A few thoughts concerning Compliance systems

Key considerations covered in Circular Letter 1/2016 of the Spanish Public Prosecutor’s Office, on the criminal liability of legal persons in the current version of the Criminal Code

Francisco Aránega


Often, the first reaction when a compliance system is established is to perceive it as a series of rules, procedures and controls, as well as a group of persons, that may generate a high level of bureaucracy, which may prevent doing things that should be permitted and, in general, lead to operational difficulties for the company.

In reality, a properly designed and implemented compliance system should not only prove such a perception to be incorrect but could even represent significant advantages for the company, in aspects as relevant as:

  • the generation of confidence in front of third parties but also for the personnel of the company (for example, making it possible for the personnel of the company to consult and to know with certainty which conducts are adequate and permitted in the performance of their duties);
  • certainty regarding the steps to be followed and the roles and responsibilities that correspond to the personnel in the decision-making processes of the company (which, together with the systematisation of such processes, can speed up the adoption of decisions); and
  • the prevention and detection of non-compliant conducts, as well as the potential reduction of the effects of such conducts (both the effects for the company and for the members of its personnel who abide by the rules and procedures of the compliance system of the company).

In any case, in order to properly design and implement a compliance system, it is essential to know which should be its main characteristics, as well as the scope of the obligations whose compliance should be supervised and controlled. Obviously, the diversity and complexity of the today’s regulations does not make this to be an easy task.

In this context, it is good news that the Spanish Public Prosecutor’s Office has published a Circular Letter stating its interpretation of the regulations regarding criminal liability of legal persons Spain, as it can help companies to appropriately design and implement their compliance systems and, therefore, benefit from the advantages that may result from them.

Consequently, we understand that it is important to highlight the following considerations set out in Circular Letter issued by the Spanish Prosecutor’s Office:

Who may generate the criminal liability of the company?

Companies may be held criminally liable as a result of the behaviour of the following persons:

(a)          their directors or legal representatives, if they have been appointed to perform their duties or even if they do so without a formal appointment.

(b)          other persons authorised to adopt decisions on behalf of the company, including middle management, general and individual proxies, and persons to whom control and organisation functions have been delegated (including the compliance officer); and

(c)          those who are subject to the authority of the above-mentioned persons, including the employees of subsidiaries and persons with a commercial relationship with the company, such as self-employed individuals or subcontracted employees, provided that they are within the company’s corporate domain.

As a general rule, the company shall only be subject to criminal liability if the criminal behaviour of one of the above-mentioned persons was intentional and wilfully misconducted. Reckless behaviours may only result in the company being held criminally liable when involving crimes regarding “fraudulent insolvency”, “natural resources and environment”, “financing of terrorism” or “money laundering”.

Concerning the behaviour of legal representatives, persons authorised to take decisions on behalf of the company, or persons entrusted with control and organisation functions, the company shall be exempted from criminal liability if it proves that the criminal offence was committed fraudulently breaching the compliance system. In case of offences committed by persons subject to the authority of the above-mentioned persons, the exemption of liability does not require proving a fraudulent breach of the compliance system but the Spanish Prosecutor’s Office warns that the existence of a compliance system only exempts the company from liability if the system is effective and that, in general, any system that may be breached without committing some kind of fraud should be considered ineffective.

The benefit for the company is not a sine qua non condition

For a company to be held criminally liable it does not necessarily need to have obtained a benefit from the criminal offence committed by one of the above-mentioned persons, it is enough that the person who committed the criminal offence intended to benefit the company directly or indirectly. However, the Spanish Prosecutor’s Office acknowledges that the criminal liability of a company should not be assessed equally in cases where the main objective of criminal conduct is the benefit of the company and in cases in which such benefit is secondary to the objective of the person committing the crime.

The fact that a company may be held criminally liable for criminal offences that generate an “indirect benefit” for the company implies that companies may be held liable when the benefit is obtained through a third party or when the benefit is intangible.

Compliance systems

As regards the conditions and requirements that compliance systems must fulfil, the Circular Letter of the Spanish Prosecutor’s Office states that:

(a)          they must be clear, accurate, effective and set out in writing. Furthermore, they must have appropriate financial resources and senior management at the company must be unmistakably committed and must support the dissemination of a compliance culture to the rest of the company;

(b)          they must be supported by an appropriate risk assessment of the company’s operations and establish, apply and maintain effective management procedures for such risks;

(c)          they must not be developed and implemented solely to prevent criminal punishment; they must represent a firm commitment to discouraging criminal conducts and promote a genuine ethical corporate culture within the company. Thus, respect for the compliance system must be ensured in the decision-making process involving employees and management, and the so-called “make-up compliance” systems should be avoided. The Spainsh Prosecutor’s Office has therefore adopted a strong position against systems that merely seek to reproduce those adopted by other companies;

(d)       a compliance system may still be deemed to be valid and adequate, even it has been evaded and a criminal offence has been committed. However, for the company not to liable for such criminal offence, the company will have to prove that the system was, generally speaking, appropriate as regards the prevention and detection of such offence. Furthermore, the Spanish Prosecutor’s Office has also highlighted that the detection and reporting of a criminal offence by the company must be taken into consideration as a demonstration that a genuine culture of compliance is in place at the company and, therefore, in order to exempt the company from criminal liability;

(e)        for companies of a certain size (the Circular Letter does not clarify the criteria to be used to define the size of the company for this purposes) the compliance system must feature IT applications that exhaustively control the company’s internal business processes;

(f)        compliance systems have to include an appropriate whistleblowing channel. To this end, the company must implement regulations that protect the whistleblower; making it possible to report breaches whilst ensuring the confidentiality of the whistleblower’s identity and that no retaliation will be taken.

(g)        compliance systems must include a disciplinary system that appropriately punish infringements of the compliance system. A punishment should also be in place for failing to report breaches and conduct that contributes to preventing or hindering infringements coming to light. The Spanish Prosecutor’s Office also highlights that in order to assess the company’s commitment to detecting and preventing criminal offences, analysing its behaviour in terms of infringements of its compliance system is essential; and

(h)        compliance systems must provide for a periodic review, in addition to specifying the circumstances for immediate reviews. An immediate review is required when the system is significantly infringed, in the event of important changes to the organisation, its control structure or operations or when circumstances occur that may influence risk analysis at the company.

The Circular Letter points out that if defects are identified in the compliance system, or if the company can solely demonstrate a certain level of concern for the control of criminal offences, the existence of the compliance system shall not be sufficient to exonerate the company from criminal liability, although it may reduce the consequences of the declaration of such criminal liability of the company.

Furthermore, according to the Spanish Prosecutor’s Office, the certificates issued by companies or assessment or certification agencies, indicating that the compliance system fulfils the conditions and requirements set out in the Spanish Criminal Code, may be considered as an additional element of evaluation of the appropriateness of the systems, but shall not serve to prove its effectiveness.

Concerns regarding the compliance officer

As regards the compliance officer, the Spanish Prosecutor’s Office makes a number of comments that are worth a mention:

(a)        The compliance system must be supervised by a specific body, either an individual (compliance officer) or a group (compliance committee). In any case, the system must allow them to perform their functions in a fully independent manner.

(b)       The compliance officer must be involved in the creation of compliance systems and ensure they work correctly, establishing appropriate audit, supervision and control procedures. To this end, individuals with sufficient professional knowledge and experience must be involved, appropriate technical measures employed, and access to internal processes and information regarding the company’s operations ensured.

(c)          The compliance officer may delegate a number of his functions to other individuals or bodies, he may even outsource said functions (such as the management of the whistleblowing channel, regarding which the Circular states that such functions may be more effective when managed by an external company).

(d)          As we have seen previously, the action of the compliance officer may lead to the company being held criminally liable, just like the actions of other individuals authorised to take decisions.

On the other hand, according to the Prosecutor’s Office, if the compliance officer is grossly negligent in the control of his/her subordinates, both the company and the compliance officer may be held criminally liable. Having said that, the Prosecutor’s Office states that the compliance officer’s liability is no greater than the liability of the company’s other directors, clarifying that the special nature of the compliance officer is attributable to the fact that he may be more aware of unlawful acts being committed given his responsibility with regard to the whistleblowing channel and that, therefore, he is more able to prevent them from being committed.

In any case, it is worth remembering that individuals are held personally liable in cases of serious omission of their duty of control. The Circular highlights that, in general, this means that non-serious breaches are not considered a criminal matter.

Furthermore, according to the Prosecutor’s Office, the certificates issued by companies or the assessment or certification agencies indicating that the compliance system fulfils the conditions and requirements set out in the Criminal Code, may be considered an additional element of the system’s appropriateness, but shall not serve to accredit its effectiveness.


In conclusion, it is worth noting that for a company to be exonerated from criminal liability in Spain, it must demonstrate that its compliance system exists and works effectively, that it satisfies the conditions and requirements of the Spanish Criminal Code, that the criminal offence was committed eluding the compliance system and that there was no serious breach of supervision and control duties.

Notwithstanding the foregoing, it is also worth to mention that, although the interpretation of the Spanish Prosecutor’s Office reflected in the Circular Letter may be considered as mandatory for Spanish public prosecutors and may be a very useful guideline for companies to elaborate their compliance systems, it must not be interpreted as regulatory standards with a direct impact on third parties, in particular on judges and tribunals, who may follow different criteria or interpretation of the Spanish Criminal Code when adopting their decisions.

Uso de cookies

Este sitio web utiliza cookies para que usted tenga la mejor experiencia de usuario. Si continúa navegando está dando su consentimiento para la aceptación de las mencionadas cookies y la aceptación de nuestra política de cookies, pinche el enlace para mayor información. ACEPTAR

Aviso de cookies