Maria Lancri (mlancri@squairlaw.com) is Attorney at Law for Squair in Paris, France.
The French Anticorruption Agency (AFA), which was set up by the French Sapin II law,[1] has a goal to assist entities in setting up their programs—alongside its mission of conformity for anticorruption compliance program audits. As part of this, the AFA issued at the end of December 2019 an updated version of their Guide pratique La fonction conformité anticorruption dans l’entreprise (Practical guide: The anticorruption compliance function in the company).[2]
One size does not fit all
The new guidance considers comments that had been communicated to the AFA by several professional associations in view of the first version of this guidance, which was issued back in January 2019. The language used in this new version also takes into account the remarks made last July by the AFA’s Sanctions Committee (i.e., the body in charge of sanctioning companies in case the AFA’s audits reveal strong defaults in anticorruption compliance programs) when they considered in their first decision[3] that the AFA-issued guidelines are not mandatory to follow as long as the company being audited can demonstrate the effectiveness of its compliance program regarding risk mitigation.[4]
As a consequence, this new version takes a few precautions, noting, for example, that there is no one model for a compliance officer and that this is left to each company to define in view of their specificities (size, nature of activities, maturity of their compliance program, etc.); their risks; the design of the compliance function; how the compliance officer should be chosen; and the scope of their mission while considering other transverse functions’ missions in the organization, such as auditing or legal.
The guidance also states clearly that it is not mandatory to have a compliance officer, although the AFA considers it very useful to implement a compliance function with the necessary means, as this shows how dedicated the management team is to the success of the compliance program. This is also a way for management to show stakeholders and employees how committed they are to the company’s values and the compliance program. Management defines the compliance function in their organization, assists in deploying the program, and amends the program in order to make it more efficient.
Guidelines regarding the compliance officer’s role and others
The AFA then goes on to describe what the “ideal” compliance function should be and how strategic the role of compliance should be in a company. The compliance officer should take a lead role in:
- Conceiving the compliance program under the supervision of management
- Organizing the program’s deployment along with other functions of the company
- Controlling the actual deployment of the program
- Promoting an anticorruption culture within the company through training
- Using IT tools as needed
- Assisting operational managers and employees in situations where they may face an anticorruption risk
- Reporting on the status of the program
- Participating in any internal investigations
The guidance also reiterates that the compliance officer’s mission should include other support functions, including in fields of law, such as anti-money laundering, antitrust, data privacy, etc. The AFA has authority only over anticorruption issues, so with the compliance officer’s broader scope, they now have a better understanding of an organization’s internal function.
For that purpose, the AFA—applying private-sector auditing methods—proposes that companies set up a responsibility assignment matrix to illustrate the participation and deliverables made by different roles (e.g., general counsel, the compliance officer, information technology, and human resources). This matrix already appeared in the first version of the guidance. Its use reflects a concern the AFA may have when auditing compliance programs: that violations of the compliance program are more likely to happen when an organization is unsure of who is in charge of certain steps in the program or when several people have overlapping powers.
For those who do not read French, it might be interesting to refer to the English version of the EU’s Guidelines on the Data Protection Officers (DPO).[5] This version details the role of the DPO, and it was certainly studied by the AFA to draft its own guidance, although there are slight differences due to the specifics of each one of the statuses.
Note that in some regulated activities, such as financial services, appointment of a compliance officer is compulsory by law to oversee the implementation of the anti-money laundering and countering financing of terrorism programs. Moreover, this person should be a member of management.
The last section of the guidance relates to the responsibility of the compliance officer. It should be read along with the discussion of the officer’s mission in the penultimate paragraph, where the limits of the role are defined by the role general management has in implementing the anticorruption compliance program.
This is not surprising. To ensure efficiency of the program, we often discuss the necessary involvement of the board in overseeing the efficiency of a compliance program put in place by management, which derives from general principles of corporate law on both sides of the Atlantic. On top of that, the French Sapin II law makes the general manager liable if the program is not adequately implemented. One would say this is “the French way” to convince companies to go forward with their compliance program, in a country where people and companies tend not to act until an obligation is mandatory by law. Consequently, the compliance officer is not liable for compliance program deployment. Obviously, if they had a personal liability in the conduct of some act of corruption, then they could be liable for a criminal offense.
Lastly, the guidance considers that compliance officers may also see their professional responsibilities questioned, in particular if they could have prevented an act of corruption. For that purpose, the AFA reiterates that the compliance officer may benefit from the protection of the whistleblower status similar to any other employee that fulfills the legal conditions. This is a way for the AFA to encourage the use of the whistleblower hotline in case the compliance officer is facing a major issue and cannot deal with it internally. One should, however, not forget that if the matter reported to the AFA can be qualified as a criminal offense, the AFA, as any public agent, has the duty to report it to prosecutors.
The compliance function needs support from general management
As with many other authorities, the AFA sees that compliance officers’ access to direct reporting lines to general management and to executive committees is a positive sign of an actual commitment of general management to take compliance issues seriously.
In practice—so far—due to the current organization of companies, many compliance officers are not attached to general management. In order to take this into account, the new guidance states more frankly that the compliance officer may report to a lower level in the organization if it doesn’t prove to be an obstacle when an officer needs access to general management. Once again, in case a company is audited, management will bear the burden of demonstrating that the compliance officer’s attachment to a lower level is not an impediment.
One subject that concerns many human resources departments in France is understanding whether autonomy and independence granted to the compliance officer mean there is a contradiction with the permanence of the compliance officer’s relationship to their employer. The AFA provides an answer, declaring the compliance officer has to accomplish certain duties and report on them. These actions revolve around the eight items of the anticorruption compliance program, set by article 17 of the Sapin II law and detailed at a later stage in the guidance. This language could very much be used as a job description for the compliance officer.
Would failing to complete and/or report said duties be a basis to sanction or even terminate a compliance officer? It is uncertain, because, as we all know, general management has to provide the compliance officer with the necessary means to accomplish their mission and monitor the program. It is certain, however, that a compliance officer would present a lack of means as a first defense if their position were jeopardized. As a matter of fact, the AFA dedicates a full paragraph to these necessary means (both human and financial). When conducting its audits, this is an issue the AFA reviews to be able to assess the efficacy of the compliance officer’s role.
Additionally, the compliance officer should be seconded by a network of “champions” (référents) that partner with each of the branches of the company. Once again, this network is not mandatory, but in its drafting, the AFA praises the appointment of champions and emphasizes their input, because the champions are close to the business and should, therefore, have good knowledge of the risks and activities of their respective branches.
The compliance officer as an individual
In the end, who is the “ideal” compliance officer? The AFA does not say that a specific background, such as legal, is more valuable than others, but only that the individual should preferably have good management skills and a decent knowledge of anticorruption laws. The AFA specifically notes that a compliance officer should have experience in risk mapping, which is considered the cornerstone of a compliance program.
The AFA adds that background checks could be conducted to select a person for such a position. The guidance very wisely states that this check should be done in accordance with the limitations set by labor law, which is very demanding in France. It is this author’s opinion that data protection obligations should also be complied with.
Conclusion
Overall, the updated guidance mostly follows the terms of the previous version, albeit with the use of less compulsory wording. It is certainly a good tool for compliance officers to show their general management, for the sake of comparison, in case their company’s anticorruption compliance program has any lingering flaws that should be revisited. After all, in France, the obligation is made stronger when it is written in black and white.
Takeaways
- The French Anticorruption Agency’s revised guidance complements the Sapin II law.
- Although addressing French compliance officers and officers of French organizations, the guidance can help companies all over the world comply with their own regulations.
- The guidance recommends that companies allow compliance officers to be autonomous and independent.
- Additionally, companies should provide compliance officers with adequate resources to perform their mission.
- The compliance officer can be held personally liable if they are directly involved in misconduct.