ComplianceKeys#31. Compliance Officers in Spain: role, scope, and responsibilities of the Compliance function
As explained in ComplianceKeys#25, the introduction of criminal liability for legal entities into our legal system, following the reform of the Criminal Code brought about by Organic Law 5/2010 and consolidated by Organic Law 1/2015, represented a structural change in the way companies must approach the management of their legal risks. Since then, the implementation of organisational and management models aimed at crime prevention — also referred to as Compliance Systems or Models — has taken centre stage in the legal and corporate strategy of organisations. In this context, the role of the Compliance Officer has become one of the most visible — and, at the same time, most controversial — elements of Compliance Systems.
Despite their growing prominence, Compliance Officers continue to be surrounded by a certain degree of conceptual and legal ambiguity (i). Hence the importance of rigorously analysing their function and role within the organisation (ii), as well as the scope of their responsibility (iii).
(i) A key figure without a clear legal definition
The Spanish Criminal Code does not contain any express reference to the figure of the Compliance Officer, limiting itself to requiring that supervision of the Compliance Model be assigned to a body with autonomous powers of initiative and control. It is therefore this supervisory function, now referred to as the Compliance function—and not a specific role—that acquires legal relevance for the purposes of Article 31 bis, with its organisational structure left open to the internal design of each entity.
In this context, the Compliance Officer is only one of the possible organisational structures through which the Compliance function can be articulated within an organisation. In practice, this function may fall exclusively to a person appointed as Compliance Officer, be assigned to a collegiate body — usually called a Compliance, Compliance or Ethics Committee — or be configured through the coexistence of both structures, with an internal distribution of functions. This diversity of models responds to the absence of closed legal regulations defining the professional profile, specific functions or hierarchical position of the Compliance Officer, which has given rise to a notable heterogeneity of configurations under the same name.
Technical regulations and reference standards, such as UNE 19601 on Criminal Compliance Management Systems, help to define the material content of the compliance function, identifying the compliance officer as the guarantor of the supervision, monitoring and control of the compliance system. However, these references do not have regulatory status and leave some room for each organisation to configure the role. Consequently, the actual scope of the role will depend, to a large extent, on the internal design of the System and the functions that are effectively assigned to it.
In our opinion, this indeterminacy should not be interpreted as carte blanche for arbitrariness or a licence to justify disorganisation, but rather as a requirement to adapt to the reality of each company and a new call for increasing corporate self-regulation. The risk arises when this discretion translates into improvised designs that are merely formal or inconsistent with the organisational structure and the real risks of the activity. In such cases, the Compliance Officer ceases to be a strategic player and becomes a figurehead or, worse still, an additional source of risk.
(ii) Functions and organisational role of the Compliance Officer
The Compliance Officer is not, nor should be, a direct enforcer of disciplinary or corrective measures. Their main function is not to direct business activity or assume senior management responsibilities, but rather, among other things, to supervise the operation of the Compliance System with leadership, detect deficiencies, report risks and escalate information to the decision-making bodies that are responsible for the risk area.
From a functional point of view, their tasks should essentially revolve around three (3) main areas: communication and training in compliance matters, advising the organisation, and supervising and reporting on the System. This omnipresent position requires them to have a sufficient degree of autonomy and independence, as well as direct access to the administrative body, so that they can effectively perform their alert and reporting function.
The correct organisational fit of the Compliance Officer is therefore crucial. An appropriate design requires providing them with sufficient resources (such as the advice of an external expert, as indicated in UNE 19601), avoiding functional incompatibilities that compromise their independence, and placing them at a hierarchical level that allows them to obtain the collaboration of the entire organisation. When these lines become blurred and the Compliance Officer assumes executive functions that do not correspond to them, or when they are deprived of real autonomy and resources, the System loses its effectiveness and becomes powerless.
(iii) Scope and responsibility in criminal matters
One of the most sensitive aspects of the role of Compliance Officer is that relating to their potential criminal liability.
Firstly, the Compliance Officer is not, by definition, a ‘criminal lightning rod’ designed to absorb the liability of the company or its directors. Nor is he or she immune. His or her position must be analysed in terms of the powers that have actually been delegated or entrusted to him or her and the degree of control he or she has over the sources of risk. In general terms, his or her liability does not derive from the mere existence of the position, but from serious failure to perform the duties that have been validly assigned to him or her.
On the other hand, from the perspective of the two (2) ways of attributing criminal liability to legal entities under Article 31 bis 1 of the Criminal Code, the role of the Compliance Officer is situated in an intermediate and grey area that still generates some debate. They are not necessarily a person with organisational and control powers in the strict sense, nor a subordinate who carries out operational activities, but rather the person functionally responsible for supervising the proper functioning of the Compliance System.
It should be emphasised in this regard that the role of the Compliance Officer should be limited to supervising, monitoring and promoting the proper functioning of the Compliance System, but not to the actual prevention of crimes within the organisation. Thus, direct or primary supervision and compliance with the System is primarily the responsibility of the governing body and, at the operational level, of the managers and persons responsible for each area of risk, insofar as they are the ones who have the operational decision-making and control capacity over the processes and activities that generate risk.
In this sense, the Compliance function is necessarily cross-cutting and requires the active participation of the different levels and areas of the organisation in the application of prevention and control mechanisms, with Compliance being a duty shared by all members of the organisation, regardless of their hierarchical position or functions.
It is therefore essential to avoid simplistic approaches. An effective compliance system is not limited to appointing a compliance officer or a specific compliance body, but rather precisely defines its functions and establishes clear channels of information and reporting. Only in this way can the person in charge of the compliance function fulfil its purpose: reinforce the culture of compliance through leadership, detect risks in a timely manner and supervise the proper functioning of the System as a whole.
In short, the role of Compliance Officers is not a mere formal requirement or an accessory element of the Compliance System. When well designed, it is a key component in the management of legal risks and the criminal protection of any organisation. When poorly configured, it can become a factor of inefficiency and additional exposure.