Plan for the Prevention of Criminal Risks: We draw up the prevention protocol appropriate to your company's activity. We analyze the risks, design the internal surveillance, supervision and control system for the prevention of crimes and the detection of illicit behavior, and define the correct reaction and action against them. That is to say, we advise you on prevention, detection and reaction in an integrated way.
Periodic audit: In addition, we review the correct functioning of the Criminal Risk Prevention Plan, we watch for changes or new developments in your company that may affect the implemented model, and we periodically monitor the effectiveness of the proposed protocol.
Compliance Officer: If your company does not have a person who can ensure the execution of the Criminal Risk Prevention Plan, from PL-LEGAL Estudio Jurídico we can provide the service of an external compliance supervisor who manages the prevention model, informs the company staff of the criminal prevention plan, reviews and modifies it whenever necessary, and manages the internal investigation and reporting channel.
FREQUENTLY ASKED QUESTIONS
Why can a company (or legal entity) be imputed?
In 2015, the Government promoted a reform to ensure that companies assume their own criminal responsibility by forcing them to have a Criminal Risk Prevention Plan. Based on this reform, specifically on Article 31 bis of the Criminal Code, a legal entity will be criminally responsible, among others: "Of the crimes committed by workers, in the exercise of social activities and for their own benefit or for the company, when the proper supervision, surveillance and control has not been exercised over them."
What consequences can they suffer?
Economic fines, which can reach 5 times the profit obtained.
Dissolution of the legal entity and closure of the company.
Suspension of activities for a period of up to 5 years.
Closure of premises and establishments.
Definitive prohibition to carry out in the future the activities in whose exercise a crime has been committed, favored or covered up.
Judicial intervention for a period of up to 15 years.
Prison sentences for administrators.
In addition to the penalties imposed by law, collateral damage is extremely serious for the proper functioning of a company:
Material impossibility to obtain external financing
Loss of confidence of suppliers and customers
Disrepute of the commercial name
Demoralization of staff
Cancellation of works
How can you avoid it?
To avoid this problem, your company needs a Criminal Risk Prevention Plan. It will include a monitoring, supervision and control system to elude or minimize the criminal liability of the legal entity. At PL-LEGAL Estudio Jurídico we can adapt to your needs and help you develop this set of measures and good practices, called Corporate Compliance. Do not hesitate to contact us and ask for more information without obligation. These measures must be developed and managed by specialist lawyers following a professional sequence:
Final evaluation and review of established controls.
Implementation of the Plan tailored to your needs
Preventive action plan
Review and improvement of procedures
And detection of the criminal risks to which you could be exposed.
The Compliance Officer in the business organization chart
Where the Compliance Officer is located in the business organization chart is one of the biggest doubts that has arisen since the reform of article 31 bis of the Criminal Code. It is one of the topics where Corporate Compliance, commercial law and criminal law must be reconciled to provide an effective solution to a subject that is regulated in a dispersed manner.
From the point of view of Corporate Compliance, it is required that the function responsible for regulatory compliance (be it a Compliance Officer, Committee, or whoever acts under any other name) is governed by two fundamental principles: Independence and Autonomy. The greater the degree of independence and autonomy, the more effective its function and system will be considered.
Regarding commercial law, the Capital Companies Act does not expressly include the figure of the Compliance Officer, but its functions can be found in at least two positions:
1. On the one hand, article 529 octies establishes as functions of the secretary of the board of directors "to ensure that the actions of the board of directors comply with the applicable regulations and are in accordance with the bylaws and other internal regulations".
2. On the other, article 529 terdecies states that the board of directors must constitute "at least one audit committee ...".
Both figures, without prejudice to the residual supervisory and surveillance responsibilities that fall on the administrator, have attributions that can be assigned to the Compliance Officer.
Finally, in the area of criminal law, we find that article 31 bis 2 2ª of the Criminal Code entrusts the supervision of the model to a "body of the legal entity with autonomous powers of initiative and control or that has the legal function of supervising the effectiveness of internal controls ...".
As you can see, the legal mandate is quite general and dispersed.
Nowhere is the configuration of the Compliance Officer or Compliance Committee function defined; nor is it established who must designate it, what its attributions are, or the degree of responsibility that will fall on its shoulders. However, it is perfectly possible to harmonize the different legal provisions to create not one, but several models of supervisory and control body within the company; it is a matter of which suits the operation of each. To be precise about it, you should take into account the principle of autonomy of the will, the capacity of the administrative body to delegate the function and the models that we are replicating from other jurisdictions.
1. Primacy of the principle of autonomy of will
Although the legislative framework requires the designation of those responsible for supervising and monitoring the company, we must not forget that in commercial and civil matters the principle of autonomy of the will prevails. Companies are governed by a set of legal guidelines that aims to provide greater security to their own shareholders and regarding the actions of the legal entity vis-à-vis third parties. The Law on Capital Companies establishes a minimum requirement. From that point forward, companies can freely determine the configuration of their performance. That is to say, a mercantile company can appoint its secretary of the board as Compliance Officer, who has the obligation to "ensure that the actions of the board of directors comply with the applicable regulations"; or it may designate another board member as a Compliance Officer (preferably one not having responsibilities related to the administration of the business), with ad-hoc functions and harmonizing his management with that of the director.
You can also appoint an Audit Committee, and within that Committee, appoint a Chief Compliance Officer, who is in charge of the supervision and control of all the operational management of the company, including the actions of the rest of the board of directors. You can even place the Compliance Officer as a dependent employee of the Board of Directors with the power of initiative and budgetary independence, in the case of legal persons of small dimensions and with the qualifications mentioned in the following point. In any case, there is no sacramental formula or mandate that forces one figure or another to be used. In all cases, the structure of the company, its statutes and Regulations must be taken into account in order to obtain the best fit for the function, always taking into account the principle of autonomy of the will, until there is a regulation that says otherwise.
2. Does the Criminal Code leave the door open for the Compliance Officer to be a delegate of the administrative body?
In practice, it is discussed whether the Compliance Officer can be appointed by the management body and whether it can be an employee or even an external advisor. For this it is necessary to determine the extent to which said body is able to delegate the functions of supervision and control. In the cases provided for in articles 31 bis 1 (crimes committed by those who make the decision on behalf of the legal entity or have powers of organization and control within it) and 31 bis 4 (crimes committed by those subject to the authority of those who make the decisions), the company can be exempted from responsibility if the supervision of the operation and compliance with the prevention model has been entrusted to a body with autonomous powers of initiative or control, or legally entrusted with the function of monitoring the effectiveness of internal controls.
Can we speak of a body with autonomous powers of initiative or control that depends organisationally on the administrative body? The will of the parties allows a great deal of freedom, and the statutes or the regulation could create some fit, but it is difficult to speak of an effective mechanism if the supervised party decides the degree of autonomy of the one who supervises it. Regarding the second case, the person legally entrusted with the function of monitoring the effectiveness of internal controls is the chairman of the audit committee, according to article 529 quaterdecies in the first paragraph of the fourth paragraph. After the filter of article 31 bis, it would seem that the Compliance Officer would have to be within the highest spheres of the company: Secretary of the board, non-executive board member, member of the audit committee or similar ... Otherwise the autonomy of control and initiative is called into question. The lower in the organization, or the greater the subjection to the decisions of the administrators linked to the operation of the company, the more difficult it will be to demonstrate the effectiveness of the system. However, the Criminal Code leaves a way out for the case of legal persons of small dimensions, in which case the supervisory functions can be assumed directly by the administrative body. In this case, a partial delegation of functions seems feasible, with the administrators always being responsible for monitoring the compliance of the system and the discharge of the Compliance Officer's management.
3. Following the example of the creators of Legal Compliance
However, beyond the legal assumptions that outline some aspects of the supervision and surveillance function, it should not be ignored that Compliance comes from the Anglo-Saxon culture, where regulatory compliance as a control mechanism originates as something self-imposed by the companies themselves and does not derive from a legal mandate.
The Sentencing Guidelines manual states that "high-level personnel" must have overall responsibility for the Compliance program, but does not make recommendations on who specifically should hold it. But apart from being a person of high level, the most important recommendation is that there is no possibility of a conflict of interest. When the role of the Compliance Officer coincides with the administrator or is embedded within the company's operations, there is a risk of an eventual conflict of interest. Will a CEO who is informed by his compliance officer about an irregularity that questions his management be able to decide what is best for the company? Does a management body that has committed a crime inform the shareholders of its actions? These are the issues that oblige a company to set the Compliance bar very high if it wants to take regulatory compliance seriously. It is not enough to designate an employee who assumes supervisory functions and becomes a kind of puppet. The risk to the company transcends the prevention of crimes and the legal entity; therefore, if you really want to establish an effective ethical culture within a company, you must ensure that the Compliance Officer has independence, autonomy and even freedom to report to the shareholders when it detects that the administrative body is committing a crime.
Responsibilities of the Compliance Officer
The responsibilities of the Compliance Officer in Spain start from the duty to inform of possible risks and breaches, but are not limited to it. This is a function that, in order to fully comply with this duty and be effective in its management, requires executing a series of monitoring, control, implementation, training and notification tasks for the company's governing bodies.
Although there is no consensus on all responsibilities of the Compliance Officer, which may vary from company to company according to its organizational structure and sector, there are some general lines of action common to the function that are recently included in the ISO 19600 Standard. By way of example, the following stand out:
It must identify the obligations to which companies are subject, both from the legal point of view and those guidelines that derive from Sectorial Codes or their own policies or Ethical Codes. The doctrine refers to these two types of obligations as Hard Law and Soft Law, the former being those that derive from a legal mandate whose breach represents an infraction, while the latter are those that the company voluntarily decides to comply with as good sector practices or for the development of good governance.
It must understand the processes and procedures of the company, so that it can integrate the development of the same with the obligations in terms of regulatory compliance.
With regard to employees, the Compliance Officer will be responsible for providing or coordinating continuous training in matters of regulatory compliance, and will be the figure who provides support in case of doubts about how to proceed or about whether or not a certain conduct constitutes a violation of the company's Compliance.
The Compliance Officer should also contribute to the description of Compliance obligations that are inherent to each area or position within the company, as an objective parameter in the evaluation of staff performance.
Taking into account that one of the main responsibilities of the Compliance Officer is to report any breach, he must implement the measures and controls that allow timely knowledge of the risks and incidents, either through the staff or inferred from the documentation collected through internal processes. Examples of this are:
System for complaints and reports, with support by telephone or by email.
Periodic meetings with those responsible for processes.
Periodic incident reports.
Mechanisms of direct support to employees who have doubts about whether or not a conduct represents a risk, before executing it.
Checkpoints and process controls for cases in which the normal operating parameters are exceeded and the approval of the Compliance Officer is required (for example: signature of contracts that exceed a certain amount, authorization of corporate gifts).
Indicators of performance and compliance with the measures established to guarantee regulatory compliance and that reflect the evolution of the risk prevention system.
Because one of the sectors that may generate risks for companies is their relationships with third parties, it is also the responsibility of the Compliance Officer to identify and address the risks derived from their relationships with customers, suppliers, distributors and external sales representatives, as well as any collaborator who could be considered representative of the company.
Monitor the functioning of the risk prevention system and take the preventive and corrective measures that guarantee its effectiveness and ensure the revision at the planned intervals.
Provide advice to the organization in matters of Compliance, either directly or through external experts.
As can be seen, this is a set of responsibilities that are important not only for the position but can also affect the activity of the company, and that is why it must be guaranteed that whoever acts as a Compliance Officer or as a Committee for such purposes is a person who demonstrates values such as integrity, commitment, leadership, effective communication, the ability to insist and convince about the acceptance of their recommendations and a deep knowledge (or access to experts in the field) on issues of regulatory compliance. It should be noted that failure to comply with these responsibilities may not only result in the criminal penalties established by the Criminal Code for the company, but also in personal liabilities for the Compliance Officer who has not exercised his duty of diligent surveillance. Although, given the novelty of the issue, there are not yet judicial pronouncements in Spain, there are precedents in the European environment, such as a Federal Court in Germany that sentenced the Compliance Officer of a garbage company in Berlin in 2009 for having incurred omissions regarding their duty of supervision and surveillance despite having notified the noncompliance. A case that, of course, will be the mirror in which our courts will soon look, as has been happening in the field of Community Law of the European Union.
4. Compliance Officer or Committee?
Up to now we have referred indistinctly to the Compliance Officer or the Committee, with the understanding that the functions must be executed by one or the other in the same way. However, one of the first questions that the company raises is how to define its Compliance structure.
The decision to appoint a person who already performs another function in the company, create a new position, establish a committee or hire an external party to be in charge of the subject will depend on the organizational complexity and size of the company, taking into account its singularities, and it would be difficult to recommend a specific structure a priori. It is common for small companies to appoint a single person to perform these functions, or to decide to assign these responsibilities to another person who performs supervisory duties within the company. However, this last alternative, although acceptable in some cases, has its risks insofar as a conflict of interest can be generated or the Compliance Officer is not given true autonomy, calling into question one of the principles that should govern the function. Legal entities of small dimensions deserve separate mention: because they are authorized to leave oversight and supervision in the hands of the Administration body, they may incur not only a conflict of interest (being subject to reviewing their own actions), but also a lack of autonomy that could render the model ineffective. That is why, in this case, it is advisable that the person who exercises the function is a director or administrator who is not directly linked to the operational area, so that their work is not subject to the way in which the processes are executed.
General recommendations
We summarize below some recommendations that can serve as guidance to companies when defining their supervisory, monitoring and control function:
The definition of the role of the Compliance Officer will be fundamental in demonstrating the effectiveness of the model; therefore it must be considered a necessity and be given the relevance that its responsibilities warrant.
The figure must be endowed with functional and budgetary autonomy.
Must have access to the General Board and the right to speak in the administrative bodies.
Must be recognized as an authority in compliance, both by the staff and by the company's own administration.
Its designation must be, as far as possible, made by the General Meeting and not subject to revocation by the Directors.
Whoever performs the functions must have sufficient time to attend to matters related to regulatory compliance.
Must have direct access to experts in matters of Compliance, Good Governance, Taxation, Criminal, as well as any other issue where a risk to the company could arise.
The Compliance Officer must be a participant in the strategic decisions, so that he can analyze the risks before the actions that may endanger the company are executed.