The new French Anticorruption Agency (Agence Française Anticorruption, or AFA) recently issued a set of guidelines detailing the AFA’s expectations for corporate compliance programs. The guidelines, which are not legally binding but are required by France’s Sapin II law and followed a period of public consultation, provide public and private commercial organizations with a framework for ensuring that their compliance programs adequately protect the organizations from corruption-related risks. The guidelines are also intended to help certain commercial organizations meet the statutory requirements of Article 17 of Sapin II, which requires French companies (including the French subsidiaries of foreign companies) with over 500 employees and annual revenues exceeding €100 million to adopt certain identified compliance program requirements.
The AFA Guidelines note that they are “inspired by the best international standards” and describe compliance program components that are generally similar to those outlined by other national authorities, including the U.S. Department of Justice (“DOJ”) Fraud Section’s 2017 Evaluation of Corporate Compliance Programs (“DOJ Evaluation Guidance”) and 2016 Foreign Corrupt Practices Act (“FCPA”) Enforcement Plan and Guidance, the DOJ’s and U.S. Securities and Exchange Commission’s 2012 FCPA Resource Guide, and the U.K. Bribery Act 2010 Guidance. At the same time, however, the approximately 15,000-word AFA Guidelines provide far more precise recommendations for certain compliance program elements than described by the various DOJ guidance documents, the Bribery Act 2010 Guidance, or Sapin II. Accordingly, although many multinationals may have previously implemented compliance programs based on the international best practices highlighted by U.S., U.K., and other authorities, such companies may wish to revisit elements of those programs in light of the AFA’s most recent guidance.
AFA Guidelines in Comparison to U.S. and U.K. Guidance Documents
The AFA Guidelines go much further in describing requirements for the due diligence of third parties than recommendations found in the DOJ guidance documents referenced above and the U.K. Bribery Act Guidance. For example, the DOJ Evaluation Guidance includes “Third Party Management” as a topic and asks a series of questions relating to whether a company has a risk-based process, appropriate controls for the retention and management of third parties, and an appropriate system for handling issues identified in third-party relationships. The FCPA Resource Guide lists appropriate due diligence as a “hallmark” of an effective compliance program, noting that certain guiding principles such as understanding the qualifications and reputation of third parties should be considered when conducting such diligence. The U.K. Bribery Act Guidance includes due diligence as one of the principles that should inform commercial organizations’ compliance programs and offers general prescriptions for how companies should approach such diligence.
The AFA Guidelines, however, provide significantly more detailed recommendations, including specifying, for instance, that “there should be three levels of due diligence participants within organizations,” (1) line managers “who conduct due diligence and are accountable for it,” (2) the compliance officer who “should provide expertise and advice to the line managers . . . with support in the highest-risk cases,” (3) and “top management” who “should make the final decision in the highest-risk cases notified by the line managers.” The guidelines also name fourteen separate types of information that commercial organizations should obtain in conducting due diligence on third parties. The AFA Guidelines provide further recommendations relating to how commercial organizations should handle the final assessment of the completed due diligence, enact preventive measures when working with third parties, update third-party due diligence findings, monitor dealings with third parties and the due diligence process itself, audit the third-party due diligence process, and retain third-party due diligence records. While the approach detailed in the guidelines may work for many companies, many commercial organizations with highly developed due diligence programs will have structured those programs in ways that are significantly different.
Similar to the U.S. and U.K. guidance documents, the AFA Guidelines identify “Risk Mapping” as one of eight compliance program requirements but go much further in detailing requirements for identifying risks. For instance, the DOJ Evaluation Guidance includes “Risk Assessments” as one of eleven topics and poses four questions for companies to use to assess the adequacy of their methods for identifying, analyzing, and addressing the risks that the companies face. Similarly, the FCPA Resource Guide highlights that companies should design their compliance programs based on the particular risks that the companies face, although it does not identify a specific approach or methodology for such risk assessments. The U.K. Bribery Act 2010 Guidance likewise identifies certain “basic characteristics” of a risk assessment and highlights commonly encountered risks.
The AFA Guidelines, however, detail a specific, six-step methodology for identifying and assessing corruption-related risks, including (1) clarifying the roles and responsibilities for those employees responsible for the risk mapping process; (2) identifying risks “inherent” in the commercial organization’s activities; (3) assessing the commercial organization’s exposure to such corruption risks; (4) assessing the adequacy and effectiveness of the means for managing these risks, including determining what “residual” risks may remain following the adoption of preventive measures; (5) prioritizing and addressing such residual risks; and (6) periodically updating the risk map. In detailing these steps, the guidelines recommend that after identifying risks inherent in the commercial organization’s activities, the organization should assess the organization’s vulnerabilities to each risk through multiple specific indicators that the guidelines also identify and describe. The guidelines then recommend that organizations create appendices to their risk maps to explain their methodologies for computing “gross,” “net,” and “residual” risks and the definitions used.
Similar to the AFA recommendations for due diligence, such a thorough approach for Risk Mapping would clearly achieve the AFA’s stated goal of assisting companies to create compliance programs that protect the organizations from corruption-related risks. However, the recommendations are specific enough that few companies will have previously created programs that meet these requirements.
Internal Whistleblowing System
Finally, the AFA Guidelines again go much further in describing the requirements for an internal whistleblowing system than recommendations found in the U.S. and U.K. guidance documents. For instance, the DOJ Evaluation Guidance lists “Confidential Reporting and Investigation” as a topic, and within that topic includes questions addressing the effectiveness of the reporting mechanism, whether investigations are staffed by qualified personnel, and how the company responds to internal investigations. The U.K. Bribery Act Guidance includes only a brief reference to the need for “‘speak up’ or ‘whistleblowing’ procedures” as part of a commercial organization’s “proportionate procedures” to preventing corruption.
By contrast, the AFA Guidelines provide far more detail, listing ten separate recommended requirements for commercial organizations’ internal whistleblowing systems. Among the more detailed requirements are provisions for communications with whistleblowers, who within the organization is responsible for receiving and handling whistleblower complaints, and measures for ensuring the whistleblowers’ anonymity, including the requirement that information that might identify the whistleblower must be destroyed within two months of the end of an investigation.
It remains to be seen what impact the guidelines may have on the AFA’s enforcement of Sapin II, which formally took effect on June 1, 2017. As noted, commercial organizations are not legally required to adopt the AFA Guidelines, and many organizations would, in the near term, struggle to adopt some of the guidelines’ more detailed recommendations. In particular, even companies with highly developed compliance programs may not meet the AFA’s detailed recommendations for risk mapping and corporate due diligence programs. However, the AFA has repeatedly indicated that it does not wish to see companies that already have put in place extensive compliance programs start from scratch and create a new, separate set of tools to comply with Sapin II requirements. Instead, it will consider global compliance programs that take into account, for instance, the requirements of the FCPA and U.K. Bribery Act in addition to Sapin II. Such an approach would also be consistent with the provisions of Sapin II providing French authorities with the flexibility to negotiate settlement agreements with corporate defendants similar to the deferred prosecution agreements employed by U.S. and U.K. authorities. It would also be in line with the AFA’s intention to cooperate with foreign authorities in corruption-related investigations.
At the same time, given the detailed guidance that the agency has now provided, the AFA might conceivably provide more favorable treatment to companies with compliance programs that align with the guidelines, in the same manner that U.S. authorities have consistently rewarded companies with robust compliance programs. Additionally, although the AFA Guidelines themselves are also not legally binding, they detail specific, compliance-related measures that, in the AFA’s estimation, commercial organizations subject to Article 17 should meet. The AFA may therefore view noncompliance with the guidelines as a sign that one or more items of a compliance program legally required under Article 17 is lacking or incomplete, and therefore expose companies to administrative pursuits or requests (notably document and information production requests). The AFA has also reportedly conducted a number of recent on-site audits at French companies, and there are expectations that the agency is likely to increase its enforcement efforts. Noncompliance with the guidelines could trigger suspicion from the AFA, other regulators, or French prosecutors, who may consider that the organization is concealing misconduct.
While aspects of the AFA’s enforcement priorities and approach remain unknown, companies with operations in France are now on notice of the rigorous compliance program standards that the agency recommends that commercial organizations adopt. Given the detail of the AFA Guidelines, commercial organizations should, at a minimum, assess their current compliance framework to ensure that they are taking all reasonable steps to protect the organizations from corruption-related risks. Further, companies with heightened corruption-related risks in France, including those subject to the requirements of Article 17, may wish to go further, including ensuring that their compliance programs are fully aligned with the detailed provisions of AFA Guidelines.
 Sapin II is formally known as the Transparency, Anticorruption, and Economic Modernisation Act 2016-1691 of 9 December 2016.
 The eight corporate compliance program components described by the AFA Guidelines are (1) Top Management’s Commitment to Preventing and Detecting Corruption, (2) Anticorruption Code of Conduct, (3) Internal Whistleblowing System, (4) Risk Mapping, (5) Third-Party Due Diligence Procedures, (6) Accounting Control Procedures to Prevent and Detect Corruption, (7) Corruption Risk Training, and (8) Internal Monitoring and Assessment System. The AFA Guidelines’ compliance program elements are generally similar to, if far more expansive than, the eight internal procedures listed in Article 17. The guidelines also include a final section describing how the component guidelines should be applied by all public sector entities, which we do not describe as part of this article.
 While much of the required information would be part of any standard due diligence efforts, including the third party’s reputation, the country risk, and the compensation arrangement, other information may be less standard, including, for instance, due diligence that the third party does on its own third parties.
 The DOJ Evaluation Guidance lists 119 questions, grouped into eleven topics, which the DOJ Fraud Section may ask in assessing corporate compliance programs in the context of a criminal investigation. The questions provide significant insight into the Fraud Section’s views on an effective corporate compliance program. However, by framing the Evaluation Guide as a series of questions, the Fraud Section avoids establishing specific formulas for companies to adopt in their compliance programs.
 Sapin II itself creates a new legal framework for whistleblowers, including providing for criminal penalties for individuals who act to prevent someone from raising a concern. The AFA Guidelines state that “the internal whistleblowing system should be distinct from the procedures implemented to ensure protection of whistleblowers under the terms” of Sapin II while at the same time noting that a “single technical system for receiving” disclosures may be established.
 French authorities published the first such agreement, known as a convention judiciaire d’intérêt public (CJIP), with HSBC Private Bank Suisse SA in November 2017. It is the first such agreement under the Sapin II.
 Such an approach is memorialized in the Department’s new FCPA Corporate Enforcement Policy. That policy, which is incorporated into the U.S. Attorneys’ Manual, states that in determining whether a company meets the remediation requirements necessary to obtain credit under the program, DOJ will assess several factors, including the culture of compliance at a company and the quality of its compliance resources. USAM 9-47.120 – FCPA Corporate Enforcement Policy, available at https://www.justice.gov/criminal-fraud/file/838416/download.