Does Compliance end with a CCS?

Juan Núñez

The Criminal Compliance System is increasingly adopted by Spanish companies so that the economic consequences of offences committed within the company by employees are not extended to the members of the board of directors. This objective responsibility stems from a criminal conception according to which the company’s top management must have done everything possible to prevent the occurrence of offences from which the company would obtain some benefit.

This concept exists in a similar way in France with the Sapin II Law, and also in Germany, albeit in the administrative field.

It should not be assumed, however, that elsewhere the consequences of negligent management or lack of control over the activities of employees are totally alien to the directors: the responsibility, in one way or another, falls, at the end of the day, on those who are ultimately responsible for an economic activity.

This work goes even further, indicating that the task does not end with the adoption of the System: adoption must be followed by implementation.


The incorporation of a Criminal Compliance System in companies is a practice that is becoming more widespread, both because of the consequences of not doing so and because of the extension of the ethical culture in business activity.

On the one hand, the consequences focus on the fact that the directors (CEO) of a company must implement a control of the activity and its processes, so that if, due to the absence of this control, a person linked to the company were to commit an offence, the directors would be responsible for the financial damage caused. This result is based on the principle that those responsible for the company must do everything possible to prevent wrongdoing.

On the other hand, CCSs, together with the codes of good governance and ethics that derive from them, sometimes oblige companies to deal only with companies that have implemented their own, so that not having one in place will lead, to an increasing extent, to lost business opportunities.

It has to be kept in mind, and has often been emphasised, that the CCS in itself is not sufficient. Some Supreme Court rulings have been very clear in determining that the CCS cannot be a simple copied protocol, poorly adapted; it cannot be a cover to avoid the application of Art. 31 and 129 of the Spanish Criminal Code, but must be consciously implemented so that it fulfils its regulatory and controlling function in those cases in which it could be used to commit offences. Rule 1/2016 of the State Attorney General’s Office has been particularly explicit in relation to the implementation in organisations of merely “aesthetic” crime compliance systems, which leave aside the true spirit that CCSs must contain and therefore would not serve their intended purpose. Therefore, a Criminal Compliance System must be configured as an absolutely individualised service designed for the specific characteristics of each company, and the same applies to its development.

Many companies and entrepreneurs, however, only understand Compliance as an imposed necessity and not as an advantage. Consequently, with this concept of necessity, they often stick to the CCS, considering that a facelift will be enough to keep them in the club of excellence.

On the contrary, companies should understand that, in addition to being a legal obligation under Art. 31 bis of the Spanish Penal Code, implementing these plans is what the Anglo-Saxons call a ‘business benefit’. However, in order to obtain this result, it is necessary to develop the CCS so that it can truly unfold its effects: the CCS is a declaration of intent; a desideratum of conduct and controls that must be duly disseminated among all the components of the company. But what then? Can it be considered sufficient to indicate what must not be done, or must controls really be put in place to detect and prevent contraventions of these indications?

We understand that all means must be put in place to prevent the commission of wrongdoing, which requires more than a CCS: its development.

In order to develop the CCS, it is necessary to analyse the aspects to be controlled and to implement these controls, to determine the information routes, and to appoint the controllers.

To this end, specific protocols and policies are implemented, such as, for example, those regulating conflicts of interest, the preservation of business secrets, the use of digital certificates, the selection of suppliers, the circulation of information and documentation, the prevention of money laundering, tax policy, sales policy, digital disconnection policy, … all those that may be considered necessary to successfully implement a CCS and for it to be a real and effective tool.

It is obvious that a company correctly equipped with these instruments will not only be more appreciated in its daily operations and in the eyes of its suppliers and customers (the business benefit), but will also be much more highly valued by potential investors.

Juan Núñez –


Copyright 2023 AEA-EAL