Since August 2014, the application of criminal liability to legal entities has been developed in our country, typified in the Comprehensive Organic Criminal Code, COIP. We start from this milestone, almost a decade for the development of casuistry in which the implications of the imputation of criminal responsibility of the legal entity have been outlined in a range of sentences that are not very numerous, however diverse, that the jurisdictional bodies have issued, several of them have incorporated in-depth analyzes of legal, doctrinal, and comparative jurisprudential sources, since the criminal liability of legal entities in other latitudes has an older origin than in the national legal system.

Models of criminal liability of the Legal Entity

In Europe, certain continental countries and Great Britain, as well as the United States, adopted at the time the well-known “vicarious model” or “transfer” of liability of the legal entity. Specifically, Spain, with the promulgation of Organic Law 5/2010, of June 22, 2010, establishes that legal persons will be criminally responsible for crimes committed in their name or on their behalf, and for their benefit, by their representatives. legal and de facto or de jure administrators. Under these assumptions, the RPPJ will be applicable to crimes committed in the exercise of social activities and on their behalf and for their benefit, by those who, being subject to the authority of natural persons, have been able to carry out the acts due to lack or improper control of their employees. , applicable to each case. The penalties applicable in Spanish legislation contemplate, according to the seriousness of the conduct due to action or omission, the following: Quota or proportional fine; Dissolution of the legal entity with loss of the capacity to act in legal traffic; Suspension of activities for a period of up to five years; Closure of premises and establishments for a period of up to five years; Prohibition of carrying out activities in the exercise of which a crime has been committed, favored or covered up.; Disqualification from obtaining subsidies and public aid and from contracting with the central or local State; Judicial intervention to safeguard workers’ rights.

Several Spanish jurists consider the “vicarial model” or “indirect” liability as a model that does not have greater theoretical complexity, since it attributes criminal liability to legal entities with the verification that a crime has been committed by someone. member of the company or organization for the benefit or on behalf of it. That is, criminal responsibility is transferred from the individual to the legal entity automatically, without requiring for this purpose that guilt or conduct attributable to the legal entity be determined. The crime committed by one of the directors or representatives of the organization is attributed, without any other circumstance, to the legal entity if the action has been taken in the course of the company or for its benefit. The guilt of the natural person is what makes the legal person guilty.

This vicarious model presented considerable weaknesses when defining criminal liability of legal entities, since the courts considered that “there was guilt” on the part of the company despite the fact that the criminal conduct of the active subject member of the organization had very little or no no relationship with the company’s activity and on the other hand, the active subject who carried out the conduct did so without observing the applicable prevention standards or policies developed by the company as preventive mechanisms.
From the latter, certain corrective criteria have emerged that allow for better assessment of the efforts developed by the company to prevent criminal conduct committed by its members, which generated the possibility that, through compliance programs, sufficient evidence could be obtained. of the appropriate behavior of the highest-ranking officials in the thorough supervision and care due to the prevention of criminal behavior. However, a member of the company commits a crime even against his or her duties.

As a result of this need to defend the company, we can speak of an evolution of the vicarious model, supported by the existence of a compliance plan that allows demonstrating the adoption of own risk management measures and procedures that respond to the organizational design attached to the law. Separating the company from the illicit conduct in the context that the member acts within the framework of his powers or functions and at least partially for the benefit of the company, and ensuring that the conduct and intention of the active subject member of the organization is transferred to the company because this conduct is contrary to its internal policies and regulations, such as its Code of Ethics and applicable internal regulations determined in its compliance program.
The most common crimes in which the responsibility of a legal entity is declared are: fraud, insolvency or fraudulent bankruptcy, damage crimes, crimes against intellectual and industrial property, crimes against competition and the market, scale crimes, crimes that affect the workers’ rights, nature and the environment, territorial planning, forgery of certificates, bribery, influence peddling, etc.

There is the emblematic case known as State v, Christy Pontiac-GMC where it was held that (…) “if the company must be held criminally responsible, then it is clear that the crime cannot be a personal aberration of an employee acting on his own account ; The criminal activity must, in some way, reflect corporate policy, such that it is fair to say that the activity in question was the company’s activity. 1

In this evolutionary line, the first possibility arises of mitigating the actions and intentions of the member and the company and that generate certain exceptions in the application of vicarious liability. Which resulted in the courts recognizing as a defense argument the fact that “when there is an obvious and significant disconnection between the messages of the company and that of the business agent”
On the other hand, North American prosecutors recognized in the application of their policies and guidelines that compliance plans constitute “proof of due diligence,” which generated a new trend that admits that the company’s responsibility is independent of the responsibility inherent to the vicarious model or transfer of guilt.

Compliance Plans and criminal risk management

A more current model is the one that has to do with criminal risk management, understood as a set of techniques or procedures associated with corporate management with certain complexity and risk levels. From the point of view of Criminal Law, they are known as “technical rules” and the relationship that exists between the legal and criminal consequences that are attributed to compliance or non-compliance with said rules, creating a duty of care to the members of the organization and the responsibility that falls on natural persons.

The company assumes the duty to prevent all criminal conduct that may be committed in the development of its activity, it is about preventing what some authors such as Gruner call the “defective performance” of the business activity, which is related to the content and structure that a compliance program may have. Beyond the formal, the fact that the company exhausts all its efforts to prevent illicit conduct has the consequence in the criminal field that the legal entity is not guilty of the conduct carried out by its members, which generates an eventual exclusion of liability. regarding their own conduct, related to the legal entity’s duty of care.

European criminal dogmatics advocate that it is everyone’s obligation to avoid harm to third parties, which generates the duty to adequately organize behavior, and thus prevent impermissible harm from occurring to others.

In specific cases, it must be proven whether the actions of the active subject, a member of the organization, have acted in their own name or if they had authorization granted by the representative of the company to act on behalf of the company. The jurisdictional body must determine whether the subject acted within the framework of its established powers or not. What is sought in the logic of attribution of legal responsibility in relation to the connection between the external act and the subject on whom the sanction falls that would justify the harmful measure being attributable to the company or the natural person.

In Spanish legislation, a company that has an implemented compliance plan represents a circumstance that exempts the legal entity from liability.

In our country, the COIP in its article 49 typifies the responsibility of legal entities, determining that the crimes committed by them will be for their own benefit or that of their associates, whether by action or omission of those who exercise ownership, control, attorneys, principals and all those who have a direct or indirect legal relationship of administration, direction and supervision and those who comply with orders or instructions from natural persons who are part of its structure.

In our legislation, the criminal responsibility of natural persons is separated, and it is handled independently of the criminal liability of the legal entity, which underlies the event that it is impossible to identify a natural person who has committed the crime.

If the benefit obtained is for a third party other than the legal entity, and the conduct is committed by a natural person, criminal liability cannot be attributed to the legal entity.

The general mitigating circumstances applicable to the criminal offenses of the COIP, established in article 45 paragraph 7 of the aforementioned legal body, are applicable to legal entities.
a) Spontaneously having reported or confessed the commission of the crime before the formulation of charges with which the tax investigation begins, or during its development, as long as you have not formally known about its beginning.

b) Collaborate with the investigation by providing new and decisive elements and evidence before its beginning, during its development or even during the trial stage.
c) Comprehensively repair the damages caused by the commission of the crime, before the trial stage.

d) Have implemented, before the commission of the crime, integrity systems, standards, programs and/or policies of compliance, prevention, direction and/or supervision, in charge of an autonomous body department in larger legal entities, or a responsible person in the case of small and medium-sized companies, whose operation is incorporated into all directive, managerial, advisory, administrative, representative and operational levels of the organization.

The integrity systems, standards, programs and/or policies for compliance, prevention, management and/or supervision must incorporate the following minimum requirements, without prejudice to the provisions of the Regulations issued for this purpose, and other specific standards:

1. Identification, detection and administration of activities in which risk is present;

2. Internal controls   with   those responsible   for   processes   that represent risk;

3. Continuous supervision and monitoring, both internal and independent evaluations of systems, programs and policies, protocols or procedures for the adoption and execution of social decisions;

4. Financial management models;

5. Complaints channel;

6. Code of ethics;

7. Staff training programs;

8. Internal investigation mechanisms;

9. Obligation to inform the compliance officer about possible risks or non-compliance;

10. Rules to discipline violations of the system; and,

11. Know your customer or due diligence programs.

Finally, it is worth highlighting the mitigating condition attributed to the fact that the company has technically implemented a compliance program and it is applied; Depending on its size, under the responsibility of a person or body of the organization, as well as the importance of applying due diligence mechanisms that allow you to know your clients.

ETIQUETAS