Sapin II Legal Brief: New Compliance Regulations in France
Nadège Dallais–Counsel, Baker & McKenzie Paris
This white paper outlines the central facets of the regulations and recommendations of Sapin II, who they impact, why they are important and practical recommendations for how companies can comply with these new legal requirements.
The long-awaited French anti-corruption and whistleblower-protection legislation, Sapin II, was issued on 9 December, 2016 and the more substantial new anti-corruption requirements came into force on 1 June, 2017 for companies/groups with at least 500 employees. A recent government decree of 19 April, 2017 has also set out legal requirements which will come into force on 1 January, 2018 for companies with at least 50 employees in France and a decision of the French Data Protection Authority (CNIL) dated June 22, 2017 has additionally widened companies’ whistleblowing reporting obligations.
Complying in a Globalised Economy
There is no doubt that global compliance standards are converging, and with the growing scrutiny that comes from the never-blinking eye of social media, ethics and compliance professionals often find themselves faced with a dual challenge: that of staying up to date and aligning with compliance regulations from multiple jurisdictions, whilst instilling a strong ethos that permeates through the business across all geographies.
Prudent ethics and compliance professionals would therefore be wise to pay attention to new laws and updates to existing regulations in any country in which they do business. This can seem a daunting task; however, there are a number of steps that can ease this process whilst advancing the firm’s ethics and compliance culture in a global context. Before we look at those, we present an overview of the new compliance laws in France.
What You Need to Know – a Snapshot of the Law
Below we have provided a broad summary of the fundamental features of Sapin II. However, we recommend that companies affected by this legislation obtain professional legal advice if they are in any doubt as to its implications for their business.
Further details of Sapin II can be found at:
Purpose of the law |
To prevent corruption, establish increased transparency, reinforce companies' internal monitoring and risk management obligations and enhance protection for whistleblowers, aiming to bring France into compliance with international standards in transparency and the fight against corruption. |
When does it come into effect? |
For companies in France with at least 500 employees (or companies belonging to a group of companies whose parent company is headquartered in France and whose workforce includes at least 500 employees) and with consolidated revenues in excess of EUR 100 million: | The requirement for these companies to take measures to prevent and detect acts of corruption or influence peddling, in France and abroad, came into force on 1 June 2017. |
For companies with at least 50 employees in France: | The requirement for these companies to implement appropriate whistleblowing procedures will come into force from 1 January 2018 |
What has changed / is changing? |
For all companies: | - A national regulatory body has been created to detect and prevent corruption – the Agence Française Anti-corruption (AFA).
- A new general definition of ‘whistleblowers’ has been introduced across all industries and sectors to enhance whistleblower protection.
Whistleblowers are defined as any individual who reveals or reports, selflessly and in good faith: - a crime or misdemeanor
- a serious and obvious breach of: (a) an international commitment duly ratified or approved by France; (b) a unilateral act/decree of an international organisation adopted on the basis of such commitment; or (c) a law or regulation
- a serious threat or harm to the public interest, of which he/she has had personal knowledge
Disclosure of matters involving national defence, confidential medical issues or legal privilege are excluded from the scope of protection and cannot be disclosed. |
For companies in France with at least 500 employees (or companies belonging to a group of companies whose parent company is headquartered in France and whose workforce includes at least 500 employees) and with consolidated revenues in excess of EUR 100 million: | These companies are required to actively manage corruption risks and to take appropriate measures and implement effective compliance programmes to prevent and detect acts of corruption or influence peddling, in France and abroad. The requirements include the implementation of: - A code of conduct defining and illustrating prohibited conduct that may be seen as acts of corruption or influence peddling
- An internal reporting procedure to collect reports from employees who witness conduct or situations that infringe the code of conduct
- Regularly updated risk mapping to identify and analyse the company’s risk of exposure to corruption
- Processes to review third parties (clients, direct suppliers and intermediaries) for risk mapping purposes
- Internal and external accountancy control procedures
- Training programmes for executives and employees most exposed to acts of corruption or influence peddling
- A disciplinary procedure to implement disciplinary action against employees for violation of the code of conduct
- An internal monitoring and assessment system of the measures implemented
Sapin II requires these measures to have been implemented by 1 June 2017. In companies where this has not yet happened, we recommend implementation takes place as soon as possible |
For companies with at least 50 employees in France: | Companies should implement ‘appropriate’ whistleblowing procedures to collect reports from their staff and external and occasional business partners. Reports should be brought to the attention of a supervisor, the employer or a designated representative. ‘Appropriate’ procedures ought at a minimum clearly identify how a whistleblower should: - Bring the report to the attention of a supervisor, the employer or designated representative
- Provide the facts, information or documents which make up the report
- Provide details to enable a dialogue with the recipient to take place, if necessary
‘Appropriate’ procedures should also clearly identify how an employer or other responsible person or entity will: - Immediately inform the whistleblower of: (a) receipt of the report; (b) a (reasonable) timeframe for the report to be considered; and (c) how he/she will be informed of any follow-up actions to the report
- Ensure strict confidentiality of the whistleblower’s identity, the facts and the people identified in the report
- Destroy reports which do not lead to a specific investigation (within 2 months from the end of the period for the report to be considered)
Affected companies may wish to consider implementing an automated whistleblowing hotline, to ensure reports are treated in a confidential and consistent manner. For companies of all sizes, it is also important to note that the implementation of Sapin II’s requirements will have implications in terms of: - Data processing: companies must comply with the requirements set by the French Data Protection Authority (CNIL) in the arrangements they implement
- Regulatory compliance: aspects of compliance programmes may need to be incorporated into a company’s Internal Regulations, requiring prior consultation with employee representatives, and the provision of information to the French labour authorities
|
Why is this important? |
For all Companies: | Sapin II is the first time that French law has placed an obligation on companies to implement comprehensive measures to prevent and detect acts of corruption or influence peddling in France or abroad. Companies can face fines for non-compliance with new legal requirements (in addition to existing criminal penalties for acts of corruption or influence peddling). In particular, the disclosure of confidential information while processing a report can be punished by up to two years’ imprisonment and a fine up to EUR 30,000. In addition, interfering with the communication of a report to the responsible person is punishable by a fine up to EUR 15,000 and up to one year’s imprisonment. |
For companies in France with at least 500 employees (or companies belonging to a group of companies whose parent company is headquartered in France and whose workforce includes at least 500 employees) and with consolidated revenues in excess of EUR 100 million: | These large companies will need to implement a full compliance programme. The AFA will actively police compliance with Sapin II, and is entitled to conduct “on-site” investigations. Where an effective compliance programme is not in place, the AFA may issue a warning to the company, and may impose financial penalties (up to EUR 200,000 for an individual, or EUR 1,000,000 for a legal entity), and details of financial penalties may be made public. |
For companies with at least 50 employees in France: | Smaller companies who have not previously needed to be concerned with compliance issues in this area will now need to take “appropriate” measures to collect reports of all forms of whistleblowing that fall within the new SAPIN II definition. |
What Should I Do Now?
Companies should follow the new legal requirements which, in light of their headcount and revenue, apply to them, to ensure that they comply with French law. Companies belonging to an international group may already have similar compliance schemes in place and they should verify whether they comply with the new rules in France and adjust their existing schemes if need be.
1. Supercharge Your Ethics & Compliance Programme Effectiveness
Compliance professionals need to commit to core programme elements that improve their organisational culture. This can be done by clearly defining programme effectiveness and committing to using industry-leading best practices to improve organisational culture. To do so, ethics and compliance professionals must know:
- How to leverage the effectiveness of an E&C programme through its entire lifecycle
- Best practice approaches for implementing, maintaining and improving core E&C programme elements
- Specific ways organisational culture can make or break a programme and keys to supporting a healthy culture
2. Inspire Ethical Behaviour with a Fresh, Innovative Approach to Your Code of Conduct
A code of ethics is the foundational document of every company’s ethics and compliance programme—and one of the first pieces of information an employee reads. Because the code is a vital policy, true leaders make a commitment to regularly use fresh, innovative approaches to inspire employees to meet its standards. Getting the most out of your code requires:
- Learning the key steps to assess and build (or re-build) a code to ensure it is working hard for your organisation
- Understanding how to ensure that your code is fully enforceable under local laws (in particular by complying with the French specific implementation process) • Reviewing examples of cutting-edge codes and incorporating best practice elements
- Understanding the opportunities presented by interactive digital codes and how they can connect with and support other elements of your E&C programme
3. Engage Your Board with a Compelling Board Reporting Strategy
A well-executed board reporting strategy helps ethics and compliance programmes gain credibility and visibility while increasing board support and engagement. As part of your engagement strategy, make sure to use:
- Criteria to benchmark your current board reporting protocol against best practices
- Memorable and effective board reports
- Sample content and metrics from leading reports
4. Build a Strong, Defensible Third Party Risk Management Programme
As regulatory scrutiny and high-profile cases increase, compliance professionals need to be asking more questions than ever about effective management of third party risks. In order for you to stay ahead of these trends, you need to understand:
- The difference between a third party risk management approach that withstands regulatory scrutiny and one that does not
- Best-practice guidelines for auditing third parties
- Industry-leading frameworks to use to assess your third-party corruption risk
5. Stay Ahead of Emerging Workplace Behaviour Risks with Training and a Strong Whistleblowing Programme
Cultural and socioeconomic trends impact workplace behaviour—and behavioural risk. Skyrocketing social media use, changing recreational drug laws, use of personal mobile devices and a multitude of other security and privacy threats are forcing organisations to stay on top of their evolving risk profile. To stay ahead of the curve, and your employees, make sure you know:
- How to write and manage policies that mitigate organisational risk within a rapidly changing legal landscape
- How to successfully navigate differences in national and international regulations
- Fresh approaches for training employees on appropriate workplace behaviour, and strengthening a culture of compliance, both through physical awareness building (such as posters and banners) and also through your company’s intranet
- The role language plays in changing internal culture. For example, move away from negative expressions such as ‘whistleblowing hotline’, and instead use terms such as ‘Ethics Hotline’ or ‘Speak-Up Hotline’
6. Know how to Navigate the EU Regulatory and Cultural Landscape
As the new French law and Italian proposals show, ethics and compliance professionals across the EU, and globally, are faced with the challenges of navigating the complex maze of different laws and regulations, as well as the vast and inherent cultural differences across countries. To ensure your E&C programmes flourish in EU countries, you need to be aware of how to:
- Maintain programme momentum
- Deepen and mature your programme
- Ensure your programme stays ahead of the curve (steps 1 to 5)
Best Practices to Comply
The new French Sapin II legislation demonstrates the importance of paying attention to global compliance standards. In today’s globalised economy, operational boundaries can become quickly blurred, and companies must be wise to legislation that affects them in any country in which they do business.
Whilst meeting international compliance requirements is essential for any company, prioritising an organisational culture – from the top down – which promotes integrity, ethics and respect, and supports employees in good decision-making, brings benefits far beyond basic compliance.
Foreign groups should be careful to tailor their whistleblowing mechanisms in order to take into account local requirements. In particular, in France, although Sapin II has now created heightened compliance standards in relation to acts of corruption or influence peddling in particular, the scope of standard employee whistleblowing in France is currently limited by the French Data Protection Authority (CNIL) to certain limited compliance topics.
Clear compliance policies, thorough employee information and regular training is key to promote an effective compliance programme.
How NAVEX Can Help
NAVEX Global provides speak-up or ethics (‘whistleblowing’) hotline services to thousands of companies around the world, helping employees, customers, suppliers and other stakeholders quickly and easily report potential ethics and compliance issues. Our hotline services also provide compliance professionals with the ethics & compliance data they need to inform their programme, making it easier to spot trends and take corrective action before minor issues become major.
For further information, visit our Whistleblower Hotline Intake page.
About NAVEX Global, Inc.
NAVEX Global is the worldwide leader in integrated risk and compliance management software and services. Our solutions help organisations manage risk, address complex regulatory requirements and foster an ethical, productive workplace culture.