Compliance 360º: how to shield your company from criminal liability and corporate risks in the 21st century
A single episode of fraud, corruption, environmental crime, technological failure or misuse of data can trigger millions in fines, media investigations, loss of trust and even the demise of the company. This raises a crucial question: can compliance, when well designed and executed, really save a company?
Responsible party
Following the reform of the Criminal Code in 2010, Spain introduced the possibility of holding legal persons criminally liable for offences committed for their benefit or in their interest. This transformation represented a radical shift in the conception of economic criminal law: the company ceased to be a mere passive instrument and became a responsible entity capable of being tried, punished and subjected to such serious measures as suspension of activities, temporary closure, judicial intervention or even dissolution. This is not an abstract theory; numerous subsequent rulings have confirmed that companies can be held criminally liable even if there is no direct economic benefit, provided that the offence was committed in the course of their business and was facilitated by systemic failures in internal controls.
The company's liability rests on three essential elements: the commission of a crime by a person linked to the organisation; the existence of a functional connection between that crime and the company's interests; and the finding that the company lacked adequate mechanisms to prevent, detect or react. The absence of controls—or the existence of merely formal controls—is interpreted as a lack of ethical culture and diligence, which can significantly aggravate the company's position in criminal proceedings.
Legal and strategic shield
In this context, compliance ceases to be a mere internal protocol and becomes a genuine legal and strategic shield. Under the legislation, a company that can prove it had in place an effective organisational and management model for preventing crime, not just on paper but operational, real and adapted to its own risk profile, may even be exempt from criminal liability. But effectiveness is not presumed: it must be demonstrated with evidence, adequate resources, constant supervision, an ethical culture and diligent action. Beyond its capacity to avoid sanctions, a good compliance model professionalises processes, strengthens governance, improves internal traceability and sends a clear signal to customers, investors and authorities: the company is committed to integrity.
The role of the compliance officer then takes on particular importance. Although they are not criminally liable simply for holding this position, they may be liable when they participate in the commission of a crime or when they seriously breach their supervisory duties. For their work to be credible and effective, the organisation must provide them with independence, resources, training, real authority and the ability to issue recommendations that cannot be ignored by senior management. A compliance officer without tools is, in reality, a risk disguised as a solution.
Beyond the familiar legal framework, emerging trends are transforming the role of compliance. One of them is algorithmic compliance. With the growing use of artificial intelligence in processes such as recruitment, customer scoring, automated decision-making and internal surveillance, risks are appearing that were unthinkable a decade ago. A poorly trained algorithm can produce automated discrimination, bias, rights violations or security breaches, and can even facilitate cybercrime. New European regulations, such as the AI Act, will require companies to integrate algorithmic audits, traceability of automated decisions and specific controls on the use of data and AI models.
New corporate offences are also emerging that go far beyond traditional economic fraud. Companies must now prevent issues such as punishable greenwashing (manipulated sustainability reports or false environmental metrics); environmental offences arising from digital infrastructure, such as technological pollution or the illegal use of energy; manipulation of big data; the creation of deepfakes that harm third parties; and cybercrimes committed from corporate servers without direct human involvement. This requires broadening the focus to a multidisciplinary compliance that covers ESG, technology, privacy and cybersecurity.
At the same time, a decisive trend known as "digital proof of compliance" is emerging. Today, it is not enough to claim that employees have been trained or that controls have been implemented. Judges are looking for traceable evidence: automatic logs, access histories, audit records, forensic analysis, digital reports, activity captures, traceability of internal decisions and any objective indication of ethical behaviour. The compliance of the future will, by necessity, be digitised, monitored and backed up by data.
Behavioural compliance
This approach is complemented by the rise of behavioural compliance. The most advanced companies are incorporating knowledge of psychology and behavioural sciences to understand how decisions are actually made in the organisation, where biases occur, why controls are breached, and what incentives can be redesigned to minimise errors. Rather than relying solely on protocols, they analyse how people interact with them, making compliance a natural—rather than forced—part of corporate culture.
For all this to work, a manual of hundreds of pages is not enough. The process must begin with a specific risk analysis tailored to the sector; continue with the implementation of real and effective controls; be reinforced through ongoing training, reliable reporting channels and an authentic ethical culture; be kept alive through audits, periodic reviews and regulatory updates; and be activated quickly when an incident arises, through internal investigation protocols and proportionate corrective measures. None of this will work if senior management does not demonstrate a real, visible and consistent commitment, because culture radiates from the top down.
The conclusion is simple but powerful: in a world where criminal risks are expanding, where technology introduces new dangers and where social expectations demand ethics and transparency, compliance ceases to be a cost and becomes a strategic asset. Companies that understand this will be in a position to avoid sanctions, attract investment, retain talent and strengthen their reputation. Those that do not run the risk that any incident, however small, becomes a point of no return. In this new corporate era, not having an effective compliance programme is not only imprudent: it is probably the greatest criminal risk an organisation can face.
Read the full article, written by Lydia García, associate in the Economic Criminal Law department, at El Derecho.com.