chevron-down Created with Sketch Beta.


New French Guidelines for Required Compliance Programs

Bruce J Casino


  • Recent guidance for the anti-corruption compliance programs required by French law is required reading—not simply for French-based corporations but for all United States and other non-French companies that have operating subsidiaries in France.
  • The reputation of France with respect to corruption has suffered in light of highly publicized international bribery cases.
  • Sapin II extended the territorial scope of corruption offenses to non-French individuals and corporate entities.
New French Guidelines for Required Compliance Programs
Alexander Spatari via Getty Images

In January 2021, the French Anti-Corruption Agency (Agence Française Anticorruption (AFA)) published its new compliance program guidance, The French Anti-Corruption Agency Guidelines, effective July 13, 2021. This very detailed guidance for the anti-corruption compliance programs required by French law is required reading—not simply for French-based corporations but for all United States and other non-French companies that have operating subsidiaries in France. The release presents an occasion to review the groundbreaking and far-reaching French anti-corruption law that the new rules implement.

That law is known as “Sapin II,” after the Finance and Economy Minister behind it. The law, which entered into force in 2017, requires companies of a certain size to put in place a compliance program to prevent and detect acts of corruption in France or abroad and to protect whistleblowers. The guidelines provide an extensive checklist of elements that all company compliance and whistleblower programs should consider including, wherever they may be located.

Sapin II, Reputation, and Corruption

The reputation of France with respect to corruption has suffered in light of highly publicized international bribery cases. France is ranked only 26th out of 180 nations for perceptions of corruption, according to the Corruption Perceptions Index 2020, published by Transparency International—with the No. 1 ranking going to the least corrupt nation. This places France immediately behind the United Arab Emirates and Uruguay, but ahead of the United States. (29th). Three of the ten largest U.S. Foreign Corrupt Practices Act (FCPA) settlements ever have been with French companies.

Sapin II was meant to increase France’s reputation and bring French anti-corruption law on par with U.S. and British laws. There had been criticism by international organizations that France was not enforcing its anti-corruption laws, including a failure to ever prosecute a firm for bribery abroad. There was also a concern in France that the U.S. imposition of massive fines against French companies under the FCPA was taking penalties that should go to France and undermining French “judicial sovereignty.”

In some ways the French law is even tougher than the FCPA and the U.K. Bribery Act. For instance, the French law requires compliance programs, whereas the U.S. and U.K. laws do not. The failure to have a compliance program violates French law, whether there was actual bribery or not. The law also has extraterritorial provisions like the U.S. and British laws, which makes France another major nation aggressively claiming jurisdiction over offenses occurring in other nations.

Considering that the French Minister of Justice reported 131 convictions in corruption cases in 2018, it appears that the law has spurred anti-corruption efforts in France.

Application of Sapin II

Sapin II imposes compliance program requirements on two categories of companies. First, the law covers companies in France with at least 500 employees, whether or not they are foreign owned. Second, the law covers companies belonging to a group of companies whose parent company is headquartered in France and whose workforce includes at least 500 employees worldwide. In both cases, there is also a requirement of consolidated revenues in excess of €100 million. For companies with at least 50 employees in France, the whistleblowing program requirements also apply.

The guidelines make clear, however, that the AFA recommends that all companies follow the compliance program and whistleblowing guidelines in a manner that is appropriate given their size.


Sapin II created a new anti-corruption agency, the AFA, a national regulatory body operating under the authority of the French Minister of Justice and Minister of Budget; and the AFA created the guidelines to implement the law. Companies following the guidelines “shall benefit from a prima facie presumption of compliance” with Sapin II, according to the AFA. An English translation has been provided by the AFA. AFA, The French Anti-Corruption Agency Guidelines (Dec. 4, 2020).

Designed to detect and prevent corruption, the AFA has both investigative and supervisory or monitoring powers, as well as the power to impose administrative sanctions in relation to compliance programs. It is entitled to conduct “on-site” investigations. In particular, it has the following key responsibilities:

  1. Assisting both the public and private sectors in the prevention of corruption
  2. Ensuring that companies have implemented the required compliance programs
  3. Reporting violations to prosecutors
  4. Monitoring companies

The agency has the power to obtain documents from companies and to fine companies and individuals for failing to disclose information or for failing to have the necessary compliance program. When a company has not implemented an effective compliance program, the AFA may issue a warning to the company or may impose financial penalties (up to €200,000 for an individual, or €1 million for a legal entity). Details of financial penalties may be made public, with attendant bad publicity.

The AFA, however, does not prosecute. If it finds evidence of a crime, it refers the case to the French public prosecutor, the parquet national financier (PNF). The PNF is the lead French agency charged with investigating and prosecuting bribery and corruption cases.

AFA Guidelines: Contrast with DOJ Guidelines

The extensive 83-page guidelines document has 595 numbered points, half having to do with compliance for public entities. The Department of Justice (DOJ) guidelines on the same subject, “Evaluation of Corporate Compliance Programs,” covers much of the same territory, although in less detail. See Crim. Div., U.S. Dep’t of Just., Evaluation of Corporate Compliance Programs (June 2020).

There are, of course, differences. For instance, the DOJ guidance mentions the important need to evaluate how middle management has reinforced compliance standards and encouraged employees to abide by them. The French guidelines focus only on senior management.

Guidelines’ Requirement: Implementation of a Compliance Program

The United States offers penalty reductions for preexisting and remedial compliance. The U.K. goes one step further, creating a statutory defense for “adequate procedures,” meaning reasonably good preexisting compliance measures. But neither country legally requires antibribery compliance. Put another way, under the U.S. and U.K. systems, failure to adopt an antibribery compliance program is not, in and of itself, illegal. In practice, this can mean that no—or only a weak—compliance program is put in place until either a government investigation begins and the government asks about the compliance program or a compliance program is required as part of a settlement with the DOJ and U.S. Securities and Exchange Commission (SEC), or British authorities.

Sapin II does not provide for a compliance program defense like the one provided under the U.K. Bribery Act but rather requires companies of a certain size to adopt an effective compliance program. This approach is more aggressive and may become a template for other countries looking to strengthen their anti-corruption regimes.

The required compliance program must include the following elements:

  1. A code of conduct that has to be part of the company’s internal regulations
  2. An internal whistleblowing program to report violations of the code of conduct
  3. A corruption risk-assessment process intended to identify risks according to the business lines and geographical areas where the company operates
  4. Procedures for conducting due diligence on clients, suppliers, and third parties
  5. Accounting controls
  6. Training sessions for executives or employees in high-risk positions
  7. Disciplinary procedures for employees
  8. A procedure for assessing/measuring the effectiveness of the compliance program

The requirements to meet each of these elements are elaborated upon in considerable detail in the guidelines and are separated into three “inseparable pillars”: commitment of senior management, knowledge of risks through risk mapping, and risk management.

A corporate entity and its management are both responsible for implementing the compliance program; and if they fail to do so, they may both incur criminal liability. When the AFA identifies a failure to comply, it can order the company to adopt a corruption prevention and detection compliance program within a set time period and also can impose financial penalties and publication of its decisions, as noted above.

Guidelines’ Requirement: Implementation of a Whistleblower Program

Sapin II enshrined new protections for whistleblowers. Whistleblowers are defined as any individuals who reveal or report, selflessly and in good faith, a crime, a serious and obvious breach of law or international commitment, or a serious threat or harm to the public interest, of which they have personal knowledge.

The law provides that a whistleblower must first make a report to a direct or indirect supervisor or a person appointed for this purpose. If this is not followed by any action, the whistleblower can make a report to a court or relevant administrative authority (such as a health-care agency if the whistleblower concern relates to health and safety) or to an association dedicated to assist whistleblowers. As a last resort, the whistleblower can make a report to the public, the press, or the public Defender of Rights (Défenseur des droits), a kind of ombudsman’s office that will help direct it to the relevant authorities.

Companies must implement whistleblowing procedures to collect reports from their employees and business partners. All of these requirements are elaborated upon in some detail in the new guidelines. Procedures must clearly identify how a whistleblower should bring the report to the attention of a supervisor, the employer, or the employer’s designated representative; provide the facts, information, or documents that make up the report; and provide details to enable a dialogue with the recipient to take place, if possible.

Procedures should also clearly identify how an employer or other responsible person or entity will immediately inform the whistleblower of receipt of the report, a (reasonable) time frame for the report to be considered, and how the whistleblower will be informed of any follow-up actions to the report.

An employer must ensure strict confidentiality of the whistleblower’s identity, the identity of the person on which the report is made, and the information and facts reported. The disclosure of these elements is subject to a criminal conviction with up to two years of imprisonment and a €30,000 fine. An employer must also destroy reports that do not lead to a specific investigation. This provision reflects the strong French interest in data privacy and its data privacy laws. There is no parallel provision in U.S. law.

Interfering with the transmission of a whistleblower report to the employer, the courts, or authorities is punishable by up to one year of imprisonment and a €15,000 fine. In addition, of course, there are the existing criminal penalties for the acts of corruption (or influence peddling) that are the subject of the report.

Moreover, Sapin II prohibits discrimination in employment against whistleblowers, including in the hiring process; access to internships; or professional courses, assignments, or salary.

The public Defender of Rights may grant, on request, financial assistance to a whistleblower in certain circumstances. However, Sapin II does not provide for an incentive system for whistleblowers like those in place in the United States, where the whistleblower can receive a portion of the fines imposed on the company that breached its obligations.

Deferred Prosecution Agreements

Sapin II introduced a criminal settlement procedure for corporations called the judicial convention in the public interest (Convention judiciaire d’intérêt public (CJIP)) for such offenses as corruption, influence peddling, and laundering the proceeds of tax fraud. This procedure is similar to the deferred prosecution agreement (DPA) in U.S. and U.K. laws.

A CJIP was first used in the 2017 HSBC Private Bank Suisse SA case, in the context of an investigation for money laundering of the proceeds of French tax fraud of €1.6 billion. HSBC paid a fine of €300 million. Two former executives were separately criminally prosecuted. Airbus also used this procedure in its US$4 billion bribery settlement with France, the United States (under a DPA), and the U.K. in the context of its self-reporting and the predisclosure implementation of preventive measures.

CJIPs do not amount to an admission of guilt. An agreement has to be approved by the relevant regional court after a public hearing. However, the decision of the court to approve the agreement does not constitute a conviction, nor is it registered in the criminal record, which avoids automatic debarment from public procurement contracts. Instead, a CJIP simply puts an end to government action and ensures that information provided by a company as part of an investigation under this law cannot be used for potential future criminal proceedings. The victims may claim damages before a civil court, but the government cannot.

CJIPs are available only to corporations, not individuals. Individual representatives of the company accused of corruption are not covered and remain liable.

A CJIP may impose the following sanctions:

  1. A fine
  2. Implementation of a compliance program for a maximum period of three years
  3. Indemnification of any known victim, with payment having to be made within one year
  4. AFA monitorship

As is required in the United States, the monitorship is paid for by the company. Unlike in the United States, however, a ceiling on the monitorship cost is placed in the settlement agreement. The amount has varied from €200,000 for a relatively small case to €8.5 million in the US$4 billion Airbus settlement. The monitorship cost ceiling in the Airbus case seems low in contrast to U.S. monitorship costs, given the size of the settlement.

Since the law went into effect in 2017, there have been at least 11 CJIPs put in place, six having to do with anti-corruption. All of the anti-corruption CJIPs have imposed a monitorship by the AFA.


Sapin II extended the territorial scope of corruption offenses to non-French individuals and corporate entities. Under the law, French criminal law was made applicable when acts of corruption (or influence peddling) are committed outside of France not only by a French citizen or by a person usually residing in France but also by a person or entity “carrying out all or part of his economic activity on the French territory.” It is unclear whether the simple entry into a contract in France, sale of a product in France, solicitation of French clients, or payment of dividends to French companies constitutes the requisite “part of the economic activity.”

The United States has been criticized for its expansive view of the extraterritorial jurisdiction it asserts. It is not yet clear how aggressive France will be in this regard. Nonetheless, one thing is clear: companies possibly conducting economic activity in France should be aware of the uniquely aggressive requirements imposed by Sapin II and should seek legal counsel to ensure compliance.