International and national standards on compliance management systems: ISO Standards and the UNE Standard 19601

Published on 23rd Feb 2017

The compliance culture continues its expansion, meaning that companies that wish to implement and maintain a culture of integrity require standardised procedures that demonstrate their commitment to fulfilling the legal requirements that apply to them.

In the current global business environment, companies' compliance with the law must be aligned with international compliance standards, and accreditation of that compliance is increasingly required in international trade. In this context, standardisation and consistency of compliance management systems become particularly necessary with a view to obtaining the corresponding certification from a third party.

For this purpose, the International Organization for Standardization (ISO) has been creating international standards on compliance management systems applicable to all entities at a global level. At national level, Spain has been working on a uniform compliance management system.

The Standard ISO 19600:2015 – Compliance Management Systems (CMS) was the first standard published regarding Compliance. As stated by AENOR, “this Standard contains guidelines for implementing, evaluating, maintaining and improving an effective compliance management system as well as recommendations on the elements an organisation should rely on to ensure compliance with an adequate general compliance policy, to demonstrate its commitment to the legal requirements and its capacity to assume obligations in this regard. Notwithstanding its usefulness, it should not be forgotten that this Standard is not certifiable, and as indicated above, it only includes guidelines and recommendations”.

Subsequently, Standard ISO 37001:2016 – Anti-Bribery Management – Requirements with guidance for use was published. This Standard contains requirements and guidelines with which companies must comply for the proper implementation, monitoring and improvement of anti-corruption management systems. This ground-breaking Standard is the first international standard to set out bribery prevention systems at global level, based on the principle of proportionality, that is, adaptation to the circumstances of each company and its specific risks. ISO 37001 focuses on certain key aspects that must be taken into account when considering an effective procedure, such as the involvement of senior management, risk assessment, the designation of a Compliance Officer, the existence of financial and commercial controls, information and investigation procedures, controls implemented, training and awareness of employees and third parties, continuous monitoring, etc.

Standard ISO 37001 is intended to prevent only bribery crimes, but it can be integrated with any other compliance management systems that companies may have in place. Moreover, compliance management systems that fulfil the requirements detailed in the Standard may be certifiable. Certification represents a great competitive advantage, as requests for accreditation of the appropriate implementation of compliance management systems are becoming increasingly common in international trade.

As a result of these ISO Standards, the Spanish Organisation for Standardisation (AENOR) is actively working nationwide on the standardisation of national compliance management systems. As an outcome of this work, it is expected that UNE Standard 19601 (formerly known as UNE 307101) on Compliance Management Systems will soon be published. In contrast to UNE-ISO 19600:2015 – Compliance Management Systems (CMS), UNE Standard 19601 will include the requirements for the correct implementation of a criminal compliance management system, including the monitoring, surveillance and control systems that companies must incorporate in the development of their activities. It is foreseeable that UNE Standard 19601 will be certifiable, thereby fostering the confidence of third parties with whom any legal relationship is maintained.

This is an extraordinary novelty, given that to date there is no official standard in Spain to normalise compliance management systems for crime prevention in companies. In any case, it should not be forgotten that, although Standard UNE 19601 will be a huge step forward, fulfilling its requirements, and even holding the corresponding Certification, does not guarantee that companies hold irrefutable proof of compliance in the event of the commission of a crime; it will instead be one more significant piece of evidence to be taken into account in the assessment that the Judge must carry out.

What is clear is that compliance is here to stay; therefore it is vital to enhance the compliance culture in all companies. For this purpose, the ISO and UNE Standards are a superb help for the implementation of adequate and effective crime prevention programmes and compliance management systems.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
