THE FRENCH ANTICORRUPTION AGENCY (AFA) PUBLISHES NEW GUIDELINES FOR PUBLIC AND PRIVATE ORGANIZATIONS

March 8, 2021

On January 12, 2021, the French Anti-Corruption Agency (AFA) published new guidelines for companies in the public and private sectors, laying out recommendations in order to ensure compliance with the French Anti-Corruption Law (Sapin II) sanctioned since the end of 2016.

These new guidelines result from a public consultation process, held between October 16, 2020, and November 16, 2020, involving more than 40 employees, including 13 associations, 7 business federations, 10 law firms and consultants, 5 central administrations, and 2 non-governmental organizations. The guidelines clarify that the recommendations are not mandatory, and other measures for preventing and detecting acts of corruption are permitted if they are in accordance with the law’s content.

The guide begins by stating that an anti-corruption system refers to the set of measures taken and procedures put in place by an organization to learn, prevent, detect, and punish acts of corruption.

The guide discusses the following three inseparable pillars:

THREE INSEPARABLE PILLARS

1. Commitment by top management to carry out missions, skills, or activities of the organization free of breaches of probity, as follows:

• Have exemplary personal behavior, both in word and in action, in matters of integrity and probity.

• Promote the anti-corruption system through personal communication.

• Implement sufficient means to achieve the effectiveness and efficiency of the law’s content.

• Be responsible for the correct management of this system.

• Comply with it to make decisions that are appropriate for you.

• Ensure that adequate and proportionate sanctions are imposed in case of behavior contrary to the code of conduct, or that could be identified as a breach of probity.

2. Knowledge of the risks to integrity to which the entity is exposed by elaborating a risk mapping.

3. The management of these risks, through the implementation of effective measures and procedures aimed at their prevention, the detection of possible behaviors or situations contrary to the code of conduct or which may constitute a violation of probity and the respective sanction. This management also includes monitoring and evaluating the effectiveness of these measures and procedures.

The measures and procedures described in Item 3 above are subdivided into prevention and detection, according to the tables shown below:

PREVENTIVE MEASURES AND PROCEDURES

1. The code of conduct and its procedures / policies.

2. Awareness of and training concerning the risks of a breach of integrity.

3. Third-party integrity assessment.

DETECTION MEASURES AND PROCEDURES

1. An internal alert system.

2. A monitoring system.

3. The management of observed deficiencies.

4. Ensuring the appropriate conservation and filing of measures and procedures and their method of preparation.

The guide provides additional recommendations for companies with more than 500 employees and sales of more than 100 million Euros.

Concerning the first pillar, described above, the following additional recommendations are established:

1. Definition of top management:

• Presidents, general managers, and managers of companies based in France, who employ at least five hundred employees and whose turnover exceeds 100 million Euros.

• Presidents, general managers and managers of companies belonging to an economic group whose head office is headquartered in France, whose staff includes at least five hundred employees and whose turnover exceeds 100 million Euros;

• Presidents and general managers of public establishments of an industrial and commercial nature who employ at least five hundred employees or belong to a public group whose workforce includes at least five hundred workers and whose turnover exceeds 100 million Euros.

• Members of the board of directors of public limited companies governed by article L. 225-57 of the French commercial code and who employ at least five hundred employees, or belong to a group of companies whose workforce includes at least five hundred employees, and where turnover exceeds 100 million Euros.

2. Senior management responsibility:

• Top management is committed to implementing a zero-tolerance policy in relation to any fact of corruption, promoting and disseminating a culture of anti-corruption compliance within the company and with third parties, prioritizing the prevention and detection of corruption.

• The implementation of the anti-corruption mechanism is the responsibility of senior management, which can, when appropriate, delegate operational implementation to an Anti-Corruption Compliance Officer, hereinafter referred to as “Compliance Officer.”

• Senior management defines the risk management strategy and ensures its implementation. It provides the implementation of a related action plan and the appropriate means to execute it, using indicators, monitoring, and audit reports, that the anti-corruption system is organized, efficient, and up to date.

3. Dedicated media:

• Human and financial resources proportional to the company’s risk profile.

• Anti-corruption compliance team.

• Recourse to external advice or service providers, if applicable.

• Implementation of tools such as third-party integrity assessment tools, internal alert, risk management, monitoring, e-learning, etc.

• Management of anti-corruption training.

• Production of reports and periodic evaluations.

4. Compliance officer:

• There must be communication with all employees concerning: (i) the entrusted missions, which take into account the strategic and organizational choices made and the characteristics of the company (namely: economic model, sector of activity, size), (ii) the elements that guarantee the independence of the Compliance Officer through their positioning in the organization chart and the modalities of access to the management body, the board of directors and the specialized commissions that emanate from it, (iii) articulation with other business functions and other areas of responsibility. compliance and (iv) the organization of the company’s anti-corruption compliance function, particularly the material and human resources dedicated to it.

• In an economic group, a central Compliance Officer and local Compliance Officers’ appointment is suggested.

• Senior management must ensure that the Compliance Officer always has: (i) access to any information useful for the performance of their duties, allowing them to have an accurate image of the company’s business, (ii) the independence of their action vis-à-vis other company functions and the ability to influence them and (iii) access to senior management to obtain support.

• Regardless of their position in the organization chart, it is essential that the Compliance Officer maintains a direct and regular link with senior management and has easy access to the Board of Directors.

• Senior management must ensure that the Compliance Officer has the necessary skills, especially: (i) ability to perform a cross-cutting function, (ii) knowledge of regulations related to anti-corruption compliance, as well as business activities and risk management techniques. This knowledge may have been acquired through training or professional experience.

5. An adapted internal and external communication policy:

• The company must communicate widely about its policy for preventing and detecting corruption to all its employees.

• Adapted to its structure and activities, the anti-corruption system’s internal communication necessarily includes the code of conduct, anti-corruption training, and the internal alert system.

• The company must also communicate, in appropriate terms, its anti-corruption policy to external partners to protect its employees from undue requests.

With respect to the second pillar described above, the following recommendations are established:

1. Risk mapping should take the form of regularly updated documentation designed to identify, analyze and prioritize risks, the company’s exposure to external requests for corruption purposes, depending on the sectors of activity and geographic areas in which the company operates.

2. Companies must carry out a mapping covering the risks of corruption and those of influence peddling.

3. Corruption risk mapping requires: (i) extensive knowledge of the company and its activities, including the managerial, operational, and support processes that these activities require for their implementation and (ii) identifying the roles and responsibilities of employees in a company, regardless of their levels.

4. Risk mapping is evolving in view of the need to periodically reassess risks and whenever there is a significant change in the company. To facilitate its updating, the mapping is part of a process of continuous improvement, allowing companies to strengthen control of their risks.

5. The risk mapping must be based on an objective, structured, and documented analysis of the corruption risks to which a company is exposed during its activities. The description highlights the potential impact of risks (severity) and their probability of occurrence (frequency), the elements likely to increase them (aggravating factors), as well as the responses provided under the existing risk control system or to be provided as part of an action plan.

6. The risk mapping must contain the following guidelines: (i) roles and responsibilities of the parties involved in the risk mapping, (ii) identification of the risks inherent in the company’s activities (identification of risk processes and scenarios), (iii) assessment of gross risks to identify the company’s level of vulnerability for each risk scenario identified in the previous step, (iv) assessment of net or residual risks. Therefore, it is a matter of reassessing the scenarios of gross risks, taking into account the existing and implemented risk control means, (v) prioritization of liquid or residual risks and preparation of the action plan, (vi) formalization, updating, and archiving of the risk mapping.

With respect to the third pillar described above, the following recommendations are established, primarily from the perspective of prevention:

1. Code of Conduct:

• It is a document that expresses senior management’s decision to engage the company in preventing and detecting corruption, being applicable and enforceable to all company employees.

• The code of conduct must be prepared jointly by the Compliance Officer and the company’s qualified people and validated by senior management.

• The code of conduct may refer to other documents, such as policies and procedures.

• The code of conduct must be prepared after the risk mapping to identify the risks that should initially be avoided.

• The code of conduct should provide examples of specific cases.

• The code of conduct presents the internal alert system designed to collect reports regarding conduct or situations contrary to its provisions.

• The code of conduct mentions the qualified function to answer questions from the team (for example, The Compliance Officer) and the procedures for contact.

• The code of conduct must be drafted in terms that make it intelligible and accessible to non-specialists. It can be translated into one or more languages.

• Must be updated regularly.

2. Awareness and training:

• A training system should be implemented for managers and employees most exposed to the risks of corruption and influence peddling.

• While the awareness system allows employees to be better informed and receptive to the issues presented to them, the training system must provide the knowledge and skills necessary to exercise an activity or trade. This fits into the company’s overall training plan.

• The training system must: (i) be coordinated with the other measures and procedures of the anti-corruption system and (ii) consider the specific risks to which the various categories of personnel are exposed.

• Awareness actions can be related in particular to (i) the code of conduct, reflecting the commitment of top management, (ii) corruption in general, its challenges, its forms, and the penalties incurred, whether disciplinary or criminal, (iii) the behavior to be adopted in the face of corruption, the role and responsibilities of each one and (iv) the internal alert system.

• This content must be adapted to the nature of the risks, the functions performed, and the geographical areas.

• The objective of the training should be to improve understanding and knowledge about: (i) the associated processes and risks, (ii) breach of probity, (iii) due diligence and measures to be applied to reduce these risks, (iv) the behaviors to be adopted in the face of an improper request and (v) the disciplinary sanctions incurred in case of non-compliant practices.

• Specific themes must be addressed due to the participants’ roles and the specific risks they face. Corruption detection tools can be a topic covered in training for employees in charge of a control function.

• The establishment of indicators makes it possible to monitor the training system, including training outsourcing. These indicators may include the following items: (i) rate of training coverage in relation to the target audience and (ii) number of hours of training on compliance and anti-corruption system.

3. Third-party integrity assessment:

• Definition and objectives of third-party integrity assessment.

• Articulation of the evaluation system with other systems (including the fight against money laundering and the financing of AML-CFT terrorism).

• Definition of third-party assessment methods.

• Methods for assessing the integrity of others.

• Assessment of the risk level of third-parties.

• Conclusions to be drawn from third-party assessments.

• Due diligence measures to be implemented during a business relationship.

• Monitoring the contractual relationship with the third-party.

• Renewal and updating of third-party assessments.

• Monitoring the third-party assessment process.

• Retention of third-party information.

We now move on to the third pillar, where the following recommendations are established from the perspective of detection:

1. The internal alert system:

• Definition and objectives, enabling the implementation of a channel for reports of misconduct.

• Articulation of the different alerting and centralization mechanisms in a single person responsible for their management.

• Organization of the alert system adapted to the company’s risk profile.

• Handling of complaints.

• Adequate communication of the internal alert system, insertion in the code of conduct, and elaborating a procedure that establishes clear rules.

• Filing of complaints and their handling, with the anonymity of the people involved’s personal data.

2. The monitoring system:

• The internal control and audit system’s contribution to the prevention and detection of risks of corruption.

• Companies generally have a general-purpose internal control and audit system, which can consist of up to three levels.

(i) The first level controls aim to ensure that the tasks inherent to an operational or support process have been performed according to the procedures defined by the company and that they can be conducted by operational or support teams or by the manager, (ii ) the second level controls aim to guarantee, according to a predefined frequency or randomly, the proper execution of the first level controls, whereas the second level controls can be performed by the Compliance Officer, the quality function, the risk management function or, if any, the management control function, in particular, and (iii) third-level controls, also called “internal audits,” Aim to ensure that the monitoring system meets the company’s requirements, being effectively implemented and updated.

• Anti-corruption accounting controls must: (i) ultimately ensure compliance with the same principles as general accounting controls (regularity, fairness, and fidelity of accounting and financial transactions), (ii) detecting transactions without cause or justification (for payments, in whole or in part, not caused for financing “cashier two”) and (iii) be based on the same methods as general accounting controls and include, for example, controls by sampling, by consistency review, by comparison with physical reality (inventory) or by confirmation by third parties.

• The formalization of anti-corruption accounting controls must take into account: (i) the object and scope of the controls, (ii) the roles and responsibilities in their implementation, (iii) the methods of sampling the operations to be verified, if applicable, (iv) the definition of a control plan, (v) incident management methods and (vi) the materiality limit or criterion that should lead to a control.

• Risk accounting entries must be examined and validated by an employee other than those who recorded them.

• Cross-validation between employees is satisfactory for entries below a defined threshold. Entries above this limit must require validation by management.

• Sampling methods must be defined based on a preliminary analysis of the various inputs and risks involved to allow representativeness.

• Accounting audits must cover all accounting systems to ensure that anti-corruption accounting controls comply with business requirements, are effectively implemented, and kept up to date.

• The correction of identified deficiencies also feeds an update of the corruption risk map and can be the subject of additional illustrations in the code of conduct and training materials dedicated to preventing corruption in coordination with the Compliance Officer.

• If the irregularity indicates suspicion or facts related to corruption, it must be immediately reported to the Compliance Officer and the company’s top management.

• Anti-corruption accounting controls can be implemented: (i) internally, by accounting and financial services or by specialized services (shared service centers, management control, internal audit, etc.) made available by the company for this purpose and (ii) externally, by third parties that the company contracts for such purpose.

3. Monitoring and evaluation of the anti-corruption system:

• This monitoring must meet four objectives: (i) monitor the implementation of anti-corruption measures and test their effectiveness, (ii) identify and understand deficiencies in the implementation of the procedures, (iii) define recommendations or other appropriate corrective measures, if necessary, to improve the effectiveness of the anti-corruption system and (iv) detect, where appropriate, facts of corruption.

• For each of the controls, there must be the object and scope, the person (s) responsible for the control, the appropriate control method (the type of measurement, supporting documents, analysis, and evaluation), and the sampling based on a risk analysis. Likewise, the plan must provide for the periodicity of the control, the formalization envisaged, the communication of the control results and the corrective measures that can be implemented, and the procedures for keeping documents related to the controls.

• If the irregularity indicates suspicion or reveals facts related to corruption, it must be immediately reported to the Compliance Officer and the company’s top management.

• Anti-corruption accounting controls can be implemented: (i) internally, by accounting and financial services or by specialized services (shared service centers, management control, internal audit, etc.) made available by the company for this purpose and (ii) externally, by third parties that the company hires for such purpose.

• The identification of the types of monitoring to be implemented.

Still, with respect to the third pillar described above, the following recommendations are established from the perspective of remediation:

1. Management and monitoring of observed deficiencies:

2. Disciplinary regime:

• Covers all measures that a company reserves the right to take in the event of behavior considered unlawful.

• In companies with at least 20 employees, internal regulations are mandatory.

• The sanction can then be pronounced against an employee only if provided for in the internal regulations.

3. Principle of sanctions ranking:

• The disciplinary sanction must be proportional to the fault committed.

• When violations of the duties of integrity and probity of personnel are discovered, disciplinary proceedings must be brought against them, with proportional sanctions imposed.

• Senior management is not obliged to wait for a criminal decision to be issued before applying disciplinary sanctions if the facts are proven, and their seriousness justifies it.

4. List of sanctions:

• The company can establish disciplinary sanctions to be applied to its employees, which favors the strengthening of risk control mechanisms for breach of probity.

5. Internal communication:

• The disclosure, in a format that guarantees total anonymity of disciplinary sanctions, can be determined by senior management to recall the zero-tolerance policy regarding any behavior contrary to integrity and probity.

Finally, the guide adds a section entirely dedicated to public entities, with provisions similar to those described here but adapted for the public service.

The Importance and Use of the Limitation of Liability Clause

The Legitimate Interest in the Processing of Personal Data

CGU's Lilac Guide to Combating Moral Harassment, Sexual Harassment, and Discrimination in the Public Service

The Unpredictability and the Excessive Burden Theories

Results from the US Securities & Exchange Commission Inspection in 2023

When Supporting Gender Equality Conflicts with Privacy Rights

Main Requirements of a NDA

The Fight Against Corruption in Singapore

Medication Leaflets of Generic and Patented Medicines

The effectiveness of anti-corruption clauses in international contracts

Contract Termination Clauses: When and How to Use Them

Petrobras at the Top of Brazilian Patent Applicants

The Corruption Perceptions Index in 2023

The Inheritance Loss due to Unworthiness

When to use Master Service or Goods Supply Contracts

Electronic Drug Labels

The Definitive Compliance Guide for Health Care in the USA

When Corruption Turns the Tables!

The Integrity Management Units, and the Brazilian Office of the Comptroller General’s Public Integrity Panel

The French Anti-Corruption Act (Sapin II): A Perspective After 7 Years in Force

Decisions by the Irish Data Protection Authority are undermined

FDA innovates with new guide for drug approval in the United States

Artificial intelligence and its regulation in Brazil

The Fight Against Fake News Around the World

Everything you need to know about ISO

How to Implement ERM

More Sanctions Applied By The Brazilian Data Protection Authority signal that Violations of the LGPD Will Not Be Tolerated

Brazilian Data Protection Authority Applies Second Penalty for Violation of the Data Protection Act

Antitrust and anti-corruption authorities are already monitoring the 2026 World Cup

Retaliation against non-disclosure agreements in the USA

SASE and what it can do for information security!

All there is to know about the Brazilian Freedom of Information ACT

Registration on the tranparency portal in Brazil

Technology as an ally to transparency and fighting corruption

Understanding why VPNs may be replaced by ZTNA

Improvements in compliance programs according to the OECD

Only the US and Switzerland effectively enforce their Anti-Corruption Laws Abroad

Israel Approves Limitation of Supreme Court Powers Amid Huge Controversy

Brazilian data protection authority applies first penalty for violation of data protection act

How data classification (or lack of it) affects your business

Discussing the conflict of interest in the federal government

Dealing with ethical dilemmas in business

Highest award ever paid by the US Securities and Exchange Commission to a whistleblower

The controversy on data sharing between Europe and the USA

The German supply chain due diligence act (LKSG)

United Nations guiding principles on business and human rights

How to investigate corruption

Dark patterns in data protection

U.S Department of justice updates its guide to corporate compliance programs

The EDPB publishes new guidelines for personal data protection

The sponsorship ethics of pharmaceutical and medical companies for physicians speaking in conferences

ANPD REGULATES THE APPLICATION OF ADMINISTRATIVE SANCTIONS

Prison after conviction in appellate courts

Transparency International launches the 2022 Corruption Perceptions Index

ANPD launches new security incident form

Why is the Whistleblower despised in the Fight against Corruption in Brazil?

The ANPD Guide on Cookies and Personal Data Protection

USA passes Anti-Money Laundering Whistleblower Improvement Act

The Impeachment of Authorities in Brazil explained

Brazilian Antitrust Law has been refined

And speaking of Patient Support Programs...

Self-regulation in the health care area: Europe's positive example

How goes Personal Data Protection in the United States of America?

Standardization and cost of stem cell Treatments in Brazil

Cookies remain in use, FLoC dies, Topics is born!

Research institutes and conflicts of interest

ANS' role is now Exemplary once again by Law. Read here what this means

The ANPD Opens a Public Consultation on High-Risk Personal Data Processing

What is Brazil missing in the fight against corruption?

In the US, Directors and Chief Compliance Officers will need to provide Certification

Brazilian Federal Pharmacy Council regulates the practice of Telepharmacy

Italy issues new Transparency Law in Healthcare Sector

The Ultimate Guide to Data Leakage

Regulation of the Overindebtedness Act is Approved

When Integrity Counts

Items required for the Compliance Program are changed by New Regulation

Brazilian Comptroller General Launches a Handbook for Handling Conflicts of Interest

Sexual harassment complaints at CEF and the integrity program

Information Wall – A Growing Need

ANPD is transformed into an Autonomous Agency

ANS' List of Procedures is exhaustive, according to the Brazilian Superior Court of Justice. What does this mean for us?

Overview of Compliance Investigations in 2021

The DPO is recognized in the Brazilian Classification of Occupations

The FDA unifies Premarket Review for Combination Products

Advances in Telemedicine Regulation in Brazil

FCPA 2021 Review - Hot Cases

Does doing the right thing deserve recognition?

How to Protect Your Personal Data

Lessons in Drug Promotion by the FDA

Changes to Legislation of the Brazilian Public Healthcare System (SUS) Bring Hope to Patients

Interfarma updates its Code of Conduct

Innovative Medicines Canada (IMC) updates its Code of Ethical Practices

How are whistleblowers treated in Europe?

PHRMA updates its code on interactions with health professionals

When gifts become a problem

UNODC'S best practices in the fight against corruption

When friendship drags you down

Data protection rules in the states of Virginia and Colorado, USA

Brazilian Data Protection Authority (ANPD) regulates personal data protection for small business

2021 corruption perceptions index

RECENT POSTS

O Legítimo Interesse no Tratamento de Dados Pessoais

April 15, 2024

O Guia Lilás da CGU no Combate ao Assédio Moral, Assédio Sexual e à Discriminação no Serviço Público

April 8, 2024

Os Resultados da Fiscalização da Securities & Exchange Commission nos EUA em 2023

April 1, 2024

The Legitimate Interest in the Processing of Personal Data

April 15, 2024

CGU's Lilac Guide to Combating Moral Harassment, Sexual Harassment, and Discrimination in the Public Service

April 8, 2024

Results from the US Securities & Exchange Commission Inspection in 2023

April 1, 2024

LINKEDIN FEED

Newsletter

Register your email and receive our updates

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

FOLLOW US ON SOCIAL MEDIA

Newsletter

Register your email and receive our updates-

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

FOLLOW US ON SOCIAL MEDIA

Licks Attorneys' Government Affairs & International Relations Blog

Doing Business in Brazil: Political and economic landscape

Licks Attorneys' COMPLIANCE Blog

THE FRENCH ANTICORRUPTION AGENCY (AFA) PUBLISHES NEW GUIDELINES FOR PUBLIC AND PRIVATE ORGANIZATIONS

March 8, 2021
No items found.

On January 12, 2021, the French Anti-Corruption Agency (AFA) published new guidelines for companies in the public and private sectors, laying out recommendations in order to ensure compliance with the French Anti-Corruption Law (Sapin II) sanctioned since the end of 2016.

These new guidelines result from a public consultation process, held between October 16, 2020, and November 16, 2020, involving more than 40 employees, including 13 associations, 7 business federations, 10 law firms and consultants, 5 central administrations, and 2 non-governmental organizations. The guidelines clarify that the recommendations are not mandatory, and other measures for preventing and detecting acts of corruption are permitted if they are in accordance with the law’s content.

The guide begins by stating that an anti-corruption system refers to the set of measures taken and procedures put in place by an organization to learn, prevent, detect, and punish acts of corruption.

The guide discusses the following three inseparable pillars:

THREE INSEPARABLE PILLARS

1. Commitment by top management to carry out missions, skills, or activities of the organization free of breaches of probity, as follows:

• Have exemplary personal behavior, both in word and in action, in matters of integrity and probity.

• Promote the anti-corruption system through personal communication.

• Implement sufficient means to achieve the effectiveness and efficiency of the law’s content.

• Be responsible for the correct management of this system.

• Comply with it to make decisions that are appropriate for you.

• Ensure that adequate and proportionate sanctions are imposed in case of behavior contrary to the code of conduct, or that could be identified as a breach of probity.

2. Knowledge of the risks to integrity to which the entity is exposed by elaborating a risk mapping.

3. The management of these risks, through the implementation of effective measures and procedures aimed at their prevention, the detection of possible behaviors or situations contrary to the code of conduct or which may constitute a violation of probity and the respective sanction. This management also includes monitoring and evaluating the effectiveness of these measures and procedures.

The measures and procedures described in Item 3 above are subdivided into prevention and detection, according to the tables shown below:

PREVENTIVE MEASURES AND PROCEDURES

1. The code of conduct and its procedures / policies.

2. Awareness of and training concerning the risks of a breach of integrity.

3. Third-party integrity assessment.

DETECTION MEASURES AND PROCEDURES

1. An internal alert system.

2. A monitoring system.

3. The management of observed deficiencies.

4. Ensuring the appropriate conservation and filing of measures and procedures and their method of preparation.

The guide provides additional recommendations for companies with more than 500 employees and sales of more than 100 million Euros.

Concerning the first pillar, described above, the following additional recommendations are established:

1. Definition of top management:

• Presidents, general managers, and managers of companies based in France, who employ at least five hundred employees and whose turnover exceeds 100 million Euros.

• Presidents, general managers and managers of companies belonging to an economic group whose head office is headquartered in France, whose staff includes at least five hundred employees and whose turnover exceeds 100 million Euros;

• Presidents and general managers of public establishments of an industrial and commercial nature who employ at least five hundred employees or belong to a public group whose workforce includes at least five hundred workers and whose turnover exceeds 100 million Euros.

• Members of the board of directors of public limited companies governed by article L. 225-57 of the French commercial code and who employ at least five hundred employees, or belong to a group of companies whose workforce includes at least five hundred employees, and where turnover exceeds 100 million Euros.

2. Senior management responsibility:

• Top management is committed to implementing a zero-tolerance policy in relation to any fact of corruption, promoting and disseminating a culture of anti-corruption compliance within the company and with third parties, prioritizing the prevention and detection of corruption.

• The implementation of the anti-corruption mechanism is the responsibility of senior management, which can, when appropriate, delegate operational implementation to an Anti-Corruption Compliance Officer, hereinafter referred to as “Compliance Officer.”

• Senior management defines the risk management strategy and ensures its implementation. It provides the implementation of a related action plan and the appropriate means to execute it, using indicators, monitoring, and audit reports, that the anti-corruption system is organized, efficient, and up to date.

3. Dedicated media:

• Human and financial resources proportional to the company’s risk profile.

• Anti-corruption compliance team.

• Recourse to external advice or service providers, if applicable.

• Implementation of tools such as third-party integrity assessment tools, internal alert, risk management, monitoring, e-learning, etc.

• Management of anti-corruption training.

• Production of reports and periodic evaluations.

4. Compliance officer:

• There must be communication with all employees concerning: (i) the entrusted missions, which take into account the strategic and organizational choices made and the characteristics of the company (namely: economic model, sector of activity, size), (ii) the elements that guarantee the independence of the Compliance Officer through their positioning in the organization chart and the modalities of access to the management body, the board of directors and the specialized commissions that emanate from it, (iii) articulation with other business functions and other areas of responsibility. compliance and (iv) the organization of the company’s anti-corruption compliance function, particularly the material and human resources dedicated to it.

• In an economic group, a central Compliance Officer and local Compliance Officers’ appointment is suggested.

• Senior management must ensure that the Compliance Officer always has: (i) access to any information useful for the performance of their duties, allowing them to have an accurate image of the company’s business, (ii) the independence of their action vis-à-vis other company functions and the ability to influence them and (iii) access to senior management to obtain support.

• Regardless of their position in the organization chart, it is essential that the Compliance Officer maintains a direct and regular link with senior management and has easy access to the Board of Directors.

• Senior management must ensure that the Compliance Officer has the necessary skills, especially: (i) ability to perform a cross-cutting function, (ii) knowledge of regulations related to anti-corruption compliance, as well as business activities and risk management techniques. This knowledge may have been acquired through training or professional experience.

5. An adapted internal and external communication policy:

• The company must communicate widely about its policy for preventing and detecting corruption to all its employees.

• Adapted to its structure and activities, the anti-corruption system’s internal communication necessarily includes the code of conduct, anti-corruption training, and the internal alert system.

• The company must also communicate, in appropriate terms, its anti-corruption policy to external partners to protect its employees from undue requests.

With respect to the second pillar described above, the following recommendations are established:

1. Risk mapping should take the form of regularly updated documentation designed to identify, analyze and prioritize risks, the company’s exposure to external requests for corruption purposes, depending on the sectors of activity and geographic areas in which the company operates.

2. Companies must carry out a mapping covering the risks of corruption and those of influence peddling.

3. Corruption risk mapping requires: (i) extensive knowledge of the company and its activities, including the managerial, operational, and support processes that these activities require for their implementation and (ii) identifying the roles and responsibilities of employees in a company, regardless of their levels.

4. Risk mapping is evolving in view of the need to periodically reassess risks and whenever there is a significant change in the company. To facilitate its updating, the mapping is part of a process of continuous improvement, allowing companies to strengthen control of their risks.

5. The risk mapping must be based on an objective, structured, and documented analysis of the corruption risks to which a company is exposed during its activities. The description highlights the potential impact of risks (severity) and their probability of occurrence (frequency), the elements likely to increase them (aggravating factors), as well as the responses provided under the existing risk control system or to be provided as part of an action plan.

6. The risk mapping must contain the following guidelines: (i) roles and responsibilities of the parties involved in the risk mapping, (ii) identification of the risks inherent in the company’s activities (identification of risk processes and scenarios), (iii) assessment of gross risks to identify the company’s level of vulnerability for each risk scenario identified in the previous step, (iv) assessment of net or residual risks. Therefore, it is a matter of reassessing the scenarios of gross risks, taking into account the existing and implemented risk control means, (v) prioritization of liquid or residual risks and preparation of the action plan, (vi) formalization, updating, and archiving of the risk mapping.

With respect to the third pillar described above, the following recommendations are established, primarily from the perspective of prevention:

1. Code of Conduct:

• It is a document that expresses senior management’s decision to engage the company in preventing and detecting corruption, being applicable and enforceable to all company employees.

• The code of conduct must be prepared jointly by the Compliance Officer and the company’s qualified people and validated by senior management.

• The code of conduct may refer to other documents, such as policies and procedures.

• The code of conduct must be prepared after the risk mapping to identify the risks that should initially be avoided.

• The code of conduct should provide examples of specific cases.

• The code of conduct presents the internal alert system designed to collect reports regarding conduct or situations contrary to its provisions.

• The code of conduct mentions the qualified function to answer questions from the team (for example, The Compliance Officer) and the procedures for contact.

• The code of conduct must be drafted in terms that make it intelligible and accessible to non-specialists. It can be translated into one or more languages.

• Must be updated regularly.

2. Awareness and training:

• A training system should be implemented for managers and employees most exposed to the risks of corruption and influence peddling.

• While the awareness system allows employees to be better informed and receptive to the issues presented to them, the training system must provide the knowledge and skills necessary to exercise an activity or trade. This fits into the company’s overall training plan.

• The training system must: (i) be coordinated with the other measures and procedures of the anti-corruption system and (ii) consider the specific risks to which the various categories of personnel are exposed.

• Awareness actions can be related in particular to (i) the code of conduct, reflecting the commitment of top management, (ii) corruption in general, its challenges, its forms, and the penalties incurred, whether disciplinary or criminal, (iii) the behavior to be adopted in the face of corruption, the role and responsibilities of each one and (iv) the internal alert system.

• This content must be adapted to the nature of the risks, the functions performed, and the geographical areas.

• The objective of the training should be to improve understanding and knowledge about: (i) the associated processes and risks, (ii) breach of probity, (iii) due diligence and measures to be applied to reduce these risks, (iv) the behaviors to be adopted in the face of an improper request and (v) the disciplinary sanctions incurred in case of non-compliant practices.

• Specific themes must be addressed due to the participants’ roles and the specific risks they face. Corruption detection tools can be a topic covered in training for employees in charge of a control function.

• The establishment of indicators makes it possible to monitor the training system, including training outsourcing. These indicators may include the following items: (i) rate of training coverage in relation to the target audience and (ii) number of hours of training on compliance and anti-corruption system.

3. Third-party integrity assessment:

• Definition and objectives of third-party integrity assessment.

• Articulation of the evaluation system with other systems (including the fight against money laundering and the financing of AML-CFT terrorism).

• Definition of third-party assessment methods.

• Methods for assessing the integrity of others.

• Assessment of the risk level of third-parties.

• Conclusions to be drawn from third-party assessments.

• Due diligence measures to be implemented during a business relationship.

• Monitoring the contractual relationship with the third-party.

• Renewal and updating of third-party assessments.

• Monitoring the third-party assessment process.

• Retention of third-party information.

We now move on to the third pillar, where the following recommendations are established from the perspective of detection:

1. The internal alert system:

• Definition and objectives, enabling the implementation of a channel for reports of misconduct.

• Articulation of the different alerting and centralization mechanisms in a single person responsible for their management.

• Organization of the alert system adapted to the company’s risk profile.

• Handling of complaints.

• Adequate communication of the internal alert system, insertion in the code of conduct, and elaborating a procedure that establishes clear rules.

• Filing of complaints and their handling, with the anonymity of the people involved’s personal data.

2. The monitoring system:

• The internal control and audit system’s contribution to the prevention and detection of risks of corruption.

• Companies generally have a general-purpose internal control and audit system, which can consist of up to three levels.

(i) The first level controls aim to ensure that the tasks inherent to an operational or support process have been performed according to the procedures defined by the company and that they can be conducted by operational or support teams or by the manager, (ii ) the second level controls aim to guarantee, according to a predefined frequency or randomly, the proper execution of the first level controls, whereas the second level controls can be performed by the Compliance Officer, the quality function, the risk management function or, if any, the management control function, in particular, and (iii) third-level controls, also called “internal audits,” Aim to ensure that the monitoring system meets the company’s requirements, being effectively implemented and updated.

• Anti-corruption accounting controls must: (i) ultimately ensure compliance with the same principles as general accounting controls (regularity, fairness, and fidelity of accounting and financial transactions), (ii) detecting transactions without cause or justification (for payments, in whole or in part, not caused for financing “cashier two”) and (iii) be based on the same methods as general accounting controls and include, for example, controls by sampling, by consistency review, by comparison with physical reality (inventory) or by confirmation by third parties.

• The formalization of anti-corruption accounting controls must take into account: (i) the object and scope of the controls, (ii) the roles and responsibilities in their implementation, (iii) the methods of sampling the operations to be verified, if applicable, (iv) the definition of a control plan, (v) incident management methods and (vi) the materiality limit or criterion that should lead to a control.

• Risk accounting entries must be examined and validated by an employee other than those who recorded them.

• Cross-validation between employees is satisfactory for entries below a defined threshold. Entries above this limit must require validation by management.

• Sampling methods must be defined based on a preliminary analysis of the various inputs and risks involved to allow representativeness.

• Accounting audits must cover all accounting systems to ensure that anti-corruption accounting controls comply with business requirements, are effectively implemented, and kept up to date.

• The correction of identified deficiencies also feeds an update of the corruption risk map and can be the subject of additional illustrations in the code of conduct and training materials dedicated to preventing corruption in coordination with the Compliance Officer.

• If the irregularity indicates suspicion or facts related to corruption, it must be immediately reported to the Compliance Officer and the company’s top management.

• Anti-corruption accounting controls can be implemented: (i) internally, by accounting and financial services or by specialized services (shared service centers, management control, internal audit, etc.) made available by the company for this purpose and (ii) externally, by third parties that the company contracts for such purpose.

3. Monitoring and evaluation of the anti-corruption system:

• This monitoring must meet four objectives: (i) monitor the implementation of anti-corruption measures and test their effectiveness, (ii) identify and understand deficiencies in the implementation of the procedures, (iii) define recommendations or other appropriate corrective measures, if necessary, to improve the effectiveness of the anti-corruption system and (iv) detect, where appropriate, facts of corruption.

• For each of the controls, there must be the object and scope, the person (s) responsible for the control, the appropriate control method (the type of measurement, supporting documents, analysis, and evaluation), and the sampling based on a risk analysis. Likewise, the plan must provide for the periodicity of the control, the formalization envisaged, the communication of the control results and the corrective measures that can be implemented, and the procedures for keeping documents related to the controls.

• If the irregularity indicates suspicion or reveals facts related to corruption, it must be immediately reported to the Compliance Officer and the company’s top management.

• Anti-corruption accounting controls can be implemented: (i) internally, by accounting and financial services or by specialized services (shared service centers, management control, internal audit, etc.) made available by the company for this purpose and (ii) externally, by third parties that the company hires for such purpose.

• The identification of the types of monitoring to be implemented.

Still, with respect to the third pillar described above, the following recommendations are established from the perspective of remediation:

1. Management and monitoring of observed deficiencies:

2. Disciplinary regime:

• Covers all measures that a company reserves the right to take in the event of behavior considered unlawful.

• In companies with at least 20 employees, internal regulations are mandatory.

• The sanction can then be pronounced against an employee only if provided for in the internal regulations.

3. Principle of sanctions ranking:

• The disciplinary sanction must be proportional to the fault committed.

• When violations of the duties of integrity and probity of personnel are discovered, disciplinary proceedings must be brought against them, with proportional sanctions imposed.

• Senior management is not obliged to wait for a criminal decision to be issued before applying disciplinary sanctions if the facts are proven, and their seriousness justifies it.

4. List of sanctions:

• The company can establish disciplinary sanctions to be applied to its employees, which favors the strengthening of risk control mechanisms for breach of probity.

5. Internal communication:

• The disclosure, in a format that guarantees total anonymity of disciplinary sanctions, can be determined by senior management to recall the zero-tolerance policy regarding any behavior contrary to integrity and probity.

Finally, the guide adds a section entirely dedicated to public entities, with provisions similar to those described here but adapted for the public service.

Related
No items found.

ABOUT US

Licks’ Blog provides regular and insightful updates on Brazil’s political and economic landscape. The posts are authored by our Government Affairs & International Relations group, which is composed of experienced professionals from different backgrounds with multiple policy perspectives.

Licks Attorneys is a top tier Brazilian law firm, speciallized in Intellectual Property and recognized for its success handling large and strategic projects in the country.

ABOUT US

Licks Attorneys Compliance’s Blog provides regular and insightful updates about Ethic and Compliance. The posts are authored by Alexandre Dalmasso, our partner. Licks Attorneys is a top tier Brazilian law firm, specialized in Intellectual Property and recognized for its success handling large and strategic projects in the country.

QUEM SOMOS

O blog Licks Attorneys Compliance fornece atualizações regulares e esclarecedoras sobre Ética e Compliance. As postagens são de autoria de Alexandre Dalmasso, sócio do escritório. O Licks Attorneys é um escritório de advocacia brasileiro renomado, especializado em Propriedade Intelectual e reconhecido por seu sucesso em lidar com grandes e estratégicos cases no país.

Follow Us on Social Media

Offices

Rio de Janeiro

Av. Oscar Niemeyer, 2000
9th floor, Aqwa Corporate
Rio de Janeiro RJ - Brazil
20220-297
Phone: +55 21 3550 3700
Fax: +55 21 3956 9444
info@lickslegal.com

Sao Paulo

Rua George Ohm, 230
Tower A CJ 112/113
Sao Paulo SP - Brazil
04576-020
Phone: +55 11 3033 3700
info@lickslegal.com

Brasilia

SH/Sul Zone 06, Unit A,
Complexo Brasil 21, Block E,
Rooms 515 and 516 – Asa Sul
Brasilia DF - Brazil
70316-902
Phone: + 55 61 3772 3700
info@lickslegal.com

Curitiba

Rua da Glória, 251, #601
Centro Cívico
Curitiba - Brazil
80030-060
Phone: + 55 41 2391 0680
info@lickslegal.com

Tokyo

Chiyoda Kaikan Bldg, 6F, 1-6-17
Kudan Minami Chiyoda-Ku
Tokyo - Japan
102-0074
Phone:+81 3 6256 8972
Fax:+81 (03) 6740 1453
japan@lickslegal.com

© Copyright 2024 Licks Attorneys

Selo COVID-19 FIRJAN e Albert Einstein
Covid-19 Safe Certified Office