Bank governance breaks when oversight becomes optional.
Madrid, February 2026.
Spain’s National Court has cleared the way for BBVA and its former chairman Francisco González to stand trial over the bank’s alleged use of companies linked to former police commissioner José Manuel Villarejo. The decision rejects the appeals filed by the bank and several former executives, and it upholds the investigating judge’s conclusion that the case has enough indications to be tested in open court. The core allegation is not abstract misconduct but an operational pipeline, a paid access to covert capabilities that allegedly delivered information outside legal boundaries. In corporate terms, it is the moment when compliance language collides with the forensic detail of who ordered what, who paid for it, and who benefited.
The criminal qualification endorsed by the court frames the conduct as continued bribery and unlawful discovery and disclosure of secrets. Spain’s Anti Corruption Prosecutor’s Office has argued that the bank’s claim of ignorance is not credible, and the court’s reasoning aligns with that view by focusing on decision making at the top. What makes this case structurally significant is that it treats the bank as a legal person with potential criminal exposure, not merely a platform where individuals misbehaved. This shifts the narrative from reputational damage to institutional accountability, because the question becomes whether the organization’s design enabled the conduct. The court also points to a blind spot in internal controls, the idea that the executive presidency and senior leadership sat outside meaningful supervision.
A key element in the file is the role attributed to González, not as a distant figurehead but as someone the court says could have ordered certain contracts directly. According to the ruling summarized by Euronews, judges underline that González was familiar with Cenyt, a company linked to Villarejo, and that earlier engagements had not produced results while this one did. That observation matters because it frames intent through performance, suggesting that the value of the service lay in methods that crossed legal lines. The court further indicates that González could have been aware that information delivered by Cenyt was obtained through improper access to reserved databases and police resources. Even if the defense insists the trial will prove innocence, the judicial threshold for moving forward has now been met.
The alleged mechanics of the operation are unusually specific for a corporate case. The case file describes services that included surveillance, phone interception, queries of personal data, and tracing of assets, with targets reportedly spanning business figures, lawyers, and journalists. These are not marginal tasks for a bank, and that is precisely why prosecutors argue they could not have occurred as an isolated security whim. The accused list includes figures who once sat at the core of BBVA’s power structure, such as former chief executive Ángel Cano, former legal services director Eduardo Arbizu, former chief of staff Joaquín Gortari, and former risk director Antonio Béjar, along with former head of security Julio Corrochano. The narrative also includes the allegation that Corrochano provided the connective tissue between the bank and Villarejo’s network, promising discretion as a feature of the product.
Time is another weapon in this case. The alleged period runs from 2004 to 2016, long enough to suggest a system rather than a single crisis response, and long enough to raise questions about institutional memory and continuity of controls. A scheme that persists across years usually survives because it is useful, protected, or normalized, sometimes all three. In a regulated bank, longevity also forces a second inquiry: what did the governance architecture reward, and what did it fail to punish. If oversight cannot see upward, misconduct does not need to be hidden, it only needs to be framed as strategy. That is why the court’s emphasis on a control gap at the top is more than a procedural note, it is an indictment of design.
This episode also lands inside a broader European debate about whether bank governance is built to detect risk or to document it after the fact. The European Banking Authority has repeatedly pushed supervisory expectations around internal governance, fit and proper standards, and the effectiveness of control functions, precisely because complex institutions can appear compliant while decision making remains concentrated. Cases like this test the credibility of that agenda, since the alleged conduct is not a technical accounting failure but a parallel intelligence function inside a private entity. The deeper issue is that corporate compliance can become a theatre of forms, while power flows through informal channels. When oversight is reduced to paperwork, illicit capability can be outsourced and disguised as consultancy.
There is also a global integrity dimension that goes beyond Spanish criminal law. The Financial Action Task Force sets international standards for risk governance and the prevention of illicit financial behavior, and while this case is not framed primarily as money laundering, it sits in the same ecosystem of institutional trust. Once a major bank is accused of paying for illegal access to state databases and covert surveillance, the harm extends into the informational perimeter of markets. Trust is an asset class, and it is priced in funding costs, counterparty confidence, and regulatory tolerance. Even if the trial does not end in conviction, the evidentiary record can still reshape how oversight bodies interpret governance failures. That is the hidden cost, the slow conversion of a legal case into a supervisory memory.
For Spain, the trial is a stress test of how far accountability can move up the hierarchy in a major financial institution. For BBVA, it is a test of whether corporate structure can be presented as a firewall or whether prosecutors can show it operated as a conduit. For executives and boards across Europe, the case reads like a warning about what happens when security functions become politically adjacent and operationally opaque. The court will now have to weigh not only whether crimes occurred, but whether the organization’s internal architecture made those crimes plausible and repeatable. In that sense, the story is not only about Villarejo’s network, it is about what modern institutions do when they decide that rules are negotiable.
Phoenix24: clarity in the grey zone. / Phoenix24: claridad en la zona gris.