Internal Investigations: From Whistleblower Report to Legally Sound Findings
Independent internal investigations triggered by whistleblower reports (Law 2/2023), workplace harassment, fraud, bribery, and data breaches — forensic methodology, digital chain of custody, and criminal coordination.
How we work
Complaint activation and triage
On receipt of a communication — through the whistleblowing channel (Law 2/2023), internal audit, or any other route — we assess its credibility, gravity, and urgency. We designate the appropriate investigation team based on the type of alleged conduct (fraud, harassment, bribery, data breach) and immediately implement necessary precautionary measures: log preservation, access suspension, or functional separation of the subject when the nature of the facts justifies it.
Investigation plan and evidence custody
We draft the Investigation Plan covering scope, resources, timelines, and the evidence custody protocol. Forensic preservation of digital evidence — emails, access logs, documents in management systems, communications data — is conducted to ISO/IEC 27037 standards and the Council of Europe Electronic Evidence Guide, ensuring chain of custody from the outset. We formally document the start of the investigation with a dated record to fix the temporal reference in any subsequent litigation.
Interviews and document review
We conduct structured interviews with the reporting party, witnesses, and — at the appropriate stage of the process — the subject under investigation, under protocols that preserve the rights of all parties: confidentiality of the reporting party (arts. 16 and 17 of Law 2/2023), due process rights of the subject, and the investigation team's duty of confidentiality. We review all relevant documentation — contracts, invoices, access records, internal communications — and cross-reference documentary findings with witness accounts.
Final report and recommendations
We issue a Final Investigation Report setting out the factual findings, legal analysis of the conduct identified, gravity assessment, conclusions on whether the reported facts are substantiated, and concrete action recommendations — disciplinary measures, criminal or employment escalation, internal control improvements, or compliance programme enhancements. The report is drafted to withstand judicial scrutiny if the matter proceeds to litigation.
The challenge
A whistleblower report received through your internal channel, an internal audit alert, or a harassment complaint activates a legal obligation that most companies are unprepared for — the independent, rigorous, and fully documented internal investigation. If the investigation is conducted without forensic methodology, without procedural guarantees for both the reporting party and the subject, or without coordination between legal, employment, and criminal counsel, the findings will not withstand scrutiny in court, and the company may face additional liability for procedural violations.
Our solution
We design and execute the full internal investigation process — complaint activation and triage, investigation plan with forensic digital evidence preservation, structured interviews with procedural guarantees, thorough document review, and a final investigation report with legal conclusions and remediation recommendations. We coordinate the decision on criminal or employment escalation and provide expert witness opinion if the investigation leads to litigation.
Corporate internal investigations are the structured process by which a company examines, with legal and forensic methodology, the facts reported through its whistleblowing channel (Spanish Law 2/2023, transposing EU Directive 2019/1937) or detected through any other internal control mechanism — internal audit, compliance alerts, cybersecurity incidents, or ad hoc reports. Their proper execution is a requirement of an effective criminal compliance programme under article 31 bis of the Spanish Criminal Code and a standard demanded by Supreme Court jurisprudence for the programme to exempt or mitigate the criminal liability of the legal person.
Internal investigations under Law 2/2023: the difference between processing a report and genuinely investigating it
Spanish Law 2/2023 of 20 February on the protection of persons who report regulatory breaches — transposing Directive (EU) 2019/1937 of the European Parliament and of the Council — establishes specific procedural obligations for the responsible person of the Internal Information System: acknowledgement within 7 calendar days, resolution or report within 3 months (extendable to 6 months in complex cases). But the law goes further than timelines: it requires that reports be investigated genuinely and effectively, regardless of outcome. Companies that acknowledge receipt and archive reports without investigating are technically non-compliant and run the risk that the AIPI — the Autoridad Independiente de Protección del Informante created by the same law — classifies the conduct as obstruction, a very serious infringement carrying fines of up to EUR 1,000,000.
The most common error we encounter in audits of internal information systems is the confusion between administrative processing of a complaint (assigning a reference number, sending acknowledgement, closing within the deadline) and the real investigation of the reported facts. A whistleblowing channel that processes formally but does not genuinely investigate is a system that does not serve the purpose for which it was designed: detecting and correcting irregularities before they cause greater harm, and documenting that the compliance programme works in practice.
Digital chain of custody in corporate investigations: why without it evidence does not hold up in court
Most corporate irregularities leave a digital trail — emails, messages on corporate messaging applications, access logs to financial systems, transfer records, documents in document management systems. Digital evidence is fragile: it can be modified, deleted, or overwritten without leaving any visible trace. If the company does not act quickly and with the right methodology at the moment the irregularity is detected, the most relevant evidence may disappear irreversibly.
The digital chain of custody is the set of procedures that guarantee the authenticity, integrity, and reliability of electronic evidence from its identification through to its eventual presentation before a court. In practice, this means applying the ISO/IEC 27037:2012 standard — generating a cryptographic hash of each file at the moment of acquisition, maintaining a reliable record of the date and time of acquisition, storing evidence in write-protected systems with audited access controls, and maintaining detailed documentation of the status of each item of evidence at every stage of the process.
Without a properly documented chain of custody, the subject under investigation — or, in a subsequent criminal process, their defence — can successfully challenge the authenticity of the digital evidence presented, arguing that it may have been altered or fabricated after the relevant events. This challenge, if successful, can collapse the entire investigation. Our evidence preservation protocol is activated within the first hours of the investigation, before any interviews or document review that might alert the subject.
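The acquisition-time hash, timestamp and per-stage custody record described above, as an added Python example that is not part of the original page; it goes slightly beyond the text by hash-chaining each custody event to the one before it, so that the log itself is tamper-evident. The evidence bytes, item id and custodian names are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: a few lines of a fictitious ERP access log,
# standing in for the files an investigator would image and preserve.
SAMPLE_EVIDENCE = (
    b"2024-03-04T08:12:05Z user=jdoe action=EXPORT table=payments rows=4120\n"
    b"2024-03-04T08:13:41Z user=jdoe action=DELETE table=audit_trail rows=37\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stamp(ts=None) -> str:
    # ISO-8601 UTC timestamp; a fixed ts is used in demo() for reproducibility.
    return (ts or datetime.now(timezone.utc)).isoformat()


def acquire_evidence(item_id, data: bytes, custodian, ts=None):
    """Custody record created at acquisition: hash, time, size and collector."""
    record = {"item_id": item_id, "acquired_at": _stamp(ts), "custodian": custodian,
              "size": len(data), "sha256": sha256_hex(data), "events": []}
    return append_event(record, "acquired", custodian, ts)


def append_event(record, action, actor, ts=None):
    """Append a custody event whose hash also covers the previous entry,
    so rewriting or removing an earlier entry breaks the chain."""
    prev = record["events"][-1]["entry_hash"] if record["events"] else record["sha256"]
    event = {"at": _stamp(ts), "action": action, "actor": actor, "prev": prev}
    event["entry_hash"] = sha256_hex(json.dumps(event, sort_keys=True).encode())
    record["events"].append(event)
    return record


def verify_integrity(record, data: bytes):
    """Re-hash the evidence and walk the custody chain. Returns (ok, reason)."""
    if sha256_hex(data) != record["sha256"]:
        return False, "evidence hash mismatch: content altered since acquisition"
    prev = record["sha256"]
    for i, ev in enumerate(record["events"]):
        body = {k: v for k, v in ev.items() if k != "entry_hash"}
        expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
        if ev["prev"] != prev or ev["entry_hash"] != expected:
            return False, f"custody log broken at event {i} ({ev['action']})"
        prev = ev["entry_hash"]
    return True, "evidence and custody log intact"


def demo():
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    rec = acquire_evidence("EV-001", SAMPLE_EVIDENCE, "forensic.analyst", t0)
    append_event(rec, "sealed in write-protected store", "forensic.analyst", t0)
    append_event(rec, "released to external counsel", "investigation.lead", t0)
    intact = verify_integrity(rec, SAMPLE_EVIDENCE)
    altered = verify_integrity(rec, SAMPLE_EVIDENCE.replace(b"DELETE", b"SELECT"))
    rec["events"][1]["actor"] = "someone.else"  # rewrite history in the log
    log_broken = verify_integrity(rec, SAMPLE_EVIDENCE)
    return intact, altered, log_broken
```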
Internal investigation to criminal proceedings: managing the transition without destroying evidence
When an internal investigation reveals facts that may constitute a criminal offence, the company faces one of the most complex decisions in corporate law — whether to file a criminal complaint with the judicial authorities, the optimal timing, and how to preserve the evidence generated during the internal investigation so that it is admissible as documentary evidence in criminal proceedings.
The most frequently detected corporate offences in internal investigations in Spain include unfair administration (art. 252 CP), misappropriation (art. 253 CP), fraud (art. 248 CP), tax offences (arts. 305 et seq. CP), active and passive commercial bribery (arts. 286 bis et seq. CP in the private sector, arts. 419 et seq. CP where public officials are involved), and money laundering (art. 301 CP).
The coordination between the internal investigation and criminal proceedings raises real tensions. The internal investigation is not a process governed by criminal procedural guarantees — the subject does not have the right to remain silent in the procedural sense, nor the right to assigned defence counsel — and if materials from the internal investigation are used in criminal proceedings without adequate precautions, they may be challenged as unlawfully obtained evidence and excluded. Our team, with the participation of Raúl Herrera García as Of Counsel, designs the coordination protocol between the internal and judicial phases to maximise the usefulness of the evidence obtained and minimise the risk of procedural nullities.
Rights of the investigated party and the reporting party: the balance that determines judicial viability
An internal investigation is designed to find the truth of the facts, not to confirm the guilt of someone management has already decided is responsible before any evidence has been reviewed. This principle, obvious as it sounds, is frequently violated in corporate investigations that are implicitly oriented towards confirming a predetermined conclusion.
From the reporting party’s perspective, Law 2/2023 establishes robust protection under articles 16 and 17: absolute confidentiality of identity, an express prohibition on retaliation, and a legal presumption that any subsequent adverse measure — dismissal, change of working conditions, exclusion from promotion — is retaliation unless the employer proves otherwise. This reversal of the burden of proof is significant: in practice, the company must document that any measures adopted in respect of the reporting party have an objective cause entirely independent of the report. Management personnel who take adverse measures against a reporting party may incur personal liability in addition to corporate liability.
From the investigated party’s perspective, the principles of contradiction and fair hearing require that they be informed of the facts attributed to them at the appropriate stage of the process and given a genuine opportunity to present their account and supporting evidence before any conclusions are reached. If disciplinary measures — suspension with or without pay, dismissal — are adopted without following the procedure required by the Workers’ Statute (art. 55 ET for disciplinary dismissal) and without respecting the employee’s rights, the measures will be void or unfair as a matter of employment law, regardless of whether the investigated conduct is real and serious.
Internal investigations in the art. 31 bis CP criminal compliance programme: Supreme Court jurisprudence
Article 31 bis of the Spanish Criminal Code, as amended by Organic Law 1/2015, provides that the legal person shall be exempt from criminal liability if, prior to the commission of the offence, it adopted and effectively implemented organisational and management models that include supervisory and control measures adequate to prevent offences of the same type or to significantly reduce the risk of their commission.
The jurisprudence of the Spanish Supreme Court — particularly STS 154/2016 of 29 February and the subsequent judgments building on it — has defined the requirements a compliance programme must meet to have exempting effect: identification of activities within which the offences sought to be prevented may be committed (criminal risk map); protocols or procedures governing the decision-making process of the legal person; financial resource management models adequate to prevent criminal financing; obligations to report potential risks and breaches to the supervisory body; a disciplinary system that adequately sanctions non-compliance with the measures established in the model; and periodic review of the model with modification where relevant breaches are identified or where changes in the organisation, control structure, or activity so require.
The sixth requirement — periodic review and modification where relevant breaches are detected — is precisely where internal investigations fit. A compliance programme that has never investigated anything, that receives reports and archives them without consequence, is not conducting periodic reviews or modifying its model in response to detected irregularities. This deficiency, documented in the court file, is sufficient for a court to conclude that the programme is a formal document without operational substance, and to deny the exemption.
Sectors with heightened internal investigation exposure
Certain sectors present an elevated risk profile that makes internal investigations more frequent and more complex:
Financial and insurance sector. Entities regulated by the Banco de España and the CNMV are required to maintain robust internal control systems. DORA (Regulation (EU) 2022/2554) adds specific incident management and notification obligations. Internal investigations involving fraud, money laundering, market manipulation, or insider trading require coordination with the CNMV and, frequently, the Anticorruption Prosecution Service.
Construction and public contracting. Bribery in public tender processes (art. 286 bis CP and arts. 419 et seq. CP), misappropriation of funds in publicly financed contracts, and irregularities in cost management in works projects are the most frequent risk vectors. Investigation requires forensic analysis of cost accounting and procurement processes.
Multinational groups operating in high-risk jurisdictions. The US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act impose extraterritorial obligations on companies with relevant nexus to their jurisdictions, with internal investigation standards more demanding than those of Spanish law.
Healthcare and pharmaceutical sector. Conflicts of interest in relationships with healthcare professionals, incentives in pharmaceutical prescribing, and irregularities in clinical trials are areas of particular sensitivity, with AEMPS oversight and criminal liability risk under art. 286 bis CP.
Engagement models
The internal investigation service is offered under two engagement models:
Fixed-fee investigation. For investigations of defined scope — a specific complaint, bounded facts — we provide a fixed-fee proposal covering all phases: triage, investigation plan, evidence preservation, interviews, analysis, and final report. The fee is established following an initial scoping meeting, at no cost to the company.
Retainer service. For companies with high complaint volumes or a need for rapid response capability, we offer a retainer arrangement guaranteeing investigation team availability within a maximum of 24 hours of activation, with a monthly fee covering an agreed number of hours and reduced rates for excess work. This model is most suitable for companies where BMC manages the outsourced whistleblowing channel, integrating channel management and internal investigation into a single coordinated process.
In either model, where the investigation requires specialised digital forensic analysis — disk imaging, RAM analysis, mobile device examination — we coordinate with specialist providers in our network under specific confidentiality agreements and service levels established for corporate environments.