France's finance minister Michel Sapin presented a proposal for a new law on transparency, anti-corruption measures and the modernisation of the economy to the Council of Ministers on 30 March 2016.

The proposal includes innovations in various fields (transparency of public decisions, effectiveness of financial regulation, greater protection for consumers), including new rules on corruption and ethics violations.

At the heart of these new anti-corruption rules lies an obligation for businesses of a certain size to be proactive in terms of preventing corruption. Compliance with this obligation would be monitored by a new agency for the prevention and detection of corruption, the "Service Chargé de la Prévention et de l'Aide à la Détection de la Corruption" (SCPADC).

The SCPADC would report to the justice and budget ministers and would be responsible for issuing recommendations to help businesses and government departments meet the new obligations, for monitoring compliance and for imposing fines on both individuals and legal entities for any breaches of the compliance procedures implemented. It would also take over the duties of the current agency, the Service Central de Prévention de la Corruption, with more substantial resources at its disposal.

The other key points of the reform concern the enforcement component of the anti-corruption machine:

  • an additional penalty for non-compliance under the control of the SCPADC and the public prosecutor may be imposed on businesses for corruption or influence peddling;
  • the conditions under which the French authorities can prosecute businesses for actions undertaken outside France to corrupt foreign public officials would be relaxed;
  • a new offence of influence peddling with foreign public officials would be introduced

In terms of whistleblowers, the new law would introduce special rules to protect individuals acting in good faith to report breaches by finance sector businesses to the AMF, France's financial markets regulator (Autorité des marchés financiers) or the ACPR, the banking and insurance regulator (Autorité de contrôle prudentiel et de résolution). Nevertheless, contrary to the original programme for the law, there would be no general protected status for whistleblowers from all sectors (public and private) and industries. According to the press pack released by the French government, this status, derived from a definition of the term "whistleblower" and general principles governing "ethical disclosures", is to be incorporated into the proposed law by amendment, based on a consultation of the Conseil d'Etat, France's highest public law court.

Lastly, although the provisions on plea-bargaining for legal entities implicated in corruption offences were removed from the final version of the law, they could yet be reinstated – albeit with a narrower scope – during the forthcoming parliamentary debate.

At this juncture, businesses should primarily be concerned with the new obligation to prevent risks of corruption. Under French law, there is currently no requirement for companies to implement specific anti-corruption measures.

Although anti-bribery programmes have long been standard at bigger companies due to their international obligations, their smaller counterparts, which are not as exposed to foreign laws, would need to make some substantial changes.

The number of companies affected by the new French compliance rules is expected to be high, around 1,570 according to the press pack released by the finance ministry, with a combined total of 5.3 million employees in the country.

What types of companies would be affected?

The reform would affect "companies with 500 employees or more or belonging to a group of companies with an aggregate workforce of 500 employees or more and an individual or group turnover of €100 million".

The biggest French businesses therefore evidently fall into the net but medium-size companies are also concerned, provided they meet the above criteria.

The two conditions are cumulative: a company with a turnover exceeding the threshold but with a workforce below 500 would avoid the new rules and vice versa, according to the current wording of the law.

Businesses that do not meet the two thresholds individually but that belong to a group of companies with more than 500 employees and a consolidated turnover of over €100 million would nevertheless be affected.

The obligations would concern the company itself and all subsidiaries and companies controlled by that company. Compliance measures could be organised for the group as a whole by the parent company.

The new system raises certain important questions as to how the rules should be interpreted in terms of groups of companies, especially international groups. For example:

  • when applying the thresholds to groups of companies, should all companies be taken into account, both in France and abroad (or just companies incorporated in France)?
  • would the foreign parent company be affected if the group exceeds the thresholds but the French subsidiary employs fewer than 500 people?

While we can attempt to extrapolate tentative answers to these questions from the law as it currently stands, the final rules will evidently depend on the forthcoming changes and clarifications brought to the text.

What would be the new obligations?

For businesses, the new obligation to prevent corruption would entail implementing "measures to prevent and detect instances of corruption or influence peddling in France or abroad". Companies would therefore need to introduce anti-bribery measures for both their French and foreign operations.

More specifically, the new law would require them to:

  • adopt a code of conduct defining and providing examples of the types of actions that must be avoided (many companies have already done this but their codes would nevertheless need to be reviewed);
  • introduce an internal whistleblowing procedure to allow employees to report breaches of the code of conduct;
  • conduct a risk assessment to identify and classify risks of corruption depending on the business sectors and geographical areas in which the company operates (here again, the recommended methodology for this exercise, which is already performed by many companies, remains to be seen);
  • introduce due diligence procedures for clients/customers, direct suppliers and intermediaries (these procedures would need to be on-going and not just applied once, on first contact with a new party);
  • implement accounting procedures to ensure that the company's registers and accounts have not been manipulated to conceal instances of corruption;
  • establish an anti-corruption training programme for executive level employees and those at the highest level of risk (here again, many companies already run this type of training programme; they would need to ensure that the training is clear in terms of the specific risks the company is seeking to avoid rather than adopting a "one size fits all" system of limited worth);
  • impose disciplinary measures, for breaches of the code of conduct. 

To help businesses create these tools – which are broadly inspired by the compliance tools used for some time in the US and the UK, for example – the idea is for SCPADC to publish recommendations that will depend on the size of the company in question and the types of risks identified.

For bigger companies, measures already in place would need to be adapted to meet the new requirements. However, they would also need to deal with conflicts between the French compliance rules and those of other laws or foreign authorities to which they are also subject.

Companies are liable to be audited and would therefore need to maintain the appropriate procedures at all times, requiring them to re-direct resources to manage compliance.

What penalties are companies facing?

The SCPADC would be responsible for imposing penalties for violations of the new obligations.

As well as the company itself, the legal representatives (president and managing director [directeur général], members of the management board [directoire] of a société anonyme, general manager [gérant], etc., depending on the type of company) could also face liability in their personal capacity.

The new law makes no mention of delegations of authority being established for compliance purposes. By analogy with past decisions concerning criminal liability, the manager would need to delegate his/her powers "to a person with the necessary competence, authority and resources", thus transferring the liability for any future breaches. Although legally possible, implementing this kind of transfer would evidently be a sensitive issue given the level of responsibility involved, for compliance officers in particular.

The procedure provided by the proposed law is as follows: the SCPADC is to be empowered to carry out "on its own initiative, or at the request of the justice or budget minister" an audit of the compliance of the procedures established and subsequently, should it detect a breach, it would then have three years to issue a warning or refer the matter to the Enforcement Committee [Commission des sanctions].

There would be various options available to the Enforcement Committee in terms of the penalties it can potentially impose, namely:

  • ordering the company and its representatives to adapt their internal procedures to meet certain recommendations within a period of time to be set by the Committee;
  • imposing a fine, of which the amount (i) must be commensurate with the seriousness of the breach or breaches and the financial situation of the individual or legal entity in question and (ii) may not exceed €200,000 for individuals and €1 million for legal entities;
  • ordering the publication of its decision.

In addition:

  • the proceedings must be carried out in the presence of all parties: "no penalty or injunction may be ordered without a hearing of the person concerned or a representative thereof or, failing this, the issue of a formal invitation to that person to appear";
  • the Enforcement Committee must substantiate its decision;
  • the appeal that may be brought against the Enforcement Committee decision would be a full appeal (i.e., with the power to revise the decision and not just set it aside).

This heralds the creation of a new form of disputes procedure for anti-bribery matters.

The procedure described in the proposed law is broadly inspired from that applied before the AMF Enforcement Committee.

Certain doubts remain however, especially at the procedural level (including the rights of the company being audited, which must "refrain from obstructing [the SCPADC officers] in any way" or face a fine of €30,000).

There is also the question of the compatibility of the Sapin II measures with those that may need to be  implemented under the proposed law on the duty of vigilance of parent and subcontracting companies, which is also designed to force France's large and multinational businesses to establish a "vigilance plan" for preventing risks, including "instances of corruption", and incorporates substantial civil penalties for non-compliance (see Article 4 below for further detail).

What is already clear is that companies will have a lot to learn from the French National Assembly debate on the Sapin II law, scheduled to take place in the coming weeks.

New rules for the protection of whistleblowers

One of the most anticipated innovations of the proposed law was the creation of a protected status for whistleblowers from all sectors (public and private) and industries. The implementation of this new status, to be based on a definition of the term "whistleblower" and general principles governing "ethical disclosures", was heralded as the conclusion of a legislative process that has gradually broadened the scope of the protective measures in place for whistleblowers, which were first defined in a law adopted on 13 November 2007 on reporting instances of corruption and have grown over time to include:

  • the reporting of "events relating to the safety for health" of medicines and health products (law of 29 December 2011);
  • the public disclosure of information of which the concealment could "cause a serious risk to public health or the environment" (law of 16 April 2013);
  • the reporting of conflicts of interest concerning certain elected and public officials (law of 11 October 2013);
  • the reporting, by any employee, "of events constituting an mid-level or serious offence of which he or she has become aware in the course of his or her duties" (law of 6 December 2013).

In the end, this protected status was not included in the proposal submitted to the Council of Ministers on 30 March 2016. At most, it provides for the agency responsible for the seizure and confiscation of assets in criminal matters, the "Agence de gestion et de recouvrement des avoirs saisis et confisqués" (AGRASC), to finance the legal costs of persons who have "reported or testified to events that could constitute offences of corruption, influence peddling, extortion by a public official [concussion], conflict of interest on the part of a public official [prise illégale d'intérêt], misappropriation of public funds or preferential treatment".

However, the government's press pack does state that the general status of whistleblower is to be incorporated into the law by amendment, based on a consultation of the Conseil d'État. The legislative process for this should be worth following.

Although no general rules are provided on whistleblowers, the proposed law would introduce new special rules protecting individuals who act "in good faith" to report "potential breaches" of the obligations contained in certain EU regulations on the financial sector to the AMF or ACPR. These regulations include the Market Abuse Regulation of 16 April 2014, which effectively means that persons reporting insider dealing, disclosures of inside information and manipulation would have protected status.

Unlike the system introduced under the law of 6 December 2013, the special rules defined in the proposed law would not only apply to reports of "events constituting" an offence of which the whistleblower has "become aware in the course of his or her duties". Instead, they cover any reporting of "potential" breaches and are not limited to events discovered by the whistleblower in the course of his or her duties. This broader scope corresponds to the requirements set by the EU lawmakers on corruption (especially in the Market Abuse Regulation).

In terms of the specific protections afforded, as was the case of the law of 6 December 2013, Sapin II provides that

(i) any "unfavourable steps" taken against a whistleblower for making a disclosure will automatically be void and that (ii) the burden of proof will benefit the whistleblower should any action be taken against him or her with respect to the disclosure made. Again, as in the law of 6 December 2013, there are no criminal penalties provided for persons taking unfavourable steps against a whistleblower as "payback" for the disclosure. This issue received fierce criticism from NGOs at the time of the 6 December 2013 law and could be amended during the upcoming parliamentary debate.

As a safeguard against the risk of unfounded reports, the proposed new law also states that no unfavourable action may be taken against individuals implicated in a disclosure "on the sole basis of that disclosure".

Lastly, again in a bid to meet EU financial regulation requirements, the new law would require certain financial sector businesses (including investment service providers and financial investment consultants) to establish internal processes to allow their employees to report breaches. The AMF and ACPR would also need to introduce the corresponding procedures for receiving these reports, of which further details would be specified in the AMF General Regulations and by order of the finance minister for the ACPR. These procedures would need to incorporate the measures imposed by the EU Directive of 17 December 2015 as regards reporting infringements of the Market Abuse Regulation.