By: Carlos Galán, PhD in Informatics and Attorney specialized on TIC Law. Adviser in Addalia
As we pointed out on the first post of this series, the new Criminal Code, at the same time that was categorizing certain corporate conducts as constitutive of a felony, was also embracing the possibility of establishing surveillance measurements and control to prevent and detect criminal behaviours, understanding that the existence of such measures (called management systems), could constitute the foundation to exonerate an eventual criminal responsability.
Of course, it seems obvious that the most innovative aspect of the Criminal Code of 2015 is the regulation of the 31st article regarding the normative compliance (also called Compliance Guides), as in models of organization and management.
What is Compliance, KYC (Know Your Customer) and Digital Client Onboarding
We are reproducing the quoted article because of its significance. The underlined text -which is ours- emphasizes the most important fragments for our purposes, especially the part related to the management models and benefits.
1. As laid down under this Law, the legal persons bear criminal responsibility:
a) For offences committed in the name or on behalf of the legal persons in order to obtain direct or indirect benefit, by their legal representatives or by those acting individually as members of a body of the legal person who are authorized to make decisions in the name of the company or have the power or right to carry out organization and control functions in the company.
b) For offences committed during the exercise of social/company activities or on behalf of and for direct or indirect benefit of those, by persons who are under the authority of the mentioned physical persons in the preceding paragraph who have been able to carry out the acts as those had seriously violated supervision, surveillance and control of their activity, taking into consideration specific circumstances of the case.
2. In case the offences were committed by the indicated persons in point a) of the preceding paragraph, the legal person will have no responsibility if the following conditions are fulfilled:
1. The Administration Board had adopted and efficiently applied, before the offence was committed, the organization and management models which include measures of monitoring and control suitable to prevent offences of the same type or to significantly reduce the possibility of their commitment
2. The supervision of the functioning and compliance of the prevention model has been entrusted to an organ of the legal person with autonomous power of initiative and control or that has legally been given the function of surveillance of the efficiency of internal controls of the legal person.
3. Individual authors have committed an offence fraudulently eluding organization and prevention methods, and
4. There was no omission or insufficient exercise of the tasks of monitoring, surveillance and control by an organ referred to in condition 2. In the cases in which the above circumstances can only be partially accredited, this circumstance will be assessed for the purpose of mitigation of the penalty.
3. In legal persons of small dimensions the work of monitoring referred to in condition 2 of paragraph 2 can be realized directly by the management organ. In this regard, the legal persons of small dimensions are those that, according to the applicable law are authorized to present profit and loss accounts.
4. If the offence was committed by the persons indicated in point b) of paragraph 1, the legal person will have no responsibility, if before the offence was committed, it had adopted and efficiently applied a management and organization model which proved to be adequate in the prevention of offences of the same type as the one committed, or proved to reduce significantly the risk of its commission. In this case the extenuation factor contemplated in paragraph 2 of this article could be equally applicable.
5. Organization and management models to which it is referred the condition from
1. The paragraph 2 and the previous paragraph shall fulfill the following requirements 1. They shall identify the activities in the scope of which the offences which should be prevented, can be committed.
2. They shall establish the protocols and procedures that specify the formation process of the willingness of the legal person to make decisions and implement them, in compliance with the organization and management models.
3. They shall have in place the management models of adequate financial resources to stop the commitment of offences, which have to be prevented.
4. They shall impose the obligation of informing the organ in charge of controlling and surveillance of the functioning of the prevention model, about possible risks or infringement.
5. They shall establish a disciplinary system which will adequately sanction the infringement of the measures established by the model.
6. They shall perform a periodical verification of the model and its possible modification when infringements related to its provisions are done or when occur changes in its organization, in the control structure or in its activity, which make them necessary to be implemented.
n the next issue we will analyze one of the most significant Spanish initiatives in relation to the practical performance of a management system: the UNE 19601 Norm.