On 22 December 2017, the French anti-corruption agency (L’Agence française anticorruption or AFA) published formal guidance to help private and public-sector entities detect and prevent corruption, influence-peddling, extortion by public officials, unlawful taking of interest, misappropriation of public funds and favouritism. For more information on the 2017 guidance, see this blog post.
On 12 January 2021, the AFA released an update of its previous guidance. The new guidelines will start applying to AFA inspections starting on or after 1 July 2021. These updated guidelines are not available in English yet, but the French version can be found here.
The guidelines not only clarify some issues addressed only generally by the 2017 recommendations but also formalise the way the AFA expects companies to address corruption risk.
The following changes are of particular note.
The presumption of conformity
The updated guidelines establish the principle that companies are presumed to have followed the AFA guidelines unless the AFA can show that the company applied the guidelines in a way that was ineffective, incorrect or incomplete.
A company can decide not to implement the AFA guidelines. In such cases, if the AFA challenges in the course of an audit all or part of the measures taken by the company, it would be up to the latter to show how it has otherwise met the requirements laid down by Sapin II, France’s anti-corruption law.
Designing and implementing risk-mapping
Risk-mapping aims to identify, analyse and measure an organisation’s exposure to bribery. The new guidelines define the role of the following individuals and groups in the development or promotion of risk-mapping:
- the ruling body (ie the board of directors or equivalent);
- the compliance officer;
- the managers of operational and accounting processes and other support activities;
- the chief risk officer; and
- employees.
The updated guidelines also provide more detail on developing risk-mapping. For example, it recommends improving exchanges between the individuals and groups listed above, more systematic and complete archiving of preparatory notes, and more extensive references in supporting risk-mapping.
Finally, the AFA specifies that risk-mapping must be adapted to each company according to its activities, size and structure.
Only corruption and influence-peddling covered
The updated guidelines now only cover the offences of corruption and influence-peddling. But they also state that an organisation’s anti-corruption processes should address risks that are not expressly covered by the text but are related to corruption and influence-peddling, eg the falsification or abuse of company assets, and the concealment and laundering of the proceeds of corruption and influence-peddling.
The three pillars of the anti-corruption framework
These are:
- tone from the top;
- risk-mapping (see above); and
- compliance measures.
For the first pillar, senior management should ensure that the aims, competencies and activities of the organisation are carried out without compromising the organisation’s integrity.
Training and awareness-raising
The updated guidelines detail how the AFA expects organisations to train their people and raise staff awareness of corruption issues.
Internal investigations
The AFA now specifies the considerations when carrying out internal investigations into breaches of the company’s anti-corruption code of conduct and the follow-up actions to be taken.
The internal investigation must be conducted by ’qualified persons designated by the company's governing body’ and be subject to ’strict obligations of confidentiality’.
A formal report must be produced that sets out all the facts and evidence gathered (both incriminating and exculpatory), how the investigation was carried out, and the legal and/or disciplinary action to be taken (if any).
The guidance also states that the governing body should be informed at the end of the investigation ‘when the suspicions appear to be sufficiently substantiated’, that the risk map should be updated if necessary, that legal action should be taken (if necessary) and that disciplinary action should be taken if the behaviour is contrary to the code of conduct.
Note that, while Sapin II requires organisations to have an alert system, it does not require organisations to launch an internal investigation into every alert received.
AFA's guidelines on the gathering of evidence are not binding but should nevertheless play a central role in the design and deployment of risk maps.
Sanctions for misconduct
The AFA guidance has a whole section on this topic, recommending in particular that sanctions are proportionate to the misconduct.
The code of conduct
The guidance does not go into much detail about what content is required in a code of conduct. However, the guidance recognises that the code of conduct can be integrated into a broader ethics and compliance system and, above all, suggests how the code of conduct might work alongside documents relating to risk-mapping, and internal policies and procedures.
Careful consideration should be given to these guidelines, alongside any further clarification the AFA produces.