‹  To homepageCompliance solutions
Compliance Reference

An introduction to the French Anti-Corruption Law (“Sapin II”)

On December 9, 2016, the French Parliament (Parlement français) successfully passed Law No. 2016-1691 on Transparency, Fighting Corruption, and Modernising Economic Life, also known as “Sapin II,” in recognition of the contributions made by France’s former Minister of Finance, Michael Sapin, who is largely responsible for its passage. Sapin II is largely billed as the French Republic’s efforts at modernizing its capacity to combat corruption and hold companies complicit in such activities accountable.

Prior to the enactment of Sapin II, the French legal framework for combating bribery and corruption had fallen considerably behind several of its European counterparts, prompting widespread calls for France to undertake domestic reform aimed at aligning its anti-bribery and corruption capacity to prevailing international norms. Broadly speaking, Sapin II accomplishes this objective by legally requiring certain French companies (discussed more fully below) to adopt and maintain a compliance program based on eight principal pillars. Failure to comply with Sapin II’s requirements can result in anything from a warning to the imposition of serious financial sanctions by the agency responsible for the administration of Sapin II.

The principal requirement of Sapin II is the codification into French law of the obligation by certain French companies to adopt and maintain corporate compliance programs with the overall effect of deterring both corruption and influence peddling (broadly construed). Pursuant to Sapin II, affected companies are obliged to adopt specific policies and measures designed to mitigate the potential that legally proscribed activity will occur in a commercial environment. In that vein, Sapin II is predicated on eight fundamental pillars that requires organizations and their subsidiaries (whether located in France or abroad) to adopt:

  1. A code of conduct specifically defining and illustrating the different types of behavior to be prohibited as likely to characterize corruption or influence peddling;

  2. An internal alert system to permit the collection of reports from employees relating to the existence of malfeasance or situations contrary to the company’s code of conduct;

  3. A risk map (assessment) in the form of “regularly updated documentation” intended to identify, analyze, and prioritize the risks of exposure of the company to external solicitations for for the purposes of corruption that is predicated on the company’s activities and geographic reach;

  4. Procedures for assessing the situation of customers, first-tier suppliers, and intermediaries with regard to the risk mapping required by section 3, above (due diligence);

  5. Accounting and sufficient controls (either external or internal) intended to ensure that the books, registers and accounts of the company are not used to conceal acts of corruption or influence peddling;

  6. A training system for managers and staff most exposed to the risks of corruption and influence peddling;

  7. A disciplinary system that permits the organization to appropriately sanction the employees of the company causing violations of the code of conduct; and

  8. An internal control and evaluation system with respect to all of the foregoing measures.

To enforce and oversee the implementation of these requirements, Sapin II created the French Anti-Corruption Agency (Agence française anticorruption) with broad authority to audit both the existence, quality and effectiveness of anti-corruption compliance programs required by the law and the execution of judicially-ordered compliance remediation plans under the terms of French deferred prosecution agreements (Convention judiciaire d'intérêt public or CJIP). Pursuant to such agreements, any entity accused of corruption—irrespective of the size thresholds established by the coverage provisions of Sapin II (discussed more fully below)—may be furnished with the opportunity to enter into settlements with the French government while avoiding admission of guilt. Under CJIPs, the Public Prosecutor may require such companies to pay a “public interest fine” of not more than thirty percent of the entity’s average annual turnover for the past ten years; implement a compliance program under the supervision of the French Anti-Corruption Agency for a maximum period of three years; and/or compensate the victims of the corruption or influence peddling schemes, to the extent any victims can be positively identified.

Sapin II also empowers the French Anti-Corruption Agency to promulgate guidelines to assist covered entities in establishing effective compliance programs that meet the requirements of the new law. While the guidelines—last updated in 2021—are not legally authoritative, they are highly instructive for covered entities wishing for more concrete guidance from the Anti-Corruption Agency with respect to the implementation of a compliance program that encompasses the eight pillars mentioned above.

Sapin II’s coverage and jurisdictional reach

Sapin II applies to both companies established pursuant to French law with at least 500 employees and with a turnover of more than € 100 million; and to companies established pursuant to French law that are part of a company group with a total of at least 500 employees, where the parent company is headquartered in France, and the group has a consolidated turnover above € 100 million. Coverage under Sapin II also includes state-owned companies and subsidiaries of entities directly subject to the aforementioned requirements. Therefore, even foreign subsidiaries of French companies are required to comply with Sapin II’s requirements. Notably, the requirement to establish an effective anti-corruption compliance program also extends to chairpersons of covered entities, chief executives, managers, and members of the management board. In this regard, Sapin II is notable for imposing legal liability on such persons for failing to comply with Sapin II’s anti-corruption compliance program requirements, with fines of up to € 200,000 for individuals and € 1 million for covered entities.

Also notable is the jurisdictional reach of French criminal laws directly implicated by Sapin II. Under these provisions, liability under French criminal law regarding bribery and corruption-related offenses also extend to foreign companies operating in France and extraterritorially to foreign companies that belong to a French corporate group of a certain size. Additionally, even where the offense is committed overseas by a French national, French criminal laws would operate to punish the individual in question provided the same or similar offense is punishable under the laws of the foreign jurisdiction where it is committed—with the notable exception of acts involving public corruption and influence peddling, which may be prosecuted regardless of whether they constitute an offense in a foreign jurisdiction, in line with a strong public policy preference that universally condemns such behavior. In this respect, Sapin II is extremely similar to other landmark anti-bribery and -corruption regimes like the U.S. Foreign Corrupt Practices Act (“FCPA”) and UK Bribery Act (2010), which contain similar jurisdictional features to maximize the overall impact of the law in question.

A focus on Sapin II’s due diligence requirements

As previously mentioned, one of the eight pillars of Sapin II is a requirement that covered entities adopt what is effectively a third party due diligence program with respect to their customers, first-tier suppliers, and intermediaries, although the French Anti-Corruption Agency encourages companies to voluntarily expand the universe of due diligence to encompass any third party with whom a covered entity interacts. The express purpose of such due diligence is to ascertain whether a covered entity should enter into a new relationship with a third party or, maintain such a relationship, or terminate the relationship altogether.

As the aforementioned guidelines emphasize, the due diligence required by a covered entity under Sapin II are similar in scope and substance to other international anti-bribery and corruption due diligence requirements. This process includes, but is not limited to: (1) collection of relevant information from a variety of internal and external sources concerning both the targeted third party and its ultimate beneficial owners; (2) a holistic assessment of the third party’s risk level based on the information collected and an analysis of the prospective or existing relationship in conjunction with consideration of geographic risk and the third party’s prior history of misconduct; and (3) a final determination as to whether a covered entity should approve, suspend, or terminate a particular third party relationship based on the results of the assessment. The due diligence process under Sapin II is supplemented by ongoing monitoring requirements again mentioned in the context of the Anti-Corruption Agency’s 2021 guidelines. In connection with this requirement, covered entities are primarily obliged to ensure that complete transparency exists regarding payments made by and to third parties to ensure that the compensation and payment methods comply with the overall terms of the contract in question. Unusual activity that deviates from contractual norms should be considered cause for concern that covered entities must address directly with the third party implicated. Finally, Sapin II—like all other due diligence regimes—broadly requires covered organizations to periodically repeat the due diligence process with respect to affected third parties at regular intervals. The update requirement echoes similar regulator and enforcement authority expectations that organizations have an ongoing duty to ensure that their activities conform to the letter of the law. Because third parties are often implicated in cases involving corruption and influence peddling, Sapin II and other similar regimes emphasize the need for covered entities to pay particular attention to their activities in a compliance context.