Criminal Compliance: Protect Your Company from Criminal Liability
Corporate criminal compliance programmes to exempt or mitigate the criminal liability of legal entities under Article 31 bis of the Spanish Criminal Code.
Why criminal compliance is critical for mid-sized companies
Does this apply to your business?
Does your company have a criminal compliance programme that genuinely meets the exemption conditions of Article 31 bis of the Spanish Criminal Code?
Is your whistleblowing channel compliant with Law 2/2023 — confidential, accessible, and actively managed?
When did your criminal risk map last incorporate changes in your business model, new geographies, or new regulatory requirements?
If a director or senior employee committed a criminal offence tomorrow, would your company's documented controls support a credible defence?
Our criminal compliance programme design process
Criminal risk map
We identify the corporate offences most at risk of being committed within the company (fraud, corruption, money laundering, tax crimes, environmental offences, etc.) and assess the probability and impact of each.
Programme design
We draft the code of ethics, compliance policies, control procedures, whistleblowing channel, and the compliance governance structure (Compliance Body).
Implementation & training
We roll out the programme across the organisation, train employees and managers, and communicate the company's values and commitments effectively.
Audits & updates
We conduct periodic programme effectiveness audits, update the risk map in response to business or regulatory changes, and prepare documentation for a potential criminal defence.
The challenge
Since the 2015 Criminal Code reform, legal entities can be criminally liable for offences committed by their directors or employees. A conviction can mean multi-million fines, company dissolution, disqualification, or temporary closure. Without a properly implemented and documented criminal compliance programme, the company has no defence mechanisms.
Our solution
We design and implement criminal compliance programmes that meet the requirements of Article 31 bis of the Spanish Criminal Code and the guidelines of the Attorney General's Office. Our model identifies criminal risk areas for your company, establishes preventive controls, and creates the culture of compliance needed to exempt or mitigate criminal liability.
Corporate criminal liability in Spain was introduced by Organic Law 5/2010, which reformed Article 31 bis of the Spanish Criminal Code (Código Penal) to establish that legal entities can be directly held criminally liable for a catalogue of offences — including corruption, money laundering, tax fraud, environmental crimes, and cybercrime — when committed by their directors, employees, or representatives acting on the company's behalf. A company can exonerate itself from criminal liability, or significantly mitigate sanctions, by demonstrating that it had an adequate criminal compliance programme in place before the offence occurred, meeting the requirements validated by the Supreme Court and the standards of UNE 19601 and ISO 37001. Sanctions for convicted companies include unlimited fines, dissolution, disqualification from public contracts, and temporary or permanent closure.
Our criminal compliance team combines criminal law specialists and corporate governance experts to design programmes that are genuinely effective: not shelf documents, but living tools for prevention and defence.
This service is part of our legal advisory practice.
Corporate Criminal Liability: A Risk Most Directors Have Not Fully Assessed
The 2015 reform of Spain’s Criminal Code fundamentally changed the legal landscape for companies. Legal entities can now be criminally convicted for offences committed by their directors, managers, or employees acting on behalf of the company. The sanctions are severe: fines up to five times the criminal benefit obtained, dissolution of the company, suspension of activities for up to five years, disqualification from public procurement, and court-ordered closure. For companies with public contracts or regulated licences, a criminal conviction is existential.
The reform also created the path to exemption. Under Article 31 bis, a company can be exempt from criminal liability — or have it significantly mitigated — if it had an effective compliance programme in place before the offence was committed, and the offence was carried out by fraudulently circumventing the controls. The burden of proof on the programme’s adequacy falls on the company. This is where the quality of the documentation, the governance structure, and the evidence of implementation become legally decisive.
What Separates an Effective Programme from a Paper Exercise
The Supreme Court and the Attorney General’s Office have been explicit: a compliance programme that exists as a document but is not implemented, monitored, and enforced is not a valid exemption. Courts examine whether the Compliance Body had genuine autonomy and resources, whether the whistleblowing channel was accessible and its reports were investigated, whether employees received meaningful (not tick-box) training, and whether the controls identified in the risk map were actually operating.
Our programmes are built for effectiveness first and documentation second. The criminal risk map is not a generic list of offences: it is a specific analysis of how each offence could plausibly be committed in your company’s operations, by which roles, and through which processes. The controls are designed to interrupt those pathways, not merely to reference them. Training is role-specific: the procurement team understands bribery risk; the finance team understands tax-fraud and financial-statement fraud risk; management understands director-liability exposure.
The Whistleblowing Channel Under Law 2/2023
Spain’s transposition of the EU Whistleblowing Directive created mandatory requirements that go significantly beyond the Criminal Code’s compliance channel. Companies with 50 or more employees must have a confidential reporting channel that is accessible to both internal and external reporters, that protects against retaliation, and that manages investigations within defined timelines. The channel must be managed by a designated independent function — which for most SMEs means an outsourced provider. Non-compliance with Law 2/2023 attracts its own administrative sanctions, independent of any criminal compliance issue.
We design and operate whistleblowing channels that meet both the Criminal Code and Law 2/2023 requirements, with documented investigation procedures, response timelines, and reporting to the Compliance Body.
Criminal Compliance in Corporate Transactions
When a company is acquired, the buyer inherits its criminal compliance programme — or the absence of one. As part of due diligence, we assess the adequacy of the target’s programme, identify the gap between the documented controls and their actual implementation, and advise on the post-closing remediation plan. For transactions where the target operates in high-risk sectors (construction, infrastructure, public procurement, financial services), criminal compliance due diligence is not optional.
Offences Attributable to Legal Entities Under Article 31 bis of the Criminal Code
Article 31 bis of the Spanish Criminal Code does not attribute criminal liability to legal entities for every offence committed within the company, but only for those offence types in which the legislature has expressly provided for corporate liability. The catalogue is broad and expanding. The offences with the greatest practical relevance for the Spanish business environment include:
Tax fraud and Social Security offences (Articles 305-310 bis and 307-307 ter of the Criminal Code). Tax fraud exceeding EUR 120,000 per tax year, wrongful obtainment of refunds or tax credits, and Social Security fraud are among the offence types with the highest corporate exposure. Article 310 bis expressly extends liability to legal entities. A robust tax compliance programme, aligned with the AEAT’s guidelines on tax compliance, significantly reduces this risk.
Money laundering (Articles 301-304 of the Criminal Code). Money laundering is one of the offences most frequently generating criminal proceedings against legal entities, particularly in sectors such as real estate, financial services, and professional advisory. The criminal compliance programme must be articulated with the Anti-Money Laundering Programme (AMLD) required by Law 10/2010, as integrated documents rather than separate systems.
Bribery and corruption between private parties (Articles 419-427 bis and 286 bis of the Criminal Code). Active and passive bribery, corruption in international commercial transactions (relevant for companies with export activity or foreign subsidiaries), and private-sector corruption generate direct corporate liability. The US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act can apply extraterritorially to Spanish companies with activity in those markets.
Environmental offences (Articles 325-331 of the Criminal Code). Companies in industrial, energy, agri-food, and waste management sectors face significant exposure to criminal environmental offences, including serious contamination of soil, water, or air and the unlawful management of hazardous waste. Sanctions can include temporary or permanent closure of facilities.
Cybercrime (Articles 197 bis-197 ter of the Criminal Code). Unauthorised access to computer systems, interception of communications, and computer damage can be attributed to the legal entity when committed on its behalf or for its benefit. The proliferation of remote working and technology outsourcing has substantially expanded the risk surface in this area.
Requirements for an Effective Criminal Compliance Programme
The Attorney General’s Circular 1/2016 is the most relevant interpretive reference for assessing the effectiveness of a criminal compliance programme. It establishes that the programme must be genuinely effective and not merely formal. The following elements are indispensable:
Criminal risk map (risk assessment). The starting point is a specific criminal risk map that identifies the Article 31 bis catalogue offences with the highest probability and impact for the specific company, taking into account its sector, business model, corporate structure, markets, and counterparty profile. The risk assessment is not a static document: it must be updated following significant changes in the business or regulatory environment.
Ethics code and internal policies. The corporate ethics code translates the company’s values into enforceable conduct standards, complemented by specific policies: anti-corruption, gifts and entertainment, conflicts of interest, relationships with public administration, and donations and sponsorships. These documents must be known and formally accepted by all employees and directors.
Whistleblowing channel (Law 2/2023). The whistleblowing channel must guarantee confidentiality or anonymity, independence in management, acknowledgement of receipt within 7 calendar days, resolution within a maximum of 3 months, and effective protection for reporters against retaliation.
Compliance body: composition, independence, and resources. Article 31 bis requires supervision of the programme to be entrusted to a body with autonomous powers of initiative and control. Circular 1/2016 underlines that lack of genuine autonomy of the compliance body is a serious defect that undermines the programme’s exonerating effect.
Periodic review and continuous improvement. The Supreme Court’s case law emphasises genuine effectiveness over time. Periodic efficacy audits — at least annually — verify that controls are working, the risk map remains valid, and personnel are effectively applying the procedures. Audits must be documented to be evidenced in potential criminal proceedings.
We support companies seeking certification under UNE 19601, Spain’s technical standard for criminal compliance management systems — compatible with ISO 37301. Certification by an accredited body adds a layer of programme credibility before prosecutors and courts.
Criminal compliance and director liability
Directors and senior managers of Spanish companies face personal criminal exposure for corporate offences where they have not implemented effective prevention programmes. Article 31 bis CP creates a clear incentive structure: the organisation benefits from exemption or mitigation, and the individual directors benefit from the same protection, if the programme was properly designed, implemented, and supervised. Conversely, if a criminal offence is committed in the absence of an effective compliance programme, directors may face criminal prosecution under Article 31 CP (acting on behalf of a legal entity) or for specific director liability offences under the Ley de Sociedades de Capital (LSC).
The most frequent criminal offences triggering corporate criminal liability in Spain are: fiscal offence (delito fiscal) for unpaid taxes exceeding EUR 120,000; social security fraud (delito contra la Seguridad Social); money laundering (blanqueo de capitales) under Articles 301-304 CP; bribery and corruption of public officials (cohecho) and private sector bribery (corrupción entre particulares); unfair administration (administración desleal); and environmental offences (delitos contra el medio ambiente) under Articles 325-331 CP.
The three-lines model applied to criminal compliance
Effective criminal compliance programmes in Spain increasingly apply the Three Lines of Defence model advocated by the IIA (Institute of Internal Auditors) and adapted to the Spanish criminal framework:
First line — operational compliance: business units own and operate day-to-day controls. Commercial teams apply anti-corruption procedures in client engagement. Procurement teams apply anti-bribery procedures in supplier selection. Finance teams apply fiscal controls that prevent or detect tax offences.
Second line — compliance oversight: the compliance function (whether internal or outsourced to BMC) provides oversight, guidance, and the whistleblowing channel. It monitors first-line control effectiveness and reports to the compliance body (órgano de vigilancia y control).
Third line — internal audit: independently assesses the design and operating effectiveness of both first-line and second-line controls, and reports its findings to the governing body.
Our criminal compliance service can occupy any of the three lines depending on your organisation’s structure and existing capabilities — designing programme architecture, operating the compliance oversight function, or conducting the third-line audit assessment.
Self-diagnostic: is your criminal compliance programme effective?
Spanish courts and the Fiscalía Anticorrupción assess programme effectiveness against substantive criteria, not formal criteria. A programme that exists on paper but is not embedded in daily operations will not provide the Article 31 bis mitigation that management may be relying upon.
Assess your programme against these indicators:
- Has the criminal risk map been updated in the last 12 months to reflect changes in your business activities, geographic footprint, and commercial relationships?
- Has at least one training session on the programme been delivered to all staff with relevant risk exposure in the last 12 months — with attendance records maintained?
- Has the whistleblowing channel received at least one report — whether substantive or de minimis — demonstrating that it is functioning and known to employees?
- Has the compliance body met formally (with documented minutes) at least four times in the last 12 months?
- Have the controls in the highest-risk programme areas been independently tested — through internal audit or external review — with findings documented and remediated?
If any of these indicators is not satisfactory, the programme’s exonerating effectiveness is materially impaired. Contact our criminal compliance team for an independent programme assessment.
UNE 19601 certification: the Spanish standard
UNE 19601:2017 is Spain’s national technical standard for criminal compliance management systems, developed by AENOR and aligned with the requirements of Article 31 bis CP. It provides a detailed requirements framework for designing, implementing, maintaining, and improving a criminal compliance management system — and a basis for independent certification by accredited certification bodies.
Certification under UNE 19601 does not guarantee criminal exoneration, but it provides a powerful evidential basis demonstrating to prosecutors and courts that a genuine, audited compliance programme existed at the time of the offence. For publicly tendering companies, UNE 19601 certification is increasingly specified as a requirement in public procurement qualification criteria. Our criminal compliance team supports companies through both the programme design process and the certification audit preparation.
Real results in corporate criminal compliance
A competitor in our sector was prosecuted and convicted under Article 31 bis. We called BMC the same week. Within 60 days they had delivered a complete criminal compliance programme: risk map, code of ethics, whistleblowing channel, and a trained Compliance Committee. The peace of mind for our board is worth every euro.
What our criminal compliance service includes
Criminal Risk Mapping
Structured identification of all corporate offences relevant to the company's sector and activities, with probability and impact assessment and a prioritised controls agenda.
Programme Documentation
Drafting of the code of ethics, specific compliance policies, internal control procedures, and the disciplinary regime, all aligned with the Attorney General's guidelines and UNE 19601.
Whistleblowing Channel
Design and implementation of a confidential, accessible internal reporting channel compliant with Law 2/2023, with management procedures, investigation protocols, and non-retaliation guarantees.
Compliance Body
Structuring of the autonomous Compliance Body or Compliance Officer role, including terms of reference, reporting lines, and audit authority.
Periodic Audits & Effectiveness Reviews
Independent annual programme effectiveness assessments, risk map updates, and formal opinions that can be used as evidence in criminal proceedings.
Results that speak for themselves
Criminal Compliance Spain: Construction Group Case
Criminal compliance program implemented in 6 months, whistleblower channel operational, AENOR certification obtained, and prosecution risk effectively mitigated.
GDPR Healthcare Spain: Compliance Case Study
AEPD investigation closed with no sanction. Full GDPR compliance achieved across all group centres within 6 months.
AML compliance program for a real estate development group
SEPBLAC inspection passed with minor observations only, zero sanctions. Full AML program operational within 90 days.
Start with a free diagnostic
Our team of specialists, with deep knowledge of the Spanish and European market, will guide you from day one.