Legal Whitepaper

Whitepaper: Criminal Compliance in Spanish Companies

Criminal compliance for Spanish companies under Article 31 bis of the Penal Code: what constitutes an effective compliance programme per Supreme Court standards, corporate criminal liability risks, and 2026 case law update. 30-page guide.

Corporate criminal liability in Spain, regulated under Article 31 bis of the Penal Code, has undergone intense jurisprudential evolution since its introduction in 2010. What was initially met with some scepticism regarding its practical application is today a consolidated reality: Spanish courts have convicted legal entities, have rigorously examined their prevention models, and have established a doctrine that requires companies to treat criminal compliance with the same seriousness they apply to any other major corporate risk.

This whitepaper analyses the current state of criminal compliance in Spain, the Supreme Court’s requirements, the catalogue of offences most relevant to the business sector, and best practices for Spanish companies to build effective and verifiable prevention models.

Organic Law 5/2010 introduced corporate criminal liability into the Spanish Penal Code through Article 31 bis. The reform introduced by Organic Law 1/2015 consolidated and clarified that model, establishing explicitly that the adoption and effective execution of prevention programmes can constitute grounds for full exemption from criminal liability — not merely mitigation.

Article 31 bis in its current wording establishes two routes of imputation for the legal entity: commission of the offence by legal representatives or de facto or de jure directors (the “high road”), and commission by employees or subordinates due to failure to exercise adequate control over them (the “low road”). In both cases, the key to exemption is demonstrating that the legal entity adopted and effectively executed a model of organisation and management suitable for preventing offences of the type committed.

Circular 1/2016 of the State Attorney General’s Office established the assessment criteria that prosecutors apply to these programmes and remains the most important practical reference for designing criminal compliance models capable of withstanding scrutiny from the public prosecution. Its requirements go beyond mere documentary design: the Circular emphasises that the programme must be operationally effective and must have demonstrated the capacity to detect and react to irregularities in the past.

Supreme Court Requirements: Consolidated Case Law

The Supreme Court’s case law on corporate criminal liability has matured considerably since Ruling 154/2016 of 29 February (known as the “Manos Limpias case”), which was the first resolution of the High Court to address in depth the suitability standard for compliance programmes.

Subsequent rulings — including STS 221/2016 of 16 March and the doctrine consolidated in the years that followed — have clarified that the prevention model must meet four basic conditions to be invoked as grounds for exemption: it must have been adopted and implemented before the commission of the offence (adopting it after learning of an investigation is not sufficient); it must identify the company’s activities within which the offences it aims to prevent could be committed; it must establish protocols or procedures that give concrete expression to the process of forming the legal entity’s will, adopting decisions, and executing them in relation to those activities; and it must have effective monitoring and control mechanisms to reduce the risk of non-compliance with the preventive measures.

The Supreme Court has also emphasised that the programme must be “genuine”, as opposed to paper models designed to appear compliant without real implementation. The indicators that courts examine to assess genuineness include: the existence of documented and periodic training; the effective functioning of the whistleblowing channel (number of communications received, response times, measures adopted); and periodic audits or reviews of the programme itself.

The Penal Code does not make the legal entity liable for every possible offence, but only for those in which the legislature has expressly provided for that consequence. The catalogue currently includes more than 30 types of offence, but the most practically relevant for the Spanish business sector are the following:

Economic and financial offences. Tax fraud (Article 305 CP), accounting offences (Article 310 CP), money laundering (Articles 301–304 CP), and criminal insolvency (Articles 259–261 CP) are the most frequent in proceedings against legal entities. The tax quota threshold that triggers criminal liability is €120,000 — within reach of companies with turnover from €2–3 million.

Corruption and bribery. Active bribery (Article 424 CP), corruption between private parties (Article 286 bis CP), and corruption in international commercial transactions (Article 286 ter CP) are especially relevant for companies operating in public procurement, regulated sectors, or international markets with elevated corruption risk. For cross-border scenarios, Article 286 ter is the Spanish equivalent of the FCPA and the UK Bribery Act.

Offences against workers. Offences against workers’ rights (Articles 311–318 CP) — including imposition of abusive working conditions, human trafficking for labour exploitation, and safety risk offences — are receiving increasing attention from prosecutors, particularly in construction, temporary employment, and hospitality sectors. The supply chain dimension is critical: liability can extend to principals for conditions at their subcontractors.

Environmental offences. Environmental crimes (Articles 325–331 CP) particularly affect industrial companies, waste management firms, and the energy sector. The 2015 Penal Code reform introduced the offence of contamination by serious negligence, extending the scope of liability beyond intentional conduct to cover situations of gross operational failure.

Technology offences. Unlawful access to computer systems (Article 197 bis CP), computer damage (Article 264 CP), and intellectual property offences in digital environments (Article 270 CP) are relatively recent additions to the corporate criminal liability catalogue, with growing relevance in the context of the digital economy. These risks intersect with cybersecurity obligations under the NIS2 Directive.

Essential Components of the Criminal Compliance Model

An effective criminal compliance programme — capable of withstanding judicial and prosecutorial scrutiny — must be structured around six interdependent components:

1. Criminal risk map. The starting point is identifying and assessing the specific criminal risks of the company’s activity. It is not possible to design effective controls without knowing which offence scenarios are most probable given the business model, the sectors in which the company operates, its geographic markets, and its organisational structure. The risk map must be updated periodically (at least annually, or when significant changes in the business occur) and must be documented with evidence of the assessment process.

2. Control protocols and preventive procedures. For each risk identified as relevant, the model must establish concrete procedures that reduce the probability of commission: segregation of duties, payment authorisation limits, due diligence processes for third parties (suppliers, agents, distributors), treasury controls to detect irregular payments, and approval procedures for hospitality expenses and dealings with public officials.

3. Whistleblowing channel with guarantees. EU Directive 2019/1937 on the protection of persons who report breaches of Union law (the Whistleblowing Directive), transposed into Spanish law by Law 2/2023 of 20 February, obliges companies with 50 or more employees to have an internal reporting channel meeting specific confidentiality requirements, with acknowledgement deadlines (7 days) and response deadlines (3 months), and prohibition of retaliation. This channel is not just a legal requirement: it is the central mechanism for early detection of irregularities within the organisation.

4. Documented periodic training. Personnel training is a critical component that courts examine to assess the genuineness of the programme. Incorporating a code of ethics into the employment contract is not sufficient: the company must be able to demonstrate that it has provided specific and periodic training on the criminal risks relevant to each function and hierarchical level, and that employees have understood the policies and procedures applicable to their work.

5. Compliance body with genuine autonomy. Article 31 bis requires that the legal entity has entrusted supervision of the model to a body with autonomous powers of initiative and control, or one legally entrusted with the function of supervising the operation and compliance of the prevention model. The genuine autonomy of this body is a determining factor: a compliance officer who reports hierarchically to the same executive whose decisions they must supervise does not meet the required standard. In mid-sized companies, the function can be exercised by a board committee (where one exists) or by an external compliance officer.

6. Periodic audit of the model. The programme must be subject to periodic review to verify that the controls remain adequate to the company’s current risks and are operationally implemented. This review can be internal (conducted by the compliance body itself) or external (by a specialist auditor), but must generate a documented report identifying deficiencies found and the measures adopted to correct them.

Sectors with Greater Exposure

The financial, real estate, construction and healthcare sectors have shown the greatest historical exposure in Spain, but experience over recent years has demonstrated that no sector is immune.

Construction and property development. The most frequent offences include corruption in public works procurement, offences against workers (abusive working conditions, workplace accidents through omission of safety measures), and environmental offences related to construction waste management. Compliance programmes in this sector must pay particular attention to the subcontracting chain, where the risk of labour and environmental non-compliance is transferred to third parties.

Financial sector and fintech. Financial entities face specific sectoral compliance obligations (banking supervisors, CNMV, AML regulations), but criminal compliance extends beyond sectoral regulation. Money laundering, internal fraud, corruption and computer crime risks require an integrated model coordinating regulatory and criminal compliance.

Healthcare and pharmaceutical sector. Corruption between private parties in dealings with doctors and hospital procurement managers (Article 286 bis CP), offences relating to falsified or adulterated medicines, and public health offences are the main risk areas. Industry codes of conduct must be integrated with each company’s criminal compliance model.

Mid-sized companies in unregulated sectors. A common mistake is assuming criminal compliance only affects large corporations or financial sectors. Recent case law shows that SMEs and mid-sized companies have also been charged as legal entities — particularly for tax offences, labour violations, and environmental crimes. The €120,000 threshold for tax fraud is within reach of companies with turnover from €2–3 million.

Cost and ROI of Criminal Compliance

The cost of implementing a criminal compliance programme for a mid-sized company ranges from €8,000 to €35,000, depending on the size of the organisation, the complexity of its activity, and the number of risks identified. Annual maintenance programmes (risk map updates, training, audit, and whistleblowing channel management) cost approximately €3,000–€10,000 per year.

Against that cost, the consequences of not having an effective programme include: fines of up to five times the benefit obtained (with no minimum limit); disqualification from contracting with public administrations (devastating for companies with public sector contracts); temporary or permanent closure of premises; and the reputational cost associated with a criminal conviction of the legal entity. In any realistic risk scenario, the ROI of criminal compliance is not in doubt.

Implementation Roadmap

Phase 1 — Diagnosis and risk map (4–6 weeks). Analysis of the company’s activity, structure and exposure; identification and assessment of specific criminal risks; review of existing controls and identified gaps.

Phase 2 — Model design (6–8 weeks). Drafting of the code of ethics and corporate policies; design of control protocols for each relevant risk; definition of the whistleblowing channel model compliant with Law 2/2023; design of the training plan.

Phase 3 — Implementation and training (8–12 weeks). Formal approval of the model by the governing body; internal communication of the programme; delivery of initial training to personnel; operational launch of the whistleblowing channel.

Phase 4 — Maintenance and continuous improvement (ongoing). Annual review of the risk map; updating of protocols in response to changes in activity or legislation; management of communications received via the channel; periodic audit of the model and reporting to the governing body.

Conclusions and BMC Recommendations

Criminal compliance has moved from being a practice reserved for large corporations to becoming a necessity for any Spanish company that wishes to responsibly manage its legal risks. The Supreme Court’s case law has raised the standard of requirements: paper programmes are no longer sufficient, and courts examine whether the model was genuinely implemented and operational before the commission of the offence.

The time to act is now — not when the company receives its first notification of an investigation. A programme adopted reactively does not serve as a defence, and the implementation cost is invariably lower than the cost of facing criminal proceedings without adequate corporate defences in place.

At BMC we design tailored criminal compliance models for each organisation, from initial diagnosis through to annual programme maintenance, with a team that combines legal expertise, sectoral knowledge, and the technological tools necessary to make compliance operationally effective and verifiable. See our criminal compliance services.
