Who wants to be a compliance officer?


Financier Worldwide Magazine

February 2018 Issue

In 2010, Spain joined a group of countries, including the UK, France, Belgium, Portugal and others, where legal entities can be found criminally liable. Given the disruption of the classical legal schemes generated by this new legal framework and the uncertainties raised, the legislator found it necessary to more accurately define companies’ liability for criminal offences. Thus Law 1/2015, amending the Spanish Criminal Code (SCC), came into force on 1 July 2015.

By virtue of this new law, companies can be exempted from criminal liability if an “effective compliance programme” is put in place. The guidelines for an effective compliance programme are defined by the law and, among other things, necessitate the creation of an autonomous body to monitor and perform surveillance on the company’s controls – in other words, they require companies appoint a compliance officer (CO).

This was rapidly implemented by many companies and the debate at the time was on specific powers, the skill set, background and role that the CO should have. But the question that no one asked was whether the CO could be criminally liable for offences committed within the company.

Initially, this was left to academic discussion, but in May 2017 the scenario changed. In the Falciani List investigation, Central Investigative Court no. 5 of Madrid summoned seven managers from Banco Santander and three from BNP to give testimony in June 2017 as defendants. Some of these managers were or had been directly involved in compliance matters such as AML, risk prevention and others. Although the court’s decision did not explicitly detail the legal grounds for investigating the defendants, its impact in the legal and corporate fields has been considerable. Who would take up a position if it could involve personal exposure to criminal risks?

Leaving aside situations in which a CO is directly or indirectly involved in a crime – where there would be no doubt of his or her criminal involvement – the question is whether a CO can be liable for any malfunction of controls set up by the company, leading to the commission of a criminal offence.

In this matter there are strong opposing arguments. On the one hand, academics claim that COs can be liable given their ‘guarantor’ position. Pursuant to Article 11 of the SCC, crimes can be committed by omission when an individual breaches a specific legal or contractual duty, which creates a risk that can be linked to the commission of a crime. Given the definition of the role the CO must have, which can be found in Article 31.2.2 SCC – “autonomous body to monitor and perform surveillance on the company’s controls” – they argue that a lack of surveillance or any malfunction of the monitoring of the company’s controls could lead to individual liability of a CO.

Legal experts and practitioners, on the other hand, argue that under criminal law, liability is limited to the individual who commits the offence and a company that fails to implement measures or controls to prevent that offence being committed. Hence, if the company delegates to the CO the specific task of performing the surveillance and this proves to be inefficient or insufficient, it is the company that has to bear the consequences. In addition, controls are to be set by the company itself as COs do not have the power to implement controls by themselves. Generally, COs have very few executive powers, and in Spain they can be seen as a specific kind of adviser. We believe that their role goes beyond that of an adviser, as they are meant to be a permanent and autonomous body within the company, but their monitoring faculties cannot be interpreted as a substitute for a director’s powers.

In other words, COs are required to check whether the company has implemented reasonable controls on its activity and periodically verify the functioning of those controls. This can be illustrated by providing an example. A large international company pays taxes in various European jurisdictions. The EMEA CO of the company must be aware that tax evasion is an offence in Spain and the risk map applicable to Spain would have to cover – among others – this issue. The CO is obliged to verify that the Spanish branch is not at risk on tax issues, so he or she can rely on the auditors or an expert to certify that the company is compliant with local tax laws. But what if there is a reasonable risk regarding the way the company pays tax in Spain? What if the CO is aware of such risk? Here, the duty of this CO is to report to the directors that there is a reasonable risk in Spain, and to advise on the specific measures to mitigate it; however, it is clear that the final decision belongs to the directors. Therefore, it will be the directors, if they decide to bear the risk, and the company, if controls are not efficient enough to prevent the commission of the crime, who are liable, but never the compliance officer, even if he or she knew of the potential risks.

This is what the Law was meant to do. The aim of Law 1/2015 was to set up efficient control arrangements within companies to reduce the commission of crimes. What the law did not intend was to increase the number of individuals exposed to criminal liability. The latter would not involve any progress on criminal prevention, but rather just the opposite; no one would be willing to take up the position of the CO, and even if they were, every CO, in order to mitigate their personal exposure, would endeavour to have the most limited role or powers possible.

Given that the court decision did not provide any legal grounds, and we do not know the details of the investigation, we cannot say if this is a fair decision or not. But what we can say is that if this is to be repeated in the near future, the effect that the Law seeks on companies could be jeopardised. COs should not be targeted by criminal courts merely because a crime could have been committed within the company. To avoid generating widespread alarm among COs, their involvement in criminal proceedings must be the subject of a well thought-out and well-grounded decision.

Unfortunately, all of this depends on the interaction of two separate worlds, namely the corporate and the judicial. From our experience, in the judicial world there is a general lack of understanding of and, indeed, little interest in learning about how companies are managed, but the truth is that the future of the CO role is in their hands.


Miguel Gadea Muñoz is a senior associate at DLA Piper Spain. He can be contacted on +34 917 887 381 or by email:

© Financier Worldwide

©2001-2019 Financier Worldwide Ltd. All rights reserved.