Complying with Sapin II and AFA Guidance in 2022

Sapin II passed in 2016 and the French Anti-Corruption Agency (AFA) began publishing guidance for corporate compliance programs in 2017. Since then, the AFA has refined and continued to update their guidance, with the most recent update published in January 2022. We’ll dive into what’s changed since 2016, and what progress French companies have made since the original guidance below. But first, let’s take a look at the AFA’s eight key components of a corporate compliance program:

The AFA’s 8 key requirements of complying with Sapin II

1. Code of Conduct

Under Sapin II, you must have a corporate code of conduct that establishes conduct expectations for employees and stakeholders connected to the business.

2. Internal Whistleblowing Hotline

Employees must have access to an internal reporting system, so they may report potential misconduct or code violations.

3. Risk Mapping

The company’s risk exposure to potential opportunities for corruption must be identified, analysed, prioritised, and regularly updated.

4. Third Party Due Diligence

Third parties including vendors, customers, suppliers and more should be monitored in accordance with the risk map.

5. Accounting Controls

Internal and external accounting controls must be established to ensure transparency in record-keeping.

6. Training for Employees and Leaders

Employees and managers who are most at-risk of being exposed to opportunities for corruption must be trained on how to identify and avoid it.

7. Disciplinary Policy

Policies to sanction those found guilty of engaging in corruption must be established and documented.

8. Internal Controls

Companies must document, monitor, and evaluate the measures implemented in accordance with AFA guidance.

Sapin II and AFA Guidance for corporate compliance

Compliance Requirements Framework

It’s essential to note that the eight requirements listed above still apply, according to the AFA’s updated guidance released in January 2022 and the previous update released in December 2020. Those requirements fit into an overarching framework, starting with three “inseparable pillars:”

  • Senior management’s commitment to anti-corruption
  • Risk mapping
  • Risk management

The risk management pillar is further broken down into prevention, detection, and corrective action. The original eight requirements now fall into one of those buckets, as laid out in this chart.

Case law on mergers and acquisitions guidance

While the AFA originally specified that misconduct preceding a merger would result in criminal liability only for the entity that engaged in the misconduct and not the new structure, new case law from the Cour de Cassation states otherwise. A court decision on November 25, 2020 states that the acquiring company may now face criminal liability for previous misconduct by the company they are acquiring.

The AFA published new guidance on corporate mergers and acquisitions in March 2021 to reflect the new case law. This update had a significant impact on the compliance work that goes into the preparation for a merger.

Guidance for foundations and public associations

The 31 January 2022 update from the AFA included guidance exclusively for associations and foundations, regarding the control of risk around probity. Click here to read the update in French.

What is the biggest challenge in complying with Sapin II and AFA guidance?

According to Maria Lancri, partner at Squair Law, risk assessments and third-party due diligence continue to be the biggest challenge facing French companies. “It’s the most challenging in any jurisdiction…and in France, the guidelines are quite mandatory,” Lancri explains. “You have to follow the methodology that is required by the agency or explain why you did not and how your methodology is however efficient,” as opposed to US and UK regulations, which allow companies to follow a risk assessment methodology that fits their unique purpose, and then explain to regulators why they followed that method.

Have French companies made progress in complying with Sapin II and AFA guidelines?

According to Lancri, compliance is taken much more seriously in France than it was just a few short years ago, thanks in part to the passage of Sapin II, GDPR, and France’s corporate “duty of care” law in quick succession from 2016-2017. With three significant corporate regulations coming into force at the same time, which apply not just to large companies but also to the small businesses who want to do business with them, compliance is now seen as necessary to doing business in France.

“It is a common understanding that compliance is here for good, and that it is not only paperwork but that it is a serious matter to implement,” says Lancri. While the work is underway to make compliance a key business function, French companies are still facing significant challenges, including properly resourcing and staffing their compliance departments, training senior management on anti-corruption guidelines, and making employees aware of key compliance elements such as hotlines. For example, while companies around the world experienced a spike in hotline activity during the COVID-19 pandemic, hotline activity in France has remained largely stagnant, according to Lancri.

Sapin II and the EU Whistleblower Protection Directive

On 17 December 2021, the EU Whistleblower Protection Directive came into force. While Sapin II provided France with an existing whistleblower protection framework, there are differences between the requirements of Sapin II and the Directive. These include:

  • Protection of non-employees
  • Ability to bypass Sapin II’s internal reporting requirement and report externally in some situations

France transposed the EU Whistleblower Directive into French law on 16 February 2022. Click here to learn more about the requirements of the EU Whistleblowing Directive, or continue reading for more information on how France will update Sapin II to align with Directive requirements.

What’s next for corporate compliance in France?

AFA’s Gifts and Hospitality Guidance

In 2020, the AFA issued new guidance on gifts, travel, and entertainment—ironic timing, considering the pandemic put an end to all of the above in March 2020. However, such activity is likely to resume soon, and since this guidance is now over a year old, the AFA will be citing it in upcoming audits.

Sapin III

A new version of Sapin II—Sapin III—was proposed on 19 October 2021. Sapin III is expected to be made official shortly after the French legislature transposed the EU Whistleblower Directive into French law in February 2022.  The eight pillars of Sapin II will remain intact, and the AFA will maintain its role as advisor and controller of corporate compliance in France. Sapin III will include public stakeholders and clarify the role of Haute Autorité pour la Transparence de la Vie Publique (HATVP) as a controlling body of these stakeholders. Additionally, some changes and updates are anticipated with the passage of Sapin III:

  • An updated whistleblower definition to align with the EU Whistleblower Protection Directive

  • Ability to report directly to an external channel without requiring an internal report first

  • Extension of the anonymized data retention time to facilitate long, complex cases

  • New list of forbidden retaliation actions and their sanctions

  • Support measures for the whistleblower, especially financial and psychological

  • Clarification on applicable sanctions which will be strengthened with a new criminal panel

  • The  geographic territoriality will be extended broadly, and the criteria of the legal entity to be headquartered in France will be removed


While the AFA continues to refine their guidance for corporate compliance programs, the Convercent team is here to help navigate the challenges French companies are facing. Click here to learn more about complying with Sapin II, and if you’d like to know how our targeted compliance solutions can help you meet AFA guidance, request a demo below.

Request a demo