Maria Lancri (mlancri@squairlaw.com) is Attorney at Law for Squair in Paris, France.
The Sanctions Committee of the French Anti-Corruption Agency (AFA) issued its first decision on July 4, 2019.[1] Since mid-2017, the French Sapin II[2] law has required large French companies (i.e., companies incorporated in France with more than 500 employees or belonging to a group of more than 500 employees, and achieving a consolidated turnover of more than 100 million euro; also, French subsidiaries of foreign groups) to implement an anticorruption compliance program comprising eight items:
-
A code of conduct
-
A whistleblowing scheme
-
Risk mapping
-
Third-party due diligence
-
Accounting control procedures
-
Training program
-
A disciplinary system
-
An internal audit and evaluation mechanism[3]
The French Sapin II law was created in response to the OECD heavily criticizing France for failing to fight efficiently against corruption, although corruption offenses are part of the criminal code; other countries, like the US, have only guidelines issued by a regulatory body. Additionally, the AFA was created to prepare guidelines to assist both administrations and private companies in “preventing and detecting cases of corruption and influence peddling”[4] and related offenses. These guidelines provide companies with the AFA’s expectations of what a “good” compliance program looks like.
The Sapin II is a sort of experimentation:
-
No other law stipulates within the law the elements of an anticorruption compliance program; in other countries, this is being done through guidelines issued by the administration or prosecutors’ offices.
-
The law provides for a control of the viability of said programs and potential sanctions outside of any investigation or sanction of actual corruption cases. The AFA’s agents therefore have no other system of law to rely on or to compare with the French system.
Some French companies had already implemented an anticorruption compliance program prior to the Sapin II law, mainly when they added activities overseas like in the US or the UK, and were influenced by what other systems had developed. Others created their programs when the law was enacted.
Considering how new this requirement was for most companies, they had not yet fully developed their programs when the controls started.
The companies chosen for these controls have different backgrounds and are active in different markets. The AFA claims that the companies are selected to allow the agency to acquire a good knowledge of the French market. The AFA may also select companies when their behavior has been flagged.
Timeline of SAS S.’s control
One of the companies controlled was SAS S., a privately held French company, with activities in 44 countries.
This type of anticorruption compliance program control generally follows different steps:
-
Notification of the control and request to answer a detailed questionnaire and provide documentation within 15 days (the questionnaire was made public after a few months to allow companies to get prepared);
-
Analysis of the documentation remitted and further questions;
-
On-site control during which interviews with officers and employees are conducted;
-
AFA’s report;
-
Written comments from the company and meeting with the AFA;
-
Final decision (relief, warning, or transfer to the Sanctions Committee).
The full procedure is detailed in the Charte des droits et devoirs des parties prenantes au contrôle.[5]
The director of the AFA may decide to refer the case to the Sanctions Committee if he/she decides that the violations in the compliance program are too great. After a proper study of the matter, exchanges of briefs, and a hearing, the AFA’s Sanctions Committee has the power to (i) consider that there are no violations and release the company, (ii) order a company to adapt its compliance program, and/or (iii) render a monetary sanction of up to €200,000 for individuals, namely the corporate officers, and up to €1 million for corporate entities.
In the case of SAS S., the control phase of the process lasted from October 18 to December 15, 2017, and a year and a half later, the final step—the hearing before the Sanctions Committee—was held on June 25, 2019. Logically, the company took advantage of that long period to update and complement its compliance program. The Sanctions Committee made it clear during the hearing that, procedurally speaking, they would base their decision on how the compliance program had been developed until the day of the hearing. This position was restated in the decision.
The issues of the SAS S. case
The AFA considered that the company violated five of the eight items of the program:
-
Nonconformity of the risk mapping
-
Nonconformity of the code of conduct
-
Absence of a third-party due diligence procedure
-
Absence of anticorruption accounting controls
-
Absence of an internal audit and evaluation mechanism
The company considered their compliance program in-line with the requirements of the law and thought the AFA guidelines were adding obligations not provided for in the law. Their aim was to get the Sanctions Committee to rule on how binding the AFA guidelines were.
There was hope that the decision would be of great help for other companies under Sapin II obligations; however, the decision rendered on July 4 by the Sanctions Committee[6] fell short of expectations. It considered the company’s compliance program as adequate and released it from any further procedure, but the decision did not provide the guidance that the legal community wished for.