
How to Implement an Effective Corporate Criminal Compliance Programme in Spain: Practical 2026 Checklist

By Global Law Experts
– posted 1 hour ago

Corporate criminal compliance in Spain has moved from a theoretical best-practice aspiration to an operational imperative. Article 31 bis of the Spanish Penal Code (Código Penal) establishes that legal persons can face criminal liability for offences committed on their behalf, and, crucially, that an adequate crime-prevention model (modelo de prevención de delitos) may exempt the company entirely. With prosecutors demanding demonstrable, documented effectiveness and multiple EU transposition deadlines converging in 2026, compliance officers, general counsel and business owners operating in Spain face an urgent need to build, test or remediate their corporate compliance programmes. This guide delivers a jurisdiction-specific, step-by-step implementation checklist designed for that purpose.

Executive Summary: What This Guide Delivers

This article is a practitioner-level roadmap for any company with operations in Spain, from consolidated multinationals to micro-enterprises, that must design or strengthen a crime prevention model in line with Article 31 bis. Here is what you will find:

  • The legal foundation. A concise explanation of Spain's corporate criminal liability provisions under Article 31 bis, including the statutory tests for exemption.
  • 2026 enforcement context. The prosecutorial trends, EU transpositions (pay transparency, tax reporting, data protection updates) and regulatory signals that make documented compliance non-negotiable this year.
  • A practical 12-point implementation checklist. Covering risk mapping, policy design, governance, training, whistleblowing, monitoring and evidence, with separate tracks for companies that have no existing model and those remediating an existing one.
  • Evidence templates and KPI benchmarks. Including a compliance checklist Spain practitioners can use to prepare for prosecutorial scrutiny, plus a sample KPI tracker and audit calendar.

Who should read this: General counsel, compliance officers, HR and operations directors, and SME owners responsible for preventing corporate criminal exposure in Spain.

Legal Framework: Corporate Criminal Liability in Spain and Article 31 bis

Spain introduced corporate criminal liability through Organic Law 5/2010, later reformed by Organic Law 1/2015, which reshaped Article 31 bis of the Penal Code. The provision establishes that a legal person may be held criminally liable for offences committed, on its behalf or for its benefit, by its representatives, administrators or by employees acting under insufficient supervision. The article also sets out the conditions under which a company can be fully exempted from liability if it proves it had adopted and effectively implemented an adequate modelo de prevención de delitos before the offence occurred.

What Article 31 bis Requires

Under Article 31 bis, an effective crime prevention model must satisfy several cumulative requirements to qualify for exemption. The governing body must have adopted and effectively implemented a supervision and control model designed to prevent or significantly reduce the risk of offences of the kind committed. A compliance body, with autonomous powers of initiative and control, must have been entrusted with overseeing the model’s operation. The individual who committed the offence must have acted by fraudulently evading the model’s controls. And there must be no evidence that the compliance body exercised deficient or insufficient oversight.

For offences committed by subordinate employees, the standard is slightly adjusted: the company must show that an adequate model existed that could have prevented the conduct, given its nature and context.

Types of Offences That Commonly Trigger Corporate Liability

The Penal Code defines a closed catalogue of offences for which legal persons can be held liable. The most frequently relevant to corporate operations in Spain include:

  • Fraud and misappropriation, including commercial fraud and corporate insolvency offences.
  • Bribery and corruption, both domestic and international corruption offences, including influence peddling.
  • Tax offences, including offences against the Public Treasury and Social Security.
  • Money laundering, a frequent trigger in sectors with complex financial flows.
  • Labour exploitation and trafficking offences, increasingly scrutinised in supply-chain contexts.
  • Environmental offences, relevant for industrial, construction and energy companies.
  • Data-protection and privacy offences, including the discovery of personal data, with enforcement guided by the Agencia Española de Protección de Datos (AEPD).
  • Computer and cybercrimes, including unauthorised access and interference with data systems.

2026 Enforcement Environment and Urgent EU Transpositions to Watch

The compliance landscape in Spain is being reshaped by both domestic prosecutorial trends and EU-level regulatory deadlines that converge in 2026. For companies operating a corporate compliance programme in Spain, this means the bar for what constitutes an “effective” model is rising materially.

Top 2026 Enforcement Priorities

  • Prosecutorial demand for documented effectiveness. The Fiscalía General del Estado has progressively tightened its stance on evaluating compliance models. Industry observers expect prosecutors to scrutinise not just the existence of policies but the evidence of their operational application, training records, investigation files, board minutes and remediation logs.
  • EU Pay Transparency Directive transposition. The European Commission’s Pay Transparency Directive requires member states to transpose its provisions, and early indications suggest Spain’s implementation will create new compliance obligations around pay-equity reporting, audit trails and internal controls, all of which feed into the corporate compliance programme.
  • Tax reporting and financial transparency. Ongoing reforms to EU tax-reporting frameworks, including public country-by-country reporting, affect large Spanish companies and require updated compliance controls for fiscal risk management.
  • Data-protection enforcement. The AEPD continues active enforcement of the GDPR and Spain’s Organic Law 3/2018 (LOPDGDD), with particular attention to whistleblowing channel data handling, employee monitoring and cross-border data transfers.

Practical Impact on Compliance Programmes

The combined effect of these developments is that a static, paper-only crime prevention model that Spanish companies may have adopted years ago is no longer sufficient. Prosecutors, courts and regulators are aligned in demanding living, tested and continuously improved compliance systems with auditable evidence trails. Any company that cannot produce indexed documentation of its model’s effectiveness faces significantly greater liability exposure in 2026.

Risk Assessment and Criminal Risk Mapping: How to Do It in Spain

The criminal risk assessment is the foundation of every effective modelo de prevención de delitos. Without a properly scoped and documented risk map, policies and controls lack direction and prosecutors will question the entire programme’s credibility. Here is the step-by-step methodology.

Scope and Materiality

Begin by defining the scope of the assessment: all legal entities, business lines, geographies and material third-party relationships within the Spanish perimeter. For consolidated groups, the risk map should cover the parent and all relevant subsidiaries. Materiality should be determined by reference to the closed catalogue of offences in the Penal Code, the company’s sector, transaction volumes, regulatory history and jurisdictional exposure (for example, cross-border payments that increase money-laundering risk).

Methodology: Workshops, Interviews and Data Sources

  1. Desktop review. Analyse existing policies, prior audits, litigation history, regulatory correspondence, insurance claims and sector-specific guidance.
  2. Structured interviews. Conduct confidential interviews with key function heads (finance, HR, procurement, IT, operations and legal) to identify process weaknesses and risk perceptions.
  3. Cross-functional workshops. Bring together stakeholders to map criminal risks to specific processes, scoring each by likelihood and impact. Use the Penal Code’s catalogue of corporate offences as the reference framework.
  4. External data. Supplement internal findings with sector benchmarking, Fiscalía guidance, Chambers & Partners practice guide commentary and industry association alerts.
  5. Heat-map output. Produce a risk matrix that grades each identified risk (high / medium / low) and links it to specific controls, owners and monitoring frequencies.
  6. Board sign-off. Present the risk map to the governing body for formal approval. Ensure the minutes of the board meeting record the presentation, discussion and approval; this is critical evidence for prosecutors.

Example Red-Flag Matrix

Risk area | Red-flag indicator | Suggested control
--- | --- | ---
Bribery / corruption | High-value gifts to public officials; agents in high-risk countries | Anti-bribery policy, TPDD, gifts register
Tax offences | Aggressive transfer-pricing structures; cash transactions above reporting thresholds | Tax controls, segregation of duties, external audit
Money laundering | Complex intermediary chains; jurisdictions with weak AML controls | KYC/CDD procedures, transaction monitoring
Data breaches | Bulk personal data processing; cross-border transfers without safeguards | Data-protection impact assessments, AEPD compliance audits
Labour exploitation | Subcontracting chains with limited visibility; seasonal workforce surges | Supply-chain audits, contractual compliance clauses

Policies and Internal Controls: Designing the Modelo de Prevención de Delitos

With the risk map approved, the next phase is designing the policy architecture and internal controls that form the operational core of the crime prevention model. Alignment with UNE 19601, the Spanish compliance management standard published by AENOR, is strongly recommended, not because certification is legally required, but because it provides a structured framework that prosecutors recognise as evidence of best practice.

Core Policies

Policy | Minimum controls | Evidence to retain
--- | --- | ---
Code of conduct | Clear prohibitions; escalation channels; disciplinary framework | Signed employee acknowledgements; version-control log
Anti-bribery and corruption | Gifts/hospitality limits; public-official interaction rules; agent approvals | Gifts register; TPDD files; pre-approval forms
Conflicts of interest | Disclosure obligations; recusal procedures; annual declarations | Conflict declaration database; board waiver minutes
Tax compliance | Transfer-pricing documentation; fiscal risk reviews; reporting obligations | Annual tax compliance reports; external audit letters
Data protection (GDPR / LOPDGDD) | DPIAs; data-processing registers; breach-response procedure | DPIA reports; AEPD correspondence; breach log
HR and labour | Anti-discrimination; working-time controls; subcontractor oversight | Training records; pay-equity audits; contractor compliance certificates
IT security and cybercrime | Access controls; incident response; acceptable use | Penetration test reports; incident log; access reviews

Financial Controls and Segregation

Financial controls are the most common area scrutinised by prosecutors when assessing a compliance programme’s effectiveness. Minimum requirements include segregation of duties for payments above defined thresholds, dual authorisation for significant expenditures, regular reconciliations, and independent internal or external audit coverage. Document every control, its owner and test results.

Third-Party Due Diligence (TPDD)

Third-party risk is a major vector for corporate criminal liability proceedings in Spain, particularly in bribery, money laundering and tax cases. Every company should maintain a risk-based TPDD process that includes: screening against sanctions and PEP lists, verification of beneficial ownership, assessment of the third party’s own compliance controls, and contractual compliance and audit clauses. For high-risk relationships (agents, intermediaries, consultants in sensitive sectors), enhanced due diligence with periodic refresh is essential. Retain the full TPDD file for each third party as part of the compliance evidence pack.

Governance, Responsibilities and Resourcing

A compliance programme’s credibility depends on who owns it and how authority and accountability flow through the organisation. Article 31 bis is explicit: the governing body must adopt and oversee the model, and a compliance body with autonomous powers must be responsible for its day-to-day operation.

Board Oversight and Minutes

The board of directors (or equivalent governing body) must formally approve the risk map, the policy framework and the appointment of the compliance function. Board minutes should record substantive discussion of compliance matters, not just a perfunctory sign-off. Schedule compliance reporting as a standing agenda item at least quarterly. Prosecutors routinely request board minutes as primary evidence of governance commitment.

Compliance Function Role and Independence

The compliance officer (or compliance body, which may be a committee) must have genuine independence, direct reporting access to the board, sufficient budget and resources, and the authority to investigate, escalate and recommend sanctions without management interference. Where the compliance officer reports to the CEO or general counsel, ensure formal safeguards are in place to prevent conflicts and guarantee escalation rights.

Resourcing Benchmark: SME vs Corporate

Entity type | Reporting / compliance obligations (examples) | Practical evidence threshold (what prosecutors will ask for)
--- | --- | ---
Large Spanish company (consolidated) | Formal modelo, board minutes approving risk map, dedicated compliance officer, TPDD, regular audits | Signed risk assessments, training logs, audit reports, incident investigations with corrective actions
Mid-sized enterprise (national) | Documented policies, role-based training, whistleblowing channel, periodic risk review | Policy docs, training attendance records, TPDD for key suppliers, sample audit tests
SME / micro | Risk focus on core activities, simplified policy set, documented supervisory controls | Written risk notes, simple logs showing oversight, evidence of remediation after incidents

For SMEs, Article 31 bis allows the governing body itself to act as the compliance body, but the obligation to maintain documented, proportionate controls remains. The standard is substance, not size.

Training, Communications and Whistleblowing Systems

Policies without training are inert documents. The effectiveness of any corporate criminal compliance programme in Spain depends on whether employees understand their obligations and know how to report concerns. Training, internal communications and whistleblowing together form the programme’s operational nervous system.

Role-Based Training Plan

  • All employees. Annual general compliance training covering the code of conduct, key risk areas, whistleblowing channels and the consequences of non-compliance. Delivered via e-learning with a completion assessment (minimum pass score).
  • High-risk roles. Targeted modules for procurement, finance, sales, HR and IT, covering bribery, fraud, data protection and labour risks specific to each function. Delivered semi-annually, with case-study assessments.
  • Board and senior management. Annual briefing on the compliance environment, risk map updates, enforcement trends and governance responsibilities. Documented in board minutes.
  • New joiners. Induction compliance module within 30 days of start date, with signed acknowledgement of the code of conduct.

Retain all training records (attendance, completion rates, assessment scores and remediation for employees who fail) as key evidence for prosecutors.

Whistleblowing in Spain: Legal Requirements and Protections

Spain transposed the EU Whistleblower Protection Directive through Law 2/2023 on the protection of persons who report regulatory infringements and the fight against corruption. Companies with 50 or more employees must maintain an internal reporting channel. The channel must guarantee confidentiality (and, where possible, anonymity), protect reporters against retaliation, and comply with AEPD data-protection requirements for processing whistleblower personal data. A dedicated compliance checklist for evaluating your whistleblowing channel should address:

  • Accessibility (available to all employees, and where appropriate, external parties).
  • Confidentiality safeguards and data-protection compliance (GDPR and LOPDGDD).
  • Acknowledgement of receipt within seven days and substantive response within three months.
  • Anti-retaliation protections communicated to all staff.
  • Record-keeping (reports, investigations, outcomes) with appropriate retention periods.
  • Regular testing (e.g., simulated reports) to verify channel functionality.

Internal Communications and Tone From the Top

The governing body and senior management must visibly champion the compliance culture. Practical steps include CEO-signed communications endorsing the compliance programme, regular compliance bulletins, town halls addressing real (anonymised) case studies, and recognition of compliance-positive behaviour. Document these communications as evidence of “tone from the top.”

Monitoring, Auditing and KPIs: How to Measure Effectiveness

A compliance model that is not monitored, tested and measured cannot be “effective” in any meaningful legal or operational sense. Monitoring and auditing convert the crime prevention model from a static document into a living system that prosecutors and courts will recognise.

KPI Tracker Sample

KPI | Measurement | Benchmark / target | Frequency
--- | --- | --- | ---
Training completion rate | % of employees completing annual module | ≥ 95% | Annual
Whistleblowing reports received | Number per 1,000 employees | Track trend (low reports may indicate channel distrust) | Quarterly
Investigation closure rate | % of investigations closed within 90 days | ≥ 80% | Quarterly
Remediation time | Average days from finding to corrective action | ≤ 60 days | Quarterly
Audit findings | Number of material findings per audit cycle | Declining trend year-on-year | Annual
Policy acknowledgement rate | % of employees signing updated policies | 100% | On each policy update

Audit Calendar and Sample Tests

Establish a risk-based audit calendar. High-risk areas (payments, procurement, agent relationships) should be tested at least annually. Medium-risk areas every 18–24 months. Sample audit tests include: transaction testing for segregation-of-duty compliance, review of gifts-register entries against policy limits, spot-check of TPDD files for completeness, and simulated whistleblowing reports to test channel responsiveness. Document test plans, results and corrective action tracking in a central compliance management system.

Internal Investigations in Spain: Procedure, Privilege and Evidence Preservation

When a compliance concern materialises, whether through a whistleblowing report, an audit finding or external intelligence, the company’s response is critical. A well-executed internal investigation can demonstrate that the crime prevention model is working; a botched one can destroy evidence and deepen liability. Internal investigations in Spain require careful attention to procedure, legal privilege and data-protection rules.

Triage and Investigation Plan

  1. Initial triage. The compliance function assesses the report’s credibility, urgency and severity within 48 hours. Categorise as: immediate action, full investigation, or monitoring.
  2. Investigation plan. Define scope, timeline, investigation team, evidence sources (documents, emails, IT systems, interviews) and reporting lines. For serious matters, consider appointing external counsel from the outset.
  3. Notification. Determine whether any immediate regulatory notifications are required (e.g., data breach to AEPD within 72 hours, or suspicious-transaction reports).

Evidence Preservation and IT Forensics

  • Preserve first, investigate second. Issue a litigation hold notice to prevent destruction of relevant documents, emails and electronic records.
  • Chain of custody. Maintain a documented chain of custody for all physical and digital evidence collected. Use forensic imaging for electronic devices where necessary.
  • Data protection. Ensure that evidence collection complies with the GDPR, LOPDGDD and employee-monitoring guidelines issued by the AEPD. Disproportionate or unlawful evidence gathering can render findings inadmissible and expose the company to separate liability.
  • Interview protocols. Conduct witness and subject interviews with appropriate warnings (Upjohn-style notices where the company’s privilege is at stake), documentation and, where relevant, trade-union or legal-representative rights.

When to Involve External Counsel or Report to Authorities

Involve external counsel at the earliest stage where the matter may involve criminal exposure for the company, its directors or senior officers, or where legal privilege over the investigation is strategically important. Consider self-reporting to the Fiscalía or other authorities where cooperation may mitigate liability, but take legal advice before any disclosure, as the decision is irreversible and must be weighed against the specific facts.

Documentation, Recordkeeping and Proving Effectiveness to Prosecutors

Documentation is the currency of compliance. Without an indexed, accessible evidence file, even a well-designed model will fail the prosecutorial test. The following ten-item evidence checklist summarises what every company should maintain:

  1. Board-approved risk map (signed, dated, with revision history).
  2. Board and compliance-body meeting minutes (showing substantive discussion and decisions).
  3. Complete policy set with version control and employee acknowledgement records.
  4. Training records: attendance, completion rates, assessment scores, remediation actions.
  5. TPDD files for all material third parties (screening results, approvals, periodic reviews).
  6. Whistleblowing channel records: reports received, investigation outcomes, response timelines.
  7. Internal audit reports and control-test results with corrective-action tracking.
  8. KPI dashboards and trend analyses (quarterly and annual).
  9. Investigation files: triage records, investigation plans, evidence logs, findings, remediation.
  10. External audit or certification reports (e.g., UNE 19601 certification reports from AENOR-accredited bodies).

Compile these into a structured evidence folder, indexed by category with an executive summary and timeline, that can be presented to prosecutors or inspectors on short notice. Retain records for a minimum period aligned with the applicable statute of limitations for the relevant offences (typically five to ten years for most corporate offences in Spain, depending on their severity).

Practical 12-Point Implementation Checklist and Remediation Playbook

Whether you are building a corporate criminal compliance programme in Spain from scratch or remediating an existing model, this 12-point checklist provides a structured path. Use the 90-day remediation plan for immediate risk reduction and the 12-month roadmap for full implementation.

90-Day Remediation Plan (If You Already Have a Model)

  1. Gap analysis. Benchmark your existing model against Article 31 bis requirements and UNE 19601.
  2. Critical-risk triage. Identify and remediate the highest-severity gaps immediately (e.g., missing whistleblowing channel, absent board oversight).
  3. Evidence audit. Verify that all ten documentation items listed above exist and are current.
  4. Board briefing. Present findings to the board and obtain a formal remediation mandate, recorded in minutes.

12-Month Implementation Roadmap (If You Have No Model)

  1. Month 1–2: Scoping and risk assessment. Conduct the full criminal risk mapping exercise described above.
  2. Month 2–3: Policy design. Draft and approve the core policy set, code of conduct and governance framework.
  3. Month 3–4: Governance and compliance function. Appoint the compliance officer or body, establish reporting lines and secure budget.
  4. Month 4–5: Whistleblowing channel. Deploy an internal reporting channel compliant with Law 2/2023, the GDPR and AEPD requirements.
  5. Month 5–7: Training rollout. Launch role-based training across the organisation; achieve initial completion targets.
  6. Month 6–8: TPDD deployment. Implement third-party due diligence procedures for high-risk and critical suppliers.
  7. Month 7–9: Control testing. Begin first-cycle audit tests on high-risk controls; document results and remediation.
  8. Month 9–12: Monitoring, KPIs and continuous improvement. Operationalise the KPI dashboard, run a programme-wide review, present a comprehensive report to the board and document the full evidence file.

For a downloadable version of this compliance checklist Spain practitioners can adapt to their organisation, along with a KPI tracker spreadsheet, contact our team via the lawyer directory.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Jordi Sot Ball-Llosera at Toda & Nel-lo, a member of the Global Law Experts network.

Sources

  1. Spanish Official State Gazette (BOE), Código Penal (Article 31 bis)
  2. AENOR, UNE 19601 Compliance Management Systems
  3. Fiscalía General del Estado (Spanish Public Prosecutor)
  4. Agencia Española de Protección de Datos (AEPD)
  5. Escura, Corporate Criminal Compliance in Spain (PDF)
  6. CaixaBank, Corporate Penal Policy (PDF)
  7. Chambers & Partners, Anti-Corruption 2026: Spain Practice Guide
  8. European Commission, EU Directive Transposition Information
  9. LetsLaw, Corporate Crime Prevention (Spain)

FAQs

What is a modelo de prevención de delitos under Spanish law?

A modelo de prevención de delitos is the company’s criminal risk prevention system contemplated by Article 31 bis of the Penal Code. It is a structured set of policies, controls, governance arrangements and monitoring procedures designed to prevent offences. If the model is effective and properly implemented, it may fully exempt the legal person from criminal liability.

Exemption is possible where the company proves that it had adopted and effectively implemented an adequate model before the offence, including a documented risk assessment, proportionate controls, training, monitoring and remediation mechanisms. Courts and prosecutors assess effectiveness on a case-by-case basis, focusing on substance and evidence rather than formal certifications alone.

Begin with a scoping workshop to define the assessment perimeter, then conduct a criminal risk map linked to the Penal Code’s catalogue of corporate offences. Draft core policies, appoint governance ownership (board oversight plus an independent compliance officer or body), deploy a whistleblowing channel, roll out targeted training and document all controls and audit results from day one.

Maintain indexed evidence: signed risk maps, board and compliance-body meeting minutes demonstrating active oversight, training records with assessment scores, TPDD files, audit and control-test results, and full remediation logs. Compile these into a structured evidence folder with an executive summary and timeline for rapid presentation to inspectors or prosecutors.

UNE 19601 is a compliance management standard published by AENOR. Alignment is strongly recommended as persuasive evidence of best practice, but legal effectiveness under Article 31 bis is judged on the substance and documented operation of the model, not on certification status alone. SMEs can use UNE 19601 as a proportionate design framework without pursuing formal certification.

Triage reports quickly (within 48 hours), issue immediate evidence preservation holds, maintain a documented chain of custody for all physical and digital evidence, involve external legal counsel early to protect privilege, ensure data-protection compliance throughout, and document findings and corrective actions with clear timelines. Self-reporting to authorities should only be considered after taking qualified legal advice on the specific facts.
By Awatif Al Khouri
