As regulators and prosecutors across many jurisdictions increasingly cooperate in cross-border anti-corruption enforcement efforts, the importance of an effective, globally oriented anti-bribery compliance program cannot be overstated. Parallel enforcement actions along with greater scrutiny of corporate compliance programs serve as a sobering reminder of the persistent efforts of regulators. With the enactment of new legislation on March 26, 2015 (effective July 2015), Spain has joined the U.S. and other countries in promulgating a high standard for effective corporate compliance programs. This article will highlight how the new Spanish law compares to the U.S. and other regulatory regimes, as well as those of several multi-lateral institutions.
U.S. Compliance Program Requirements
The importance of corporate ethics and compliance programs has been emphasized in U.S. law since the early 1990s, when the U.S. Sentencing Commission first issued guidelines designed to incentivize companies through the use of reduced penalties in exchange for effective corporate compliance programs. More recently, in November 2012, the U.S. Department of Justice (“DOJ”) and the Securities & Exchange Commission (“SEC”) jointly issued “A Resource Guide to the U.S. Foreign Corrupt Practices Act” (the “FCPA Guide”), designed to highlight, among other things, the hallmarks of an effective anti- corruption compliance program and the expectations of DOJ and SEC with respect to compliance best practices. These hallmarks include:
- Commitment from senior management and clearly articulated policy,
- Code of conduct and compliance policies and procedures,
- Oversight, autonomy and resources for the implementation of a compliance program,
- Risk assessment,
- Training and continuing advice,
- Incentives and disciplinary measures,
- Third party due diligence and payment oversight,
- Confidential reporting and internal investigations,
- Continuous improvement of the program through testing and review, and
- Pre-acquisition anti-corruption due diligence and post-acquisition integration.
These hallmarks are largely reflected to one degree or another in other similar pronouncements from inter-governmental and non-governmental entities, including the 13 “Good Practices on Internal Controls, Ethics, and Compliance” from the 2010 Organization for Economic Co-operation and Development, the United Nations Global Compact’s Ten Principles , the World Bank’s “Integrity Compliance Guidelines” and the World Economic Forum’s “Partnering Against Corruption – Principles for Countering Bribery.”
Compliance Program Requirements in Other Countries
Not only is it desirable to have a comprehensive compliance program containing certain key elements, in several countries it is mandatory. The UK Bribery Act of 2010, for example, imposes criminal liability on corporations that fail to prevent bribery. The Act does provide a defense, however, for organizations that can prove they had “adequate” compliance procedures in place to prevent the offense at issue. In contrast, the U.S. does not provide an affirmative defense for companies that demonstrate they implemented adequate compliance procedures, although the U.S. Sentencing Guidelines do allow for mitigation of penalties where adequate compliance programs are shown to be in force. Brazil’s recently-enacted Clean Company Act similarly seeks to incentivize companies to demonstrate an effective compliance program through the mitigation of potential fines. On March 18, 2015, President Roussef issued a Decree outlining, among other things, the hallmarks of a compliance program under Brazilian law, including: (i) “tone at the top” in the form of commitment from senior executives and directors, (ii) written policies and procedures for employees and business partners; (iii) periodic training on the compliance program; and (iv) periodic risk assessments. The Decree addressed the factors that Brazilian authorities should consider when addressing the effectiveness of a company’s compliance program, similar to those factors enumerated Chapter 8 of the U.S. Sentencing Guidelines. This trend seems to be aligned with the growing recognition in many countries that strong compliance represents a positive factor toward promoting the business mission. For example, in 2013, the Russian Ministry of Labor outlined recommended anti-corruption compliance guidelines for commercial and non-commercial entities in Russia.
Spanish Criminal Code Will Now Regulate the Content of Compliance Programs
Spain has now joined the growing number of countries which effectively regulate corporate compliance programs. Pursuant to amendments to the Spanish Criminal Code approved on March 26, 2015 by the Spanish Congress and scheduled to take effect on July 1, 2015, a company’s directors are legally obligated to adopt a compliance program and the program must be supervised by a body or individual authorized to exercise high-level control. The amended code provides companies with an exemption from criminal liability for crimes committed by their officers or employees, provided the company meets certain requirements set forth under the new law. Specifically, Article 33 of the amended code exempts companies from criminal liability under the following conditions:
- the directors have adopted a compliance program that meets the legal requirements under Spanish law,
- the supervision of the program is entrusted to a company´s body or individual with authorized powers of initiative and control (Compliance Body),
- the officers or the employees have committed a crime by intentionally violating the compliance program, and
- the Compliance Body did not neglect its duties of supervision, oversight and control.
The amended Spanish code also lists six key elements that a compliance program must include in order to insulate a company from criminal liability (provided that the compliance program has been adopted before a crime was committed by any of its officers or employees). These six elements, as enumerated in Article 33 bis 5, are:
- Risk assessment,
- Standards and controls to mitigate any criminal risks detected,
- Financial controls to prevent the crimes,
- Obligation to report to the Compliance Body any violations of the standards and controls (a whistleblowing channel),
- Disciplinary system to sanction violations of the compliance program by officers and employees, and
- Periodic review of the compliance program, making the necessary adjustments when serious violations occur or when the company undergoes organizational, structural or economic changes.
Since the amended code requires an effective compliance program, companies will also need to demonstrate that their officers and employees have received proper training. Prior to this development, in 2010, Spanish legislation introduced corporate liability for a number of crimes, including corruption. Directors could be held criminally liable if a crime was committed that could have been avoided. However, that legislation did not address the consideration a judge could give to a company’s compliance program. The 2015 Spanish legislation now places great weight on effective compliance programs, following the global trend toward mandating compliance programs reflecting core elements for such programs. Additionally, much like in the U.K., the recent Spanish legislation is designed to provide an affirmative compliance defense for companies that can demonstrate the six elements of an effective compliance program described in the new law. While not identical to the U.K., the steps outlined by the amended Spanish Criminal Code are also consistent with the factors considered by U.S. enforcement agencies in evaluating organizational compliance and ethics practices. While the number of “essential elements of corporate compliance” varies from one regime to another, the five common denominators across all regimes are the following:
- risk assessment;
- standards and controls;
- training and communication; and
- monitoring, audit and response.
Trend Toward Globally Accepted Standards of Compliance
The new Spanish legislation reveals an emerging international consensus on compliance best practices, and on the essential elements of an effective compliance program. Multi-national organizations are now subject to an increasing number of anti-corruption regimes in the various markets in which they operate and must therefore ensure that all policies and procedures conform to all applicable laws and regulations. Spain’s new Criminal Code serves as yet another reminder of the need for constant monitoring of corporate compliance programs not only to ensure effectiveness but also legal sufficiency in all respects.