Companies subject to the Sapin II law must:
- Evaluate their corruption risks through risk mapping and adequate due diligence of third parties.
- Educate employees and third parties most exposed to corruption risks through adequate training and a strong code of conduct.
- Establish sanctions controls, including clear whistleblower mechanisms, a disciplinary regime, accounting controls, internal controls and monitoring systems. The law outlines eight clear measures companies must follow to develop or compare their compliance program.
The law outlines eight clear measures companies must follow when developing their compliance program:
- Code of Conduct: the company must develop and implement a code of conduct.
- Internal Whistleblower Mechanisms: Establish an internal whistleblower system.
- Risk Mapping: Develop a risk cartography of the company’s exposure to corruption risks.
- Third Party Due Diligence: Assessment of third parties (clients, intermediaries, providers, etc.) based on the risk map developed.
- Strong Accounting Controls: Establish accounting controls to ensure that the company’s books and accounts are not concealing violations such as bribery, gifts or other dubious expenses.
- Compliance Training Program: Design a compliance training program that targets CEOs, managers and employees most exposed to corruption risks.
- Disciplinary regime: Establishment disciplinary sanctions to be applied in cases where the company code of conduct has been breached.
Internal Controls: Set up internal controls to evaluate and monitor the effectiveness of the company compliance program.
The program aimed at protecting whistleblowers and setting up whistleblowing processes is more encompassing than the other seven measures as it covers all crimes, offences, and violations of international law. It applies to legal persons, both private and public, with more than 50 employees, which is why this provision will be enforced as of 1 January 2018. Reporting schemes must ensure the confidentiality of the whistleblower’s identity, the identity of the report’s subject and the information collected. The disclosure of any of these pieces of information is sanctioned by up to two years’ imprisonment and a EUR 30,000 fine. Interfering with the transmission of a report to the employer, courts or authorities is punishable by up to one years’ imprisonment and a EUR 15,000 fine.
The Sapin II law also provides for the establishment of the French anti-corruption enforcement agency, Agence Française Anti-Corruption (AFA). The agency is made up of several magistrates from various French institutions. It operates under the French Minister of Justice and the Minister of Budget. The agency has three main functions:
A normative function: The AFA is tasked with first and foremost making recommendations to companies to prevent and detect acts of corruption, influence peddling, illicit enrichment, embezzlement of public funds,graft and favoritism.
A control function: The AFA will control the implementation of compliance programmes within companies and will therefore have the power to inquire for any document or information from a given company. The agency’s officers have the power to communicate with any person whose cooperation seems necessary, all the while ensuring confidentiality. Following its control, the agency makes a report on the company’s compliance programme and, where necessary, recommendations to improve it.
A disciplinary function: The AFA may issue warnings or orders to entities which are noncompliant with the eight measures outlined above. Where a company fails to implement or to improve its compliance programme based on the recommendations made by the AFA, and subsequently to a safe harbour period that may last up to three years, the AFA may either issue a warning or impose sanctions that may reach up to EUR 1 million. If a representative of a noncompliant legal entity fails to implement the AFA’s recommendations, he/she may face a fine of up to EUR 50,000 and a two-year prison sentence.
It is possible that decisions reached by the agency may be made public, potentially causing harm to the reputation of a company.