According to Law No. 2016-1691 of December 9, 2016 “On Transparency, Fight against Corruption and Modernisation of Economic Life” (hereinafter, the Law), AFA provides legal persons with guidance on the prevention of corruption. The aforementioned paper is an updated version of the Recommendations released in 2017 (which we have already written about, in Russian) and takes into account the changes of the last three years and the lessons learnt.
The Recommendations define the terms and conditions for introducing a system of anti-corruption measures in all organisations of the public and private sectors established in France and beyond and operating in the country and abroad regardless of their size, corporate form of organisation, legal status, area of activity, budget, turnover and staff numbers.
The Recommendations are not legally binding and organisations are allowed to adopt other measures which are not outlined in the Recommendations provided that they are aimed at observing the provisions of the Law. However, AFA is guided by the Recommendations when it conducts its verifications, which means that if the corporate system of anti-corruption measures is based on them, the organisation may count on a “simple presumption of compliance”. At the same time, the fact that the organisation has not adopted all or some of the measures provided for by the Recommendations cannot be considered a priori as a failure of the organisation to observe the Law if it shows AFA that the measures it has in place allow it to comply with the requirements set down by the Law.
I. General provisions
The first part of the Recommendations is centered on the general principles of and approaches to the organisation of the corporate system of anti-corruption measures.
In particular, it stresses that organisations should adapt the measures proposed in the Recommendations to their risk profile which is affected by different factors: types of corporate activity, kind of products they produce and services they provide, management structure, size, geographical location, categories of third parties, etc.
Those organisations that have subsidiaries/dependent enterprises must ensure the quality and effectiveness of the functioning of anti-corruption systems in the whole control circuit.
According to the Recommendations, the corporate system of anti-corruption measures should be based on three “pillars”:
- “Engagement of the management”, meaning demonstration of personal commitment to the principles of integrity and intolerance of corruption and support of the adoption of anti-corruption measures by the management, including the provision of necessary resources, monitoring and control.
- The mapping of the risks that the organisation is subject to, which is the “cornerstone of the anti-corruption system”; it should be conducted both immediately before the development and introduction of the system of anti-corruption measures and after that on a regular basis.
- Risk management based on the implementation of measures and procedures aimed at their prevention, detection and corrective action, as well as monitoring and assessment of the effectiveness of such measures and procedures.
In this context, the measures and procedures aimed at preventing the risks include:
- Code of conduct: it defines different types of conduct which should be prohibited as they potentially create the conditions for violations/infringe the principles of integrity. The code may be supplemented by other documents regulating specific aspects of ethical and professional conduct, for instance those regarding gifts and hospitality, charity and sponsorship activities, lobbying, management of conflicts of interest, etc.
- Awareness-raising and training: the staff of the organisation should be aware of its anti-corruption policy; moreover, the content of training for different categories of employees and managers should be based on the outcome of risk assessment;
- Due diligence of the third parties: in order not to be involved in unlawful activities the organisation should conduct the due diligence assessment of the third parties, either natural or legal persons, with whom the organisation has established or intends to establish a business relationship. The character and depth of assessment may be based on the division of the third parties into homogeneous groups that have compatible risk profiles: the assessment may not be conducted for the lowest risk groups of third parties or it may be carried out in a simplified form, whilst the groups that are most vulnerable to risks will require an in-depth assessment, including tracing of financial flows and strict control over the implementation of the tasks assigned to them. The assessment may be conducted in various ways: from simple analysis of information published in open sources to in-depth research and submission of an evaluation questionnaire directly to the third party. Contracts with third parties may include provisions on the termination or non-renewal of the business relationship in the case of occurrence of any situations that may constitute a violation of the principles of integrity or a failure to abide by the guiding anti-corruption principles of the organisation.
The measures and procedures aimed at detecting the risks include:
- A system for reporting violations: based on its risk profile, the organisation should have mechanisms for receiving and processing reports on the conduct and situations that are not in line with the code of conduct or constitute an infringement of the principles of integrity. This system may include one or several reporting channels, beginning with a simple dedicated email address and ending with special software or even a separate ethical digital platform. The administration of this system may be either carried out by the organisation itself or outsourced to an external entity;
- Control systems: the organisation establishes an internal control system compatible with its risk profile. Ideally, this system should consist of three levels: the first, “preventative” control is exercised before the implementation of a decision or an operation directly by the divisions responsible for their implementation; the second, “detecting” control is carried out in relation to all or some decisions adopted or operations conducted on a regular basis, whose frequency is defined in advance, or randomly and aimed at assessing the preventative control and appropriate functioning of the anti-corruption system as a whole; and the third, periodic audit of the internal system is conducted by independent individuals. The main instrument of this system is accounting control which implies the monitoring of book-keeping, registers and accounts with a view to ensuring that they are not used to conceal acts of corruption. It is recommended that the accounting control system is also structured in the same “three-level” manner;
- Elimination of detected shortcomings: corrective measures should be adopted to eliminate the shortcomings detected in the course of the control procedure. In particular, if violations of the code of conduct or the principles of integrity were detected, the respective sanctions should be imposed. To this end, the organisation should draft action plans on how to eliminate them, which describe in detail the measures to be taken, designate those responsible and the terms of their implementation. The state of implementation of these plans should be regularly monitored and the outcome of the monitoring should be reported to the management;
- Maintenance and archiving of documents: the organisation creates the infrastructure for the maintenance and archiving of documents and information regarding the improvement of the anti-corruption system to ensure its controllability. The retention schedule depends on the character of information.
II. Specific conditions of implementation by organisations of the private sector and public companies
The second part of the paper examines in further detail the specificities of the process of creation of a corporate system of anti-corruption measures referred to in article 17 of the Law: the companies (including the public companies of “industrial and commercial character”, EPIC*) with at least 500 employees or belonging to the group of companies headquartered in France whose staff number is at least 500 employees and turnover exceeds €100 million**. According to the Law, these organisations must adopt corruption prevention measures; if a company fails to do so, it may be held liable by AFA (also in the form of a fine of up to €1 million in the case of legal persons and €200,000 in the case of natural persons).
As regards risk mapping, the paper highlights that it should be formalised, i.e. have the form of written and structured documentation where the methods for conducting it, measures adopted to control risks and the roles and responsibilities assigned to different interested parties are described in detail. Depending on the specific character of activities and the structure of the company, risk mapping may be organised, for instance, in accordance with the areas of activity, business processes, subjects or geographic regions.
According to the Recommendations, the procedure for risk assessment includes six stages:
- distribution of roles and responsibilities in the risk assessment procedure;
- identification of risks inherent in the activities of the company: a) compilation of a list of business processes of the company, identification of the processes which are the most representative or the most vulnerable to risks, and b) the definition of scenarios for the realisation of risks in each business process by gathering information from the employees of all hierarchical levels and divisions of the company, in particular, in the course of seminars, interviews and through questionnaires;
- preliminary risk assessment: the detection of “raw” risks which the company is vulnerable to, i.e. the risks that exist before the control measures are implemented, and assessment of each detected risk scenario under three indicators: impact on the company (reputational, financial, economic, legal), probability of occurrence (defined on the basis of the most complete information which is also adapted as much as possible to the specifics of the risk detected, for instance, the record of incidents) and aggravating circumstances (assessed on the basis of gravity rates; for example, in a situation where the company conducts international activities, the rate makes it possible to take into account the impact of the geographical location at the stage of a general risk assessment);
- the assessment of “clean” (“residual”) risks: the reassessment of the “raw” scenarios taking into consideration the means of control that are already in place and the risks that have occurred;
- prioritization of risks and development of an action plan: classification of risk scenarios by levels and definition of risks, whose reduction measures should be adopted in the first place, as well as selection of these measures and development of a detailed plan of their implementation (timeline, responsible persons, monitoring and reporting);
- formalization, update and archiving of the risk map: in conclusion of all previous stages a risk map of the organisation is drawn; it is supplemented by a description of the methods of its development, methodology for detecting, assessing, prioritising and managing the risks; the necessity to update the risk map should be evaluated annually; all versions of the maps as well as the registers of control should be dated, have references and be archived.
III. Specific conditions of implementation by authorities and public entities
The third part is focused on specific conditions of implementation of the Recommendations by the subjects indicated in article three of the Law: public bodies, local government bodies, public entities, semi-public corporations, and public-interest associations and foundations.
In particular, considering the fact that officials of public bodies and entities may be subject to additional obligations, prohibitions and restrictions under the law, it is necessary to take these circumstances into account in developing a system of anti-corruption measures. For example, certain disciplinary sanctions against civil servants may entail: a) an infringement of the organizational procedure of the service, established by the code of conduct; b) an infringement of ethical legal obligations, defined by the code of conduct; and c) an infringement of the provisions of the code of conduct regarding an intervention in the legislative area. In assessing due diligence of the third parties, public subjects should take into account the provisions of the code of public procurement, including the verification of prerequisites for barring a participant from taking part in a procurement process such as accusation of a corruption crime.
Besides that, the annex to the Recommendations contains a list of model risk scenarios for the subjects of the public sector in three areas: payment of subsidies, human resources management and public procurement.
*Établissement public à caractère Industriel et Commercial (EPIC) is a specific category of public corporations in France including industrial or commercial enterprises controlled by the State and some research institutes and infrastructure operators. Not all companies whose capital is owned by the State belong to this category: the specific feature of the EPICs is that they are established only in accordance with a separate special law.
**It should be highlighted that not only the French companies meeting the established criteria, but also the foreign subsidiaries of French companies and the subsidiaries of foreign companies located on the French territory and satisfying the adopted criteria are subject to the requirements of article 17 of the Law.