Compliance is a fashionable term in the business world, and one necessarily linked to the legal side of companies. So much so that a new profession has even been created, the compliance officer, a role that, for the time being in our country, is found in large companies. However, although small and medium enterprises assign these functions to different roles, the obligation is the same.
What is compliance?
Compliance consists of establishing appropriate and sufficient policies and procedures to ensure that a company, including its officers, employees and related agents, complies with the applicable regulatory framework.
This covers not only the legal regulations, binding on all, but also internal protocols, standards and codes, agreements with customers or third parties, and agreed business decalogues.
How did it come about in Spain?
It arose from the need to ensure compliance with all regulations in Anglo-Saxon financial institutions, where the regulation is sometimes quite complex and the sanctions for non-compliance are very high. That is why they began to set up departments dedicated exclusively to ensuring compliance. Before this figure existed, the legal advisors were in charge of these tasks.
In Spain, we’re late. It is beginning to be established so that large foreign companies based in Spain can provide security and “protection” to their foreign partners against possible “guilty” conduct by any of the managers, administrators or employees here.
With the advent of new laws affecting most business sectors, small and medium-sized enterprises are becoming increasingly aware of the importance of their security, for example in the area of data protection, rules for good corporate governance or various directives or ISO standards specific to certain sectors.
How is it applied?
This function is carried out through five sets of actions, which need to be coordinated and carefully planned:
Identification: the risks faced by the company must be identified, taking into account their severity and impact and the likelihood of their occurrence.
Prevention: knowing the risks, control procedures must be designed and implemented to protect the company.
Monitoring and detection: the effectiveness of the controls implemented must be supervised, informing management of the company’s exposure to risks, and carrying out periodic audits as necessary.
Resolution: when, in spite of everything, a compliance problem arises, work must be done to resolve it.
Advice: managers and workers must receive all the necessary information to carry out their work in accordance with current regulations.
With the reform of the Criminal Code, the criminal liability of legal entities and its implementation, compliance has become a way of exempting them from criminal liability for a crime.
Basically, Article 31 bis of the Criminal Code establishes that the legal person is exempt from criminal responsibility if it has carried out a series of suitable surveillance and control measures to avoid crimes being committed or to reduce the risk of their being committed.
Criminal liability has been the clear driver of compliance.
Who can do it?
Traditionally, these functions fell to legal departments, at least at a general level. But due to greater regulatory complexity, people have emerged who specialize in this function, either from within the company as in-house counsel, or as part of companies specializing in compliance.
This is why large law firms and audit firms are strengthening their areas of compliance to provide this function to companies that require it.
It is important that these departments, whether centralized or decentralized, internal or external, are structured and implemented in such a way that they have sufficient independence and authority to issue instructions to all levels of power in the company, and sufficient resources for their work to be effective and not merely illusory, so that they do not become a department that exists only for show toward third parties. This means treating compliance as an element that generates value in the company, avoiding risk and contributing to a better business culture, and not only as an expense.
Currently, prevention programs have the status of an exemption with regard to the criminal liability of legal persons.
Legal persons cannot commit crimes, that is to say, they cannot commit actions with “guilt” as such. They are not the ones who commit the crimes. Legal persons can be punished. Legal persons are criminally liable for certain offences (art. 31 bis 1). They do not commit crimes, but are punished for crimes committed by other persons “guilty” of them.
From my point of view, and as Don Antonio del Moral García, magistrate of the Supreme Court, wisely says, in order to impose a penalty on a legal person, it is necessary that another person (a natural person) commits a crime.
Legal persons cannot even commit a crime on their own.
Legal persons can neither offend on their own, nor be guilty in the sense in which we attribute that category to natural persons.
The situation in small and medium-sized enterprises
In Spain the vast majority of companies belong to the famous group of SMEs. What about SMEs? Often they do not have enough economic resources to set up a specific department for the matter or to entrust this regulatory compliance to external management.
The legislator is aware of this, so that the regulatory framework to which I referred is usually applicable only to larger companies, in addition to including exceptions dedicated to smaller companies. But it is important that, at least, managers have a familiarity with the concept, with a view to their dealings with larger companies, and that they try as far as possible to create a climate conducive to regulatory compliance.
These legal changes place on companies the responsibility incurred by their managers or employees, unless they can demonstrate that they have put in place the necessary means to avoid such inappropriate conduct, for example, in compliance with tax laws, transparency of accounting information, actions with an impact on the environment or practices that may be discriminatory in personnel hiring policy.