The changing anti-bribery and corruption landscape in Spain

The anti-bribery and corruption landscape in Spain is changing. Following the introduction of corporate criminal liability in 2010 and amendments to the Penal Code in 2015 allowing corporates to raise a compliance programme defence to avoid or mitigate liability for corruption-related and other criminal offences, Spanish prosecutors have secured their first convictions for foreign bribery against senior executives at Spanish publishing company Aplicaciones Pedagógicas y Comercialización Editorial (APYCE). Corporate convictions, however, have yet to be tested, and Spain’s commitment to improving its anti-bribery and corruption enforcement record remains to be seen.

Spain joined the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (the Convention) in 2000. In December 2012 the OECD reported that it had “serious concerns” that Spain’s enforcement of its foreign bribery laws had been extremely low, with only seven investigations and not a single prosecution in the 13 years since Spain had joined the Convention. By the time of the OECD’s June 2014 update the total number of investigations had risen to nine but there were still no prosecutions. The OECD has emphasised that Spain must vigorously pursue foreign bribery allegations and strengthen its legal framework for fighting bribery by addressing gaps in its Penal Code.

In February 2017, almost two decades after joining the Convention, Spanish prosecutors have made their first convictions for foreign bribery against two individuals at Spanish publishing company APYCE in respect of bribes allegedly paid to a foreign public official to win contracts to sell school textbooks into Equatorial Guinea.

Two senior executives of APYCE, who had previously worked on contracts worth €6.7m to deliver textbooks to Equatorial Guinea between 2006 and 2008, allegedly diverted a €70,000 donation originally destined for Equatorial Guinea’s Education Ministry to its Deputy Education Minister in order to secure future contracts.

While the executives were sentenced to a year’s imprisonment, a fine, and a three-year prohibition from working on public contracts, ‎APYCE itself was left untouched due to the fact that corporate criminal liability in Spain was not introduced until 2010, after the improper payment in this case had been made.

Spain’s anti-corruption landscape has undergone significant changes since corporate criminal liability was introduced in 2010. Following certain piecemeal extensions to the 2010 law and the publication of a Criminal Code Bill in October 2013, Organic Law 1/2015 came into force on 1 July 2015 (the 2015 Organic Law) amending the Spanish Penal Code in several significant ways.

The 2015 Organic Law provides for a “dual regime” for attributing criminal liability to legal entities. Under the new law, legal entities will be criminally liable for:

1. offences committed in the legal entity’s name or on its behalf, for its direct or indirect benefit, by its managers or legal representatives or any persons authorised to take decisions on behalf of the legal person and hold powers of organisation and control within it (including compliance officers); and
2. offences committed, in the performance of corporate activities and on behalf and for the direct or indirect benefit of the legal person, by persons subject to the authority of the persons set out in (a) (i.e., managers/legal representatives), but who were able to commit the acts due to a serious breach by these managers/legal representatives of the duty of control of their activities in view of the particular circumstances of the case.

The most important part of the 2015 Organic Law, however, is that it introduced, for the first time, grounds for exemption from criminal liability for legal entities that can show that they possess and effectively implement a crime-prevention or compliance programme.

It also provided for a dual regime for exemption of liability depending on how criminal liability has been attributed to the legal entity (through legal representatives or those subject to the legal representatives’ authority). The requirements for exemptions in these two categories substantively overlap, however, and both involve the corporate entity adopting and effectively enforcing a compliance programme before the commission of the offence.

Article 31 of the 2015 Organic Law sets out the six prerequisites for a compliance programme that will be familiar to all anti-bribery and corruption compliance officers and practitioners:

1. carrying out a risk assessment;
2. establishing anti-bribery and corruption policies and procedures;
3. using financial controls to detect and prevent criminal offences;
4. establishing an effective reporting and whistleblowing function;
5. instituting an appropriate disciplinary system that adequately sanctions compliance breaches; and
6. carrying out periodic evaluations of the compliance programme and modifying it where necessary.

In January 2016, Spain’s State Prosecutor issued guidance to Spanish prosecutors on the criminal prosecution of legal entities in general and on the assessment of compliance programmes adopted by companies in particular, highlighting nine points to be taken into consideration:

1. A compliance programme does not in itself guarantee an automatic safe-harbour from criminal liability. Off-the-shelf products that have not been tailored to the company’s risks and needs will not be considered as a valid defence to criminal liability.
2. Compliance programmes should cultivate and reflect a true compliance culture, and not merely be used as instruments to avoid criminal liability.
3. External certificationby consultants and third parties can be used as evidence of the efficacy of a compliance programme, but do not establish its effectiveness per se.
4. Tone from the top is key. Any indication that the compliance programme does not have the full engagement and support of management and directors, and/or any involvement of a director or executive officer in specific compliance breaches, will be central in assessing whether or not the company has adopted a robust compliance programme.
5. The compliance programmes of companies receiving a direct profit from criminal conduct will be evaluated more strictly than where the company only receives an indirect profit (i.e., where the director or employee who committed the crime is the primary beneficiary).
6. Extracredit will be given to companies whose compliance programmes are capable of detecting when a director, manager, or employee may have committed a crime, allowing the company to report breaches to regulators.
7. The commission of an offence does not automatically indicate the ineffectiveness of a compliance programme. Prosecutors should take into account the rank and number of the persons involved, the number of times that the crime has been committed and for how long the criminal conduct has occurred.
8. The company’s response to previous potential breaches of the compliance programme will also be taken into account, with timely and appropriate sanctioning viewed favourably.
9. The measures adopted by the organisation in the aftermath of committing an offence will also be taken into consideration, including immediate and effective investigation, disclosure and cooperation with the prosecutor and the judge.

The guidance also sets out the functions that compliance officers should undertake-including taking part in carrying out risk assessments, setting up compliance programmes, and establishing appropriate audit and monitoring systems. It emphasises that it is important for legal entities to have compliance personnel with sufficient knowledge and experience for the role, with sufficient access to internal processes and technical means in order to achieve this. Where appropriate, companies should make use of external resources, such as independently-run whistleblowing hotlines.

Following the amendments to Spanish anti-corruption legislation in recent years, Spain’s first convictions for foreign corruption in February 2017 are further signs that Spain’s anti-bribery and corruption landscape is changing. Given that Spain’s first prosecution for corporate criminal liability has yet to be carried out, however, and that the compliance-programme defence has yet to be tested, the extent to which these prosecutions represent a sea change in Spanish anti-corruption enforcement remains to be seen.