On July 4, the French Anti-Corruption Agency (AFA) issued its first decision on whether a company should be sanctioned for an insufficient corruption prevention program, pursuant to the landmark 2016 Law Sapin II (article 17). As per the law, the decision was made by a “Sanctions Commission” set up within the AFA but independent from the AFA Director.

To the dismay of many at the AFA and in the French compliance community, the Sanctions Commission declined to sanction the respondent company, on the grounds that its anti-corruption compliance program was in line with the Sapin II law.

While the AFA Director and his team could certainly have used a stronger enforcement message for a start, a careful reading of the decision leads to a nuanced appraisal from a compliance perspective. It is important to understand, in particular, that the decision is based on the state of the company’s compliance program at the date the decision was made (July 4, 2019) and not at the date of the AFA’s first audit notification (October 17, 2017).

By declining to sanction the company, what the Sanctions Commission did in substance was to reward the company for its improvements, under the AFA’s guidance and pressure, since the start of the audit procedure. So, in a strange way, the decision may be seen as a victory for AFA teams who have succeeded in pushing an initially non-compliant company to the level required by the Sanctions Commission. This dynamic approach is interesting, as it creates strong incentives for audited companies to quickly beef up their compliance program, in hopes of convincing the Sanctions Commission to not impose sanctions.

But this approach may also encourage a “wait-and-see” attitude from companies that have not yet been audited by the AFA, as the audit notification seems to trigger a remediation period.

The Sanctions Commission also lost, in my view, an opportunity to take a strong stance on the key issue of the effectiveness of the compliance program.

Sapin II enjoins companies to set up anti-corruption “measures” and “procedures” but does not explicitly state that these procedures must be effective. As all anti-corruption compliance professionals know well, this notion of “efficacy” is key to the approach of U.S. and UK regulators. It is also common sense: a compliance program that is not implemented to a sufficient degree is simply useless to everybody, a mere fig leaf.

The July 4 decision of the Sanctions Commission remains somewhat ambiguous here. In particular, when it comes to evaluating the third-party due diligence scheme of the respondent company, the Sanctions Commission first notes that the scheme and procedures “exist” (§33) and then moves on to consider how they have been rolled out company-wide (§34). This strongly suggests that the Commission is evaluating the implementation and effectiveness of the procedures beyond their mere existence on paper. But this important point could have been made more explicit for everybody to understand.

Also, to exonerate the company from any breach of Sapin II when it comes to third parties, the Sanctions Commission seems to rely only on the fact that the headquarters had distributed to the subsidiaries a “Group Master Plan” and that the company’s Risk Director had stated that the evaluation of third parties had been accomplished in 30 out of the 44 countries of operation. Anybody who has ever set up a third-party monitoring scheme in a multinational company will recognize that there is a significant gap between issuing a “Group Master Plan” and having an effective company-wide third-party scheme in place.

While I am not privy to the details of the company’s achievements when it comes to third parties, I find the reasoning of the Sanctions Commission here quite superficial and not commensurate with the importance and difficulty of setting up a good third-party monitoring scheme.