ComplianceKeys#25: The origins of Compliance in Spain.
Compliance could be defined as the set of procedures and best practices adopted by companies and organisations to identify and manage the legal risks inherent in their activities, in order to ensure compliance with current regulations and prevent crimes from being committed in the course of their operations. Although it is a broad term with scope in multiple areas, in Spain, criminal compliance, which focuses on the criminal liability of legal persons, is particularly important.
In recent years, the concept of Compliance has become a key tool in managing legal, ethical and reputational risks in the business context. Its evolution has had an impact on corporate compliance culture, becoming an essential pillar of good corporate governance.
To understand this concept and its relevance, it is essential to know its origin, its consolidation in the Spanish legal framework, its regulatory evolution, its link to international standards and its practical importance in the business environment.
Compliance background:
At the international level, the origins of modern Compliance can be traced back to US anti-corruption legislation, specifically the Foreign Corrupt Practices Act (FCPA), enacted in the 1970s. This legislation was a milestone in requiring companies to implement effective internal controls and Compliance programmes to prevent corrupt practices both inside and outside the United States.
The influence of the FCPA was decisive in prompting other international organisations, such as the Organisation for Economic Co-operation and Development (OECD), to promote the adoption of regulatory compliance policies as an essential part of good corporate governance. Thus, Compliance became established as a key element in the prevention of legal risks and the promotion of a corporate culture of ethics.
Legal framework in Spain:
Before the concept of Compliance was formally incorporated into Spanish law, certain Compliance practices already existed, especially in highly regulated sectors such as finance and insurance. Some entities had already adopted internal measures to manage risks, protect their reputation and ensure compliance with legal obligations. However, these initiatives did not have a unified and mandatory legal framework.
The real turning point came with Organic Law 5/2010 of 22 June, which amended the Criminal Code to introduce for the first time the possibility of attributing criminal liability to legal persons (companies, associations, foundations, etc.). This reform marked a break with the principle of societas delinquere non potest and transferred to organisations the obligation to implement effective crime prevention mechanisms.
Subsequently, Organic Law 1/2015 reinforced this regime with the introduction of Article 31 bis of the Spanish Criminal Code, which establishes that a legal entity may be exempted from criminal liability if it demonstrates that it has implemented an adequate organisational and management model to prevent or reduce the risk of criminal offences arising from its activity. This provision makes Compliance a legal requirement with specific procedural and criminal effects.
The criminal liability regime for legal persons is not universal, but is limited to a closed list of offences (numerus clausus) for which a legal person can be convicted, including: economic crimes, corruption, environmental crimes, money laundering, etc. This means that a legal person can only be held criminally liable if one of the offences committed by its decision-making and control bodies or employees is included in this list.
Along the same lines, the Prosecutor General’s Office, through Circular 1/2016, detailed the requirements that an effective Compliance system must meet, emphasising the importance of it being well designed, implemented and supervised. This doctrine was reinforced by Supreme Court Ruling 154/2016 of 29 February, which established that the criminal liability of a legal entity requires not only the formal existence of control measures but also their correct application and effectiveness in preventing criminal conduct by those acting on its behalf.
Reflection in technical standards:
The regulations contained in the Criminal Code establish a minimum legal framework for the implementation of Compliance systems, always in relation to the criminal liability of legal persons. However, in order to assess the real effectiveness of these systems, it is essential to also refer to technical standards and international standards, which provide objective and methodological criteria for their design, implementation and evaluation.
At the national level, UNE 19601:2017 is the main reference for criminal Compliance management systems, in line with Article 31 bis of the Spanish Criminal Code and the doctrine of the Prosecutor General’s Office. At the international level, ISO 37001 stands out, focusing on the prevention of bribery in public and private organisations.
Although these standards do not replace the law, they allow the effectiveness of the implemented system to be measured, making certification possible and facilitating accreditation in the event of any investigations or legal proceedings.
Relevance of Compliance:
Compliance has gone from being a voluntary practice inspired by international standards to becoming an essential element of the Spanish legal framework, especially following the introduction of criminal liability for legal entities. Today, having a Compliance System reflects an organisation’s ethical commitment and is also a legal requirement with direct consequences in terms of criminal liability, reputation and business continuity.
Understanding the origin and evolution of Compliance allows us to understand its strategic relevance and the need to adopt effective models of law enforcement. In this context, companies must commit to a solid compliance culture, backed by procedures, controls and active supervision.
In short, having a well-designed and implemented Compliance system is not only a guarantee against legal risks, but also a competitive advantage in an increasingly demanding and regulated business environment.