Spain:
Spain Sets A New Milestone With Its Corporate Compliance Statute
27 August 2015
Foley & Lardner
To print this article, all you need is to be registered or login on Mondaq.com.
As of July 1 of this year, Spain becomes the latest in a string
of nations with a corporate compliance defense. Article 33 of
Spain's criminal code will provide an exemption from corporate
criminal liability where the company adopts a qualifying compliance
program prior to the occurrence of the conduct at issue. An
interesting feature of Article 33 is that it goes further than
other countries have gone with their corporate compliance defenses
in that it actually mandates specific features that compliance
programs must contain in order to qualify.
This is noteworthy for several reasons. First, this further
evidences the trend toward imposing corporate responsibility for
policing the corrupt activities of officers and employees around
the world. Second, the content of Spain's law reflects a
growing international consensus about how corporate compliance
programs should be structured. Compared with just a few years ago,
global multinationals now have a very good sense of how a
compliance program ought to look. Finally, Spain has taken the
unique step of actually embedding a specific list of compliance
program requirements right into its statute, rather than deferring
promulgation to an enforcement body or placing them in a
non-binding source, such as sentencing guidelines or a
prosecutorial manual.
It's this last point that is in many ways the most
significant. Article 33 is notable not so much for what its law
actually mandates, but for the fact that Spain has seen fit to
actually enshrine those requirements in its statute. It suggests a
permanence that we have not seen before.
Until now, most countries have been unwilling to statutorily
commit to a set of compliance concepts. This is most likely born
from a desire to remain flexible and from the practical recognition
that legislative processes are highly unpredictable and, once
adopted, statutes are difficult to change. Instead, counties have
delegated the responsibility to opine on what will qualify to a
relevant enforcement body (as is the case in the UK) or have fallen
back on general compliance concepts that should be relevant in
determining what charges to be brought or fines to be levied
against a corporate defendant (as is the case in the U.S. and
Brazil).
The result of this flexibility has been a lack of clarity that,
on the whole, is bad for compliance. How can a company know that
the resources it invests in its global compliance program will
yield concrete benefits when an employee circumvents the program
and violates the law, as will almost inevitably happen? How can a
compliance officer effectively advocate for increased investments
in a program that is not guaranteed to insulate the company from
criminal charges? And once resources are available, how does a
compliance officer decide to allocate them in a way that will be
viewed most favorably by regulators who might scrutinize the
compliance program years down the road?
Article 33 does not necessarily provide definitive answers to
these questions. However, Article 33 is significant in that it
establishes as a matter of statute what a compliance program must
have. Specifically, it requires companies:
- To conduct risk assessments of its business;
- To establish policies and procedures designed to mitigate risks
identified by those assessments;
- To implement financial controls intended to prevent criminal
conduct;
- To establish a whistleblowing policy that obligates employees
to report misconduct;
- To adopt a system of disciplinary sanctions applicable to
officers and employees for violations of the compliance program;
and
- To undertake periodic reviews of the compliance program and
make modifications to it when serious violations occur, new
weaknesses are noted, or the company undergoes significant
organizational changes.
Beyond these specifics, Article 33 also states that, to qualify
for the exemption from corporate criminal liability, the compliance
program be managed by a body or individual within the company that
has sufficient authority and control and that those in charge did
not neglect their duties.
None of Article 33's concepts are new. Indeed, many of them
date back to corporate compliance discussions from the 1980s and
can be found in the commentary to the 1991 U.S. Sentencing
Guidelines. In addition, all of Article 33's compliance
requirements have been discussed extensively in other sources
– such as the Bribery Act Guidance published by the UK's
Ministry of Justice and the Resource Guide to the U.S. Foreign
Corrupt Practice Act published by the U.S. Department of Justice
(DOJ) and Securities and Exchange Commission (SEC).
But these documents are merely advisory and often resort to
vague, non-committal statements (e.g. "The question of whether
an organisation had adequate procedures in place to prevent bribery
in the context of a particular prosecution is a matter that can
only be resolved by the courts taking into account the particular
facts and circumstances of the case." Bribery Act Guidance p.
6. "In assessing whether a company has reasonable internal
controls, DOJ and SEC typically consider whether the company
devoted adequate staffing and resources to the compliance program
given the size, structure, and risk profile of the business."
FCPA Guidance p. 58.) While these advisory sources recite that each
of the enumerated concepts are "considered" and are
important, they never go so far as to mandate that specific things
be done.
Article 33 effectively requires companies to prove each of the
enumerated compliance activities in order to qualify for the
defense. None are optional. Indeed, that none of the six
requirements are in the least bit controversial speaks to the rapid
evolution of corporate compliance best practices. Compliance
professionals everywhere seem to accept that these are the
hallmarks of an effective compliance program and that they know
what each of the enumerated requirements means. What remains
unknown – and it is a very big unknown given how many
resources companies are investing in compliance – is exactly
how much is enough. Until Spanish prosecutors or courts render
opinions on that subject, companies will have to look elsewhere for
guidance.
Given that Spain has stuck with consensus regarding the features
of an effective compliance program, it seems unlikely that it would
require something radical in terms of the level of activity.
Ironically, the only good example so far of a compliance defense
clearly working comes from the United States, a country many
commentators continue to incorrectly claim does not even have a
corporate compliance defense. When the DOJ declined to prosecute
Morgan Stanley in 2012 it explicitly referenced the company's
compliance program as the reason for the declination. The DOJ
called specific attention to Morgan Stanley's detailed
compliance policies, its extensive training on those policies, its
massive worldwide compliance resources (with more than 500
compliance officers worldwide, for a company with $32.3 billion in
revenue the prior year), the extensive compliance messaging from
senior leadership to all employees, and the transaction-specific
diligence conducted on the transaction at issue.
It is hard to image such a dedication of compliance resources
would not also have satisfied Spanish authorities (or UK or
Brazilian authorities for that matter). The practical question
– to which there is no definitive answer for now – is
how much less could a company get away with and still qualify?
Article 33 obviously does not provide a minimal threshold and it
would be unwise to conclude that a minimal program will satisfy
Spanish authorities.
Indeed, for compliance officers charged with implementing a
global compliance program, Article 33 provides another loud voice
in the international chorus of nations proclaiming the importance
of corporate compliance. By promulgating a list of specific, first
of their kind statutory requirements, Spain has made clear that any
debate over what elements compliance programs should have is
essentially over and the only question that now remains is the
level of resources and activity necessary to take advantage of the
rapidly growing corporate compliance defense.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Corporate/Commercial Law from Spain