The Spanish Criminal Code was amended in 2010, and subsequently reformed in 2013, to introduce the concept of criminal liability of legal persons. Many domestic legal entities are now criminally responsible for offenses committed in their name or for their benefit by those empowered to manage and control the business, and by their employees or contractors where adequate controls are lacking. The liability of a legal person does not exclude criminal proceedings against a natural person, such as the perpetrator of the offense, but it significantly increases compliance risks and affects corporate sustainability. The first prosecuted case was recently confirmed by the Supreme Court, which ratified a €776M penalty imposed on a machinery rental company for drug trafficking from Venezuela to Spain.
This law responded to local business crime trends and focused on assigning moral culpability for the commission of serious offenses to corporate entities lacking effective compliance surveillance and ethical measures. Companies are exempt from criminal liability if they provide evidence of effective supervision policies over their administrators and staff. The law provides a detailed description of an appropriate compliance management system, domestically known as "corporate compliance", "corporate defense", "compliance program" or "crime prevention plan".
Over the past five years, the scope of compliance has evolved from criminal offenses to business ethics in general and from external compliance to internal compliance, and it has moved from the legal departments to internal and external auditors, boards, shareholders, risk managers, consultants, and information technology and security areas. The offenses expressly mentioned by the Criminal Code are general key compliance risks, such as bribery, tax evasion, market abuse, fraud, environmental crime, personal data breach, money laundering, and intellectual property infringement. They can all be addressed with accepted international standards, including ISO 19600 for guiding compliance systems, ISO 37001 for anti-bribery controls, and ISO 31000 for identifying compliance risks, as well as best practices for managing whistleblowing reports, or simply by having comprehensive codes of ethics.
The wide scope of compliance and the greater reputational and financial risks increased the need for professionals to manage the implementation of compliance programs, the chief compliance officers, in all kinds of businesses and organizations whatever their size or activity sector, including multinationals, domestic subsidiaries, political parties, unions, and even soccer clubs. The compliance officers created a new association called CUMPLEN to share practices for implementing accepted international frameworks.
Spanish companies are moving from "makeup compliance" to effective compliance programs in order to ensure business sustainability and to improve overall corporate governance. These new ethical objectives require many more professionals, with a new profile: able to translate legal requirements into comprehensive ethical behavior while designing and building risk-based, cost-effective preventive controls. This is the real challenge for Spain.