Sapin II

What does the concept of compliance officer cover under the French anti-corruption law, Sapin 2?

This rather long post describes what is expected of a compliance officer, which is of some importance when it comes to implementing the French Sapin 2 law, but it also summarises

  • answers to questions asked by a number of clients,
  • the practices observed
  • and, of course, reference texts such as the law, the French Anticorruption Agency’s (AFA) practical guide and the Agency’s audit reports.

A rather long foreword

The AFA’s audit reports have a consistent structure, at least those to which I have had access, in 9 parts and not 8 as one might have imagined, to stick to the 8 obligations described in II of art 17 of the Sapin 2 law.

The 9th part, which is in fact the first of the reports, deals with the involvement of the management body.

This 9th (or first) part corresponds to the AFA’s reading of I of Art. 17 of the Act, which states « I. – The chairmen, chief executive officers and managers of a company […] are required to take measures to prevent and detect the commission, in France or abroad, of acts of corruption or trading in influence in accordance with the procedures set out in II ».

Basically, because 8 obligations are described in II of Article 17, their implementation is primarily the responsibility, no pun intended, of the directors of the company subject to the Sapin 2 mechanism « II. – The persons mentioned in I shall implement the following measures and procedures ».

And for obvious reasons of availability of these managers, the operational implementation of the corruption prevention system can be delegated – in its execution – to a compliance function. The delegation is of execution, not of responsibility, as the AFA’s practical guide, « The anti-corruption compliance function in the company », reminds us in IV, page 16. This point is of the utmost importance.

The AFA begins its reports by developing the commitment of the management body, which most often includes

  • A sub-section aimed at taking stock of the position taken by managers with regard to the prevention of corruption in their company. Without going into detail, the aim of this section is to list the weak – or strong – signals sent out by the management body regarding the prevention of corruption, and to assess their scope and effectiveness.
  • Another sub-section, and the one we are interested in here, is devoted to the resources implemented for, or dedicated to, managing the implementation of measures to prevent corruption. Here, the AFA takes stock of what it has observed in terms of the organisation of the compliance function within the audited entity, and the qualities, or shortcomings, that it attributes to it.

The positioning of these developments in the Agency’s audit reports is obviously not accidental and demonstrates the interest it takes in the compliance function, both in terms of its embodiment and its organisation. One might even be forgiven for thinking that the quality of this first part sometimes sets the overall tone of the audit report.

As usual, although the AFA does not describe precisely what is expected in its inspection reports, it is possible, with the help of its practical guide, published in 2019 and still relevant, to determine who meets the conditions for such a role.

Because many companies are wondering about the content of this non-standardised function, as the introduction to the practical guide discreetly states[1], its scope and its responsibilities, this article will attempt to draw up a profile of the compliance officer, the compliance director, the compliance function, or whatever you want to call it. 

This is not an attempt to define the compliance officer, since he or she is not in the minds of auditors or legislators. There are no peremptory or definitive statements in these lines, but rather an approach based on the AFA’s observation, in its reports and publications, of market practices and, of course, of the indispensable hindsight and common sense that are the permanent friends of any compliance function.

A definition

The aforementioned AFA guide defines the tasks of the compliance function as « all actions aimed at ensuring compliance with legal standards and the circulation of guidelines applicable to the prevention of corruption, and more generally to breaches of the duty of probity, by an organisation, its managers, employees and third parties with whom the organisation has relations ». A vast programme.

A cross-functional function

The compliance function is cross-functional in the sense that it embraces all the company’s processes, as the mapping of corruption risks is supposed to do. This does not mean that the function is meant to command the company’s other processes or functions, but that it is meant to communicate and coordinate with them.

Let’s not forget that the function is responsible for designing and steering the deployment of the anti-corruption system, managing the programme, monitoring its deployment and acting as the compliance point of contact.

To do this, it is more than useful to be in contact with everyone, and with all the company’s functions, and to be able to understand the implementation of the anticorruption system at any point in the company.

A special position – spokesperson for the governing body, with quantifiable resources

Once again, the link must be made with the commitment of the management body, an absolutely essential point for any compliance function.

In fact, the AFA’s guide clearly states that the management body « ensures the conditions for effective governance of anti-corruption compliance[2] ».

The guide states quite clearly, and this point is never denied in the audit reports that we have been able to consult, that « its position and the resources allocated to it reflect the commitment of the management body to the prevention and detection of corruption[3] ».

In other words, the function is taken all the more seriously if it is as close as possible to senior management, and if visible resources (and if possible proportional to the task in hand) are allocated to it.

A simple reading of the Agency’s audit questionnaires shows that the question of the resources allocated to the function is of paramount importance in its eyes. It could therefore be said that without resources, there is no possible compliance function.

In addition to acting as the spokesperson for the management body, the function must, by its very nature, be exposed to knowledge of sensitive issues: assistance in making difficult decisions, implementation of restrictive rules or processes, knowledge of sensitive and potentially legal cases. The compliance function also has the role of adviser to the executive.

Genuine independence

Because the role of the compliance function is to ensure compliance with anti-corruption standards, in application of the law or applicable legislation, it must be able to resist pressure – theoretical, of course – from senior management, from an operational or functional function or department.

Let’s not forget that the compliance function has only one objective in mind: to ensure that the law is respected, and nothing but the law. That’s a lot, especially for Sapin 2 law.

A lot, because the text covers many technical areas, all the company’s processes, and requires considerable energy. And deploying this energy uniformly across a Group requires independence, so as not to favour or penalise anyone.

The law applies to everyone, everywhere in the company. And its implementation cannot please everyone, that’s obvious. And ‘displeasing’ does not go well with any kind of dependency, or not for very long. That’s only human.

One point needs to be made here: the task that the law and the Agency have assigned to compliance functions is a particularly onerous one.

And some people in the company sometimes feel that the function is making too many demands.

Let them rest assured, the level of requirements is already such that it is highly unlikely that a compliance officer would add complexity to an already dense field. On the contrary, they would rather struggle to enforce the minimum requirements of the law. The imperatives of the law and the AFA’s recommendations are such that there is no particular need for creativity to add to them.

Independence is also characterised by direct or immediate access to the Group’s management bodies. Once again, this point is absolutely essential. How can you be the spokesperson for a body, how can you impose the word of the law, without having the support of and access to an executive? How else can you be taken seriously? Of course, this does not mean that the compliance function is the executive. It simply means that, thanks to its proximity to the executive, everything that emanates from it is not the result of its own will alone, but has been accepted and validated by the highest level of the company.

To conclude on the question of independence, it goes without saying that any compliance management function that is under the iron fist (even if benevolent) of any other function whatsoever would not meet this requirement, and must therefore be outlawed.

The compliance function is, at least in France, a new, demanding, dense, non-standardised and unregulated function. And to be able to impose itself, or more broadly, to do its job properly, it must be independent, and have only the texts as its guide.

Should this function therefore be assumed by a robot, impervious to the weaknesses of the human being and entirely devoted to the application of its function?

The answer is in the question. The only way to take on this new and onerous task is through the highly subjective concept of credibility with all employees, managers, administrators, regulators – in short, with all the internal, external and sometimes imposed components of the company.

And this credibility takes the form of various signs, which can be listed as follows.

Knowledge of the company

(or humility towards it):

Either you know your company, because you’ve been working there long enough to know most of its inner workings, its strengths and weaknesses, its internal (geo)policy, and the whole of its activity, which is sometimes highly technical or not very accessible, and it will be relatively easy to get across messages relating to regulatory requirements, which are not always intuitive and not always pleasant. Because they are considered to be part of the organisation, the messages will be easier – or less difficult – to convey to a potentially resistant audience.

Or you are new to the company, which can often be the case for a compliance function, and you will need to demonstrate unfailing attentiveness, modesty and humility. Lack of knowledge of the organisation will be more than compensated for by an ability to listen and to teach, which will undoubtedly be the hallmark of a highly credible person. Imposing without explaining, being peremptory without knowing how the organisation works, would be deleterious. And perhaps even irrecoverable.

Academic training

Is specific training another component of the credibility of the compliance function? A delicate subject. It all depends on your point of view. Empirically, we can safely say that many compliance officers have undergone legal training, or alternatively, that many legal functions find themselves appointed to fulfil this role because they are familiar with legal matters.

Is such training therefore a necessary condition for carrying out this task?

The answer is probably no, but this type of academic training can help. Not that you need to be a lawyer to read the AFA’s texts or productions, but legal training enables you to measure the interactions with other texts related to anti-corruption, and to anticipate the Agency’s requirements in a way, by reading them as a lawyer. And it has to be said that compliance issues, particularly in Anglo-Saxon environments, are dealt with by lawyers.

Having said this, some compliance officers who have not undergone legal training give full satisfaction to the Groups that employ them, as well as to their employees, in the performance of their duties.

Multiple skills

The multiple skills of a compliance officer are more important than just legal training.

The Sapin 2 law deals with all the company’s processes, and the compliance officer must be able to understand intimately how the company operates and the particularities of its business.

Without being an accountant, the compliance officer must also understand the company’s finances; without being an IT specialist, he or she must have a few reflexes when it comes to information systems; without being a project manager, he or she must be able to deploy the various measures set out in art. 17 of the Sapin 2 law; without being a managing director, he or she must be able to be listened to and understood by one of them; without being Sherlock Holmes, he or she must be able to investigate alerts; without having taken a vow of silence, he or she must be discreet…

In short, the compliance officer within the meaning of the Sapin 2 law is a kind of chameleon, quite unprecedented in contemporary French corporate life, and it is above all his versatility that should be favoured.

This is why, apart from lawyers, this role is sometimes assigned to people in charge of risks and internal control.

This is because these roles are most often taken on by highly versatile functions. I will no doubt be criticised for forgetting, quite unintentionally, certain other functions that are responsible for this noble task, but the idea here, as you will have realised, is to paint a fairly general picture of compliance, for which a thousand variations or other possibilities could be envisaged.

A final point relating to the credibility of the function: the level of experience expected. The answer to this question is simpler than you might think.

The French compliance field is young, with little case law, and its doctrine is often developed by professionals, without too many purely conceptual or theoretical aspects.

Sapin 2 compliance has not been around for 10 years, so lack of experience in the field is not a handicap, and once the above conditions have been met, there is nothing to prevent someone with relatively little experience from fulfilling this role with great dignity.

As Corneille happily put it, « To well-born souls, value does not wait for the number of years ».

But it is important not to lose sight of the fact that youth is not a handicap, as long as the conditions of independence, knowledge of the company and proximity to the management body are met.

It goes without saying that a great deal of experience is an advantage in itself: knowledge of the company, or companies, a common language or past with the management team, a career consisting of different positions that have enabled you to accumulate skills in different areas, are all assets that can boost confidence in the performance of such a cross-functional role.

Lastly, this position is open to a particularly broad spectrum of experience, and therefore age: from barely thirty years old to post-retired. One thing is clear: there are no rules! And the limits of the spectrum, whether little or very experienced, as different as they may be, present different characteristics, useful for the needs of the cause.

A specific title?

As a corollary to this development, is there a particular title or position that would support this compliance function better than any other? The answer is probably no. It doesn’t matter whether it’s the Legal Department, the Risk Department, the Company Secretary’s Office, the Compliance Department (in the first instance, of course), the Audit Department or the Internal Control Department.

The only thing that matters is the skills that you want to put into it, but the AFA will consider as valid those positions where independence, proximity to the governing body and technical credibility are present. The title is of little importance.

Other issues may also arise when the question of compliance comes up.

Collegial body or single person?

The responsibility for the mission, and the practice, show that compliance management should only be the responsibility of one person.

Compliance committees are a common and useful practice, and networks of compliance officers are a necessity. These 2 cases are the sign of a coherent organisational approach to compliance.

On the other hand, as far as the management of the function is concerned, it would appear, and the practices observed confirm this, that there should be a single head.

Again, for the same reasons: independence, proximity to management and credibility. Since the system introduced by Sapin 2 is eminently vertical, and linked to the management body, the compliance function must also follow this path. To embody the « tone at the top » demanded by the AFA.

Beyond this requirement, it is probably one more guarantee of the function’s strength.

Possible outsourcing?

This is a question that is asked less and less by companies, given the scale of the task of implementing a Sapin 2 programme.

Even if the AFA’s practical guide seems to indicate that the compliance function is necessarily salaried, when it compares it to the DPO function, there is nothing to prevent a company from delegating the function to third parties. And these third parties could be consultants, or lawyers, because they are subject to particularly stringent confidentiality requirements.

But this delegation cannot be « too long ». The function can be performed temporarily by third parties. To outsource on a permanent basis would, in a way, be contradictory to the principles governing the function. As the function embodies the expression of the company’s highest hierarchical level, it would not accommodate any form of outsourcing in the long term.

In the short term, on the other hand, for the structuring of a corruption prevention system, entrusting the keys to a third party can reinforce the long-awaited credibility, before of course handing over the project deployed to an employee of the company, who would manage it in the medium and long term.

So there you have it, a number of answers to general questions, in bits and pieces, relating to this fairly recent profile, particularly in the world of industry and non-financial services.
