Experts in compliance and economic crime

  • Punishable insolvencies
  • Asset concealment
  • Money laundering
  • Conflicts between majorities and minorities
  • Fraudulent management
  • Account falsification
  • State Treasury crimes
  • Social Security crimes

Compliance FAQs

What is compliance or regulatory compliance?

Compliance encompasses all legal activity within a company aimed at alignment with the legal system. Compliance means adhering to legislation that affects business undertakings. Compliance and regulatory compliance are interchangeable terms.

In Spain, reform of the Criminal Code in 2010 and subsequent legislative development and consolidation in 2015 led to the emergence of compliance. Nonetheless, the concept of compliance existed previously in many sectors which, given their technical nature, were widely regulated, e.g., the banking and pharmaceutical sectors.

Origins of compliance

The criminal liability of legal persons has been a concept that especially developed in the second half of the 20th century as a result of judicial rulings against companies. Some recent cases are Enron, Siemens, and Dieselgate.

As a result of this expansion of corporate criminal liability, also called criminal compliance or criminal regulatory compliance, a number of universities worldwide have become teaching pioneers, e.g., Fordham University in the USA with its compliance degree, and, in Spain, the postgraduate course in compliance taught at the BSM-School of Management at Pompeu Fabra University in Barcelona.

The inclusion of the concept of criminal liability of the legal person in the Spanish legal system breaks with the classic aphorism of societas delinquere non potest, i.e., that companies could not commit crimes as they were not natural persons.

The new legislation completely reformulates the attribution of criminal responsibility, introducing elements of exemption from or mitigation of criminal responsibility in cases of liability attribution to corporations.

Compliance programmes develop compliance functions in the company so they are not limited exclusively to criminal law, as corporate criminal liability is also crucial to good corporate governance.

Who is the compliance officer?

One of the key figures in the development of compliance programmes is the compliance officer, i.e., the person in charge of compliance. Since responsibilities can take many different directions depending on the size of the corporation, it is advisable to appoint a chief compliance officer to coordinate compliance functions in the company, and to appoint different supervisors depending on the area. One such appointment is the criminal compliance officer.

The Compliance Officer plays a crucial role in the compliance programme. Therefore, to guarantee compliance at all levels of the corporation, they need to be awarded the greatest possible autonomy and should also have access to the most senior ranks in the company. To avoid any retaliation for the performance of their duties, any reasons for sanctioning them must be strictly assessed in the most transparent way possible.

The Compliance Officer must have specific training in order to be able to develop their legal compliance function. In relation to possible company criminal issues, they need to have a solid background in Spanish criminal law and excellent analytical abilities. In supervising implementation and compliance with protocols governing designated processes in the company, they must act as the watchdog who ensures company alignment with the legal system.

What is a regulatory compliance plan?

A correctly configured compliance programme needs to cover certain basic elements. One fundamental pillar is the Code of Ethics (also called a Code of Conduct). This document, in which the company describes its basic lines of action, is configured as the framework for developing the rest of the compliance programme.

  • Since the code of ethics needs to be taken into account in business decisions, it should not be understood as a mere declaration of good intentions, but must express the corporate culture and so guide its actions. Some examples of a code of ethics can be found here.
  • Once a Code of ethics has been drawn up, the functioning of the corporation and of its different processes need to be reviewed in terms of risk. The purpose of this risk analysis is to identify legal risks, in our case criminal risks, that the company may face through its business activity. Using a risk map, priorities for the company in relation to risks are established in terms of probabilities of occurrence and impacts on the organization. To create the risk map, control measures that already exist need to be analysed and modified, and new control measures may need to be implemented.
  • Once the risks implied by the company’s operations have been analysed, steps must be taken so that any inherent risk is reduced and company operations are ultimately fully aligned with regulatory compliance. This procedure results in action protocols that regulate processes reflecting detected risks. A culture of compliance needs to be included in the company’s internal sanction regime, in such a way that any action that involves a compliance risk needs to be sanctioned, irrespective of the foreseen consequences.
  • A final cornerstone of the compliance programme is what are called complaint channels or ethics channels, through which employees, suppliers or third parties with compliance functions can report any dysfunction of the compliance programme. A specific protocol needs to be created to analyse these communications, which can be anonymous, and the compliance officer must be kept fully informed. An example can be found here.

At this point we need to ask ourselves why a compliance programme is important. Compliance supposes a thorough analysis of the company operations, which in itself is necessary to be able to comply with regulations, but is also very useful in detecting deficiencies in the organization in terms of potential sources of risk.

The main reason why compliance programmes fail is the lack of a culture of compliance. If the board of directors and management do not set an example with their actions, it will not be possible to expect that employees or suppliers comply with the values that the corporation claims to respect. This underpins one of the principles of action of compliance: tone at the top.

Another reason why compliance programmes fail is lack of company investment in the compliance function. The diffusion of values that are not implemented in reality, i.e., fake or cosmetic compliance, renders a compliance programme not worth the paper it is written on.

Compliance: how to manage regulatory risk for a company

A suitable compliance programme that responds to the needs of the company can be genuinely effective in terms of regulatory compliance, as it can ultimately exempt it from criminal liability or at least operate as a mitigating factor.

Below we explain the most important areas of compliance:

  • Criminal compliance: Criminal compliance was established in Spain in 2010 and became especially relevant from 2015. A company can be considered criminally responsible for a crime committed within its organization, with the corresponding legal consequences. One consequence is dissolution, equivalent to the death penalty for a company, while other measures are closure of premises or judicial intervention in the business.
  • Tax compliance: Non-compliance with tax obligations potentially has a major economic impact on a company. This area is, furthermore, becoming increasingly relevant due to the complexity of changing tax regulations governing companies.

Other regulatory compliance areas

  • Compliance and data protection: Due to the European General Data Protection Regulation, now transposed to Spanish legislation, data that companies collect on employees, customers, suppliers and third parties must be appropriately processed according to the implications of the held data. For this reason it is important to implement the procedures described above aimed at identifying potential risks and defining protocols for their correct management.
  • Compliance and regulated sectors: Some sectors, due to specific regulatory frameworks, require a very detailed analysis of the regulations that affect them, e.g., they may be subject to strict money laundering prevention regulations and obligations.
  • Compliance and cybersecurity: One example of a specifically regulated sector is companies that operate exclusively in the digital realm, as they are additionally required to guarantee the traceability of operations and the identity of contracting parties. Cases of scams based on phishing and identity theft, for instance, are increasingly common.

Compliance and Covid-19. Covid-19 merits special mention, given its impact on the economy and the shift in habits in commercial and even personal activities. As a consequence, the development of disease prevention protocols has acquired particular importance, based on an in-depth analysis of the risks entailed by an activity in relation to Covid-19.

Similarly, a company’s response to Covid-19 has shaped one of the most important non-legal aspects of compliance, namely, business reputation. Reputation, a valuable intangible corporate asset, can be damaged by a sanction or by the mere fact of being immersed in a judicial investigation. A company’s proper response to a pandemic strengthens its reputation regarding the treatment of employees, customers and suppliers, and sets an example of a good business culture.

Well-known sanctions

It is estimated that, in some 50 rulings since 2015, judges have imposed around 2,450 million euros in sanctions for company non-compliance with regulations, mainly by directors in relation to financial or tax fraud. This points to the importance of specific protocols governing those issues.

The most famous sanction, due to its importance in terms of initiating criminal liability for legal persons, was the early 20th century case of NY Central & Hudson River Railroad v. US.

Also famous, in the first decade of the 21st century, is the sanction on Enron, responsible for a massive accounting fraud that led to one of the largest bankruptcies in history.

In Europe, a recent case with worldwide impact was the Dieselgate fraud, involving manipulation of engines, with massive consequences for society and prison sentences for those responsible.

Recent cases in Spain include the Bankia and Vitaldent cases. Given the particular nature of the cases prosecuted, most sanctions have affected smaller companies than those mentioned.

Specialist criminal compliance lawyers

In Castellarnau, experience has taught us that developing compliance programmes for companies is a meticulous process, through which we come to understand internal operations as if we were an employee. We respond to each commission by preparing legal prevention tools appropriate to the dimensions and operations of the company.

With our actions, we want to provide added value in terms of detecting criminal risk and creating specific protocols based on risk and other analyses. We not only defend and protect the company as a possible active subject in the law (obligee), but also as a possible passive subject in the law (obligor).
