anti-money laundering, employment law). A single document with a common methodology and consistent risk ratings.
Layer 3 — Governance and monitoring: A single compliance officer or external provider with responsibility for both frameworks. A single whistleblowing channel meeting the requirements of both Law 2/2023 and Article 31 bis.5.4 CP. An annual review cycle covering both criminal risk and regulatory compliance status.
This architecture is not theoretical: it is the structure that the Supreme Court will evaluate when assessing whether a company’s compliance programme is genuine and effective.
How BMC can help
Our criminal compliance team designs and implements crime prevention programmes adapted to the risk profile of each company. We coordinate the preparation of the compliance risk map and the implementation of the whistleblowing channel within an integrated system that covers both criminal risk and general regulatory compliance.
If your company does not have a formal compliance programme, or wishes to review the adequacy of its existing one, contact us for an initial assessment. The investment in compliance has a tangible return: protection of directors’ personal assets and reduction of the company’s reputational and operational risk.