French Anticorruption Agency Issues Detailed New Guidelines for Compliance with Sapin II
The new French Anticorruption Agency (Agence Française Anticorruption, or AFA) recently issued a set of guidelines detailing the AFA’s expectations for corporate compliance programs.
The AFA Guidelines note that they are “inspired by the best international standards” and describe compliance program components that are generally similar to those outlined by other national authorities, including the U.S. Department of Justice (“DOJ”) Fraud Section’s 2017 Evaluation of Corporate Compliance Programs (“DOJ Evaluation Guidance”) and 2016 Foreign Corrupt Practices Act (“FCPA”) Enforcement Plan and Guidance, the DOJ’s and U.S. Securities and Exchange Commission’s 2012 FCPA Resource Guide, and the U.K. Bribery Act 2010 Guidance.
AFA Guidelines in Comparison to U.S. and U.K. Guidance Documents
The AFA Guidelines go much further in describing requirements for the due diligence of third parties than recommendations found in the DOJ guidance documents referenced above and the U.K. Bribery Act Guidance. For example, the DOJ Evaluation Guidance includes “Third Party Management” as a topic and asks a series of questions relating to whether a company has a risk-based process, appropriate controls for the retention and management of third parties, and an appropriate system for handling issues identified in third-party relationships. The FCPA Resource Guide lists appropriate due diligence as a “hallmark” of an effective compliance program, noting that certain guiding principles such as understanding the qualifications and reputation of third parties should be considered when conducting such diligence. The U.K. Bribery Act Guidance includes due diligence as one of the principles that should inform commercial organizations’ compliance programs and offers general prescriptions for how companies should approach such diligence.
The AFA Guidelines, however, provide significantly more detailed recommendations, including specifying, for instance, that “there should be three levels of due diligence participants within organizations,” (1) line managers “who conduct due diligence and are accountable for it,” (2) the compliance officer who “should provide expertise and advice to the line managers . . . with support in the highest-risk cases,” (3) and “top management” who “should make the final decision in the highest-risk cases notified by the line managers.” The guidelines also name fourteen separate types of information that commercial organizations should obtain in conducting due diligence on third parties.
Similar to the U.S. and U.K. guidance documents, the AFA Guidelines identify “Risk Mapping” as one of eight compliance program requirements but go much further in detailing requirements for identifying risks. For instance, the DOJ Evaluation Guidance includes “Risk Assessments” as one of eleven topics and poses four questions for companies to use to assess the adequacy of their methods for identifying, analyzing, and addressing the risks that the companies face.
The AFA Guidelines, however, detail a specific, six-step methodology for identifying and assessing corruption-related risks, including (1) clarifying the roles and responsibilities for those employees responsible for the risk mapping process; (2) identifying risks “inherent” in the commercial organization’s activities; (3) assessing the commercial organization’s exposure to such corruption risks; (4) assessing the adequacy and effectiveness of the means for managing these risks, including determining what “residual” risks may remain following the adoption of preventive measures; (5) prioritizing and addressing such residual risks; and (6) periodically updating the risk map. In detailing these steps, the guidelines recommend that after identifying risks inherent in the commercial organization’s activities, the organization should assess the organization’s vulnerabilities to each risk through multiple specific indicators that the guidelines also identify and describe. The guidelines then recommend that organizations create appendices to their risk maps to explain their methodologies for computing “gross,” “net,” and “residual” risks and the definitions used.
Similar to the AFA recommendations for due diligence, such a thorough approach for Risk Mapping would clearly achieve the AFA’s stated goal of assisting companies to create compliance programs that protect the organizations from corruption-related risks. However, the recommendations are specific enough that few companies will have previously created programs that meet these requirements.
Internal Whistleblowing System
Finally, the AFA Guidelines again go much further in describing the requirements for an internal whistleblowing system than recommendations found in the U.S. and U.K. guidance documents. For instance, the DOJ Evaluation Guidance lists “Confidential Reporting and Investigation” as a topic, and within that topic includes questions addressing the effectiveness of the reporting mechanism, whether investigations are staffed by qualified personnel, and how the company responds to internal investigations. The U.K. Bribery Act Guidance includes only a brief reference to the need for “‘speak up’ or ‘whistleblowing’ procedures” as part of a commercial organization’s “proportionate procedures” to preventing corruption.
By contrast, the AFA Guidelines provide far more detail, listing ten separate recommended requirements for commercial organizations’ internal whistleblowing systems. Among the more detailed requirements are provisions for communications with whistleblowers, who within the organization is responsible for receiving and handling whistleblower complaints, and measures for ensuring the whistleblowers’ anonymity, including the requirement that information that might identify the whistleblower must be destroyed within two months of the end of an investigation.
It remains to be seen what impact the guidelines may have on the AFA’s enforcement of Sapin II, which formally took effect on June 1, 2017. As noted, commercial organizations are not legally required to adopt the AFA Guidelines, and many organizations would, in the near term, struggle to adopt some of the guidelines’ more detailed recommendations. In particular, even companies with highly developed compliance programs may not meet the AFA’s detailed recommendations for risk mapping and corporate due diligence programs. However, the AFA has repeatedly indicated that it does not wish to see companies that already have put in place extensive compliance programs start from scratch and create a new, separate set of tools to comply with Sapin II requirements. Instead, it will consider global compliance programs that take into account, for instance, the requirements of the FCPA and U.K. Bribery Act in addition to Sapin II. Such an approach would also be consistent with the provisions of Sapin II providing French authorities with the flexibility to negotiate settlement agreements with corporate defendants similar to the deferred prosecution agreements employed by U.S. and U.K. authorities.
At the same time, given the detailed guidance that the agency has now provided, the AFA might conceivably provide more favorable treatment to companies with compliance programs that align with the guidelines, in the same manner that U.S. authorities have consistently rewarded companies with robust compliance programs.
While aspects of the AFA’s enforcement priorities and approach remain unknown, companies with operations in France are now on notice of the rigorous compliance program standards that the agency recommends that commercial organizations adopt. Given the detail of the AFA Guidelines, commercial organizations should, at a minimum, assess their current compliance framework to ensure that they are taking all reasonable steps to protect the organizations from corruption-related risks. Further, companies with heightened corruption-related risks in France, including those subject to the requirements of Article 17, may wish to go further, including ensuring that their compliance programs are fully aligned with the detailed provisions of AFA Guidelines.