Corruption reform in Spain: the key differences from UK Bribery Act
Often when people think of corruption they think of it as a problem of emerging markets; however, a recent study by the European Union (Special Eurobarometer 397 on Corruption) showed that corruption is considered to be a significant problem throughout Europe.
Often when people think of corruption they think of it as a problem of emerging markets – something that does not happen in the “old world”; however, a recent study by the European Union (Special Eurobarometer 397 on Corruption) showed that corruption is considered to be a significant problem throughout Europe.
By Andrew Henderson, The Red Flag Group, London
In Spain, the vast majority of respondents to the study thought that corruption was widespread in their country (95 percent). Most had been personally affected by it (63 percent), and many thought that it was getting worse (77 percent).
While Spain has been a signatory to the Organisation for Economic Co-operation and Development (OECD) Convention on Combating Bribery of Foreign Public Officials since 2000, and the United Nations Convention against Corruption since 2006, the primary focus of corruption prosecutions in Spain has been against the domestic bribery of government officials.
Since 2000, there have been no convictions for overseas bribery and no investigations against corporate entities. Partly in response to pressure by the OECD, in September 2013 the Spanish government approved a reform of the Spanish Criminal Code, which changes the law relating to corruption. Under Spanish constitutional law, it is now for the Spanish Parliament to approve the reform by absolute majority. Once approved, the new law will come into force six months after publication on the Boletín Oficial del Estado.
The reform introduces substantial modifications to the existing law. For the first time, criminal liability lies with the company and the board or any representatives acting on the company’s behalf unless they can prove that they implemented the necessary risk controls (i.e. compliance programmes). The reforms also make it easier to prove bribery where the intention of the recipient is not known.
This reform is a continuing evolution of the law, as prior to 2010 there was no corporate criminal liability for corruption as part of the Spanish Criminal Code. The 2010 changes provided the transfer of liability from the legal representatives personally to the legal entity jointly or separately if the crime was for the company’s benefit. The board of a company was then responsible for any crimes committed on behalf of the company, irrespective of whether they were directly responsible. Three years later, and following many cases of corporate corruption (though no successful prosecutions), the Spanish government agreed to implement new changes to the Criminal Code.
What are the changes?
Under the proposed amendments, companies will be criminally liable for the crimes committed in their name (or on their behalf) that benefit the company, either by their authorized representatives or by those not authorised but able to commit the crime due to a lack of controls. Companies may be exempted from liability, however, if it can be shown that:
– The board has adopted and effectively implemented organisational and management measures that include monitoring and controls to prevent offences supervision and monitoring of the newly-implemented measures have been allocated to an independent body (i.e. a compliance function) within the company with powers to control it (which can remain with the board in smaller organisations)
– An individual committed the crime by evading the company’s controls there have been no omissions and no inadequate controls by the compliance function.
– The penalties proscribed to the entity are related to the lack of implementation of a compliance programme rather than as a result of the crime; however, they seem to need to be linked to a successful prosecution of an individual.
Differences from the United Kingdom Bribery Act’s “adequate procedures”
At the conclusion of the risk assessment,the compliance function should prioritise the areas that need attention. The next step is to determine a plan to manage those risks. At a minimum, the legislation suggests that the controls (called prevention guidelines) must:
- Establish protocols and procedures to be able to make decisions and execute them
- Include adequate financial resources to help avoid the crimes
- Include a hotline or similar communication channel for reporting any potential misconduct or risk to the compliance body
- Establish a disciplinary system that punishes breaches of the guidelines
- be verified and modified periodically, for example when any misconduct arises or when there are significant changes in the organisation, its structure or activities.
In some ways these changes are aligned with the United Kingdom Bribery Act and its offence of “failure to prevent bribery”and concept of “adequate procedures” for preventing bribery. There are areas where the Spanish regime is lacking behind the British, however.
Firstly, the amendments to the Spanish legislation do not include a requirement for senior management to show their commitment to compliance programmes other than by funding them. While funding of programmes is important, “tone from the top” needs to be far wider than financial support. In best-practice programmes, senior management actively promote the need for compliance in all of their communications and actions. Resourcing of programmes should also be more than purely financial – access to resources such as personnel and systems within the firm is vital to a programme’s success.
Secondly, there is no explicit mention of the concept of associated persons or third parties in the Spanish regime.There is wording about authorized persons and people acting on behalf of the company, but it is not clear whether this includes third parties (whether acting as agents or otherwise) and whether only natural people and legal entities are included. In contrast, other sections in the penal code relating to foreign bribery specifically mention intermediaries. A bribery programme that does not actively consider the risks of bribes being channelled through third-party intermediaries is not likely to be considered adequate. At a minimum, the management of third parties requires a level of due diligence based on the risks posed by the partner (for example, based on the service they provide, their location or their industry) and the follow up of any issues found.
Finally, the amendments do not include a clear requirement for training and communication. Although this might be considered implicit in the requirements, without a carefully-considered plan for training and communications the training will fail – either not enough information will be delivered or the information that is delivered will not be focused enough to effect real change.
The threat of disciplinary action in the event of a breach, while necessary, should not be the key message. A compliance programme should aim at preventing bribery rather than enforcing punishment after the fact. Since there is no specific guidance associated with the proposed legislation, the desire to implement only what is necessary without excess is likely to be a key issue for many companies. In this situation, help can be sought from external guides (like the United Kingdom Ministry of Justice or the OECD) to provide general direction. Practitioners at these organisations can also offer more specific direction or stipulate benchmarks based on their previous experience with similar companies.
Once a set of adequate procedures has been drafted, costs can be estimated and provided to the board for approval. At this point, the process considered by the legislation seems to be unclear.
If the board approves the plans but the compliance team fails to properly implement them, in the event of an incidence of bribery the company would not be held responsible. So, by failing in their duty to either recommend adequate procedures or implement them, the compliance team would have saved the company from liability (though what punishment would be meted out to the compliance team for this “successful” failure is uncertain).
If the board doesn’t approve the plans and there is an issue, the argument will become whether the proposed plans would have avoided the bribery. If the proposal for funding was excessive, the board would have been correct to reject it. But, if it was reasonable, then the rejection could lead directly to liability. It is not clear, however, whether a board would be in a better position than a compliance team to determine the adequacy of a compliance programme. The board must select its compliance team well in order to trust the risk assessment and plans that compliance proposes. The compliance team, on the other hand, must be careful to propose measures that are reasonable and achievable so as to not fail in their scope, adequacy or implementation.
What does a Spanish company need to do?
So what is likely to be considered adequate as a proposal for an antibribery compliance programme? Like most risk-based programmes, the nature of the work needed will depend very much on the type of company. Local Spanish companies will have far lower obligations placed on them than large multinationals. However, as a minimum, there should be:
- a comprehensive risk assessment and subsequent board approval, as previously discussed, to provide a plan for the compliance programmes needed, including the metrics and goals that will be used in the annual review process – this can either be performed internally or by using outside resources to facilitate, benchmark or review
- a code of conduct that sets out the company’s standards, the disciplinary impact of breaches and the ethical expectations on management and employees while also containing a strong message from executive that corruption will not be tolerated
- demonstration that the senior management actively endorse the programme in their communications and actions to complement the message from executive in the code of conduct
- documentation in the form of policies and procedures to ensure that all staff and partners are aware of what is expected of them
- a training and communication campaign to inform staff about the code, policies and procedures
- a hotline facility to allow reporting of suspected breaches (anonymously if needed)
- some level of due diligence carried out on any companies that work in locations outside of Spain – due both to the legal positions in the other jurisdictions and, more importantly,to mitigate the reputational impact of any corruption breaches (domestic Spanish companies should also consider a due diligence programme as a method of better understanding their partners)
- active monitoring of the compliance programme and a regular comprehensive review to ensure that it still meets the needs of the company.
While there are a number of questions raised by the wording of the new legislation that will need to be clarified, in effect it imposes no greater burden on Spanish companies than that imposed on foreign companies by the legislation of their countries. It is essential that companies in Spain build on the experiences of those foreign companies that have created successful corruption programmes in response to their own countries’ legislations.
The key message is to take the new legislation seriously in the boardroom and at the executive-management level. If there is no genuine support from the top, any actions proposed by a compliance function will be ineffective. This support may come from directors, who may have been through investigations in the past, or from those who understand the impact to reputations and to their business.
More information at www.redflaggroup.com