Corporate Criminal Liability In Spain: The Evolution Of Compliance From Legal Obligation To Governance Imperative
The Introduction Of Corporate Criminal Liability Under Spanish Law
The Spanish Criminal Code was amended by Organic Law 5/2010, effective in December 2010, to introduce for the first time the criminal liability of legal persons into the Spanish legal system. This reform was subsequently expanded and refined by Organic Law 1/2015, effective in July 2015, which substantially restructured Article 31 bis and introduced a detailed set of requirements for compliance programs capable of exempting the organization from criminal liability.
Under Article 31 bis, Spanish legal entities may be held criminally responsible for offenses committed in their name or on their behalf through two distinct pathways. The first pathway addresses offenses committed by individuals authorized to make decisions on behalf of the organization, to organize the organization, or to exercise control within it, commonly understood as senior officers, directors, and legal representatives. The second pathway addresses offenses committed by individuals subject to the authority and supervision of those senior officers when the offense was made possible by the failure to exercise adequate supervision, oversight, and control over their activities. This dual-pathway structure is fundamental to understanding how the law operates, because the standard of proof and the available defenses differ depending on which pathway applies.
The criminal liability of the legal person is independent from the criminal liability of the natural person who committed the offense. A criminal proceeding against the organization does not exclude proceedings against the individual perpetrator, and vice versa. This independence means that organizations face direct criminal exposure with consequences that extend well beyond fines to include judicial intervention, suspension of activities, closure of business premises, prohibition from contracting with the public sector, and dissolution in the most serious cases.
The Landmark Supreme Court Interpretation
The Supreme Court of Spain addressed the scope and requirements of corporate criminal liability in several significant rulings during the years following the 2010 reform. Among the early landmark decisions, STS 154/2016 of the Criminal Chamber in plenary session established foundational interpretive principles regarding the standard of proof, the role of compliance programs as a defense, and the conditions under which an organization could be exempted from liability. The Court emphasized that the mere existence of a compliance program is insufficient and that the program must be effective in practice, proportionate to the risks of the organization, and subject to genuine oversight.
Organizations should verify the specific case details, penalties, and Supreme Court rulings relevant to their sector through the jurisprudence database of the Consejo General del Poder Judicial, as the body of case law on corporate criminal liability continues to develop and as significant decisions have addressed diverse offense categories including fraud, tax offenses, money laundering, and environmental crimes.
The Legal Foundation For Compliance Programs
The 2010 reform responded to domestic and international pressure to hold corporate entities accountable for criminal offenses facilitated by deficient organizational structures and inadequate internal controls. The underlying legal concept, often referred to in Spanish doctrine as culpabilidad por defecto de organización or organizational culpability through defect of organization, assigns liability not on the basis that the organization intended to commit a crime but on the basis that its failure to implement effective compliance and oversight measures made the commission of the offense possible.
The 2015 reform under Organic Law 1/2015 substantially strengthened the compliance framework by introducing Article 31 bis paragraph 5, which sets out the specific elements that a compliance program must contain to provide a basis for exemption from criminal liability. These elements include the identification of activities within whose scope offenses that must be prevented are likely to be committed, the establishment of protocols and procedures that give concrete expression to the process of forming the organization's will and of decision-making and execution in relation to those activities, the allocation of appropriate financial resources to prevent the commission of offenses, the obligation to report potential risks and noncompliance to the compliance oversight body, the establishment of a disciplinary system that adequately sanctions noncompliance with the program's measures, and the periodic verification and modification of the program when relevant infringements of its provisions are detected or when changes occur in the organization, its control structure, or its activities that make such modifications necessary.
The compliance oversight function must be entrusted to a body within the organization, often referred to as the órgano de cumplimiento or compliance body, with autonomous powers of initiative and control. In organizations authorized to present abbreviated accounts under applicable accounting standards, the compliance oversight function may be performed directly by the governing body. This provision acknowledges the practical constraints of smaller organizations while maintaining the requirement for effective oversight.
The Interpretive Guidance Of The Fiscalía General Del Estado
Circular 1/2016 of the Fiscalía General del Estado provides the authoritative prosecutorial guidance for evaluating the effectiveness of compliance programs under Article 31 bis. This Circular explicitly distinguishes between programs that constitute a genuine expression of the organization's compliance culture and those that exist as superficial instruments designed solely to obtain an exemption from criminal liability. In Spanish compliance practice, the latter are commonly described as cumplimiento cosmético, (make up compliance, paper compliance), a concept equivalent to what English-language practitioners refer to as paper compliance or window-dressing.
The Circular establishes that prosecutors should evaluate not only whether the program contains the formal elements required by Article 31 bis paragraph 5 but whether the program is genuinely implemented, adequately resourced, effectively supervised, and demonstrably responsive to identified risks and incidents. This standard of evaluation is substantively aligned with the approach taken by the U.S. Department of Justice in its Evaluation of Corporate Compliance Programs, which similarly assesses whether compliance programs function effectively in practice rather than merely existing on paper.
The Expanding Scope Of Compliance In Spain
During the decade following the 2010 reform, the scope of compliance in Spain evolved significantly along several dimensions. The focus expanded from criminal offense prevention alone to encompass business ethics, organizational integrity, and stakeholder trust more broadly. The orientation shifted from exclusively external regulatory compliance to include internal compliance with organizational policies, codes of conduct, and values. And the ownership of compliance responsibilities moved beyond the legal department to involve internal audit, external auditors, boards of directors, risk management functions, information technology and security teams, and specialized compliance professionals.
The offenses expressly mentioned in the Criminal Code that can trigger corporate criminal liability represent a defined catalogue, following the numerus clausus principle, meaning that only the specific offense categories enumerated in the Code can give rise to organizational liability. These categories include, among others, bribery and corruption, tax fraud and offenses against the tax authority, market manipulation and insider trading, fraud and economic crimes, environmental offenses, offenses against personal data and privacy, money laundering and the financing of terrorism, and intellectual property infringement. The enumerated categories represent general compliance risk domains that apply across sectors and industries.
These risks can be managed through alignment with recognized international and national standards. ISO 37301, published in 2021, establishes the requirements for compliance management systems and replaced the former ISO 19600, which was a guidance standard rather than a requirements standard and has since been withdrawn. ISO 37001 provides the framework for anti-bribery management systems. ISO 31000 establishes the principles and guidelines for enterprise risk management, including the identification and assessment of compliance risks as part of the organization's internal context. At the national level, UNE 19601, published by the Spanish standardization body AENOR, provides a certifiable standard specifically designed for criminal compliance management systems under Spanish law and is widely adopted by Spanish organizations seeking to demonstrate the rigor and completeness of their compliance programs. Complementing these frameworks, effective compliance programs should include comprehensive codes of ethics, robust whistleblowing and reporting mechanisms aligned with the protections now required under EU Directive 2019/1937 on whistleblower protection and its Spanish transposition through Ley 2/2023, and risk-based internal controls proportionate to the organization's exposure.
The Rise Of The Chief Compliance Officer In Spain
The broad scope of criminal compliance obligations and the significant reputational and financial risks associated with corporate criminal liability created substantial demand for professionals capable of managing the design, implementation, and ongoing operation of compliance programs. The chief compliance officer emerged as a critical governance role across all types of organizations regardless of size or sector, including multinational corporations operating in Spain, domestic subsidiaries of foreign groups, political parties, trade unions, foundations, and professional sports organizations.
The professionalization of the compliance function in Spain led to the creation of ASCOM (Asociación Española de Compliance) and other professional associations including the World Compliance Association, which provide platforms for practitioners to share methodologies, develop professional standards, and promote the adoption of internationally recognized compliance frameworks. These associations have contributed significantly to raising the standard of compliance practice in Spain and to building the professional identity of the compliance function as distinct from and complementary to the legal, audit, and risk management disciplines.
The Path From Cosmetic Compliance To Genuine Governance
Spanish organizations have moved progressively from the early adoption of compliance programs motivated primarily by liability avoidance toward the development of programs that serve as genuine instruments of organizational governance and ethical culture. This transition remains incomplete, and the maturity of compliance programs varies significantly across sectors, company sizes, and organizational cultures.
The transition from cosmetic compliance to effective compliance requires a fundamental shift in how organizations conceive of the compliance function. Effective programs require professionals with a distinctive profile that combines legal knowledge with the ability to translate regulatory requirements into practical behavioral expectations, to design and implement risk-based and cost-effective preventive controls, and to build organizational cultures in which ethical conduct is reinforced by incentive structures, communication practices, and leadership behavior rather than imposed solely through rules and sanctions.
This challenge is not unique to Spain. Every jurisdiction that has introduced corporate criminal liability or enhanced compliance expectations faces the same transition from formal program adoption to genuine program effectiveness. What distinguishes the Spanish experience is the speed of the evolution, the breadth of the criminal offense catalog, the specificity of the compliance program requirements in Article 31 bis paragraph 5, and the interpretive rigor introduced by Circular 1/2016. Together, these elements have created a compliance environment that demands both technical sophistication and cultural commitment.
The organizations that navigate this transition successfully will be those that treat compliance not as a legal risk mitigation exercise but as a core component of corporate governance, strategic planning, and organizational sustainability.