Skip to main content

Clifford Chance

Clifford Chance

Regulatory Investigations and Financial Crime Insights

Is Spain ready for the EU Whistleblower Protection Directive?

Currently, there are no universal regulations on whistleblower protection under Spanish law, but specific laws in various sectors already contain some provisions that are in line with the requirements laid down by the Whistleblower Protection Directive.

This "partial coverage" of whistleblowing under Spanish law includes certain coverage in the financial services sector, regarding anti-money laundering regulation, as well as criminal compliance programmes, but still leaves gaps in protection across other sectors.

Sector-specific regulations

There are several sector-specific regulations in Spain providing for the obligations of business entities to introduce internal reporting channels or requiring competent authorities to provide external reporting channels for whistleblowers.

In particular, publicly traded companies are required to have in place procedures allowing for anonymous reporting of the breaches of law or ethical standards1. In addition, regulations in the following sectors are particularly notable:

Financial sector

Internal reporting

Credit entities (i.e. banks, saving banks and cooperatives of credit) investment firms, management companies of collective investment undertakings, governing bodies of stock exchanges, and data reporting services providers are obliged, under specific sectoral regulations, to introduce channels for anonymous reporting of breaches of law or ethical standards. These channels must also ensure confidentiality of the whistleblowers' identity and appropriate handling of their reports and follow-up procedures. The financial institutions are also obliged to ensure that the whistleblower is protected against retaliation or unfair treatment as a result of the reporting.

External reporting

Additionally, there are some regulations providing for external reporting channels. In particular, Spanish law regulates reporting to the Spanish Securities Market Commission (the "CNMV") on specific breaches such as: (i) breaches of the MAR (EU Market Abuse Regulation), (ii) breaches of Regulation (EU) No 600/2014, on markets in financial instruments, (iii) breaches of Regulation (EU) No 1286/2014, on key information documents for packaged retail and insurance-based investment products (PRIIPs), (iv) breaches of Regulation (EU) No 575/2013, on prudential requirements for credit institutions and investment firms, when related to investment firms ("Regulation 575/2013"), or (v) breaches of Law 35/2003 of collective investment undertakings.

Likewise, Spanish law regulates reporting to the Bank of Spain ("BoS") of breaches of the prudential supervisory obligations of credit entities set out in Law 10/2014 and in its developing regulations.

The reporting to both, the CNMV and the BoS, should include a minimum content as set out in the Spanish legislation (i.e. whereas for reporting to the CNMV it may be anonymous or include the identification of the person issuing them, reporting to the BoS shall include the identification of the person issuing it and, for both, it should provide all factual elements from which at least a founded suspicion of infringement can be reasonably derived).

The CNMV and the BoS are obliged to ensure that the means of communication used for reporting such breaches are independent, as well as that any information provided is kept confidential2. No personal information on the reporting person may be disclosed to the auditor or the audit firm and the anonymity of the whistleblower must be guaranteed.

Anti-money laundering regulation

All entities which are legally required to prevent money laundering and terrorist financing ("Obliged Entities") in Spain must implement procedures to enable their employees, managers, agents or other persons acting on their behalf to report, even anonymously, potential or actual breaches of regulations on counteracting money laundering and terrorist financing. For that purpose, all Obliged Entities have the duty to adopt in writing and implement adequate policies and procedures to ensure the reporting and the compliance with the provisions of the Spanish AML Law in order to forestall and prevent transactions related to money laundering or terrorist financing3.

The whistleblowing channel may be a stand-alone procedure or it may be integrated into the systems which the obliged entities may have set up for reporting information on the occurrence of acts or conduct contrary to other general or sectoral rules and regulations applicable to it (such as the ones referred to above regarding internal reporting in the financial sector). Obliged Entities must also adopt measures to ensure that whistle-blowers who report such breaches are protected from retaliation, discrimination or any other unfair treatment. The whistleblowing channel management shall be subject to the regulations on the protection of personal data for internal complaints reporting systems4.

Criminal compliance programmes in Spain

Having implemented a whistleblowing channel for reporting any potential criminal offences being committed within the organisation, or any other compliance-related irregularity, is one of the essential elements of a criminal compliance programme in Spain. This requirement was introduced in Organic Law 10/1995, of 23 November, of the Spanish Criminal Code ("Spanish Criminal Code") in 20155, following the introduction of the corporate criminal liability in Spain in 20106.

Specifically, article 31 bis 5 of the Spanish Criminal Code includes "an obligation to report to the compliance body any violation of the standards and controls (whistleblowing channel)" which, if assessed as an effective compliance tool in conjunction with other essential elements of the criminal compliance programmes under Spanish Law, could lead to the exoneration of criminal liability for the legal entity.

The provision lacks any details as to how such internal reporting should be managed, what minimum contents or reporting lines to include, and, most importantly, it does not provide any guidance for whistleblowers' protection. However, the Prosecutor General's Office has repeatedly insisted on the importance of both preserving confidentiality of the whistleblowers' identity and to ensure that they do not suffer any retaliation or unfair treatment7.

When is the Whistleblower Protection Directive expected to be transposed in Spain?

Spain aims to transpose the Whistleblower Protection Directive at the beginning of 2021, even when the deadline for transposing the Directive is 17 December 2021. For that purpose, in Spain a working group within the Ministry of Justice started working on a draft in mid-year 2020 and opened a period for public consultation until the 27 January.

In order to transpose the Whistleblower Protection Directive, Spain will have to introduce a more comprehensive legal framework on whistleblowing than the current piecemeal sectoral rules. This means that, among the main obligations imposed by the Directive, the Spanish legislator will need to address the requirement for all companies with over 50 employees to introduce internal whistleblowing procedures, as well as the designation of the appropriate authority to facilitate external reporting and follow-up.

1. Good Governance Unified Code of Listed Companies published by the CNMV in 2013 (Código Unificado de buen Gobierno de las Socedades Cotizadas).
2. Article 276 quarter paragraph 1 of the Spanish Securities Market Act for reporting to the CNMV and Article 121 for reporting to the BoS.
3. Article 26 of Spanish Law 10/2010, of 28 April 2010, on the Prevention of Money Laundering and Terrorist Financing (the "Spanish AML Law")
4. Article 26 bis of the Spanish AML Law.
5. Organic Law 1/2015, of 30 March, which amends the Spanish Criminal Code.
6. Article 31 bis of the Organic Law 5/2010, of 22 June, which amends the Spanish Criminal Code.
7. Circular 1/2016, 22 January 2016, issued by the Prosecutor General's Office.