Compliance body, internal or external?
In the last #ComplianceKeys we have offered a brief analysis of some of the main characteristics of a prominent figure of any Compliance System: the Compliance body. Thus, previous publications have dealt with issues such as its configuration as a unipersonal or collegiate body (ComplianceKeys17) or its main functions and responsibilities (ComplianceKeys18).
This ComplianceKeys will address another equally essential issue with regard to this body: its configuration as an internal or external body in relation to the legal entity in question.
Firstly, it should be pointed out that, as with other characteristics relating to the Compliance body, the legal-criminal regulation in this area is relatively sparse. Thus, Article 31 bis 2.2 of the Criminal Code only establishes that: “the supervision of the functioning and compliance of the prevention model implemented has been entrusted to a body of the legal person […]“.
Thus, the Criminal Code only establishes that the governing bodies of legal entities (as they are originally responsible for preventing crime in the entities they manage) must assign the duty to supervise the operation and compliance of the Compliance System to a body of the legal entity.
The wording of this precept, by referring to “an organ of the legal entity”, might seem to indicate that the functions and responsibilities (ComplianceKeys18) of the Compliance bodies can only be carried out by internal bodies. However, the practical interpretation of this provision has not been so restrictive.
As can be seen in the Circular of the State Attorney General’s Office 1/2016, although an internal body of the legal entity must be designated to exercise a general oversight function of the Compliance System, this does not imply that this body must itself perform all the tasks that characterise the Compliance function of a legal entity.
Moreover, the Circular expressly states that there is also no objection to legal entities being able to outsource the different compliance activities.
Thus, as a conclusion, from a joint reading of Article 31 bis 2.2ª of the Criminal Code and its interpretation contained in Circular 1/2016 of the State Attorney General’s Office, it can be argued that, although legal entities must necessarily have an internal body responsible for the Compliance function in order to have a Compliance System that can be considered effective, this does not imply that each and every one of the tasks that make up this function must be carried out by this body.
Moreover, it should be taken into consideration that the outsourcing of some of the responsibilities of the Compliance function (such as, among other issues, the analysis of the criminal legal risks associated with the activities carried out by an entity, the development of certain internal regulations, the execution of training, among others) may be of greater benefit than its internal development. This is simply because of the objectivity and specialised knowledge that a third party external to the legal entity in question may have.
Compliance Department of Molins Defensa Penal.