Complying with Sapin II and AFA Guidance in 2021

Sapin II passed in 2016 and the French Anti-Corruption Agency (AFA) began publishing guidance for corporate compliance programs in 2017. Since then, the AFA has refined and continued to update their guidance, with the most recent update published in December 2020. We’ll dive into what’s changed in the new update, and what progress French companies have made since the original guidance below. But first, let’s take a look at the AFA’s eight key components of a corporate compliance program:

The AFA’s 8 key requirements of complying with Sapin II

1. Code of Conduct

Under Sapin II, you must have a corporate code of conduct that establishes conduct expectations for employees and stakeholders connected to the business.

2. Internal Whistleblowing Hotline

Employees must have access to an internal reporting system, so they may report potential misconduct or code violations.

3. Risk Mapping

The company’s risk exposure to potential opportunities for corruption must be identified, analysed, prioritised, and regularly updated.

4. Third Party Due Diligence

Third parties including vendors, customers, suppliers and more should be monitored in accordance with the risk map.

5. Accounting Controls

Internal and external accounting controls must be established to ensure transparency in record-keeping.

6. Training for Employees and Leaders

Employees and managers who are most at-risk of being exposed to opportunities for corruption must be trained on how to identify and avoid it.

7. Disciplinary Policy

Policies to sanction those found guilty of engaging in corruption must be established and documented.

8. Internal Controls

Companies must document, monitor, and evaluate the measures implemented in accordance with AFA guidance.

What is the latest update to complying with Sapin II and AFA Guidance for corporate compliance?

New Compliance Requirements Framework

It’s essential to note that the eight requirements listed above still apply according to the AFA’s updated guidance released in December 2020. However, those requirements have now been fit into an overarching framework, starting with three “inseparable pillars:”

  • Senior management’s commitment to anti-corruption
  • Risk mapping
  • Risk management

The risk management pillar is further broken down into prevention, detection, and corrective action. The original eight requirements now fall into one of those buckets, as laid out in this chart.


New case law on mergers and acquisitions guidance

While the AFA originally specified that misconduct preceding a merger would result in criminal liability only for the entity that engaged in the misconduct and not the new structure, new case law from the Cour de Cassation states otherwise. A court decision on November 25, 2020 states that the acquiring company may now face criminal liability for previous misconduct by the company they are acquiring.

The AFA published new guidance on corporate mergers and acquisitions last week to reflect the new case law. This update will have a significant impact on the compliance work that goes into the preparation for a merger.

What is the biggest challenge in complying with Sapin II and AFA guidance?

According to Maria Lancri, partner at Squair Law, risk assessments and third-party due diligence continue to be the biggest challenge facing French companies. “It’s the most challenging in any jurisdiction…and in France, the guidelines are quite mandatory,” Lancri explains. “You have to follow the methodology that is required by the agency or explain why you did not and how your methodology is however efficient,” as opposed to US and UK regulations, which allow companies to follow a risk assessment methodology that fits their unique purpose, and then explain to regulators why they followed that method.

Have French companies made progress in complying with Sapin II and AFA guidelines?

According to Lancri, compliance is taken much more seriously in France than it was just a few short years ago, thanks in part to the passage of Sapin II, GDPR, and France’s corporate “duty of care” law in quick succession from 2016-2017. With three significant corporate regulations coming into force at the same time, which apply not just to large companies but also to the small businesses who want to do business with them, compliance is now seen as necessary to doing business in France.

“It is a common understanding that compliance is here for good, and that it is not only paperwork but that it is a serious matter to implement,” says Lancri. While the work is underway to make compliance a key business function, French companies are still facing significant challenges, including properly resourcing and staffing their compliance departments, training senior management on anti-corruption guidelines, and making employees aware of key compliance elements such as hotlines. For example, while companies around the world experienced a spike in hotline activity during the COVID-19 pandemic, hotline activity in France has remained largely stagnant, according to Lancri.

What’s next for corporate compliance in France?

AFA’s Gifts and Hospitality Guidance

In 2020, the AFA issued new guidance on gifts, travel, and entertainment—ironic timing, considering the pandemic put an end to all of the above in March 2020 and those activities have not yet widely resumed. However, with widespread vaccination on the horizon, such activity is likely to resume soon, and since this guidance is now over six months old, the AFA will be citing it in upcoming audits.

Sapin II and the EU Whistleblower Protection Directive

At the end of this year, the EU Whistleblower Protection Directive will come into force. While Sapin II has provided France with an existing whistleblower protection framework, there are differences between the requirements of Sapin II and the Directive. These include:

  • Protection of non-employees
  • Ability to bypass Sapin II’s internal reporting requirement and report externally in some situations

While it’s not yet decided how France may update their corporate whistleblowing requirements, it is clear that all French (and European) companies with 250 or more employees are required to have a hotline in place as of December 17, 2021. Click here to learn more about the requirements of the EU Whistleblowing Directive.


While the AFA continues to refine their guidance for corporate compliance programs, the Convercent team is here to help navigate the challenges French companies are facing. Click here to learn more about complying with Sapin II, and if you’d like to know how our targeted compliance solutions can help you meet AFA guidance, request a demo below.

Request a demo