Sapin 2: deciphering the AFA's final recommendations

What recommendations?

This publication has been long awaited by both public and private entities that are subject to it, allowing them to initiate, continue or finalize their compliance procedures within a clearer normative framework.

As with its interim recommendations, the AFA outlines its recommendations measure by measure:

1- The commitment of the governing body 

Although not explicitly mentioned in Article 17 of the Sapin 2 law, the AFA considers the commitment of the governing body to be the initial step in the implementation of a compliance program worthy of the name. According to the AFA, this commitment can be broken down as follows:

• The implementation of a zero tolerance policy towards corruption risks

In practical terms, this means that companies must allocate the necessary resources to prevent and detect corruption. It also means adopting a firm attitude towards cases of corruption through an effective disciplinary system.

• Integrating anti-bribery into company policies and procedures, which may include adopting a policy or setting up a whistleblower system
• Governance of the corruption prevention and detection program

This implies the appointment of a compliance officer in charge of steering, deploying, implementing, evaluating and updating the anti-corruption program adopted by the entity in question.

• The adoption of a communication policy both for employees and for the various external partners.

2- The anti-corruption code of conduct

The AFA has clarified certain uncertainties. It confirms the possibility of integrating the code of conduct into the internal regulations. The latter may refer to detailed sheets or be common to all companies of a group, provided that this does not make it less effective.

The AFA reminds us that it must be used wherever the entity carries out its activity and that it can be a communication tool for third parties.

3- The internal alert system 

The final recommendations provide clarifications concerning the implementation of two different alert systems under Articles 8 and 17 of the Sapin 2 Law, which creates a problem of legibility for employees.

According to the AFA, when setting up a single system, companies must be able to discriminate between whistleblowers according to the regime to which they belong. Otherwise, they should extend the legal whistleblower regime to all reports.

4- Risk mapping 

The development of a risk map is one of the measures required by Article 17 of the Sapin 2 law. According to the AFA, "insofar as the risks identified by the corruption risk map determine the content and level of detail of the anti-corruption compliance program, organizations should focus their compliance efforts on this map".

These risks, according to the AFA, must be identified by taking into account the particularities of each organization: geographical area, sector of activity, process and business, stakeholders.

The agency no longer requires an exhaustive knowledge of risks, the important thing is that the knowledge of risks is precise. This does not make the mapping exercise any less demanding for the entities that are subject to it. The AFA confirms the need to cover both managerial and operational processes, involving the various levels of the hierarchy.

5- The training system 

The final recommendations focus on raising awareness among all staff through various types of training: thematic training on risky activities, basic training on corruption, and specific training on the whistleblowing system, which must be adapted to the employee's level of exposure to risk. No reference was made to the training of external employees.

6- Accounting control procedures 

Article 17-II-5 of Law No. 2016-1691 of December 9, 2016 requires the implementation of "accounting control procedures, whether internal or external, designed to ensure that books, records and accounts are not used to conceal acts of corruption or influence peddling."

According to the AFA's recommendations, the company should not create a new accounting procedure but "integrate the fact that the risk of concealment of corruption is one of the risks of irregularity, insincerity and infidelity in accounting documents".

Those responsible for auditing accounting documents must be "aware of this risk and of the importance of preventing and detecting corruption".

Accounting control procedures can be implemented both internally and externally. At the internal level, three levels of control are recommended:

1. An initial check by the people in charge of entering and validating the accounting entries,
2. A second control by sampling by persons independent of those who carried out the first level controls,
3. A third control through internal audits.

7- Third party evaluation procedures 

The implementation of third-party assessment procedures is the most dreaded obligation for companies subject to the Sapin 2 law. This obligation requires companies to put in place assessments to identify and measure "the corruption risks to which the organization entering into or continuing a relationship with that third party is exposed."

Not only does this obligation drastically change the way companies approach their relations with third parties, but it also places a considerable amount of work on their shoulders.

The assessment procedures consist mainly of collecting information on third parties, verifying their presence and that of officers, beneficial owners and directors in the sanction lists, and verifying the presence of politically exposed persons among the officers, directors or beneficial owners.

These procedures did not change significantly with the final recommendations. However, it is interesting to note that theAFA has decided to give this application a much broader scope. Beyond what is provided for by the Sapin II law, which limits due diligence to first-tier customers and suppliers and intermediaries, the AFA believes that checks should be carried out on all third parties with whom the company is in contact or wishes to enter into contact, prioritizing those identified by the risk mapping.

It should be noted that the triple level of control recommended by the AFA as well as the large number of monitoring indicators may constitute a real fear of cumbersome processes for companies, although they are necessary in principle to ensure the proper application of the measures in question.

8- An internal control and evaluation system 

The implementation of an internal control and evaluation system for the compliance program is an ultimate obligation under the Sapin 2 law.

The purpose of such a system is to test the effectiveness of the preventive measures put in place, as well as to identify and understand the shortcomings in their implementation in order to put in place the necessary corrective measures to ensure greater effectiveness.