
Intrusiveness in the implementation of Compliance Programs


Benjamín Prieto and Elena Aupí analyse, in Diario la ley, what skills a professional who prepares a Compliance Program must possess and explain that a lack of such skills can turn the person who prepares it into a real intruder in the field.

The reform of the Penal Code by Organic Law 5/2010 of June 22nd introduced, for the first time in Spanish law, the criminal responsibility of legal persons when, within the Organization, their employees or administrators committed certain crimes that could bring some direct or indirect benefit to the legal person.

This liability regime was amended by 30th March Organic Law 1/2015, which introduced in article 31 bis (2) of the Criminal Code, the exemption from criminal liability for those legal persons that had adopted an organizational and management model that included surveillance and control measures suitable to prevent or reduce the risk of committing the crimes, provided that:

  1. In addition to the development of this organizational and criminal risk management model, it would have been effectively executed or implemented within the Organization. 
  2. An autonomous and independent body has been designated within the company to supervise and control the model. 
  3. This compliance body has not omitted or insufficiently exercised its supervision, monitoring and control functions. 
  4. The employee who committed the offence did so by fraudulently evading the controls effectively in place. 

The intention behind this regulation is clear: to allow those Organizations that have taken on the real commitment to mitigate the risk of committing crimes in their company and have implemented effective compliance standards, known by their employees and diligently supervised, to avoid criminal prosecution, despite the fact that some of their members may, on some occasion, manage to circumvent compliance with any of the existing controls. 

In turn, the Penal Code has provided in articles 31 bis 2 in fine, the possible mitigation of the penalty when the legal person proves the above circumstances only partially, which will happen, for example, when the Organization has implemented an effective Compliance Program, but failures in monitoring and control are detected. Similarly, Article 31c of the Criminal Code provides for the mitigation of the penalty for those legal entities that, although at the time a crime was committed by an employee they had not developed a Compliance Programme, they had designed and implemented it effectively before the start of the trial.

With respect to the requirements that a Compliance Program must meet for this exemption from liability to operate, Article 31 bis. 5) of the Penal Code provides that:

  • It will identify the activities in the context of which the crimes to be prevented may be committed.
  • It will establish the protocols or procedures that specify the process of formation of the will of the legal person, of adoption of decisions and execution of the same in relation to them.
  • It will have models for the management of adequate financial resources to prevent the commission of the crimes to be prevented. 
  • It will impose the obligation to report possible risks and non-compliance to the body responsible for monitoring the operation and observance of the prevention model. 
  • It will establish a disciplinary system that adequately sanctions the failure to comply with the measures established by the model.
  • It shall periodically verify the model and any changes to it when relevant breaches of its provisions become apparent, or when changes occur in the organisation, control structure or activity carried out that make this necessary.

Circular 1/2016 of the Attorney General's Office deepens the analysis of the criminal liability of legal entities and sets guidelines for the configuration of Compliance Programs, establishing that they must also be an indispensable mechanism for establishing a true corporate culture of compliance within the company. This requires that the Program necessarily includes:

  • A Compliance Policy that reflects the Organization's zero tolerance for criminal acts within the company and its commitment to compliance with the Compliance Program.
  • A training plan for employees and managers that allows them to properly understand what the Compliance Program is, what it is for, what their obligations are as employees and how they can properly carry them out. 
  • The development of procedures that, in addition to preventing crimes, make it possible to detect criminal conduct and provide the Compliance Body with the appropriate means to be able to react diligently to such conduct.

With this legal regulation, innumerable legal operators have launched themselves into the market to offer their services to implement Compliance Programmes, not only law firms (which sometimes do not have real specialists in the field), but also auditors, criminologists, advisors, etc., many of whom are not qualified to draw up a Compliance Programme, becoming impostors that the businessmen who hire their services are unable to detect.

Let's make it clear that in order to implement a Compliance Program it is essential to have in-depth knowledge of criminal law, both in its substantive and adjective aspects, and very specifically of the criminal liability of the legal entity.

It is evident that a Compliance Program has benefits that go far beyond the mere avoidance of criminal responsibilities, since it will allow the company to have a better knowledge of itself, enabling it to improve its management and control systems. It should also be taken into account that Article 529 3rd. of 2nd July Royal Legislative Decree 1/2010, which approved the revised text of the Law on Corporations, establishes that one of the non-delegable powers of the Administrative Body is to determine the risk control and management policy. The implementation of a Compliance Programme will therefore be indispensable for the Administrative Body to be able to shield itself from those corporate liability actions that, in the event of a criminal conviction of the legal entity, could be exercised by the shareholders or members with the aim of recovering from the Administrative Body the damages arising from the conviction that, with due diligence, could have been avoided.

An adequate Compliance Program will allow the company to obtain insurance with lower premiums, because the insurance companies are aware that a company that has implemented a Compliance Program has a higher willingness to comply with regulations than one that does not have one, and statistically it will be less likely to have a compensable loss. For the same reason, the implementation of a Compliance Program generates greater trust in the company by the banks, allowing them to access certain lines of financing more easily. 

Increasingly, the Administration "rewards" companies that have Compliance, and in certain tenders, having the Risk Management Program gives the company additional points. Similarly, it will be easier to access subsidies and public aid for those companies that have shown their commitment to regulatory compliance. Finally, when the Administration sanctions in administrative proceedings, it positively values that the company has implemented a Compliance Program, reducing in these cases the sanction finally applied.

On the other hand, many large companies and multinationals require their suppliers to have a compliance program in place or, if not, force them to take on their own (with the negative consequences of having to accept the compliance of a third party because they have to accept certain unexpected contractual conditions). Similarly, criminal due diligence is becoming increasingly frequent in company transformation and merger procedures, as article 130.2 of the Criminal Code establishes that in these cases criminal liability will be transferred to the entity or entities into which the Organization is transformed. If the company or companies to be transformed, absorbed, or merged had a Compliance Program, the contingencies resulting from such Due Diligence would be considerably reduced, thus facilitating the viability of the business restructuring operation.

All this, without counting on the prestige before the market, employees, customers, and public opinion of those companies that show a clear commitment and willingness to comply with regulations with respect to those that do not.

But all things considered, the goal that a proper Compliance Program should protect is to enable the company to avoid criminal liability if necessary. And this is where the preparation of those who implement these Compliance Programs is crucial, because without the knowledge mentioned above, we will be building a giant with feet of clay, and it is necessary to avoid the so-called "make up compliance", or make-up Compliance Programs, which are not a real tailor-made suit for the company but a crude appearance of regulatory compliance.

It is necessary to design a Compliance Program that takes into account both the substantive criminal law that affects the company (to collect all possible conducts that the company, given its activity and organizational structure, may commit and that have criminal implications) and the adjective criminal law (given that, if it is finally necessary to resort to criminal proceedings, the Compliance Program must have foreseen it in order to achieve the objective of exoneration from liability).

1. The importance of knowledge of substantive criminal law for the development of a Compliance Program.

Although value can be added to Compliance Programmes from all professional fields and sectors of activity, not all these professionals are qualified to offer among their services the complete design of Criminal Compliance Programmes and their translation into Management Systems, as we cannot lose sight of the fact that the essential core and starting point of any Programme must necessarily be approached from a strictly legal-criminal perspective. 

In this way, the preparation of a Criminal Compliance Program implies carrying out a task of anticipation of all those criminal conducts whose risk of commission is inherent to the activity or organizational structure of the company, a task that can only be adequately carried out by those professionals who have exhaustive knowledge of the catalogue of crimes that can generate criminal liability for the legal entity, as well as the assumptions of the typology of each of these crimes. 

Although the guarantee function of criminal law requires that criminal conduct be written in a language that is understandable to all citizens, the truth is that the legislator has to provide a legal response to an increasingly complex reality, where the ways of committing crimes are reinvented and the means used to do so are increasingly sophisticated. In this sense, the Criminal Code has been evolving to become an incredibly detailed compilation of crimes, in some cases including technical concepts, which are difficult to understand for those not specialized in the subject. 

Similarly, the generality or ambiguity of some of the terms used by the legislator has required the courts to clarify and nuance many of the elements that make up criminal law. It is essential to be familiar with this jurisprudence to be able to discern which behaviour developed within an organization may have criminal relevance, with respect to those that simply constitute administrative infractions or contractual breaches. 

It seems clear that criminal lawyers have an advantage over other types of professionals: their experience in the field and in the handling of criminal matters allows them to know in advance what is the relationship of potential criminal risks linked to the specific activities of the company and its departmental areas. This knowledge is also an instrumental guide for verification that is extremely useful in the development of the investigation.

This research work requires that the professional who designs the Compliance Program does an immersion in the company, gathering all the necessary documentation to obtain a deep knowledge of the activities that the Organization develops, the procedures or controls with which it works and the structure of operation and decision making that it has implemented. All the information obtained must, in turn, be analysed to determine what scope the Compliance Programme must have in order to be effective and on what aspects personal interviews must be held with those responsible for the departmental areas and all those workers who participate in the Organisation's decision-making. 

During these interviews, employees often redirect the conversation to business issues that concern them or affect their job, but that are not necessarily related to the Criminal Compliance Program. If the professional who is going to prepare the Program is capable of visualizing, with all the information gathered, the potential risks that may occur in each of the Organization's work areas, he or she will be able to ask the right questions during the interview, orienting it towards the specific objectives of the Program and adequately discriminating the information obtained, in order to confirm the risks that must be mitigated and to classify those that are less than low risk as remote.

In turn, all information obtained as a result of the interviews and documentation provided by the client must be recorded in the Compliance Program's record of documented information, which requires the subsequent preparation of an analysis compiling the risks identified and assessing the risk of each crime.

The preparation of the various risk events requires careful work on location and wording adapted to the specific characteristics of each crime, given that these risk events will determine the content and prioritisation of the controls and protocols to be implemented by the company. 

For example, the professional who develops a Compliance Program must be able to distinguish when the identified crime risk responds to a mere activity crime or an outcome crime. The difference is important, given that the advancement of the punitive barrier in crimes of activity or abstract danger, such as environmental crimes, requires giving priority to the development of its control protocols, given that it is not necessary for any injury to occur for the crime to be understood as completed. 

Similarly, when defining a risk event, the professional must know in advance what crimes contemplate its possible commission due to serious negligence. This will avoid the mistake of describing reckless conduct in relation to offences that do not expressly provide for that modality, as is often the case, for example, with offences against public health, where the Criminal Code does provide for the reckless modality, but the liability of the legal person does not extend to it. 

At the same time, knowing which crimes admit the imprudent modality will make it possible to design an adequate control for the mitigation of the risk, since these crimes demand the implementation within the Organization not only of a policy of prohibitions, but also of specific guidelines for suitable action to avoid any negligence in this respect. A good example of this can be found in the crimes of money laundering and financing of terrorism, with respect to which, even in cases where the customer is not a taxable person under Law 10/2010 of April 28th, the Prevention of Money Laundering and Financing of Terrorism Act, it is always advisable to develop a policy that ensures that employees are aware of what these behaviours consist of and thus prevent the company's services from being used by third parties for such purposes.

It is also especially important to ensure that the risk event that is drafted coincides with the elements of the crime under which it is classified. This is a common error when the professional who prepares the Compliance Program does not know the differences between similar criminal modalities or does not know how to distinguish the protected good in each one of them. Thus, for example, not every scam committed through deceptive advertising will be a crime of misleading advertising, nor will every crime of unauthorized use of seized property also be a crime of misappropriation.

On the other hand, in order to produce a complete criminal risk identification and analysis report, it is necessary to master the general provisions on offences, persons responsible, penalties, security measures and other consequences of the criminal offence regulated by Title I of the Criminal Code. 

Thus, for example, in order to avoid gaps in the risk identification report, it is necessary for the professional to be aware of the different types of concurrence of crimes and which concurrences are usually the most common, especially if there is a non-jurisdictional plenary agreement of the Second Chamber of the Supreme Court in this respect, as happens, for example, with the concurrence between tax crime and the crime of money laundering.

Similarly, all forms of participation in a crime should be covered, not only those in which the employee acts as a perpetrator. The possibility of commission by induction is very frequent in those companies that carry out advisory work for clients. 

Once all the risks have been identified, it is necessary to assess the likelihood and impact of the risks to calculate the risk posed by the crime within the Organization. While there is no single system of calculation, it is essential to know the typology of penalties applicable to both legal and natural persons to weigh up the impact that each crime could have on the Organization properly. Similarly, failure to detect a specific risk in any area of the Organization will result in an erroneous calculation of the probability of the commission of that crime and its impact on the Organization, which may affect both the content of the mitigating controls and the time frame for their implementation.

The professional who prepares a Compliance Program must also be able to detect within the company which controls are effective in mitigating specific risks in the procedures already implemented. Again, knowledge of the elements of each of the offences is fundamental to understand when a control covers the entire risk-generating event.

Finally, the professional who prepares the Programme, once it has been drawn up, must provide adequate training to both the governing and management bodies and the employees of the Organization so that they understand the importance of their commitment to the Programme and the role they must play in this regard. In-depth knowledge of criminal law is essential to establish a true culture of compliance within the Organization, ensuring that this training is effective for the purposes of the Program, i.e. that all employees understand what criminal liability is for the legal entity, what criminal behaviour their team could potentially commit and how they can identify them. In addition, the professional must be trained to resolve during the training all doubts that may arise regarding the criminal relevance that certain forms of work or business practices may have.

In short, only an expert in criminal law with up-to-date knowledge of the state of affairs will know how to determine precisely, when drawing up the Compliance Programme of a particular company, which specific behaviours are likely to be criminalised (given its activity, clientele, specific characteristics, organisation, etc.) and can potentially be carried out, in order to introduce the specific controls that mitigate such risks. The development of Compliance Programs by those who lack expertise in criminal law can only be described as intrusive.

2. The importance of knowledge of the criminal process for the development of a Criminal Compliance Program.

Those professionals who prepare Criminal Compliance Programs must also be familiar with the rules of criminal procedure ("CCP"), since it cannot be forgotten that the ultimate aim of any Criminal Compliance Program is precisely to ensure that the legal entity is declared exempt from liability when it is called upon to take part in criminal proceedings. This requires that all the documents that make up the Compliance Programme are drawn up in such a way that they can serve this purpose.

In this way, when the documents of the different phases of the Programme are designed and a register of documented information is established, it is essential to draw it up without losing sight of the fact that all this documentation may be used as evidence in criminal proceedings in the future. 

When the professional who prepares the Program forgets this aspect and prepares the Program for the sole purpose of serving the internal functioning of the Organization, or to undergo certification, he or she may make important mistakes, such as the lack of traceability of the actions, because an investigation procedure has not been documented; or errors in the structuring of the documentation, forcing the Organization to contribute internal information to the procedure that is not directly related to the cause; or even to face the dilemma of not being able to present documentation that proves the adequate preparation and implementation of the Program within the Organization because such documentation contains some element that may be detrimental to the company itself or to some of the individuals who are part of it.

Similarly, in order to adequately prepare procedures aimed at detecting and investigating criminal conduct, the professional has to be fully aware of the legal and jurisprudential requirements that must be met in order for an investigation to be valid evidence in criminal proceedings. This requires that such procedures adequately determine which rights will assist complainants and persons concerned during the development of the investigation, as well as which investigation mechanisms may invade workers' rights and, therefore, must be known and previously agreed to by the employees, as is the case, for example, with the investigation of the content of computers, corporate mail or any mass storage device of information. 

Furthermore, this knowledge of criminal procedure is essential for the professional who writes the Programme to be able to inform the Organization of the legal framework of the legal proceedings in which it may be involved. The preparation of a Compliance Programme requires providing the client with information on which crimes may be committed, or what the liability regime of legal entities is, but also information on certain procedural assumptions, such as the legality of entries and searches in the company and how to act in such a situation, or the specific rights that make up the procedural status of legal entities in the framework of an investigation.

On the other hand, there are many other aspects that must be configured when drawing up the Compliance Programme, bearing in mind the impact that its contribution to the criminal proceedings in progress may have on the future of these proceedings. 

Therefore, those professionals who are experts in criminal procedures know that one of the first requirements to be carried out in a court of law will be to identify the person directly responsible for the control or protocol, which will oblige the Program to incorporate an adequate distribution of roles and responsibilities, at the risk that the Organization will not have the means to justify an adequate fulfilment of the supervision and control tasks.

In the same way, the evaluation and prioritization of risks must be built on a logical system, with clear and determined variables that can be defended before a court. Not taking this into account can lead to incorporating into the Program calculations of risk made by computer systems that have not been developed by the professional himself or whose variables are not known, and which are therefore impossible to justify in the framework of a criminal procedure.

Once again, the lack of expertise in criminal procedural law by those who develop Compliance Programs will cause the Program to suffer from defects that, in the course of criminal proceedings, could be lethal for the company under investigation.

3. Conclusion

In short, the professional qualification of those professionals who draw up a Compliance Programme will determine its effectiveness in serving as an element to exonerate the legal entity from criminal liability, because such a Programme will be adequate to meet the objectives of the Compliance Programme. 

The first and most immediate, although certainly not the only one, is the Programme's capacity to adequately prevent the commission of crimes within an organization, which requires that the experience and knowledge of the professional who is going to prepare it should include adequate handling of criminal legislation in order to correctly identify and restrict criminal risks, on which the relevant controls and procedures should be established.

The second, and end goal of the Programme, is the exemption of the legal entity from criminal liability, or at least the mitigation of the penalty, through a correct design and execution of the Compliance Programme within the Organization. Knowledge of the Criminal Prosecution Law, and in particular familiarity with the dynamics of criminal proceedings against a legal entity, is fundamental in order not to lose sight of this objective during the preparation of all Programme documents, thus ensuring that the Organisation will have at its disposal the appropriate tools to test the effectiveness of the design and implementation of its Compliance Programme.

Lacking this double professional aptitude prevents being properly qualified to implement Compliance Programs, making the person who does so a true intruder in the discipline.

You can read the article in Diario la ley.
