Transactions October 2017
Supplier due diligence in criminal compliance
By Dolores Sancha
Why compliance is necessary
There is now no doubt as to how important it is to have a criminal compliance management system in place, following the entry into force of Spanish Organic Law 1/2015 of 30 March, which amends Spanish Organic Law 10/1995 of 23 November on the Criminal Code; the issue of administrative order 1/2016 by the General State Prosecutor's Office; and the first judgment handed down by the Supreme Court on the criminal liability of legal entities, number 154/2016 of 29 February, together with the subsequent judgments 221/2016 of 16 March and 516/2016 of 13 June.
Article 31 bis of the Criminal Code governs the criminal liability of legal entities and the instances in which said entities may be released from such liability, while article 129 governs the criminal liability of entities with no legal personality. In order to be released from criminal liability, organisations must prove compliance with the requirements of article 31 bis, which essentially means that they must have implemented a culture of compliance by adequately training company personnel and duly monitoring this culture.
In order for a company to be released from liability, it must have a culture of compliance that is able to identify, analyse and assess criminal risks both at the heart of the organisation and in its relations with suppliers and customers.
If a supplier uses a transaction with our organisation to commit a crime, we may find ourselves involved in such action and, as such, become criminally liable. In order to be released from liability, the company must prove that it has implemented a criminal compliance management system and that it complies with the requirements of article 31 bis.
If a third party with a well-established criminal compliance culture wishes to enter into an agreement with our company, in addition to assessing our technical and economic solvency, it will investigate or ask us about our criminal compliance management system and, if we don't have one, it may decide that we represent a risk for its organisation.
Criminal compliance in our relationships with suppliers under standard UNE 19601
Standard UNE 19601 (hereinafter, the Standard) provides a full reference framework for implementing criminal compliance management systems that are in line with the requirements of the Criminal Code and international standards such as Standard UNE-ISO 19600, Standard UNE-ISO 37001 and Standard UNE-ISO 31000.
As discussed above, under the Standard the organisation must analyse its suppliers and business partners (who fall within the broad category, defined by exclusion, of all individuals or entities outside the organisation with whom or which it has or expects to have a relationship), among other factors, in order to understand its requirements and determine the scope of the criminal compliance management system.
Initially, the organisation must identify the risks suppliers represent. This must be done "subjectively", that is, by analysing the supplier's own circumstances, such as its type of activity or how lax regulations are in the country in which it is located. A company located in the European Union does not carry the same level of risk as one operating in a country outside the European Union whose regulations we have no knowledge of or that may have more indulgent regulations, because companies located within the European Union are subject to the requirements of both Spanish and European regulations. Risks must also be analysed "objectively", by investigating the characteristics of the transaction to be performed.
When analysis concludes that a high to low risk exists (this definition is intentionally left open by the Standard so that each organisation may adapt it to its own situation), we must decide whether or not to perform due diligence in order to better assess the risk. By way of illustration, the Standard includes several examples of due diligence procedures that may be employed, such as sending questionnaires, seeking public information on a business partner and its shareholders and directors, and checking whether said business partner appears in lists of sanctioned entities, among others. The depth of analysis will largely depend on how much influence an organisation has over its supplier. If it is not possible to obtain the information required, the supplier must be considered a risk.
The organisation must adopt certain financial and non-financial controls, which will depend on the risk assessment and the nature of the activity it performs. Non-financial controls must be implemented in order to detect, manage and avoid criminal risks in transactions, acquisitions, trade, supplies, etc. Furthermore, if the risk assessment yields a high to low result, under the Standard the organisation must establish contractual compliance clauses that are proportional to the risk assessment as regards their level of detail and requirements. Examples of contractual clauses included in the Standard are as follows: to expressly prohibit any criminal activity (zero tolerance with respect to criminal risks) performed either directly or through third parties in connection with the engaged activity; to establish a requirement for a criminal compliance management system (or similar) in order to render the above prohibition more effective; and to consider terminating the contractual relationship in the event of non-compliance with either the above or the provisions of the criminal compliance management system.
To reiterate, whether or not we are able to include these clauses in a contract will depend on the degree of influence we have over a supplier. If it is not possible to include such clauses, this circumstance must be considered as a factor in the risk assessment performed in connection with the transaction at issue in order to determine whether or not it should go ahead.
In conclusion, it is only possible to consider a compliance management system well-implemented if it is monitored, updated, improved and amended when necessary, as per the criteria included in the Standard and the specific requirements of the organisation.