Compliance in France in 2019

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

France’s investigations and white-collar crime landscape is at a turning point in 2019. After a long-awaited alignment of its anti-corruption arsenal on international standards with the 2016 Sapin II law, the priorities of French legislators and regulators are now twofold: completing the implementation of the 2016 reform, and bringing change to other areas to continue building a French compliance law that meets or exceeds international expectations.

Indeed, France’s investigations landscape has primarily revolved around anti-corruption compliance and enforcement, following the implementation of the 2016 Sapin II law. The focus today is on the newly created French Anti-Corruption Agency (AFA), which is now both providing guidance and monitoring compliance, with comprehensive audits at major corporations.

Following this momentum, French legislators also approved in late 2017 and 2018 key pieces of legislation that are a major topic for the French investigations and compliance sector today. The 2017 Corporate Duty of Vigilance law imposed obligations on large corporations and their subsidiary, supplier and subcontractor networks following the 2013 Rana Plaza accident, and the 2018 anti-fraud law gave investigators and prosecutors more tools to fight tax fraud.

All in all, 2019 will be an exciting year as France’s body of compliance law is finally taking a more definitive, coherent shape.

Anti-corruption: the continued effects of Sapin II

A paradigm shift for the French compliance landscape

The 9 December 2016 law on transparency, corruption and modernisation of the economy, nicknamed Sapin II after the minister in charge at the time, is France’s comprehensive anti-corruption reform and a response to laws such as the FCPA and the UK Bribery Act. The law toughened corruption sanctions, imposed stringent compliance obligations on large corporations and created the AFA.

That law also introduced major procedural changes for white-collar cases, with the creation of the deferred prosecution agreement (DPA) equivalent called the ‘judicial public interest agreement’ (CJIP), which gives prosecutors transactional tools to negotiate with corporate plaintiffs for a limited number of offences. It also mandated large companies to implement anti-corruption compliance programmes, under the supervision of the AFA.

The AFA enters the age of enforcement and continues its guidance efforts

While the AFA is not an independent administrative agency, and therefore does not have the ability to impose or seek sanctions for specific acts of corruption, it is now fully taking its role attributed by article 1 of Sapin II: a mission of helping authorities and other relevant persons to prevent and detect bribery and other corruption-related offences.

The AFA started its guidance mission by publishing a set of recommendations to corporations in late 2017[1] that helped them create programmes that comply with the requirements of the new law. It is expected to continue in 2019 with an upcoming series of six guides on certain anti-corruption aspects. They draw from the agency’s experience in its controls and in its support to corporations. The first one, published in February 2019, specifically covers the anti-corruption compliance function, its articulation with other corporate roles, as well as its structure and resources.

Another aspect of the AFA’s guidance mission in the corporate realm that is gaining steam in 2019 is its ‘support to economic actors’. It is independent from the AFA’s audit function, and is handled by a dedicated office within the agency. In October 2018 the office published a charter explaining the services it offers, including a possibility of ‘individual support’ to help set up compliance programmes or answer corruption-related questions that may arise.

A key part of the AFA’s enforcement role is its compliance monitoring function, after CJIP agreements or court decisions. That role, attributed by Sapin II, gained the AFA some international recognition when in June 2018, as part of a joint investigation on French Bank Société Générale, the DOJ declined to impose a separate compliance monitor because the bank had already agreed to AFA supervision in a CJIP agreement with French prosecutors.

Finally, and perhaps most importantly, the AFA continued its audits at corporations that are mandated by the law to have anti-corruption compliance programmes. Carried out at the initiative of the AFA’s director or upon request of authorities or approved NGOs, the audits verify that the company has proper compliance programmes in place. Although AFA investigators do not have the police powers required for coercive searches (unlike competition, tax or judicial police dawn raids), they can request any information or professional document useful for the audit, and conduct interviews with managers and employees. Audited corporations cannot claim professional secrecy to decline to answer questions or requests for documents, and individuals or entities may be fined in case of obstruction.

Mandatory anti-corruption compliance programmes under Sapin II

Since June 2017, companies incorporated in France and exceeding a certain size threshold[2] are required to have an anti-corruption compliance programme that meets certain specifications. Under the law, presidents, directors and managers of qualifying companies may be held liable personally for failure to implement a compliance programme.

Compliance programmes under Sapin II must be tailored to prevent acts of bribery and influence peddling, and must include the following measures:

  • a code of conduct;
  • an internal whistleblowing mechanism;
  • a regular corruption risk mapping exercise;
  • a risk assessment process;
  • third-party due diligence procedures;
  • accounting controls;
  • training programmes for employees exposed to high risks of corruption and influence peddling;
  • disciplinary procedure; and
  • an audit mechanism to assess the effectiveness of the compliance programme.

The AFA provided guidance on these aspects with its 2017 recommendations and its ‘Guide on the corporate anti-corruption function’ in January 2019,[3] and may answer some questions through its office in charge of supporting economic actors.

Whistleblowing procedures

In addition to the ‘whistleblower’ aspect of the mandatory compliance programme laid out above, the Sapin II law also introduced a new legal framework that has enhanced the status and protection of whistleblowers in France.

This framework provides for:

  • a wide definition of a whistleblower;
  • protection against potential retaliation and discriminatory measures (such actions would be considered null and void under French labour law);
  • criminal penalties for anyone who tries to prevent a whistleblower from making a report (a year’s imprisonment and a fine up to €15,000 for an individual, or a fine of up to €75,000 for a company); and
  • a three-stage reporting process that enables individuals to blow the whistle anonymously internally or, in case of inaction or imminent danger, directly to judicial or administrative authorities and the public.

These measures were supplemented on 19 April 2017 by a decree[4] aimed at implementing this framework, which came into force on 1 January 2018. Under this decree, all companies having at least 50 employees in France are required to set up ‘clear and confidential’ reporting procedures.

Before implementing or modifying existing whistleblowing procedures, companies are advised to undertake a prior consultation of the relevant employees’ representative bodies (eg, works council, health and safety committees).

AFA guidance of October 2017[5] allows these broader whistleblowing obligations to be ‘bundled’ with the whistleblowing part of the mandatory compliance programme at qualifying large corporations.

The new enforcement climate after Sapin II and the upcoming ‘blocking statute’ reform

One of the objectives of Sapin II was to show that France was willing and able to take on the challenge of international bribery by itself, reducing the need or justification for foreign countries to impose fines on its domestic companies based on extraterritorial jurisdiction.

The offence: tougher cross-border white-collar enforcement

The changes initiated by Sapin II extended well beyond anti-bribery, with prosecutors now pursuing tougher penalties and fines never seen before in the French criminal system.

This led to the landmark lower court sentence against Swiss Bank UBS AG for illegal bank solicitation and aggravated tax fraud laundering. On 20 February 2019, UBS was fined €4.5 billion, multiple times the amount offered by prosecutors in CJIP settlement talks. While appeals have been filed and the amount may change, this is undoubtedly an issue corporations will take into account when deciding whether or not to settle with a CJIP.

To avoid prosecution of French companies by other countries, prosecutors are making government investigations more ‘international’, if not American: heavier prosecutor-led investigations, in particular from the National Financial Prosecutor’s Office (PNF), use of transactional tools and very high fines are now commonplace. Parties should, however, keep in mind that while the CJIP mechanism is currently promoted by prosecutors, the risk of the case being brought to court (especially if the Prosecutor does not offer a CJIP) should not be forgotten, as offering this transactional option is not mandatory.

In the same manner, the use of investigating magistrates, a fixture of French criminal procedure, is steadily declining in white-collar cases with some prosecutors now trying to make the bulk of the investigative work happen in the more confidential preliminary investigation phase they supervise.

Finally, the case to follow this year will arguably be Airbus, which the PNF, the UK Serious Fraud Office and the DOJ are investigating for alleged bribery – and for which transactional tools including US/UK DPAs and French CJIPs are or will very likely be on the table.

The defence: the upcoming reform of the French blocking statute

Heavy fines on French corporations on sanctions matters (such as the US$8.9 billion fine for French Bank BNP Paribas in 2014) or anti-bribery (like Alstom’s 2014 US$772 billion fine) based on extraterritorial jurisdiction have become a very sensitive issue in the French political space. Several congressional investigations on that matter, ongoing or completed since 2014, and a recognition, across party lines, of the need for more protection of French companies’ data and documents have incited the government to act upon the issue.

Since 1968 the French have had a blocking statute designed to prevent the abuses of entering discoveries or subpoenas on French entities or individuals. It criminalises the transmission of information to foreign courts outside the channels set forth by treaties (such as the 1970 Hague convention for civil matters or the Mutual Legal Assistance Treaty for criminal issues). Although it was applied recently (in an attempt to conduct depositions in the Executive Life case), it is widely considered as not strictly enforced (noticeably by the US Supreme Court in its 1987 Aerospatiale decision).

After several failed reform attempts by previous legislatures, French MP Raphaël Gauvain was tasked with writing a report on that topic, and is working closely with the Ministry of the Economy’s economic intelligence office on a reform proposal that would create a more easily enforceable transmission regime, in conjunction with certain recent changes introduced by the EU General Data Protection Regulation (GDPR).

Very few details about the reform and the report are public at the moment, but the proposal will likely include higher monetary penalties for violations to give the law a real deterrent effect. Press sources mention a reform of in-house legal privilege as being one of the proposals. In any case, should this reform finally be enacted, it will arguably be the centrepiece of cross-border investigations developments this year.

The duty of vigilance law

The ‘duty of vigilance’ refers to an obligation on companies to prevent social, environmental and governance risks related to their operations that may also extend to the activities of their subsidiaries and business partners (subcontractors and suppliers).

This duty takes place in an international context marked by various human tragedies, including the collapse in 2013 in Bangladesh of the Rana Plaza building, which caused the deaths of 1,138 people. It had been demonstrated that these factories acted as subcontractors for various Western brands, particularly European ones.

In response, the international community has called for corporate accountability for human rights, asking companies to respect these basic rights.

Nevertheless, regulations in this area have long remained ‘soft’, such as the UN Guiding Principles on Business and Human Rights, adopted in 2011 – a set of guidelines for states and companies to prevent, address and remedy human rights abuses committed in business operations.

While norms on this topic have long remained non-binding, simply encouraging companies to regulate themselves through the voluntary adoption of internal rules, we have observed in recent years a trend towards the ‘hardening’ of human rights obligations for businesses. This movement is embodied in France by the enactment on 27 March 2017 of the corporate duty of vigilance law.

The corporate duty of vigilance: a source of new obligations for companies

The newly enacted corporate duty of vigilance law applies to companies with at least 5,000 employees within their company and in their direct and indirect subsidiaries when their registered office is in France, and 10,000 employees when their registered office is located abroad.

This may apply in particular to French subsidiaries of foreign companies or global groups insofar as they meet the above-mentioned requirement. Approximately 150 French parent corporations could fall within the scope of this new law.

The ‘vigilance plan’ is the key measure of the duty of vigilance, requiring qualifying companies to set up a plan containing measures designed to identify and prevent the occurrence of risks of human rights violations, serious physical or environmental damage, and safety risks.

In line with the spirit of the Sapin II-mandated compliance plan for bribery, the vigilance plan should cover items such as:

  • risk mapping;
  • procedures for evaluating subsidiaries, subcontractors and suppliers with whom an established commercial relationship is maintained;
  • appropriate actions to mitigate risks or prevent serious violations;
  • a mechanism for alerting and collecting alerts; and
  • a mechanism for monitoring the measures implemented to assess their effectiveness.

Lawmakers intended to include in the scope of this law the activities of the parent company but also its subsidiaries and any other companies that participate in the supply chain of the group (eg, suppliers, subcontractors) either directly for the parent company or for one of its subsidiaries.

While companies have been required to establish a vigilance plan since the law entered into force in 2017, other provisions of the law, such as the report on the effective implementation of the plan, will only apply from the date of the report for the first financial year opened after the publication of the law. This means 2019 (ie, the report for fiscal year 2018) for companies whose financial year is open from 1 January.

No more sanctions but a potential source of liability for companies

While the fines initially provided for in the event of non-publication of the plan were struck down by the Constitutional Council because of the sanctions’ excessive breadth, thus reducing the scope of the law in terms of corporate social responsibility, the corporate duty of vigilance remains a potential source of liability that corporations should take into account.

Indeed, qualifying large companies remain required to publish the vigilance plan in their annual report. Failing this, the judge may subject the company in question to an injunction and the possibility of engaging the company’s civil liability in the event of failure to fulfil its obligations, in particular in the event of damage occurring in one of the companies referred to in the plan. This fault-based liability may lie in the non-existence or inadequacy of the plan, failure to implement it, or if the ordering company has done nothing to prevent or minimise the damage.

The occurrence of an accident in a subsidiary or subcontractor does not therefore mean that liability is automatically triggered, as the company must have committed a fault. Companies are only bound by a duty of care that consists in thoroughly implementing the vigilance plan. Liability on these grounds is not automatic if the company is compliant.

The corporate duty of vigilance in 2019: first report

Two years after the law was enacted, NGOs have started criticising certain companies for their non-compliance. They also highlighted the lack of dialogue between companies and stakeholders such as employees, suppliers, subcontractors, NGOs and representatives of civil society in the drafting of compliance plans.

They are lobbying the French government to obtain a consolidated list of companies falling within the scope of the French statute to facilitate their monitoring and the reintroduction of penalties in case of non-compliance.

France stands out as a pioneer on vigilance, but enforcing this law will be a challenge without coercive sanctions. However, the absence of penalties should not encourage companies to breach these obligations, as they are a potential source of liability and activist litigation.

The Anti-Fraud Act

Enacted on 23 October 2018, the anti-fraud law is branded as the companion bill to a recent law softening sanctions for good-faith errors, balancing it with more anti-fraud tools and stricter sanctions for aggravated fraud cases.

The end of the Bercy Lock

Until now, tax authorities had to file a complaint after obtaining a favourable opinion from the tax offences commission to launch prosecutions against the taxpayer.[6] This system was commonly known as the Bercy Lock. Article 36 of the Anti-Fraud Act puts an end to this requirement and imposes a duty on the tax administration to report the case to the public prosecutor whenever the value of duties avoided exceeds €100,000 and the tax administration applied:

  • the 100 per cent penalty for opposition to tax audit;[7]
  • the 80 per cent penalty provided for concealed activity,[8] fraudulent practices or abuse of law,[9] failure to declare foreign accounts,[10] life insurance or trusts or smugglers;[11] or
  • the 40 per cent for deliberate breach, abuse of law[12] or failure to file a tax return after a formal notice to pay[13] if, during the six previous calendar years, the taxpayer was imposed one of the 40 per cent, 80 per cent or 100 per cent penalties listed above or had been the target of a tax fraud complaint by the tax administration.

The reporting threshold is halved and the 40 per cent penalty always triggers reporting when the taxpayer is bound by an obligation of transparency with the High Authority for the Transparency of Public Life (HATVP; the agency that collects French public servants’ transparency declarations on their assets).

The French guilty plea and DPA in most tax fraud cases

The Anti-Fraud Act also provides the possibility for taxpayers to enter into a French version of the guilty plea – the CRPC. In force since 2004, this procedure allows the defendant to avoid a formal trial if the latter acknowledges the alleged facts against him or her and accepts the penalties proposed by the public prosecutor.[14]

The law also provides legal persons with the possibility of concluding a CJIP in the event of tax fraud.[15] The legal person is allowed to conclude a legal transaction with the public prosecutor to avoid criminal proceedings in return for the payment of penalties and its submission to an anti-corruption compliance programme supervised by the AFA.

In addition, it is worth mentioning that article 23 of the Anti-Fraud Act raises the maximum amount of the penalties for tax fraud and aggravated tax fraud to twice the income derived from the commission of the offences.[16] When it comes to legal persons, the fine could be up to 10 times the income derived from the commission of the offences.[17]

Creation of a tax police

Articles 1 and 2 of the Anti-Fraud Act provide for the creation a special unit known as the ‘tax police’ within the Ministry in charge of Public Accounts. The service will be placed under the authority of the public prosecutor.[18]

This unit will be formed of judicial customs officers and tax administration agents, and will have judicial police powers.

The ‘name and shame’ solution is extended to tax fraud

The tax administration may decide to publish the tax penalties applied to legal persons following breaches of their tax duties of a particularly serious nature (abuse of law or fraudulent acts and an evaded duty amounting to at least €50,000), provided it obtained a favourable opinion from the tax offences commission.[19]

The publication is made on the tax administration website for a maximum period of one year. Challenging the penalties will suspend the publication or, in some cases, allow its withdrawal.

Sapin II was only the first step in what is becoming a coherent body of compliance obligations, which case law and legal practice will fine-tune. France wants to set new standards in compliance law and is giving itself the tools to do so.

The authors wish to acknowledge the contributions of Grégoire Durand and Clément Truchon-Bartès to this chapter.


2 This requirement, according to article 17 of the law, applies to any private company or public entity of an industrial or commercial nature, which has (i) more than 500 employees or is part of a corporate group whose parent company is headquartered in France and employs more than 500 people; and (ii) whose annual turnover or annual consolidated turnover exceeds €100 million.

4 Decree No. 2017-564.

6 Former article L228 French Tax Procedural Code (Livre des procédures fiscales).

7 Article 1732 French Tax Code (Code général des impôts).

8 Article 1728,1, c French Tax Code.

9 Article 1729 b and c French Tax Code.

10 Article 1729-0 A French Tax Code.

11 Article 1758 French Tax Code.

12 Article 1729 a and b French Tax Code.

13 Article 1728, 1 b French Tax Code.

14 Article 495-7 French Code of Criminal Procedure (Code de procedure pénale)

15 Article 41-1-2 French Code of Criminal Procedure.

16 Article 1741 French Tax Code.

17 Article 131-38 French Criminal Code (Code pénal).

18 Article 28-2 French Code of Criminal Procedure.

19 Article 1729 A French Criminal Code.

Unlock unlimited access to all Global Investigations Review content