The Supreme Court elaborates on this idea in the aforementioned ruling, dedicating an entire point in the grounds section to the importance of compliance programs in the corporate sphere in order to decrease the criminal liability of the legal person. Specifically, the Court affirms: “that good corporate practice at a company means implementing regulatory compliance programs that guarantee that these types of acts are not committed or prevent on-going actions for embezzlement or misfeasance which a good regulatory compliance program would have immediately detected.”
As we have said, it is extremely noteworthy that this ruling mentions and includes regulatory compliance programs, given that it is a ruling against executives and not the legal person, and also because it refers to two crimes, misappropriation and improper management, which do not serve as grounds for criminal liability for legal persons. Let us recall that the offences for which a legal person may be convicted appear as numerus clausus and are as follows: organ-trafficking; in terms of human beings, crimes related to prostitution and the corruption of minors; crimes against privacy and computer “hacking”; fraud; concealment of assets; insolvency involving criminal negligence; computer-related damage; crimes against intellectual property, the market and consumers; money laundering; tax or social security fraud or evasion; crimes against foreigners’ rights; crimes involving construction, building and urban planning; environmental crimes; crimes related to nuclear energy; high-risk crimes due to explosives; crimes against public health; fraudulence in payment methods; bribery; exercise of undue influence; corruption of a foreign civil servant; organised crime; the financing of terrorism; and contraband. That is, neither misappropriation nor improper management is included.
In this regard, and in order to reduce the attribution of criminal liability to legal persons due to the commission of the above-mentioned crimes, compliance programs were designed, and are the solution chosen by the Supreme Court, as it refers to them in the aforementioned ruling of 8 April. The ruling states that the instrument that the Caja de Ahorros del Mediterráneo could have used to protect itself from the risks arising from the offence of misappropriation committed by its executives was not a compliance program, but rather the classic internal audit. However, and without prejudice to this, the Court included a very broad point in the grounds in which it defended regulatory compliance programs.