The French Anti-corruption Agency updates its guidelines

As the year 2021 progresses, the French anti-corruption landscape gets a significant update, with the French Anti-Corruption Agency (AFA) updating part of the documentation it makes available to help organisations to efficiently prevent and detect corruption. As we approach the end of the first quarter of 2021, please find below an overview of the recent developments in this field which may have consequences for your organisations.

Most recently, on 12 March 2021, the AFA released an updated version of its practical guidance on anti-corruption verifications to be implemented in the context of mergers and acquisitions taking into account the decision rendered on November 25th, 2020 by the Criminal division of the Cour de cassation (Crim., 25 November 2020, No. 18-86.955, see our analysis here. The AFA sheds light on the role of the senior management and the “compliance officer” - in accordance with its recently updated guidelines – in the context of merger and acquisition deals.

This recent update follows another release, on 3 March 2021, by the AFA (on its website) of an English translation of the latest version of its guidelines - already updated in their original French version on 12 January 2021 - intended to help public and private sector entities to prevent and detect bribery, influence peddling and other related offences.

These new guidelines update the first version of the AFA’s guidelines issued on 22 December 2017. They come into force on 13 January 2021. Nevertheless, the AFA indicates that it shall not cite these guidelines in its audits performed until "six months after their entry into force" - ie in the context of its audits performed as of 13 July 2021. Companies have therefore six months to adapt or update their anti-corruption procedures and processes in the light of these new guidelines.

It should be noted that these guidelines are not legally binding and do not create any legal obligations for economic actors. They provide guidance in terms of methodology to be implemented to define a strong anti-corruption compliance programme that organisations may implement "in a manner proportionate to their risk profile". However, these guidelines - together with Article 17 of the Sapin II law - are the French anti-corruption standard. It is therefore appropriate to comply with them as far as possible.

In the context of this update, the AFA takes especially into account

• the lessons drawn from the practice of its audits carried out over the past three years; and
• the decisions rendered by the Enforcement Committee of the AFA on 4 July 2019 and on 7 February 2020.

Formally speaking, the AFA significantly revises the way it presents its guidelines, by establishing a common anti-corruption policy framework (for all organisations) that the AFA deems to be based on "three inseparable pillars", namely:

1. the commitment of the senior management;
2. using risk mapping; and
3. management of the identified risks by means of effective measures and procedures.

At least, the AFA encourages all companies to adopt an anti-corruption programme, including entities which are not subject to Article 17 of the Sapin II law, entities on which the AFA does not have any authority in terms of audit or sanction.

The AFA then strives to apply these generic provisions into specific guidelines for companies subject to Article 17 of the Sapin II law. Please find hereafter some key items which should be carefully considered by companies subject to the French anti-corruption obligation.

Senior management’s commitment. The AFA emphasises on this first pillar, which should be reflected in a personal commitment to the implementation and promotion of the anti-corruption programme especially ensuring that necessary and proportionate human and financial resources are dedicated and that appropriate sanctions are imposed in corruption cases.

To achieve this goal, the AFA does not hesitate to place the expression of this commitment on non-executive governing or supervisory bodies. While this pillar is not expressly provided for in Article 17 of the Sapin II law, companies audited over the past three years by the AFA were in position to note that it is a strong expectation which is expressly stated in the audit reports drawn up by the inspectorate team of the AFA at the end of its audits. The AFA also underscores the role of the compliance function and the importance of the resources made available to it by the governing body to carry out its mission.

Risk mapping. “Above and beyond the legal” provisions, the AFA advises organisations to have their anti-corruption programme addressing “a broader range of risks that are not explicitly mentioned in the legislation, but which could lead to or follow the offenses” mentioned in the Sapin II law such as the offenses of forgery or misuse of corporate assets or the offenses of concealment or laundering related to all of the targeted offenses.

As for the mapping methodology, according to the AFA, companies should be free to choose and implement the methods that seem the most adapted to their particularities (organisation, activities and processes). The AFA mentions certain good practices in this exercise such as conducting consultations which may take the form of workshops in addition to individual interviews and questionnaires to identify the risk scenarios that the company encounters in its activities. The AFA also underscores that companies should ensure the traceability of interviews and methodologies for assessing “gross” and “net” (or residual) risks, as well as the archiving of the different versions of the corruption risk maps submitted to senior management, their approval and the related approved action plans, and, if applicable, the minutes of the different committee meetings. The AFA also recalls that risk mapping is a dynamic and steering tool that should be kept up to date.

Risk management. According to the AFA, this third pillar encompasses all the other measures of the anti-corruption programme whose implementation is made mandatory under Article 17 of the Sapin II law, making a distinction between:

• risk prevention tools;
• detection tools; and
• monitoring and evaluation of the anti-corruption programme.

Although, the AFA has significantly overhaul the formal presentation of the different risk management tools and measures, they substantially remain the same, for example:

• Code of conduct: According to the AFA, it may be helpful to communicate the code of conduct to third parties, subject to any adaptations required to protect any confidential information that it may contain. It also mentions that third parties “should be bound to comply with the code of conduct by a contractual clause”.
• Awareness and training: The AFA emphasises on raising the awareness of all the company's employees and recommends that the training system should also cover the internal whistleblowing system.
• Third-party due diligence: The AFA specifies that the groups of third parties deemed to be risk-free or low-risk may require no due diligence or simplified due diligence, whereas groups deemed to present greater risks might require more thorough due diligence. In this respect, the AFA gives some additional examples of risk factors (duration of the relationship, foreign currencies, payment terms and means, etc.)
• Internal whistleblowing system: The AFA brings out more details on the different steps to be implemented by organisations with regards to submitting and processing the reports. In addition, the AFA now specifies the considerations when carrying out internal investigations into breaches of the company’s anti-corruption code of conduct and the follow-up actions to be taken.
• Monitoring and evaluation of the anti-corruption programme: The AFA suggests implementing indicators, such as the number of reports received, the processing time or the issues raised, and invites organisations to formalise this monitoring and evaluation system within a procedure. According to the AFA, this system includes accounting control and audit procedures – which were addressed separately in the first version of the AFA’s guidelines. The AFA also provides a practical table summarising the first, second and third “lines of defence” on which organisations should focus their monitoring.

Non-binding guidelines and presumption of compliance. While the AFA recalls - and rightly so - that its guidelines are not legally binding, it establishes a presumption of compliance based on the "comply or explain" principle. Thus, according to the AFA, in the event of an audit, a company stating that it has followed these guidelines shall benefit from a "prima facie" presumption of compliance. This presumption may be reversed only if the AFA demonstrates that the application of the guidelines was “ineffective, incorrect or incomplete.” Assuming a situation where a company decides not to follow some or all of the methods recommended by the AFA’s guidelines, such a company “cannot be presumed to be in compliance” with the Sapin II law prior to an audit. As a consequence, should the AFA disputes some or any of the company’s measures during an audit, it is up to the audited company to show that “its choices enable it to meet the requirements” of the Sapin II law. Under these conditions, such a prima facie (and rebuttable) presumption of compliance, should therefore be considered as a strong incentive to comply with the methodology defined by the AFA.

Do not hesitate to contact us for more details on the content of these updated guidelines and their potential impacts on your organisations.