The shared function of Legal & Compliance in Spain and the United States. Is it possible to unify in the same person or department?

Despite the long history of criminal liability of legal entities, both in the United States and, to a lesser extent, in Spain, and the development of different self-regulatory norms and standards regarding ethical and regulatory Compliance, there is today no explicitly positivized legal obligation that resolves the problem of whether it is possible or correct to combine the legal and Compliance functions in the same person or department.

In this sense, we have studied the different positions held by regulations, public authorities, academic doctrine and the main international standards and frameworks, both in the United States and in Spain, in order to reach a conclusion that sheds more light on the correct configuration of the Compliance function.

Firstly, it is worth analysing in general terms the main problems associated with the combination of legal and Compliance functions that may hinder the pursuit of the objectives that any Compliance System should pursue (prevention, detection and effective reaction to breaches of regulations). These problems are, among others, as follows:

  • Potential conflicts of interest;
  • Collision in the performance of their duties (“what can be done” versus “what must be done, even if it can be done”);
  • Loss of attorney-client privilege.

Generally speaking, both the authorities and the academic doctrine in the United States and Spain recommend that the two functions should, as far as possible, be separated.

On the one hand, in relation to Spanish legislation, article 31 bis 2.2º of the Criminal Code establishes as a requirement, for the purposes of obtaining an exemption from criminal liability, that the supervision of the operation of, and compliance with, the Compliance System must be entrusted to a body of the legal entity with autonomous powers of initiative and control. This is also provided for by the Attorney General’s Office which, in Circular 1/2016 on the criminal liability of legal entities following the reform of the Criminal Code through Organic Law 1/2015 of 30 March, establishes that, in order to ensure the highest levels of autonomy and avoid any conflict of interest, there must be an operational separation between the governing body and those involved in the Compliance function.

Thus, in Spain, although there is no express regulatory provision that prohibits the Compliance and legal functions from being carried out by the same person or department, this combination is not advisable from the perspective of ensuring that the Compliance System is assessed as effective.

Similarly, in the United States this issue is not positivised either. However, most of the resolutions and recommendations of judicial authorities and other public authorities, such as the Office of Inspector General (OIG), have clearly opted for the need to establish a separation between the two roles. Thus, Chapter 8 of the U.S. Sentencing Guidelines 2023 states that the Compliance function should be delegated to individuals in senior management who have appropriate resources and authority and direct access to the governing bodies.

In addition, it is common that, within the framework of the issuance by the OIG of a State Settlement Agreement and Release, companies are required, as was the case with the corporate integrity agreement reached by PFIZER INC. in 2009, to designate a Compliance Officer who meets certain requirements, including that he/she must not be the General Counsel or the Chief Financial Officer, nor be subordinate to him/her.

It seems clear, in this regard, that the Compliance function and the legal function are complementary, but not equivalent, and that there are serious benefits to unbundling the two functions, as far as possible. In addition, in order to ensure proper collaboration between the two roles, it is recommended to:

  • include the legal function in the Compliance function’s reports to the governing body, provided that they do not involve it; and
  • notify the legal function of those issues that may involve any type of liability for the legal entity, guaranteeing at all times the autonomy of the Compliance function.

If it is not possible to implement an absolute functional separation between the legal and Compliance functions, it is necessary to:

  • establish a direct vertical reporting line of Compliance issues to the governing body by the Compliance function;
  • ensure that the Compliance function has its own resources, independent of the legal function; and
  • engage external advisors for the development of certain issues that may involve a conflict of interest (e.g. management of the ethics or whistleblowing channel); and

Authors: Guillem Gómez & Annia Alventosa.

Department of Compliance of Molins Defensa Penal.
