Civil Liability Ex Delicto of the Employer: Limits of Compliance as an Excluding Cause

The ruling of the Supreme Court 737/2018 addresses an increasingly relevant issue in criminal law and the liability of legal persons: the delimitation of the effects of a compliance program in relation to civil liability ex delicto. In the case under judgment, an employee of a bank was convicted for a continuing offense of embezzlement, using his dual role as an accountant for a commercial company and an employee of the banking institution. The bank was declared subsidiarily liable.

One of the grounds for the appeal filed by the bank aimed to disconnect its civil liability from the crime committed by its employee, arguing, among other things, the existence of a control program and the fact that the broken trust was exclusively between the convicted person and the harmed party. The Supreme Court dismissed this argument, reaffirming that criminal compliance programs do not automatically exclude subsidiary civil liability, which remains by virtue of the mere fact that the crime was committed in the course of functions within the company’s structure.

Facts: Willful Crime Committed Within a Dual Fiduciary Relationship

The defendant, an employee of the bank and external accountant for the companies VERDICIO S.A. and COPORSA 87 S.A., took advantage of his dual position to make fraudulent withdrawals from the account of one of these companies, a client of the bank. Specifically, he embezzled more than €150,000 through unauthorized cheque collections and withdrawals, cleverly disguising them in the bank's accounting without raising suspicion for almost a decade. The deception was possible precisely because of his direct access to the banking systems, combined with the personal trust placed in him by the company’s administrator.

The first-instance ruling convicted the defendant of a continuing offense of embezzlement and imposed subsidiary civil liability on the bank pursuant to Article 120.4 of the Criminal Code.

Bank’s Argument: Compliance and Autonomy of the External Relationship

In its appeal, the bank raised several grounds for contestation, but the core of its defense was to deny the connection between the criminal activity and its role as employer of the convicted person. It argued that:

1. The crime was not committed in the exercise of the bank's functions but as part of an external relationship of trust between the convicted person and the victim.
2. In any case, its compliance plan had established reasonable control mechanisms.
3. There had been a break in the functional link, which would justify the exclusion of the bank as a third party civilly responsible.

In response to this, the Supreme Court examined whether the fact that the crime was committed by abusing an employment function, but also through an external relationship, could exclude or reduce the company's liability for the actions of the employee.

Supreme Court Ruling: Subsidiary Civil Liability and the Limits of Compliance

The Supreme Court firmly rejects the argument that the existence of a compliance program or the partial autonomy of the relationship between the perpetrator and the victim can exclude the employer's civil liability when the crime was committed within the framework of the business’s functions.

The Court recalls that subsidiary civil liability under Article 120.4 of the Criminal Code does not require employer fault, nor participation or knowledge of the crime, but merely a relationship of functional dependency, which leads to the duty to answer for the damages caused by its employees. Essentially, this is vicarious liability, which follows the principle that those who benefit from the work of others must also bear the damages when those individuals commit crimes in the course of their duties.

In this context, the Court emphasizes that the defendant could not have carried out the crime without being employed by the bank, as it was his position that allowed him to access accounts, manipulate accounting entries, and make withdrawals. Even though he was also the accountant for the harmed company, his dual role was key in the commission of the crime. The bank, acting as the financial entity managing the accounts, gave the defendant direct and uncontrolled access to the funds, facilitating the fraudulent operation.

Therefore, it does not matter that the broken trust was with the victim, nor that the bank had implemented a control system: the decisive factor is that the crime was committed in the course of the employee’s functions within the company.

Criminal Compliance: Limited Effectiveness to the Criminal Liability of the Legal Person

One of the doctrinally most interesting points of the ruling is the clarification of the role of criminal compliance programs, which have gained great relevance since the introduction of the criminal liability of legal persons into Spanish law (Article 31 bis of the Criminal Code).

The Court recognizes that compliance systems can serve as grounds for exemption or attenuation of the criminal liability of the legal person if it can be proven that effective prevention and control mechanisms were in place. However, it clearly clarifies that such effects do not extend to civil liability ex delicto, nor to subsidiary civil liability under Article 120.4 of the Criminal Code.

In other words, the effectiveness of compliance has a limited scope, applicable only to the direct criminal liability of the legal person, but it does not exempt the company from civil liability when an employee commits a criminal offense in the exercise of their duties. This distinction is grounded in the fact that civil liability ex delicto is not aimed at punishment, but at repairing the damage, and is based on principles of commutative justice, not on criteria of guilt or intent.

Conclusion

The Supreme Court ruling 737/2018 clearly establishes that the subsidiary civil liability of the employer is not excluded by the existence of an effective compliance program or the presence of an external trust relationship between the perpetrator and the victim. The key factor for liability is whether the crime was committed within the functional scope of the business's role. In this case, the bank employee took advantage of his access to the bank's internal systems to perpetrate a continuing fraud, and therefore the bank's responsibility as a third party civilly liable is unavoidable.

Moreover, the ruling defines the limits of compliance by making it clear that its exonerating effect only applies to the direct criminal liability of the legal person, not to civil liability ex delicto or the criminal liability of the individual perpetrator. This pronouncement strengthens the idea that compliance is not an absolute shield against all forms of liability, and that its legal utility is conditioned by its context of application.

Ultimately, the ruling reaffirms an objective and functional concept of subsidiary civil liability within the corporate framework, based not on fault, but on the fact that the employer structures, controls, and benefits from the framework within which the crime was committed, and therefore must also answer for its consequences.