The Criminal Compliance is a group of tools of preventive nature which is used to prevent the infringement of criminal law as well as avoid possible sanctions that generate some responsibility for the company.

The Criminal Compliance is based on article 31 bis of the Criminal Code. Due to the 2010 reform, legal entity must have a criminal risk prevention model, nevertheless until 2015 there is no extensive and specific content how this obligation should be fulfilled (it is necessary to indicate Circular 1/2016 of the State Attorney General’s Office issued on the reform operated by Organic Law 1/2015 regarding the criminal responsibility of the legal entity, in which the basis and effectiveness of Criminal Compliance are expressed).

Before the Criminal Code (hereinafter, «CP») reform (2010) if a crime was committed within an entity with legal entity, the criminal responsible would have been the person who had committed the crime, remaining in this way exempts the legal entity; However, after the 2010 reform, the commission of the same previous crime by a member of the entity would make the company as the immediately subject responsible and therefore sanctioned. The current article 31 bis establishes the possibility of evasion about criminal responsibility for the company as follows: “the company will be exempt from liability if, before committing the crime, it has effectively adopted and executed a model of organization and management which is adequate to prevent crimes of the nature of which he was committed or to significantly reduce the risk of his commission ”[article 31 bis section 4 CP]

But… What crimes can a legal entity commit?

The crimes that legal entity can commit are more than 27. Among which we can point out: illegal trafficking of human organs (art 156 bis CP), trafficking in human beings (art 177 CP bis), prostitution (art 189 bis CP). economic crimes (fraud, punishable insolvency, money laundering, illegal financing of political parties …), crimes related to intellectual properties (against the market, against consumers, disclosure of company secrets, corruption in business …), etc.

Implementation of the Compliance system: What requirements and elements must a compliance system have?

One of the elements that the State Attorney General emphasizes in its Circular is the «corporate ethical culture», whose existence and validity would be a kind of essential requirement which is not written in article 31 bis CP, of such importance that, in their absence, prosecutors must have the model as ineffective (page 52 of Circular 1/2016 of the State Attorney General’s Office). Furthermore, article 31 bis CP establishes that the organization and management models must meet the following requirements:

1.º Identify the activities in which the crimes that must be prevented can be committed. For this purpose, it will be needed make a diagnosis or risk analysis.

2.º They will establish the protocols or procedures which specify the process of formation of the will of the legal person, of decision-making and execution of the same in relation to them. Hence, a compliance program must be developed: code of conduct, corporate policy to mitigate the risks detected.

3.º They will have adequate financial resources management models in order to prevent the commission of crimes that must be prevented. A compliance officer must be assigned depending on the type of the company. This agent is an individual or collegiate body which ensures regulatory compliance and dissemination of the compliance plan in the legal entity or entity.

4.º They will impose the obligation of reporting possible risks and breaches to the organization which controls the operation as well as theobservance of the prevention model. An internal control system must be established in order to detect and prevent any behavior or incident that could represent a risk. For this aim a reporting system of complaints, through appropriate channels (ethical channel) is created.

5.º  They will create a disciplinary system which adequately sanctions the violation of the measures that were established by the model.

6.º They will carry out a periodic verification of the model and its eventual modification when relevant infractions of its provisions are revealed, when changes occur in the organization, in the control structure or in the activity carried out that make them necessary.

Therefore, it is necessary to establish a diagnosis of risks since, knowing the weak points makes it possible to understand the eventual potentials that may affect the achievement of the entity’s objectives. Once the risks have been identified, it will be necessary to analyze and assess them and finally establish their treatment on a risk map. The risk map is the sum of the diagnosis of all identified risk behaviors.

La imagen tiene un atributo ALT vacío; su nombre de archivo es prison-553836_960_720.jpg

All these ways will help us to create a business ethical code that will fulfill a legal-defensive function (STS 154/2016, of February 29, establishes the need to create a corporate ethical culture). Moreover, it will also be essential to establish a complaints channel or ethical channel for employees or third parties have the possibility of communicating criminal acts, breaches or irregularities that infringe the ethical values of the organization.

Thus, all these mechanisms should not create a “copy and paste” general compliance system, but it is necessary to consider the characteristics of the company in which the organization and management model is to be installed (as established by the Office of the Prosecutor in Circular 1/2016 when it recommends that a compliance model should be developed taking into account the uniqueness of the specific business organization).


There are Compliance Management Systems (SGC) developed by the International Organization for Standardization (ISO), around worldwide, and the Spanish Association for Standardization (UNE); that is to say, in the absence of specific normative criteria, these norms are taken as reference that allow establishing or implementing a compliance system in a certain entity (Iso 19600 «Compliance management system. Guidelines», UNE 19601 «Management systems of criminal compliance Requirements with guidance for its use ”etc).

La imagen tiene un atributo ALT vacío; su nombre de archivo es laborlawlawyerlegaltechnology.jpg


Criminal Compliance can be conceived as a set of norms, procedures and control mechanisms tending to guarante the firm compliance of the legality within the organization. They identify corporate risks, regulate aspects of daily business management and the behaviors of the individuals that make up the organization. The main objective is to prevent, detect and react to the commission of crimes or the occurrence of risks and breaches of possible criminal significance.

The practical consequence of not having a business criminal prevention model is that if a crime is committed for the direct or indirect benefit of the company, the latter may be criminally liable and may also be sentenced to the different penalties provided by the Criminal Code for Legal persons.

The compliance system ensure reputational value to the company, so it is an added reason that makes it completely advisable to have a criminal risk prevention plan not only in large companies, but its implementation in SMEs is also important (See “Guide to Compliance Implementation for SMEs ”, World Compliance Association).

Creation of the publication:

Fátima Amboage Santos


Studen at Máster de Asesoría Laboral y Recusos Humanos. Student at Máster de Liderazgo (Gade Bussiness School, online).

Partner at Iuris Fácil.


Hola, 👋 si no quieres perderte las últimas publis en el blog y todo el contenido adicional que podemos ofrecerte cada semana...👇

Regístrate aquí para recibir este contenido en tu bandeja de entrada todos los lunes a las 10:00 (sin SPAM, prometido).

Enviando este formulario aceptas nuestra política de privacidad . Léela aquí para obtener más información.

No hay comentarios

Deja una respuesta

Escanea el código