Start of main content

El Economista: Criminal compliance, a programme tailored to each company

| News | Corporate Compliance

Iñaki Planas and Esmeralda Iranzo analyse the recent changes in Spanish law relating to the criminal liability of legal persons

Spanish law is undergoing a genuine revolution with regard to the criminal liability of legal persons. Lawmakers and courts are currently applying concepts and doctrines that were unthinkable in Spanish criminal law until only a few years ago. Scandals such as the case of Volkswagen and the emissions of its cars have accelerated the incorporation of US/UK practices into the Spanish compliance system, which will be accepted over the medium term by courts in order to assess the effectiveness of a crime prevention plan. The damages for the German car giant amount to 22.6 billion euros, with the company pleading guilty to several charges and accepting the appointment of an independent monitor, Larry Thompson, former U.S. Deputy Attorney General under President George W. Bush, to supervise the company for at least three years.

There are two key elements that a judge or, as the case may be, a public prosecutor if responsible for the judicial investigation, as is the case in the US model, will take into account when determining whether the criminal compliance programme has worked: the existence of an effective compliance programme and cooperation with the authorities. Spain will eventually accept the “all or nothing” principle, whereby the company either provides “all” the information on its investigations with regard to “all” the possible persons involved or it will receive “nothing” as cooperation credit when a crime has been committed in the company.

In the US, the Yates Memo, a guide for federal prosecutors, details what is understood by cooperation: (i) the company must disclose all relevant facts about individual misconduct; (ii) the company must identify all individuals involved in or responsible for the misconduct at issue, regardless of their position, status or seniority; (iii) the company must provide all facts relating to that misconduct. The Department of Justice or the judge will value factors such as the timeliness of the cooperation, the diligence, thoroughness and speed of the internal investigation and the proactive nature of the cooperation.

The result will be that the legal person is considered a police force within the organisation with the requirement to carry out diligent and thorough investigations focusing on identifying the persons responsible and obtaining evidence so as to remain free from criminal liability after an offence has been committed within the company.

As the compliance programme is specific to a particular company, we like to describe it as a “tailored” programme. The guidelines and criteria implemented in one company cannot be generically applied to another company, even one from the same sector. That is the first error to be avoided: each compliance and crime prevention programme must analyse the company in detail, and the person drafting the prevention plan must have comprehensive knowledge about the company.

In order for a programme to be considered as tailored, it will be necessary to have the new UNE Standard that the Spanish Association of Standardisation and Certification is currently processing. From what we have gathered to date, the new UNE 19601 contains essential parameters that a crime prevention programme must contain, without which the programme may not be described as tailored, but rather empty promises that might be sold by those who lack the appropriate specialisation and training.

The backbone and key component of a compliance programme is the Code of Ethics, which will be the utmost expression of the values and principles that must be respected, both by the components of the entity and by the agents related to it.

The second key element is the entity’s Compliance Policy, in which its governing bodies must state their commitment to establishing the appropriate mechanisms to avoid the existence of conduct resulting in regulatory breaches, corrupt practices or any other conduct that might be considered unlawful, as well as its intolerance of any lack of ethics or poor professional conduct.

The third element on which a compliance programme must focus, from what we know to date about the UNE 19601 standard, is risk identification. It is essential to draw up a documented inherent risk matrix specifying the criminal offences that the legal person might commit, bearing in mind the departments in the organisation, the probability of the risks arising in the organisation and the impact that they would have.

Once the risks have been identified and the inherent risk matrix has been drawn up, it will be time to establish the fourth element, which is made up of the essential controls for preventing those risks from arising in the organisation. This will inevitably lead us to a residual risk matrix for our organisation.

The fifth element will be the necessary training for both the company’s executives and its employees in order to learn about the protocols and policies that have been implemented. Lastly, the sixth element will be the complaints channel, which is essential for guaranteeing transparency and the management’s commitment to the crime prevention programme.

In conclusion, we can state that compliance programmes which do not have measures taken in accordance with the elements presented above will not be specific and exclusive for an organisation, and will not therefore be able to fulfil the intended objective: ethical compliance, regulatory compliance, and the two possibilities resulting from the latter, avoiding or paying reduced penalties.


For further information, please contact:

Iñaki Planas

Esmeralda Iranzo

End of main content