As of July 1 of this year, Spain becomes the latest in a string of nations with a corporate compliance defense. Article 33 of Spain’s criminal code will provide an exemption from corporate criminal liability where the company adopts a qualifying compliance program prior to the occurrence of the conduct at issue. An interesting feature of Article 33 is that it goes further than other countries have gone with their corporate compliance defenses in that it actually mandates specific features that compliance programs must contain in order to qualify.
This is noteworthy for several reasons. First, this further evidences the trend toward imposing corporate responsibility for policing the corrupt activities of officers and employees around the world. Second, the content of Spain’s law reflects a growing international consensus about how corporate compliance programs should be structured. Compared with just a few years ago, global multinationals now have a very good sense of how a compliance program ought to look. Finally, Spain has taken the unique step of actually embedding a specific list of compliance program requirements right into its statute, rather than deferring promulgation to an enforcement body or placing them in a non-binding source, such as sentencing guidelines or a prosecutorial manual.
It’s this last point that is in many ways the most significant. Article 33 is notable not so much for what its law actually mandates, but for the fact that Spain has seen fit to actually enshrine those requirements in its statute. It suggests a permanence that we have not seen before.
Until now, most countries have been unwilling to statutorily commit to a set of compliance concepts. This is most likely born from a desire to remain flexible and from the practical recognition that legislative processes are highly unpredictable and, once adopted, statutes are difficult to change. Instead, countries have delegated the responsibility to opine on what will qualify to a relevant enforcement body (as is the case in the UK) or have fallen back on general compliance concepts that should be relevant in determining what charges should be brought or fines levied against a corporate defendant (as is the case in the U.S. and Brazil).
The result of this flexibility has been a lack of clarity that, on the whole, is bad for compliance. How can a company know that the resources it invests in its global compliance program will yield concrete benefits when an employee circumvents the program and violates the law, as will almost inevitably happen? How can a compliance officer effectively advocate for increased investments in a program that is not guaranteed to insulate the company from criminal charges? And once resources are available, how does a compliance officer decide to allocate them in a way that will be viewed most favorably by regulators who might scrutinize the compliance program years down the road?
Article 33 does not necessarily provide definitive answers to these questions. However, Article 33 is significant in that it establishes as a matter of statute what a compliance program must have. Specifically, it requires companies:
To conduct risk assessments of their business;
To establish policies and procedures designed to mitigate risks identified by those assessments;
To implement financial controls intended to prevent criminal conduct;
To establish a whistleblowing policy that obligates employees to report misconduct;
To adopt a system of disciplinary sanctions applicable to officers and employees for violations of the compliance program; and
To undertake periodic reviews of the compliance program and make modifications to it when serious violations occur, new weaknesses are noted, or the company undergoes significant organizational changes.
Beyond these specifics, Article 33 also states that, to qualify for the exemption from corporate criminal liability, the compliance program must be managed by a body or individual within the company that has sufficient authority and control, and that those in charge must not have neglected their duties.
None of Article 33’s concepts are new. Indeed, many of them date back to corporate compliance discussions from the 1980s and can be found in the commentary to the 1991 U.S. Sentencing Guidelines. In addition, all of Article 33’s compliance requirements have been discussed extensively in other sources – such as the Bribery Act Guidance published by the UK’s Ministry of Justice and the Resource Guide to the U.S. Foreign Corrupt Practices Act published by the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC).
But these documents are merely advisory and often resort to vague, non-committal statements (e.g. “The question of whether an organisation had adequate procedures in place to prevent bribery in the context of a particular prosecution is a matter that can only be resolved by the courts taking into account the particular facts and circumstances of the case.” Bribery Act Guidance p. 6. “In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” FCPA Guidance p. 58.) While these advisory sources recite that each of the enumerated concepts is “considered” and is important, they never go so far as to mandate that specific things be done.
Article 33 effectively requires companies to prove each of the enumerated compliance activities in order to qualify for the defense. None are optional. Indeed, that none of the six requirements are in the least bit controversial speaks to the rapid evolution of corporate compliance best practices. Compliance professionals everywhere seem to accept that these are the hallmarks of an effective compliance program and that they know what each of the enumerated requirements means. What remains unknown – and it is a very big unknown given how many resources companies are investing in compliance – is exactly how much is enough. Until Spanish prosecutors or courts render opinions on that subject, companies will have to look elsewhere for guidance.
Given that Spain has stuck with consensus regarding the features of an effective compliance program, it seems unlikely that it would require something radical in terms of the level of activity. Ironically, the only good example so far of a compliance defense clearly working comes from the United States, a country many commentators continue to incorrectly claim does not even have a corporate compliance defense. When the DOJ declined to prosecute Morgan Stanley in 2012 it explicitly referenced the company’s compliance program as the reason for the declination. The DOJ called specific attention to Morgan Stanley’s detailed compliance policies, its extensive training on those policies, its massive worldwide compliance resources (with more than 500 compliance officers worldwide, for a company with $32.3 billion in revenue the prior year), the extensive compliance messaging from senior leadership to all employees, and the transaction-specific diligence conducted on the transaction at issue.
It is hard to imagine such a dedication of compliance resources would not also have satisfied Spanish authorities (or UK or Brazilian authorities for that matter). The practical question – to which there is no definitive answer for now – is how much less could a company get away with and still qualify? Article 33 obviously does not provide a minimal threshold and it would be unwise to conclude that a minimal program will satisfy Spanish authorities.
Indeed, for compliance officers charged with implementing a global compliance program, Article 33 provides another loud voice in the international chorus of nations proclaiming the importance of corporate compliance. By promulgating a list of specific, first-of-their-kind statutory requirements, Spain has made clear that any debate over what elements compliance programs should have is essentially over, and the only question that now remains is the level of resources and activity necessary to take advantage of the rapidly growing corporate compliance defense.