Criminal Compliance: Protect Your Company from Criminal Liability

Corporate criminal liability in Spain was introduced by Organic Law 5/2010, which reformed Article 31 bis of the Spanish Criminal Code (Código Penal) to establish that legal entities can be directly held criminally liable for a catalogue of offences — including corruption, money laundering, tax fraud, environmental crimes, and cybercrime — when committed by their directors, employees, or representatives acting on the company's behalf. A company can exonerate itself from criminal liability, or significantly mitigate sanctions, by demonstrating that it had an adequate criminal compliance programme in place before the offence occurred, meeting the requirements validated by the Supreme Court and the standards of UNE 19601 and ISO 37001. Sanctions for convicted companies include unlimited fines, dissolution, disqualification from public contracts, and temporary or permanent closure.

Our criminal compliance team combines criminal law specialists and corporate governance experts to design programmes that are genuinely effective: not shelf documents, but living tools for prevention and defence.

Corporate Criminal Liability: A Risk Most Directors Have Not Fully Assessed

The 2015 reform of Spain’s Criminal Code fundamentally changed the legal landscape for companies. Legal entities can now be criminally convicted for offences committed by their directors, managers, or employees acting on behalf of the company. The sanctions are severe: fines up to five times the criminal benefit obtained, dissolution of the company, suspension of activities for up to five years, disqualification from public procurement, and court-ordered closure. For companies with public contracts or regulated licences, a criminal conviction is existential.

The reform also created the path to exemption. Under Article 31 bis, a company can be exempt from criminal liability — or have it significantly mitigated — if it had an effective compliance programme in place before the offence was committed, and the offence was carried out by fraudulently circumventing the controls. The burden of proof on the programme’s adequacy falls on the company. This is where the quality of the documentation, the governance structure, and the evidence of implementation become legally decisive.

What Separates an Effective Programme from a Paper Exercise

The Supreme Court and the Attorney General’s Office have been explicit: a compliance programme that exists as a document but is not implemented, monitored, and enforced is not a valid exemption. Courts examine whether the Compliance Body had genuine autonomy and resources, whether the whistleblowing channel was accessible and its reports were investigated, whether employees received meaningful (not tick-box) training, and whether the controls identified in the risk map were actually operating.

Our programmes are built for effectiveness first and documentation second. The criminal risk map is not a generic list of offences: it is a specific analysis of how each offence could plausibly be committed in your company’s operations, by which roles, and through which processes. The controls are designed to interrupt those pathways, not merely to reference them. Training is role-specific: the procurement team understands bribery risk; the finance team understands tax-fraud and financial-statement fraud risk; management understands director-liability exposure.

The Whistleblowing Channel Under Law 2/2023

Spain’s transposition of the EU Whistleblowing Directive created mandatory requirements that go significantly beyond the Criminal Code’s compliance channel. Companies with 50 or more employees must have a confidential reporting channel that is accessible to both internal and external reporters, that protects against retaliation, and that manages investigations within defined timelines. The channel must be managed by a designated independent function — which for most SMEs means an outsourced provider. Non-compliance with Law 2/2023 attracts its own administrative sanctions, independent of any criminal compliance issue.

We design and operate whistleblowing channels that meet both the Criminal Code and Law 2/2023 requirements, with documented investigation procedures, response timelines, and reporting to the Compliance Body.

Criminal Compliance in Corporate Transactions

When a company is acquired, the buyer inherits its criminal compliance programme — or the absence of one. As part of due diligence, we assess the adequacy of the target’s programme, identify the gap between the documented controls and their actual implementation, and advise on the post-closing remediation plan. For transactions where the target operates in high-risk sectors (construction, infrastructure, public procurement, financial services), criminal compliance due diligence is not optional.