French Anti-Corruption Authority issues precise and detailed guidelines on compliance programs

The French anti-corruption law issued on 9 December  2016 (Sapin II) requires companies with more than 500 employees and a turnover of more than EUR 100 million to have implemented anti-corruption programs as from 1 June 2017.

Last December, the French Anti-Bribery Agency (Agence Française Anticorruption or AFA) released guidance on these compliance duties. These guidelines – although non-binding – provide some welcome clarification on the measures to be implemented.

Senior management required to be fully involved in the program's implementation

Under Article 17, directors are liable for implementing the anti-corruption program to prevent and detect corruption.

In this respect, the AFA requires senior management's commitment in establishing a culture of integrity, transparency and compliance. Senior management must promote a zero tolerance policy for any unethical behaviour and any risk of corruption. Their role should also include communicating the organisation's determination to fight corruption, internally and externally, and to ensure that the resources allocated for preventing and detecting corruption are adequate (in terms of both the team and budget).

Anti-corruption code of conduct expressing the company's position on corruption as well as being a guide for the employees

Article 17-II-1 of Sapin II provides that the company must produce a code of conduct defining and illustrating the different types of behaviours that are prohibited. It should also deal with the various situations that employees may face and give practical recommendations.

The code of conduct must also set out the company's policies on gifts, invitations, facilitation payments, conflicts of interest, sponsorship and lobbying if applicable.

Internal whistle blowing system: enabling employees to disclose potential corruption acts in a confidential way

Sapin II provides for a general protection of whistle-blowers' rights following any disclosure.

Whistle-blowers cannot be subject to any criminal action or disciplinary sanction (discrimination or dismissal procedure for example) if the disclosure is "necessary and proportionate to safeguard the interests concerned" and done in good faith.

Pursuant to a Decree dated 19 April 2017, companies should take measures to ensure the whistle-blower's anonymity, the confidentiality of the disclosures and the protection of the identity of any persons named in the disclosures whilst investigations are proceeding. The whistle-blower will be notified of the end of the proceedings and if no action has been taken, the information collected must be destroyed within two months from the date of the closure of the investigation.

We highly recommend drafting a whistle blowing policy which sets out, in addition to the whistle-blowing procedure, the whistle blowers' rights.

Risk mapping of corruption: a key new document to be designed

Under Article 17-II-3 of Sapin II,  companies must carry out risk mapping to enable it to monitor corruption risks by deepening its knowledge of the specific internal and external risks.

The written document should be designed to identify, assess, prioritise and manage the company's exposure to corruption risks depending in particular on the business sector and geographical areas in which the company operates.

Risk mapping is a key tool within the anti-corruption program ,which allows a company to strengthen control of corruption risks.

Stringent obligations relating to third-party due diligence procedures

Pursuant to Article 17-II-4 of Sapin II, "the directors should conduct due diligence procedures for assessing the situation of clients, first-tier suppliers and intermediaries ".

Third party due diligence mainly consists of gathering documents and information about a third party so as to assess the corruption risk exposure that the company incurs in initiating or continuing a relationship with this company.

In its guidelines, the AFA recommends that third party due diligence should be applied to "all third parties", which is a broader approach than provided by the Sapin II.

Third party due diligence procedure should be conducted before the start and in course of the relationship, depending on the level of risk of the third party.

Accounting control procedures: crucial tools for preventing and detecting corruption

Article 17-II-5 of Sapin II requires the implementation of "internal or external accounting control procedures to ensure that books, records and accounts are not used to conceal acts of corruption".

According to the AFA, the company does not have to set new accounting procedures. However, it should take into account concealment of corruption as one serious risk.

Training for senior management and staff members at risk

Article 17-II-6 requires "trainings for managers and staff members who are most exposed to corruption risks".

Training aims at making employees aware of the risks of corruption. The AFA recommends that employees most at risk attend face-to-face trainings including case studies and customized scenarios whereas other employees could attend e-learning modules.

Osborne Clarke comment

There can be a temptation for companies to consider the implementation and monitoring of an anti-corruption program as a heavy burden  that confers no business benefit. If done  correctly  though, these measures can provide  an opportunity for a company to better control their reputation and image,  have greater insight of their business partners and improve their credibility.