The anti-corruption law known as “Sapin II” was passed on 9 December 2016 in the hopes of bringing French anti-corruption legislation in line with the strictest European and international standards. Global companies need to take notice because the new law is essentially the first of its kind in France. Prior to Sapin II, the laws against paying bribes to foreign government officials were virtually non-existent in France and the increased liability means that companies could face separate penalties under the FCPA, UK Bribery Act and now Sapin II.
For non-French companies that are operating in France, it is imperative that the new guidelines be communicated to employees in high risk functions and activities such as government contracting, sales, procurement and third party management. Even for companies that have an existing global anti-bribery programme in place, there is a need to ensure that their measures are in line with the expectations of the new French Anti-Corruption Agency. Global companies cannot necessarily drop in a US or UK founded compliance programme and expect to meet all the requirements under Sapin II. Depending on the state of the existing compliance programme, Sapin II can require companies to:
- Train high risk employees on bribery and corruption
- Add illustrative examples in the code about prohibited behaviours related to bribery
- Conduct a risk assessment of both clients and third parties
- Conduct risk mapping to determine the exposure to corrupt acts and regularly update it
The need to implement procedures
The main innovation of the law is the requirement for certain companies to implement a compliance programme by June 2017. Under the new law, programmes must include:
- A code of conduct which defines and illustrates different types of behaviour that might be related to corruption or conflicts of interest
- Internal whistleblowing procedures which allow the reporting of a violation of the code of conduct and guarantee anonymity; it is important to note that this whistleblowing measure applies to all companies in France with over fifty employees
- Risk mapping, regularly documenting the process of identifying, analysing and classifying risks in accordance with the company’s operations and the zones of geographic operations
- Assessment procedures for customers, suppliers and intermediaries in respect to the risk mapping made
- Accounting checks, internal or external, to ensure that fraudulent record-keeping methods are not used to cover up misconduct
- Training programmes designed for employees who are exposed to corruption and conflict of interest risks
- Disciplinary action procedures in case of code of conduct violations
- An internal check and assessment system on the implementation of the measures
Companies and their directors may be held responsible if they do not implement the frameworks required by the law. Putting an individual burden on directors can have a significant impact on the credence and resources that are given to the compliance programme at the company. It is more likely that compliance professionals can get buy-in from top executives if there is the risk of individual accountability for deficient policies and procedures.
Who needs to put these measures in place?
The new obligation applies to French companies and their presidents, general directors and managers if the companies have revenues exceeding €100 million and either (a) have over 500 employees or (b) are part of a group of companies or a subsidiary of a French holding with over 500 employees.
Additionally, the law applies to conduct that occurs outside of France by French companies and their business units. In this respect, the law is similar to the US Foreign Corrupt Practices Act or UK Bribery Act in that the French government is willing and able to enforce penalties and sanctions beyond its own borders.
The vigilance of the French Anti-Corruption Agency
Sapin II establishes the French Anti-Corruption Agency, which will be in charge of preventing and detecting corruption and conflicts of interests. The agency will have to assess the efficiency of the compliance programmes put in place by companies. The question of what is an “efficient” compliance programme is somewhat of a vague area outside of the basic guidelines provided in the law.
Companies will largely need to extrapolate for themselves what specific elements make up an efficient programme. One way to determine what is deemed a quality programme in the eyes of regulators is to examine the opinions and significance of enforcement actions as they correlate to the robustness of that particular company’s compliance programme. Companies can learn a great deal from their own mistakes but it can be much more cost effective and efficient to learn from the mistakes of others and adjust their own programmes accordingly.
In case of established breaches, the French Anti-Corruption Agency will have the ability to:
- Scold: Directly warn the company’s representatives to comply with the law.
- Recommend: Refer to the Enforcement Committee of the agency to address financial sanctions.
- Publicly share: Publish information about the injunction and the sanction.
Key risks to consider for failing to establish a compliance programme
- Financial risks: Fines up to €200,000 (US$213,000) for an individual, and up to €1 million (US$1.07 million) for a legal entity can be imposed.
- Control risks: An obligation to establish a compliance programme within five years under the supervision of the French Anti-Corruption Agency. The need to build a programme under the close supervision of a government agent is surely more burdensome on companies than working on it on their own.
- Reputational risks: The publication of sanctions by the Enforcement Committee will affect a company’s reputation and result in a loss of confidence from customers. It might look like the company has poor standards and values.
- Legal proceedings: If a company fails to comply with the Enforcement Committee’s injunctions and sanctions, it might be exposed to legal proceedings.
How can we help?
The Red Flag Group is already engaged with numerous French companies to ensure they are in compliance with Sapin II and other international standards.
As part of our Sapin II Risk-Assessment Package, The Red Flag Group offers a combination of business advising, information services and technology to ensure that your organisation is fully prepared for the new measures. We can assist and work with you to provide:
- Codes, policies and procedures: The Red Flag Group can help write or update your code of conduct in line with the new law. We can also design and implement processes such as a reliable and anonymous internal whistleblowing procedures, which would enable you to efficiently track and remediate issues. Note that having the right anti-corruption policies and procedures in place is a step towards reaching the new ISO 37001 standard on anti-bribery management systems.
- Integrity due diligence: The Red Flag Group can conduct discreet investigations on your third parties to establish the risk of corruption. We can review their profiles in the media, litigation databases and corporate registries and conduct reputation enquiries. We can provide advice on how risky it is for you to deal with these third parties and what you can do to mitigate these risks.
- Auditing: The Red Flag Group can conduct audits of your suppliers and distributors to ensure that they have effective anti-corruption standards. We can undertake projects in any part of the world, with in-house compliance, accounting and IT with local language capabilities.
- Training and advice: The Red Flag Group can build training programmes for employee groups with higher exposure to corruption risks. We can also help you build courses, workshops and face-to-face trainings.
- Risk assessment and review: The Red Flag Group can identify the highest risks for you to address based on your activities, country of operations, industry, supply chain and stakeholders.
If you are concerned about Sapin II and its impact on your company, or for more information on our Sapin II risk-assessment package, please contact firstname.lastname@example.org.
For more information about The Red Flag Group and our range of services, please visit www.redflaggroup.com.