This post is the result of a collaboration with Manuel Alverez Feijoo, a friend and lawyer in the important law-firm Uría Menéndez. What we discuss below is also the topic of many lectures Manuel delivers within my business ethics and compliance courses in IESE business school.
I believe that two main broad considerations can be done before entering in the technical-legislative discussion.
First, the 2015 amendment of the Spanish Criminal Code is a major change in the compliance practice of the Spanish realm and it follows the European trend of the last fifteen years.
Second, and most interesting, Spanish prosecutors, as well those of many countries, highlight more and more the importance of ethics as critical precautionary variable to prevent criminal activities inside organizations. Said in other words, ethical training and education is a requirement requested by the law that is expected to go well beyond the “pure compliance” strategy. (If you did have the possibility to read the first post, I encourage you to read the article “Cosmetic vs. Substantial Compliance” posted on January 25).
A 2015 amendment of the Spanish Criminal Code (SCC) introduced a criminal liability exemption (affirmative defence) for those companies able to prove they had in place crime prevention and detection measures or compliance programs in the event that a crime is committed within the organization by their directors, representatives, employees, agents, etc. and to their benefit.
In the case of offences committed by employees, the company may be exempted of any criminal liability if, before the commission of the crime, the management body (i.e. board of directors) had adopted and effectively implemented an organization and management model (compliance program) suitable to prevent crimes of the same nature or significantly reduce the risk of their commission.
In the case of offences committed by company representatives, directors or managers, in addition to the requirement above, the company may be exempted if the following requirements are also fulfilled:
- The monitoring of the prevention model had been entrusted to a compliance officer or a supervisory body with autonomous initiative and control powers or to a corporate body legally entrusted with the supervision of the effectiveness of internal controls;
- The offender had committed the crime fraudulently avoiding prevention controls; and
- There had been no omission or insufficient oversight by the compliance officer or supervisory body.
In any case, the SCC sets forth that the company’s organization, management and control model (the compliance program) should comply with the following requirements:
- Identify the activities in which offences might be committed (i.e. risk mapping).
- Establish policies, protocols and proceedings that specify how the company’s decisions are adopted and executed in relation to crime prevention (i.e. anti-bribery policy).
- Design adequate financial resources management models to prevent the commission of crimes (i.e. accounting and audit controls).
- Impose the obligation to report to the compliance officer or supervisory body about risks and violations of the prevention model (i.e. whistleblowing channel).
- Establish a disciplinary regime that adequately punishes infringements of the prevention model.
- Carry out periodic verifications and updates of the prevention model, especially: (i) when relevant infringement of the compliance program occurs; and (ii) when organizational changes or changes in the activities or control structure take place in the company.
And this is all about how corporate compliance programs should look like in Spain. As seen, the letter of the law is strictly focused on the prevention angle of compliance efforts when it comes to define the affirmative defence. There is no mention to compliance programs being aimed at founding a corporate culture of business ethics as the source of any crime prevention initiative.
This approach contrasts with the US’ standards on corporate liability -which constitute an international key reference in this area of law- as Chapter 8 of the United States Sentencing Guidelines (USSG) expressly establishes that “to have an effective compliance and ethics program […] an organization shall […] promote an organizational culture that encourages ethical conduct and commitment to compliance with the law”.
However, and fortunately, Spanish law enforcers have already looked beyond the letter of the law to the spirit of the law. In this regard, the Public Prosecutor’s Office, through its Memorandum 1/2016 on corporate criminal liability, considers that “corporate compliance programs are not aimed at preventing the company from being sanctioned but at promoting a true business ethics culture”.
More importantly, the Spanish Supreme Court shares the same interpretation of the SCC’s provisions in its Judgment 154/2016 of 29 February, stating that corporate criminal liability must be determined by assessing whether “the crime committed by an individual within the organization has been possible, or facilitated, due to the lack of a culture of compliance with the law as a source of inspiration for all corporate activity”.
We believe that the interpretation of the Spanish Supreme Court is extremely important because it highlights the importance of corporate culture and the role of ethics in shaping corporate activities.
It is evident that a culture of compliance and ethics cannot be nurtured just delivering an online-compliance course and adopting in a mechanical way some control practices. In this sense, it is important to highlight the importance of the active engagement of the whole top management for the creation of an organizational environment that nourishes the individual and organizational sense of responsibility.
At the end, the mission of each company is delivering a service to society for its improvement. The sense of ethics and responsibility is the key of such view of corporate life.