Changes to France's anti-bribery system require large companies and their top management to implement an anti-corruption compliance program.
After a new examination of the bill by both Chambers of Parliament and the consultation of the Constitutional Council, France has enacted its Law "Sapin II" No. 2016-1691 (the Law) on 9 December 2016.
The Law is drafted to meet three objectives: (i) enhance transparency, (ii) fight corruption and (iii) modernize the economy.
The most significant reforms regarding the fight against corruption are (i) the creation of the "French Anticorruption Agency"; (ii) the protection of whistleblowers; (iii) a corporate duty to prevent corruption, and penalties for failing to implement a compliance program; (iv) a new criminal offense for corruptly influencing foreign public agents, with the extension of the possibility to prosecute acts of corruption and influence peddling when committed outside France by non-citizens who reside in France, along with the suppression of restrictive conditions for the prosecution of acts of corruption or influence peddling outside France (i.e. previous conditions (i) that the conduct was likewise punishable as an offense under the law of the country in which it was committed, and (ii) that the prosecution was instigated at the behest of the Public Prosecutor, and not by the victim alone); and (v) the possibility to enter into a deferred prosecution agreement with companies in lieu of criminal prosecution, or to be ordered to implement effective anticorruption compliance programs (see our previous Client Alert No. 1947).
Next steps for large companies and their top management to prevent risks of corruption
Sapin 2 imposes a legal obligation upon large companies and their senior management to prevent risks of bribery and corruption, requiring companies to adopt a number of internal procedures (hereunder an "anti-corruption compliance program").
Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) with affiliated limited liability partnerships conducting the practice in the United Kingdom, France, Italy and Singapore and as affiliated partnerships conducting the practice in Hong Kong and Japan. The Law Office of Salman M. Al-Sudairi is Latham & Watkins associated office in the Kingdom of Saudi Arabia. Under New York's Code of Professional Responsibility, portions of this communication contain attorney advertising. Prior results do not guarantee a similar outcome. Results depend upon a variety of factors unique to each representation. Please direct all inquiries regarding our conduct under New York's Disciplinary Rules to Latham & Watkins LLP, 885 Third Avenue, New York, NY 100224834, Phone: +1.212.906.1200. Copyright 2016 Latham & Watkins. All Rights Reserved.
The obligation to implement an anti-corruption compliance program applies to:
French companies and public industrial and commercial establishments that fit both of the following criteria:
o Employ at least 500 employees
o Have annual turnover / consolidated annual turnover of at least 100 million
French companies and public industrial and commercial establishments that both:
o Belong to a group that employs at least 500 employees and whose parent company is headquartered in France
o Have an annual turnover / consolidated annual turnover of at least 100 million
Subsidiaries and controlled companies of such French companies if such French companies present consolidated annual revenues
Who can be punished?
The companies themselves (either of private or public nature)
The company president ("prsident"), CEO ("directeur gnral"), managing director ("grant") and the members of the executive board ("membres du directoire")
The anti-corruption compliance program is composed of:
A code of conduct, which defines and illustrates prohibited acts and behaviors likely to characterize acts of corruption or of influence peddling; such code of conduct should be incorporated into the company's internal applicable rules and regulations, and for this reason prior consultation of company employees' representatives is required.
In practice: A code of conduct, sometimes called a code of ethics or code of practice, is a set of principles and rules outlining an organization's responsibilities and best practices. Most common sections of a code of conduct include: ethical principles, values, accountability, standard of conduct, standard of practice, and disciplinary actions. Drafting such a code is a delicate and challenging process, as the effort to develop an effective code can impact the company's employees, customers, business partners and other stakeholders. The main questions to consider when drafting a code of conduct are:
o Does the code clearly articulate the companies' expectations and commitment?
o Does the code provide employees with a practical roadmap and tools for their daily work?
o Does the code coordinate with existing policies and other guidance tools?
Latham & Watkins
December 14, 2016 | Number 2050 | Page 2
o Does the code clearly identify and prioritize risks issues?
o Does the code reach the right balance between the number of topics addressed and each topic's appropriate level of content?
o How should the company communicate about the code with employees, customers, business partners, stakeholders, etc.?
An internal whistleblowing system "to allow employees to report acts or behaviors that violate the company's code of conduct".
In practice: A whistleblowing system is a means of internal communication implemented within the company. As part of the anti-corruption compliance program, it allows the reporting of any action or behavior related to corruption or influence peddling.
The system can take multiple forms, which will often vary depending on the size and nature of the organization, possibly including: a designated website, a dedicated phone line; internal reporting to a dedicated person, email, a complaint box, etc. The system can be managed either internally or with the help of a third-party service provider. The seven main steps of a whistleblowing system are: (i) claim; (ii) receive; (iii) analyze; (iv) investigate; (v) resolve; (vi) report (if applicable); (vii) retain. The implementation of an effective whistleblowing system includes, in particular:
o Defining a clear process for investigating complaints
o Regularly educating employees on the who-what-when-where-why-how of reporting suspected activity
o Ensuring the confidentiality of the information and protecting the whistleblower at all stages of the process
o Setting up a procedure to retain and maintain files and information on alleged wrongdoings
o Taking into account data protection laws and filing the necessary notifications to the French data protection authority (CNIL)
Nota Bene: This "internal whistleblowing system" must be distinguished from the "procedure of collection of alerts" that must be implemented by all employers (public or private) with at least 50 employees. This "procedure of collection of alerts" is of a broader form, and is provided in the chapter of the Law related to the general status and legal protection of whistleblowers (Articles 6 et seq.). It should allow the receipt of alerts beyond the sole scope of acts related to corruption and influence peddling, from any employee or external and occasional collaborators of the company.
Finally a specific and sectorial procedure of alerts is provided by the Law for the French Financial Markets Authority ("AMF"), for the French Prudential Supervision and Resolution Authority and for almost all companies falling under the control of these Authorities, as defined by Article 16 of the Law.
Latham & Watkins
December 14, 2016 | Number 2050 | Page 3
A risk mapping, regularly updated and designed to identify, analyze and prioritize the risks for the company to be exposed to third parties' requests for purposes of corruption, depending on the business sectors and geographical areas concerned.
In practice: A company cannot implement an effective anti-corruption compliance program without first identifying and assessing the risks specific to the company's industry, geography, business structure, business partners and level of government oversight. The main phases for implementing a risk mapping are to: (i) identify actual and potential risks; (ii) assess the risks; (iii) determine preventive/corrective measures; (iv) recommend and present to the business (need to select the most appropriate format); and (v) enhance and implement. Risks should be assessed on two criteria: (i) their likelihood (or their frequency) and (ii) the impact of their occurrence on the company. Priority should then be given to all significant risks the company can face, i.e., all the risks that are likely to occur and that would have a significant impact on the company. Once both risks and their consequences for the company are identified, the company should decide how to deal with the risk, i.e.: (i) eliminate the risk; (ii) transfer the risk to another contractual party; (iii) reduce the risk (its severity); or (iv) tolerate the risk (if the measures to eliminate/transfer/reduce the risk are not worth taking or not cost effective). The most obvious preventive and corrective measures include: implementing effective changes in business practices; updating/drafting policies; renegotiating insurance coverage; adding new clauses to a contract; issuing alerts; and providing training, etc.
Due diligence procedures for the company's clients, major suppliers and intermediaries, in light of the risk mapping.
In practice: Due diligence procedures generally imply the (i) collection of information on the third party (for example through Internet, database and media searches, but also through the completion of questionnaires); (ii) verification and validation of data by the compliance or legal department (or at least by a business unit distinct from the one looking to hire the third party) to identify possible gaps or inconsistencies; and (iii) evaluation of results with a "red flag" checklist. The company should then implement mitigating measures considering the seriousness of the red flag identified. Also, for certain high-risk third parties, the assistance of an external due diligence service provider may be necessary to undertake additional tasks, such as checking the third party against watch lists. Once the client/supplier or intermediary is approved, efforts to mitigate risks of corruption can also involve: contract protections with specific provisions (such as an obligation to comply with the company's anti-corruption policies or a provision limiting the third party's ability to act on the company's behalf); or monitoring measures in order to supervise the third parties' conduct on an ongoing basis (such as the requirement of certifications and anti-corruption training); and special payments review and approval.
Internal or external accounting control systems -- intended to ensure that the company's financial books, records and accounts are not used to hide acts of corruption or of influence peddling. Such controls can be carried out either internally, or by the company's external auditors which are also responsible for the certification of its accounts.
In practice: Accounting control systems are the methods and procedures a company implements to ensure the continued accuracy and validity of its financial statements. The internal controls protect the company from abuse and fraud, and help verify that all information is accurate. Such controls typically include:
Latham & Watkins
December 14, 2016 | Number 2050 | Page 4
o Separation of duties among the employees (bookkeeping, deposits, reporting, auditing)
o Restrictive access controls to financial systems (access tracking via passwords, login keys, etc.)
o Physical audits (when relevant), and documents that standardize financial transactions to maintain consistent records to facilitate searching for discrepancies
o Formal approval requested from specific managers for large payments and expenses, or important transactions
Training programs for managers and individuals most likely to be exposed to risks of corruption and influence peddling.
In practice: The key functions most likely to be exposed to corruption risk include those involved in: sales, purchasing and logistics; contract negotiations; audit; internal controls; legal; finance; human resources. For the training programs to be effective, each relevant employee should receive training tailored to the company's geography, industry and structure, but also to the employee's function within the company. Such programs can take various forms and use different methodologies, such as: DVDs, e-learning on the company's intranet; face-to-face meetings with experienced external trainers; Q&A, role playing, case studies, etc. Always remember to document completion of anti-corruption trainings as the company can one day use the number of employee hours spent on training as a legal defense.
A deterrent sanctions policy, including disciplinary actions against employees for breach of the company's code of conduct
In practice: an organization should make clear to managers and employees that any abuse or disregard of the company's code of conduct may lead to disciplinary sanctions.
An internal system to control the implementation of the above measures
In practice: an internal control system typically consists of a set of rules, policies and procedures a company implements to provide reasonable guarantee that its: (i) financial reports are reliable; (ii) operations are effective and efficient; and (iii) activities comply with applicable laws and regulations. Internal control programs should be monitored and revised on a consistent basis to ensure they are effective and current with technological and other advances. Examples of internal controls to check the implementation of the above measures could be:
o Regular meetings scheduled with auditors to report any deficiency
o Automatic backups every day; forced password changes every six months
o Review of references for new employees
o Necessity to receive authorization from several managers before proceeding with certain purchases, actions or decisions, etc.
Latham & Watkins
December 14, 2016 | Number 2050 | Page 5
The French Anti-corruption Agency will likely issue guidelines for companies to fulfill the abovementioned obligations under Sapin 2 (as done by SPCP in March 2015)
The obligation to implement an anti-corruption compliance program will enter into force on 1st June 2017 (on the first day of the sixth month following the enactment of the Law).
In practice, please note that a State Council decree must determine the operating conditions of the French Anti-corruption Agency and of its Sanction Committee. Moreover, the French Anti-corruption Agency will likely issue guidelines for companies to fulfill their obligation (Article 3). These recommendations should be adapted to company size and to the nature of the risks identified.
What risks in case of non-compliance?
After a control, the French Anti-corruption Agency may issue a warning if it finds that a company does not have an adequate anti-corruption compliance program in place.
The French Anti-corruption Agency's Sanction Committee also has the power to impose administrative sanctions upon the company and/or its representative, including (i) an injunction to improve the anticorruption compliance program, and/or (ii) a fine up to a maximum of 200,000 for natural persons, and 1 million for legal persons.
The Sanction Committee may also decide that the decision imposing the injunction/fine be published, at the expense of the person the decision concerns.
Beyond such controls, we can anticipate that compliance will automatically be checked in case of corruption or influence peddling.
The French Deferred Prosecution Agreement
As anticipated (See Client Alert No. 1947), the possibility for companies accused of corruption to enter into criminal settlements with the French authorities has been reintroduced in the text of the Law via parliament amendment, in a revised version.
Under this now renamed "public interest judicial agreement" ("convention judiciaire d'intrt public"):
As long as prosecution has not been set in motion (i.e., until the end of the preliminary investigation), the public prosecutor may offer companies accused of offenses of corruption or influence peddling, a settlement imposing:
Payment of a fine of up to 30% of the company's average annual turnover over the past three years
Implementation of an anti-corruption compliance program aimed at preventing and detecting acts of corruption for three years, under the control of the newly created French National Anticorruption Agency
Indemnification of identified victims for the harm suffered, within a one-year period maximum
The possibility for the company to enter into the public interest judicial agreement is also given during the investigation stage, upon request or with the approval of the public prosecutor.
Latham & Watkins
December 14, 2016 | Number 2050 | Page 6
Once the company accepts the proposed agreement, the agreement is submitted to the review and validation of the judge. The judge approves or declines the agreement in a public adversarial hearing, with the possibility for the victims to be present at the hearing.
The agreement entails no recognition of liability on the part of the company nor any mention in the criminal report.
Any settlement, including the identity of the parties concerned and the amount of the fine, will be published on the National Anti-corruption Agency's website.
The agreement can only be entered into with the company; the company's signature does not prevent the prosecution of the company's management.
The agreement does not preclude victims (except the State) from pursuing the company for civil damages.
Latham & Watkins
December 14, 2016 | Number 2050 | Page 7
If you have questions about this Client Alert, please contact one of the authors listed below or the Latham lawyer with whom you normally consult:
Fabrice Fages firstname.lastname@example.org +184.108.40.206.20.00 Paris
Matthias Rubner Matthias.Rubner@lw.com +220.127.116.11.20.00 Paris
Hugues Vallette Viallard Hugues.ValletteViallard@lw.com +18.104.22.168.20.00 Paris
Elise Auvray Elise.Auvray@lw.com +22.214.171.124.20.00 Paris
You Might Also Be Interested In
French Anti-Corruption Reform Expected In 2016
International Fraud & Asset Tracing (3rd Edition), France
The Macron Law Modifies French Competition Rules and Procedures
5 Questions About France's New Health-related Class Action Law
Client Alert is published by Latham & Watkins as a news reporting service to clients and other friends. The information contained in this publication should not be construed as legal advice. Should further analysis or explanation of the subject matter be required, please contact the lawyer with whom you normally consult. The invitation to contact is not a solicitation for legal work under the laws of any jurisdiction in which Latham lawyers are not authorized to practice. A complete list of Latham's Client Alerts can be found at www.lw.com. If you wish to update your contact details or customize the information you receive from Latham & Watkins, visit http://events.lw.com/reaction/subscriptionpage.html to subscribe to the firm's global client mailings program.
Latham & Watkins
December 14, 2016 | Number 2050 | Page 8