
The emergence of compliance in France

For a long time, compliance in France was limited to anti-money laundering. While guidelines on the implementation of compliance programs had been published by the employers' union (AFEP-MEDEF) and by the Central Corruption Prevention Department ('SCPC'), compliance remained marginal among French companies. Unlike the United States and the United Kingdom, the French enforcement system did not offer any incentives for companies to embrace corporate governance and compliance.

Two laws recently enacted by the French Parliament radically changed the French regulatory landscape. The Law on transparency, anti-corruption and economic modernization (also called "Law Sapin II"), enacted on December 9, 2016, created an obligation for large companies to deter and prevent corruption. The second law, called the Law on the duty of vigilance of parent companies and contracting companies (also called "Law on duty of vigilance"), was enacted on March 27, 2017. It established a legal obligation to implement a compliance program focused on human rights, health & safety and environmental protection.

Anticorruption compliance

Sapin II created a legal obligation for corporations and their senior management to detect and prevent corruption by implementing an anti-corruption program.

The duty applies to:

  • Companies headquartered in France that employ over 500 employees and have an annual revenue of at least €100,000,000, or
  • Companies belonging to a group headquartered in France that employs over 500 employees and has a consolidated annual revenue of at least €100,000,000.

In the case of a group, the parent company must implement a compliance program in all its subsidiaries (including their foreign subsidiaries). Conversely, subsidiaries whose parent company has a Sapin II compliance program are deemed to comply with Sapin II.

To comply with the obligation, corporations must adopt an efficient anti-corruption compliance program consisting of the following:

a) A code of conduct prohibiting corruption and influence peddling,

b) A whistleblowing mechanism,

c) An ongoing risk mapping,

d) Due diligence procedures on clients, suppliers and third-party intermediaries,

e) Internal and external accounting controls,

f) Training programs,

g) Disciplinary sanctions for violations of the code of conduct,

h) Periodic reviews and evaluations of the compliance program.

Failure to implement sufficient and effective compliance programs can incur administrative fines of up to €1 million for corporations and up to €200,000 for individuals.

In addition to making the adoption of a compliance program a legal obligation, Sapin II created a new agency, the National Anti-Corruption Agency, to supervise and enforce the implementation of Sapin II.

The Agency was given broad investigative powers, including the power to request from public entities and corporations any document it deems relevant for the purpose of an investigation, as well as the power to conduct on-site investigations. The Agency's enforcement committee is entrusted with the power to impose fines on non-compliant corporations as described above. The first verifications led by the Agency started in October 2017. So far, the Agency has only targeted large companies.

In addition to its enforcement powers, the Agency is tasked with issuing anti-corruption recommendations and guidelines to the public and private sectors and with acting as an intermediary between companies and whistle-blowers. The Agency's Guidelines were published on December 22, 2017.

Companies that do not fall under Sapin II but have at least 50 employees are still obliged to implement a whistleblowing mechanism.

Sapin II prohibits retaliation against whistle-blowers provided they act in good faith. Evidence of good faith will in part depend on whether whistle-blowers follow the requisite steps to bring the issue to the employer's attention. Pursuant to Sapin II, whistle-blowers must follow these steps:

i) Whistle-blowers must inform their direct or indirect manager or, if applicable, any person appointed to receive alerts from whistle-blowers (e.g. compliance officers);

ii) If the above-mentioned managers fail to take appropriate measures within a reasonable time, whistle-blowers are allowed to send the alert to the relevant enforcement authorities;

iii) If the enforcement authorities fail to consider the alert within 3 months, whistle-blowers are allowed to make the alert public.

Whoever hinders whistle-blowers from sending alerts to the enforcement authorities and from making them public can incur a prison sentence of up to 1 year and a fine of up to €15,000.

Human rights and environmental compliance

The Law on the duty of vigilance gave rise to numerous debates before its adoption on March 27, 2017. The Law was even referred to the French Constitutional Council, which ultimately vetoed the possibility of imposing a civil fine on a company as a result of a failure to implement such a compliance program.

Notwithstanding the Constitutional Council's decision, the law entered into force on March 28, 2017 and the duty to prevent human rights and environmental violations became a legally binding obligation in France.

The obligation applies to:

  • French companies headquartered in France that employ at least 5,000 employees worldwide (including through direct and indirect subsidiaries); or
  • Foreign companies headquartered outside France, with French subsidiaries, as long as they employ at least 10,000 employees worldwide (including through direct and indirect subsidiaries).

Despite the seemingly wide scope of the law, this duty only applies to companies incorporated in France in the form of a société anonyme, a société en commandite par actions or a société par actions simplifiée. This, in practice, means that only companies incorporated in France are subject to the law.

To comply with the duty of vigilance, the above-mentioned companies must implement a compliance program similar to the one laid down in Law Sapin II. The vigilance compliance program must include:

a) A risk mapping;

b) Procedures to regularly assess risks associated with subsidiaries, sub-contractors, and suppliers with which the company has a commercial relationship;

c) Actions to mitigate identified risks or prevent the most serious violations;

d) A whistleblowing mechanism;

e) A procedure to assess the measures that have been implemented as part of the company's plan and their effectiveness.

Companies are expected to make their vigilance program public and include it in their annual reports.

Unlike anticorruption compliance, no new agency was created to supervise the implementation of the Law on the duty of vigilance. As mentioned above, the imposition of a civil fine as a result of a failure to implement a vigilance program was struck down by the Constitutional Council. However, the law provides that companies failing to comply with the vigilance duty will have to remedy the damage that "the execution of these obligations could have prevented". This alternative is based on the general law of civil liability (tort). Any concerned party will have standing to bring a civil liability action against the faulty company. In order to establish civil liability, one will have to prove that damages were caused by a breach of the company's vigilance duty. The mere fact of failing to implement a vigilance program is not sufficient to trigger civil liability.

* * *

Although the Law Sapin II and the Law on the duty of vigilance clearly draw upon the FCPA and UKBA compliance experience, France has decided to take a different approach by establishing new binding legal obligations on companies instead of creating incentives for companies to voluntarily subject themselves to compliance programs. It is particularly telling that the implementation of an anticorruption compliance program is still not considered a mitigating factor in the event of a criminal conviction.