Criminal Compliance for Companies in Madrid: Compliance Programmes That Protect Your Directors

Criminal compliance for companies in Madrid is the implementation of the internal prevention and control programme required by Article 31 bis of the Spanish Criminal Code (Código Penal) to exempt or mitigate corporate criminal liability for offences committed by directors or employees acting on the company's behalf. Spain's Anticorruption Prosecutor's Office and the Economic Crime Prosecutor, both headquartered in Madrid with nationwide jurisdiction, actively prosecute corporate offences including corruption, money laundering, tax fraud, and market manipulation. Law 2/2023 on whistleblowing protection additionally requires companies with 50 or more employees to operate a fully compliant internal information channel — extending the compliance perimeter for Madrid-based businesses.

Why criminal compliance in Madrid is a genuine priority, not a formality

The Anticorruption Prosecutor’s Office is headquartered in Madrid. The National High Court — which tries the most significant economic crimes of national scope — is in Madrid. The Central Investigating Courts, before which the most serious corporate corruption cases are investigated, are in Madrid. This is not coincidental: Madrid is Spain’s principal centre of economic activity and, with it, the country’s main focal point for corporate criminal risk.

Since the 2015 Criminal Code reform, companies can be found directly criminally liable for offences committed on their behalf or for their account, with penalties ranging from multi-million-euro fines to activity suspension, premises closure, or judicial administration. The 2019 reform introduced certification of compliance programmes by accredited bodies, and the Supreme Court has issued case law clarifying what elements a programme must have to be recognised as an exemption or mitigating factor.

In this context, criminal compliance in Madrid is not an image document. It is a management system that needs to be designed, implemented, known across the organisation, periodically audited, and updated. When the tax investigation or criminal charge arrives, that system — or its absence — is decisive.

Our Madrid criminal compliance team: programmes that protect your directors

Our criminal compliance team in Madrid combines the legal perspective — Article 31 bis CP, Supreme Court case law, Prosecutor criteria — with practical implementation capacity in organisations of different sizes and sectors. We do not just design the programme: we accompany its implementation, train the teams, act as external compliance officer when needed, and if criminal proceedings are initiated, we defend.

For companies that are also obligated entities under anti-money laundering regulations, we coordinate both programmes into an integrated management system that avoids duplication and ensures comprehensive coverage. The same applies to the whistleblowing channel required by Law 2/2023: we integrate it into the criminal compliance programme as one of its components, not as a standalone addition.

For companies with multi-jurisdiction presence, we work with correspondents in the relevant countries to ensure the compliance programme is consistent with each jurisdiction’s requirements.

What the Supreme Court requires for a compliance programme to be effective

The Supreme Court case law — particularly Judgments 154/2016 and 221/2016 — has established the criteria a criminal compliance programme must meet to be recognised by the courts as an exemption or mitigating factor:

• Identification of specific criminal risks for the company’s activity — not a generic catalogue.
• Concrete action protocols for each identified risk, with designated responsible persons and defined timescales.
• Operational whistleblowing channel enabling any employee to report irregularities without retaliation.
• Compliance body with genuine autonomy, with full information access and direct board reporting capability.
• Documented effective training for employees with relevant exposure to identified risks.
• Periodic audit and update of the programme in response to regulatory or organisational changes.

A programme that does not meet these requirements is not an exemption: it is simply a document that the Prosecutor will use to demonstrate that the company attempted to appear compliant without genuinely complying.

What our criminal compliance programme for Madrid companies includes

Phase 1 — Diagnostic: identification of applicable offences from the Article 31 bis CP catalogue, exposure assessment by activity and employee profile, current compliance status analysis and gap identification.

Phase 2 — Design: documented criminal risk map, action protocols per risk, code of ethics, conflict of interest policy, gifts and hospitality policy, and whistleblowing channel management procedure.

Phase 3 — Implementation: training for directors, executives and key employees, whistleblowing channel deployment in line with Law 2/2023, compliance officer designation or assumption of the function, and audit plan establishment.

Phase 4 — Maintenance: annual programme audit, board report, regulatory update, and management of channel reports received.

Phase 5 — Defence: if a criminal investigation is initiated, we represent the company before the Prosecutor and the Investigating Courts in Madrid, with capacity to litigate through to the National High Court.

Request an initial diagnostic meeting with our Madrid criminal compliance team. We will assess your current programme’s status, identify the most urgent gaps, and propose a concrete action plan. The consultation is free and confidential. Contact us through our Madrid office.

Regulatory Framework: Article 31 bis CP and Supreme Court Standards

Corporate criminal liability in Spain is governed by Articles 31 bis to 31 quinquies of the Organic Law 10/1995 Criminal Code (Código Penal), as amended by Organic Law 1/2015. The regime establishes direct criminal liability for the legal person for a closed catalogue of offences. The exemption from criminal liability requires the governing body to have adopted and effectively implemented, before the commission of the offence, an organisation and management model that includes adequate surveillance and control measures — the criminal compliance programme.

Organic Law 1/2015 introduced two distinct exemption pathways: the first applies when the offence is committed by the legal representatives or those acting on the company’s behalf (Art. 31 bis.2 CP); the second applies to offences committed by persons under the authority of those representatives (Art. 31 bis.4 CP), requiring additionally that those in authority failed to exercise adequate supervision. This distinction matters practically: the documentary standards required to demonstrate compliance differ for executive-level versus operational-level offences.

The UNE 19601 standard (published by AENOR in 2017) provides the technical specification for criminal compliance management systems and is recognised by the CNMC and the Spanish courts as a reference benchmark. ISO 37001 (anti-bribery management systems) and ISO 37301 (compliance management systems) complement UNE 19601 for internationally operating companies or those in sectors with elevated anti-bribery risk.

The Anticorruption Prosecutor and Madrid-Based Companies

The Special Prosecutor against Corruption and Organised Crime (Fiscalía Anticorrupción) is headquartered in Madrid and has nationwide jurisdiction to investigate and prosecute offences of corruption, fraud against public funds, tax offences with an amount exceeding EUR 120,000, and organised economic crime of particular significance. Cases investigated by the Anticorruption Prosecutor are tried before the National High Court (Audiencia Nacional) or its Central Investigating Courts — all located in Madrid.

The intensity of the Anticorruption Prosecutor’s activity creates specific risks for Madrid-based companies in sectors with elevated public contract exposure: construction, infrastructure, energy, defence, and technology services to the public administration. In these sectors, the combination of public procurement activity and the Anticorruption Prosecutor’s focus on bid rigging and corruption in public contracting makes a robust criminal compliance programme a genuine operational necessity.

Sectors Affected in Madrid

Construction and real estate development: bid rigging in public tenders, corruption in urban planning processes, and tax fraud through undeclared construction are the most prosecuted offences in this sector by the Anticorruption Prosecutor and ONIF.

Financial services and fintech: money laundering (Art. 301 CP) and terrorist financing (Art. 576 CP) remain the most frequently charged corporate offences in the sector. The FATF and Moneyval evaluations of Spain’s AML framework have led to intensified scrutiny of financial intermediaries.

Technology and data: cybercrime (Art. 197 bis and ter CP), fraud through information systems (Art. 248.2 CP), and data protection offences under Organic Law 3/2018 (LOPDGDD) create specific criminal risk for technology companies operating at scale.

Hospitality and retail: labour rights offences (Art. 311 CP), tax fraud through undeclared revenue, and consumer fraud (Arts. 281-282 CP) are the highest-frequency risk categories for companies in these sectors with Madrid operations.

Company Size Segmentation

SMEs with 50-249 employees are the target group for the Law 2/2023 whistleblowing channel obligation that entered into force on 1 December 2023. Many companies in this size range still lack a compliant channel. Fines of up to EUR 1,000,000 under Law 2/2023 apply to companies that fail to implement the channel or that obstruct whistleblower reporting.

Medium-to-large companies (250+ employees) require a full criminal compliance programme meeting the Art. 31 bis CP exemption requirements, including a compliance body with autonomous powers, documented training, an operational channel, and an annual audit. These companies are also typically within scope of the CSRD reporting obligations, where compliance governance is a required disclosure element.

Corporate groups present a specific challenge: criminal liability is assessed at the level of the individual legal entity, not the group. Each subsidiary with Spanish operations must have its own compliance programme adapted to its specific activity profile.

Common Mistakes We Fix

1. Treating the compliance programme as a legal department document. A compliance programme that lives in the legal department’s file and has never been communicated to employees, trained in, or integrated into operations does not meet the Art. 31 bis CP exemption standard. Courts look for evidence of genuine implementation: training attendance records, channel logs, audit reports, compliance body minutes.

2. Failing to adapt the programme to the company’s specific risk map. Generic, sector-agnostic compliance programmes that list all CP offences without prioritisation based on the company’s actual activity are regularly dismissed by courts as insufficient. The programme must identify the specific offences relevant to the company’s business and the specific control measures in place for each.

3. Appointing the compliance officer with insufficient autonomy. Art. 31 bis CP requires the compliance body to have autonomous powers of initiative and control and to be able to act independently of management on compliance matters. A compliance function reporting to the legal director or the CEO without a direct line to the board does not satisfy this requirement.

4. Not coordinating the criminal compliance programme with AML obligations. For obligated entities under Law 10/2010, the AML prevention programme and the criminal compliance programme cover overlapping territory. Running them as completely separate systems generates duplication, inconsistency, and gaps.

5. Updating the programme only after a regulatory change, not after an organisational change. New product lines, new geographies, new joint ventures, and senior management changes all alter the company’s criminal risk profile. Programmes that are updated only when legislation changes are frequently out of date relative to the company’s actual risk exposure.

Limitation Periods and Procedural Timeline

Criminal proceedings against legal persons in Spain are subject to the general prescription periods applicable to the offence charged, which run from the date the offence was committed. For serious offences (those carrying penalties of more than 5 years’ imprisonment for the equivalent natural person offence), prescription is 10 years; for less serious offences, 5 years; for minor offences, 1 year.

An investigation by the Anticorruption Prosecutor can last years before formal charges are brought. The existence of a robust, documented compliance programme is most valuable at the earliest stage of an investigation, when the Prosecutor is deciding whether to charge the legal person. Companies that can demonstrate immediately — with complete documentation — that a genuine compliance system was in place before the alleged offence can significantly reduce the probability of being charged or, if charged, can invoke the exemption or substantial mitigation under Art. 31 bis.2 or 31 bis.4 CP.

Corporate Criminal Defence: When the Investigation Arrives

When an investigation or criminal charge is initiated against a company or its directors in Madrid, the response in the first 48-72 hours is critical. The company’s legal representative must be designated before the investigating court or the Prosecutor, the compliance programme documentation must be immediately assembled and presented, and the company’s response strategy — cooperation, contest, or a combination — must be decided before any substantive contact with investigators occurs.

Our criminal defence practice in Madrid integrates the compliance advisory function with the criminal defence capacity. The lawyers who designed the compliance programme are the same lawyers — or work directly alongside the lawyers — who will defend it in court. This continuity is a material advantage: the programme designer knows every element and can explain and defend every decision. External defence counsel who encounter the programme for the first time when a charge arrives are inevitably at a disadvantage relative to those who helped design it.

We represent companies and their directors before: the Central Investigating Courts (Juzgados Centrales de Instrucción) in Madrid for Anticorruption Prosecutor cases, the National High Court (Audiencia Nacional) for cases of particular national significance, the Madrid Provincial Court (Audiencia Provincial) for standard corporate criminal cases, and the Madrid Criminal Courts (Juzgados de lo Penal) for minor offences. We also manage voluntary cooperation processes with the Prosecutor where this strategy — combined with programme evidence — maximises the probability of avoiding charges or securing the mitigating factors established in Art. 31 bis.4 CP.

CSRD and Criminal Compliance: the Emerging Intersection

The Corporate Sustainability Reporting Directive (CSRD, EU Directive 2022/2464), transposed into Spanish law with obligations applying from 2024 (large public-interest entities) and extending to medium companies from 2026, requires companies to disclose information on governance, risk management, and compliance governance. The CSRD reporting standards (ESRS — European Sustainability Reporting Standards) include specific requirements for anti-corruption and anti-bribery policies (ESRS G1), whistleblowing channels, and the existence of compliance programmes.

For Madrid-based companies subject to CSRD reporting, the criminal compliance programme is no longer purely a criminal law matter — it is also a sustainability disclosure element. A programme that does not meet Art. 31 bis CP standards will generate adverse CSRD disclosures that affect the company’s ESG ratings and its access to sustainable finance instruments. We advise on the coordination between criminal compliance programme design and CSRD governance disclosure requirements, ensuring that both objectives are met with a single integrated system.

Initial Diagnostic: What the First Meeting Covers

The initial diagnostic meeting with our Madrid criminal compliance team is structured to give the company a concrete, actionable assessment within the first session. We cover: the company’s current compliance programme status (documented review of existing documentation, if any), the most relevant offence categories for the company’s sector and activity, the whistleblowing channel implementation status against Law 2/2023 requirements, the compliance officer function status and its independence from management, and the main gaps identified relative to the Art. 31 bis CP exemption standard.

The outcome of the initial meeting is a gap report with a prioritised action plan and timeline. We distinguish between critical gaps that require immediate remediation (typically: absence of a whistleblowing channel, absence of a compliance body, and absence of training records) and improvements that can be addressed over a 6-12 month implementation plan. The initial consultation is free of charge and confidential. Contact us to arrange the meeting at our Madrid office or by video conference for companies based outside Madrid.