UNE 19601:2017

This Standard sets out requirements and facilitates guidelines for adopting, implementing, maintaining and continuously improving (3.15) criminal compliance policies (3.24) and the rest of the elements of a criminal compliance management system (3.31) in organizations ( 3.20).NOTEA criminal compliance policy (3.24) can be established independently, or integrated into a wider compliance policy, that is, not limited to criminal prevention. Similarly, a criminal compliance management system (3.31) can be established independently, or integrated into a more comprehensive compliance model, that is, not limited to criminal prevention.The standard is particularly applicable in the context of management and control systems on criminal risks (3.29), establishing requirements (3.27) and guidelines to have models aligned with what Spanish criminal law requires to control and management systems for the prevention and detection of crimes, both in form and substance.Notwithstanding the foregoing, this UNE Standard may also be useful for establishing control and management systems for the prevention and detection of crimes committed in the context of business activities, even if they do not involve the criminal liability of the legal person in Spain or or are committed by Spanish organizations (3.20).This UNE Standard is applicable to:a) Any type of organization (3.20), regardless of its type, size, nature or activity. It is projected on criminal risks (3.29) in the following contexts: private sector, public sector, for or not for profit.b) Activities carried out by both the members of the organization (3.17) and by business partners (3.32), both acting on behalf of the organization (3.20), representing it or for its benefit.c) Behaviors developed directly or indirectly.This Spanish Standard does not specifically project on other risks (3.28) that are related to the criminal sphere or assuming non-compliance with the regulations, are not directly related to criminal offenses committed with the objective of benefiting the juridical person, such as risk (3.28) of fraud within the organization (3.20). However, the organization (3.20) may decide to extend the scope of both the criminal compliance policy (3.24) and the criminal compliance management system (3.31) to these areas, should it prove useful.These requirements (3.27) should be applied proportionally to each case according to the circumstances specified in sections 4.1, 4.2 and 6.2 of this Spanish Standard.In case all or part of the requirements (3.27) specified in this standard conflicts with or is prohibited by any legal provision or case law, the organization (3.20) shall not be bound by the same or its affected party.