French companies used to watch from afar with dismay the sanctions imposed by the US authorities on French multinationals prosecuted for corruption of public officials. The extra-territorial application of the Foreign Corrupt Practices Act 1977 and the UK Bribery Act 2010 were a cause for concern but they had difficulty imagining that such misfortune could happen to them, quite simply because many of them had implemented, at least in appearance, codes of ethics or procedures for combatting corruption.

Compliance procedures must, however, be effective and comply with strict international standards. With the presentation of the Sapin II bill to the Council of Ministers on 30 March 2016, which introduces an obligation on organisations to prevent and detect of corruption risks, France has finally embraced new legislation more in line with these standards.

The implementation of effective anti-corruption procedures will no longer simply be a choice for French companies, but a genuine duty, and a precaution they will need to take.

Who is targeted by this Sapin II bill?

The obligation of preventing and detecting corruption risks is imposed on companies employing at least 500 employees (or belonging to a group of companies employing at least 500 employees) whose turnover is higher than 100 million euros, as well as to the directors of these companies.

What procedures will need to be implemented?

  • Adoption of a code of conduct which:
    • Clearly describes prohibited conduct and behaviour characterised as acts of corruption or influence;
    • Defines a common set of values for the organisation;
    • Promotes a culture of integrity; and
    • Applies and is enforceable internally at all levels and externally to all entities over which the organisation exerts effective control.
  • Implementation of an internal whistle-blowing system which:
    • Collects potential alerts and ensures adequate protection of employees reporting unlawful or risky conduct or situations; and
    • Requires the organisation to take appropriate measures on the basis of those alerts.
  • Establishment of risk mapping procedure:
    • In the form of regularly updated documentation;
    • Which identifies, analyses and prioritises the company’s risk exposure to external risks of corruption within the sectors of activity and geographical areas in which the company carries out its business activities or, where appropriate, the entities over which the organisation exerts effective control carry out their business activities; and
    • Enabling the company’s procedures to be adapted to the risks identified.
  • Implementation of a process for verification of the integrity of its clients, suppliers, partners and agents.
  • Performing internal or external accounting inspections intended to ensure compliance of books, records and accounts with the organisation’s procedures.
  • Organisation of a training program for managers and personnel with the highest exposure to corruption risks.
  • Establishment of disciplinary sanctions procedure for members of the company in the case of breach of the company’s code of conduct

What are the sanctions in case of violation of these provisions?

The following sanctions are provided for and implemented by the Sanctions’ Commission of the National Agency for the detection and prevention of risks of corruption (the “Agency”):

  • An injunction ensuring compliance with any recommendations of the Sanctions’ Commission.
  • Sanctions of an amount which is proportionate to the seriousness of the breaches identified and to the financial situation of the natural person or legal entity concerned (up to 200,000 euros for natural persons and 1 million euros for legal entities).
  • Possible publication of the sanctions.

Creation of an additional criminal penalty for ensuring compliance

  • In the event of conviction for corruption or influence peddling offences, new article 131-39-2 of the French Criminal Code provides that an organisation may be required to adopt and implement a program to ensure compliance within the organisation under the supervision of the Agency for a maximum period of 5 years.
  • Sanctions for violation of this obligation is equivalent to 2 years imprisonment and a fine up to the double of the amount gained through the commission of the offence for legal entities.

What to do?

Companies to which Sapin II applies must evaluate without delay their compliance programs to ensure they have adequate compliance procedures already in place. Otherwise, a full compliance program must be set up. A company must then ensure that those procedures are fully implemented and, if necessary, updated in accordance with the external recommendations of a certified body.

Companies will need to carry out an audit of their existing compliance programs including:

  • Completion of a due diligence checklist, questionnaire and full analysis of the adequacy of the compliance program documentation;
  • Interviews with key individuals (CEO, CFO, Chief Compliance Officer etc.) regarding the compliance procedures and corruption risks;
  • Establishment of a risk-map; and
  • Analysis of the effectiveness of the compliance program and “gap analysis” through:
    • The audit of sale contracts, tender offer documents, agreements with third parties and intermediaries;
    • Conducting new targeted interviews with personnel at high risk of exposure;
    • Conducting tests evaluating the compliance procedures;
    • An audit of (i) the meeting minutes of compliance bodies to ensure that the function satisfies the conditions of autonomy and accountability, (ii) the training reports of management and personnel, (iii) the documentation recording the detection and investigation of regarding to any potential acts of corruption, (iv) the audit reports related to the hiring of sensitive employees and third parties co-contractors and (v) the implementation of sanctions;
    • Issuance of a report by any external certification body which conducts a review of the company’s compliance programs and any recommendations made.
  • Implementation of external recommendations by:
    • Drafting and implementing any missing documents/procedures;
    • Training of management and personnel on the new procedures; and
    • Performing a compliance audit in respect of these procedures.

Find more articles in April’s edition of Corporate Crime Matters