On January 12, 2021, the French Anti-Corruption Agency (AFA) published new guidelines for companies in the public and private sectors, laying out recommendations in order to ensure compliance with the French Anti-Corruption Law (Sapin II) sanctioned since the end of 2016.
These new guidelines result from a public consultation process, held between October 16, 2020, and November 16, 2020, involving more than 40 employees, including 13 associations, 7 business federations, 10 law firms and consultants, 5 central administrations, and 2 non-governmental organizations. The guidelines clarify that the recommendations are not mandatory, and other measures for preventing and detecting acts of corruption are permitted if they are in accordance with the law’s content.
The guide begins by stating that an anti-corruption system refers to the set of measures taken and procedures put in place by an organization to learn, prevent, detect, and punish acts of corruption.
The guide discusses the following three inseparable pillars:
THREE INSEPARABLE PILLARS
1. Commitment by top management to carry out missions, skills, or activities of the organization free of breaches of probity, as follows:
• Have exemplary personal behavior, both in word and in action, in matters of integrity and probity.
• Promote the anti-corruption system through personal communication.
• Implement sufficient means to achieve the effectiveness and efficiency of the law’s content.
• Be responsible for the correct management of this system.
• Comply with it to make decisions that are appropriate for you.
• Ensure that adequate and proportionate sanctions are imposed in case of behavior contrary to the code of conduct, or that could be identified as a breach of probity.
2. Knowledge of the risks to integrity to which the entity is exposed by elaborating a risk mapping.
3. The management of these risks, through the implementation of effective measures and procedures aimed at their prevention, the detection of possible behaviors or situations contrary to the code of conduct or which may constitute a violation of probity and the respective sanction. This management also includes monitoring and evaluating the effectiveness of these measures and procedures.
The measures and procedures described in Item 3 above are subdivided into prevention and detection, according to the tables shown below:
PREVENTIVE MEASURES AND PROCEDURES
1. The code of conduct and its procedures / policies.
2. Awareness of and training concerning the risks of a breach of integrity.
3. Third-party integrity assessment.
DETECTION MEASURES AND PROCEDURES
1. An internal alert system.
2. A monitoring system.
3. The management of observed deficiencies.
4. Ensuring the appropriate conservation and filing of measures and procedures and their method of preparation.
The guide provides additional recommendations for companies with more than 500 employees and sales of more than 100 million Euros.
Concerning the first pillar, described above, the following additional recommendations are established:
1. Definition of top management:
• Presidents, general managers, and managers of companies based in France, who employ at least five hundred employees and whose turnover exceeds 100 million Euros.
• Presidents, general managers, and managers of companies belonging to an economic group whose head office is headquartered in France, whose staff includes at least five hundred employees and whose turnover exceeds 100 million Euros.
• Presidents and general managers of public establishments of an industrial and commercial nature who employ at least five hundred employees or belong to a public group whose workforce includes at least five hundred workers and whose turnover exceeds 100 million Euros.
• Members of the board of directors of public limited companies governed by article L. 225-57 of the French commercial code and who employ at least five hundred employees, or belong to a group of companies whose workforce includes at least five hundred employees, and where turnover exceeds 100 million Euros.
2. Senior management responsibility:
• Top management is committed to implementing a zero-tolerance policy in relation to any fact of corruption, promoting and disseminating a culture of anti-corruption compliance within the company and with third parties, prioritizing the prevention and detection of corruption.
• The implementation of the anti-corruption mechanism is the responsibility of senior management, which can, when appropriate, delegate operational implementation to an Anti-Corruption Compliance Officer, hereinafter referred to as “Compliance Officer.”
• Senior management defines the risk management strategy and ensures its implementation. It provides for the implementation of a related action plan and the appropriate means to execute it, and ensures, using indicators, monitoring, and audit reports, that the anti-corruption system is organized, efficient, and up to date.
3. Dedicated resources:
• Human and financial resources proportional to the company’s risk profile.
• Anti-corruption compliance team.
• Recourse to external advice or service providers, if applicable.
• Implementation of tools such as third-party integrity assessment tools, internal alert, risk management, monitoring, e-learning, etc.
• Management of anti-corruption training.
• Production of reports and periodic evaluations.
4. Compliance officer:
• There must be communication with all employees concerning: (i) the entrusted missions, which take into account the strategic and organizational choices made and the characteristics of the company (namely: economic model, sector of activity, size), (ii) the elements that guarantee the independence of the Compliance Officer through their positioning in the organization chart and the modalities of access to the management body, the board of directors and the specialized commissions that emanate from it, (iii) articulation with other business functions and other areas of compliance responsibility and (iv) the organization of the company’s anti-corruption compliance function, particularly the material and human resources dedicated to it.
• In an economic group, the appointment of a central Compliance Officer and local Compliance Officers is suggested.
• Senior management must ensure that the Compliance Officer always has: (i) access to any information useful for the performance of their duties, allowing them to have an accurate image of the company’s business, (ii) the independence of their action vis-à-vis other company functions and the ability to influence them and (iii) access to senior management to obtain support.
• Regardless of their position in the organization chart, it is essential that the Compliance Officer maintains a direct and regular link with senior management and has easy access to the Board of Directors.
• Senior management must ensure that the Compliance Officer has the necessary skills, especially: (i) the ability to perform a cross-cutting function and (ii) knowledge of regulations related to anti-corruption compliance, as well as business activities and risk management techniques. This knowledge may have been acquired through training or professional experience.
5. An adapted internal and external communication policy:
• The company must communicate widely about its policy for preventing and detecting corruption to all its employees.
• Adapted to its structure and activities, the anti-corruption system’s internal communication necessarily includes the code of conduct, anti-corruption training, and the internal alert system.
• The company must also communicate, in appropriate terms, its anti-corruption policy to external partners to protect its employees from undue requests.
With respect to the second pillar described above, the following recommendations are established:
1. Risk mapping should take the form of regularly updated documentation designed to identify, analyze and prioritize the risks of the company’s exposure to external requests for corruption purposes, depending on the sectors of activity and geographic areas in which the company operates.
2. Companies must carry out a mapping covering the risks of corruption and those of influence peddling.
3. Corruption risk mapping requires: (i) extensive knowledge of the company and its activities, including the managerial, operational, and support processes that these activities require for their implementation and (ii) identifying the roles and responsibilities of employees in a company, regardless of their levels.
4. Risk mapping is evolving in view of the need to periodically reassess risks and whenever there is a significant change in the company. To facilitate its updating, the mapping is part of a process of continuous improvement, allowing companies to strengthen control of their risks.
5. The risk mapping must be based on an objective, structured, and documented analysis of the corruption risks to which a company is exposed during its activities. The description highlights the potential impact of risks (severity) and their probability of occurrence (frequency), the elements likely to increase them (aggravating factors), as well as the responses provided under the existing risk control system or to be provided as part of an action plan.
6. The risk mapping must contain the following guidelines: (i) roles and responsibilities of the parties involved in the risk mapping, (ii) identification of the risks inherent in the company’s activities (identification of risk processes and scenarios), (iii) assessment of gross risks to identify the company’s level of vulnerability for each risk scenario identified in the previous step, (iv) assessment of net or residual risks, which is a matter of reassessing the scenarios of gross risks, taking into account the existing and implemented risk control means, (v) prioritization of net or residual risks and preparation of the action plan, (vi) formalization, updating, and archiving of the risk mapping.
With respect to the third pillar described above, the following recommendations are established, primarily from the perspective of prevention:
1. Code of Conduct:
• It is a document that expresses senior management’s decision to engage the company in preventing and detecting corruption, being applicable and enforceable to all company employees.
• The code of conduct must be prepared jointly by the Compliance Officer and the company’s qualified people and validated by senior management.
• The code of conduct may refer to other documents, such as policies and procedures.
• The code of conduct must be prepared after the risk mapping to identify the risks that should initially be avoided.
• The code of conduct should provide examples of specific cases.
• The code of conduct presents the internal alert system designed to collect reports regarding conduct or situations contrary to its provisions.
• The code of conduct mentions the qualified function to answer questions from the team (for example, the Compliance Officer) and the procedures for contact.
• The code of conduct must be drafted in terms that make it intelligible and accessible to non-specialists. It can be translated into one or more languages.
• The code of conduct must be updated regularly.
2. Awareness and training:
• A training system should be implemented for managers and employees most exposed to the risks of corruption and influence peddling.
• While the awareness system allows employees to be better informed and receptive to the issues presented to them, the training system must provide the knowledge and skills necessary to exercise an activity or trade. This fits into the company’s overall training plan.
• The training system must: (i) be coordinated with the other measures and procedures of the anti-corruption system and (ii) consider the specific risks to which the various categories of personnel are exposed.
• Awareness actions can be related in particular to (i) the code of conduct, reflecting the commitment of top management, (ii) corruption in general, its challenges, its forms, and the penalties incurred, whether disciplinary or criminal, (iii) the behavior to be adopted in the face of corruption, the role and responsibilities of each one and (iv) the internal alert system.
• This content must be adapted to the nature of the risks, the functions performed, and the geographical areas.
• The objective of the training should be to improve understanding and knowledge about: (i) the associated processes and risks, (ii) breach of probity, (iii) due diligence and measures to be applied to reduce these risks, (iv) the behaviors to be adopted in the face of an improper request and (v) the disciplinary sanctions incurred in case of non-compliant practices.
• Specific themes must be addressed due to the participants’ roles and the specific risks they face. Corruption detection tools can be a topic covered in training for employees in charge of a control function.
• The establishment of indicators makes it possible to monitor the training system, including training outsourcing. These indicators may include the following items: (i) rate of training coverage in relation to the target audience and (ii) number of hours of training on compliance and anti-corruption system.
3. Third-party integrity assessment:
• Definition and objectives of third-party integrity assessment.
• Articulation of the evaluation system with other systems (including the fight against money laundering and the financing of terrorism, AML-CFT).
• Definition of third-party assessment methods.
• Methods for assessing the integrity of others.
• Assessment of the risk level of third parties.
• Conclusions to be drawn from third-party assessments.
• Due diligence measures to be implemented during a business relationship.
• Monitoring the contractual relationship with the third party.
• Renewal and updating of third-party assessments.
• Monitoring the third-party assessment process.
• Retention of third-party information.
We now move on to the third pillar, where the following recommendations are established from the perspective of detection:
1. The internal alert system:
• Definition and objectives, enabling the implementation of a channel for reports of misconduct.
• Articulation of the different alerting and centralization mechanisms in a single person responsible for their management.
• Organization of the alert system adapted to the company’s risk profile.
• Handling of complaints.
• Adequate communication of the internal alert system, insertion in the code of conduct, and elaborating a procedure that establishes clear rules.
• Filing of complaints and their handling, with the anonymity of the personal data of the people involved.
2. The monitoring system:
• The internal control and audit system’s contribution to the prevention and detection of risks of corruption.
• Companies generally have a general-purpose internal control and audit system, which can consist of up to three levels.
(i) The first-level controls aim to ensure that the tasks inherent to an operational or support process have been performed according to the procedures defined by the company and that they can be conducted by operational or support teams or by the manager, (ii) the second-level controls aim to guarantee, according to a predefined frequency or randomly, the proper execution of the first-level controls, whereas the second-level controls can be performed by the Compliance Officer, the quality function, the risk management function or, if any, the management control function, in particular, and (iii) third-level controls, also called “internal audits,” aim to ensure that the monitoring system meets the company’s requirements, being effectively implemented and updated.
• Anti-corruption accounting controls must: (i) ultimately ensure compliance with the same principles as general accounting controls (regularity, fairness, and fidelity of accounting and financial transactions), (ii) detect transactions without cause or justification (payments that are, in whole or in part, without cause and are used to finance a slush fund, or “cashier two”) and (iii) be based on the same methods as general accounting controls and include, for example, controls by sampling, by consistency review, by comparison with physical reality (inventory) or by confirmation by third parties.
• The formalization of anti-corruption accounting controls must take into account: (i) the object and scope of the controls, (ii) the roles and responsibilities in their implementation, (iii) the methods of sampling the operations to be verified, if applicable, (iv) the definition of a control plan, (v) incident management methods and (vi) the materiality limit or criterion that should lead to a control.
• Risk accounting entries must be examined and validated by an employee other than those who recorded them.
• Cross-validation between employees is satisfactory for entries below a defined threshold. Entries above this limit must require validation by management.
• Sampling methods must be defined based on a preliminary analysis of the various inputs and risks involved to allow representativeness.
• Accounting audits must cover all accounting systems to ensure that anti-corruption accounting controls comply with business requirements, are effectively implemented, and kept up to date.
• The correction of identified deficiencies also feeds an update of the corruption risk map and can be the subject of additional illustrations in the code of conduct and training materials dedicated to preventing corruption in coordination with the Compliance Officer.
• If the irregularity indicates suspicion or facts related to corruption, it must be immediately reported to the Compliance Officer and the company’s top management.
• Anti-corruption accounting controls can be implemented: (i) internally, by accounting and financial services or by specialized services (shared service centers, management control, internal audit, etc.) made available by the company for this purpose and (ii) externally, by third parties that the company contracts for such purpose.
3. Monitoring and evaluation of the anti-corruption system:
• This monitoring must meet four objectives: (i) monitor the implementation of anti-corruption measures and test their effectiveness, (ii) identify and understand deficiencies in the implementation of the procedures, (iii) define recommendations or other appropriate corrective measures, if necessary, to improve the effectiveness of the anti-corruption system and (iv) detect, where appropriate, facts of corruption.
• For each of the controls, there must be the object and scope, the person(s) responsible for the control, the appropriate control method (the type of measurement, supporting documents, analysis, and evaluation), and the sampling based on a risk analysis. Likewise, the plan must provide for the periodicity of the control, the formalization envisaged, the communication of the control results and the corrective measures that can be implemented, and the procedures for keeping documents related to the controls.
• If the irregularity indicates suspicion or reveals facts related to corruption, it must be immediately reported to the Compliance Officer and the company’s top management.
• Anti-corruption accounting controls can be implemented: (i) internally, by accounting and financial services or by specialized services (shared service centers, management control, internal audit, etc.) made available by the company for this purpose and (ii) externally, by third parties that the company hires for such purpose.
• The identification of the types of monitoring to be implemented.
Still with respect to the third pillar described above, the following recommendations are established from the perspective of remediation:
1. Management and monitoring of observed deficiencies:
2. Disciplinary regime:
• Covers all measures that a company reserves the right to take in the event of behavior considered unlawful.
• In companies with at least 20 employees, internal regulations are mandatory.
• The sanction can then be pronounced against an employee only if provided for in the internal regulations.
3. Principle of sanctions ranking:
• The disciplinary sanction must be proportional to the fault committed.
• When violations of the duties of integrity and probity of personnel are discovered, disciplinary proceedings must be brought against them, with proportional sanctions imposed.
• Senior management is not obliged to wait for a criminal decision to be issued before applying disciplinary sanctions if the facts are proven, and their seriousness justifies it.
4. List of sanctions:
• The company can establish disciplinary sanctions to be applied to its employees, which favors the strengthening of risk control mechanisms for breach of probity.
5. Internal communication:
• The disclosure of disciplinary sanctions, in a format that guarantees total anonymity, can be determined by senior management to recall the zero-tolerance policy regarding any behavior contrary to integrity and probity.
Finally, the guide adds a section entirely dedicated to public entities, with provisions similar to those described here but adapted for the public service.