French Anticorruption Authorities Issue New Guidance Regarding Internal Investigations

Key Takeaways

  • Companies in France should have detailed procedures covering investigations of wrongdoing and should also clearly lay out employees’ rights and obligations during such investigations.
  • Investigative tools must be proportionate to the wrongdoing and should respect the privacy rights of employees.
  • Companies in France should be engaged in an iterative process of updating policies regarding investigating misconduct.

On March 14, 2023, the French Anticorruption Agency (AFA) and the National Financial Prosecutor’s Office (PNF) jointly issued an updated guide (“Guide”) relating to internal anti-corruption investigations.  The Guide attempts to balance diligent anticorruption efforts with the rights of employees.   The updated Guide provides recommendations for all companies, regardless of size, to implement systems for internal investigations that respect individual rights. Large companies are also subject to additional obligations in this area.  First, as we have written about previously, pursuant to Article 17 of the Sapin Act, companies with at least 500 employees and turnover exceeding 100 million euros are required to implement programs to prevent and detect corruption, including a whistleblowing system.  Second, the Waserman Act in March 2022 expanded the mandate for whistleblowing programs to reach all companies with at least 50 employees.

The Guide follows a draft version of guidelines that the AFA and PNF submitted for public comment and review. They received nearly 350 comments from professional federations and associations, companies, and law and consultancy firms. What does the guide recommend?

Prior to an Investigation. The Guide details several internal policies that companies should consider adopting as “good practice” before an investigation begins. The Guide recommends that companies create a written set of policies, including a description of the step-by-step process of the investigation, the events that may trigger an investigation, the composition of an investigation team, and the tools available to the company to conduct the investigation. It also recommends companies develop a “charter” for the benefit of employees to explain their rights and obligations during investigations (for example, when serving as a witness in such an investigation).

Conducting an Investigation. Once the company uncovers facts that could lead to an investigation, the Guide makes several recommendations for how to proceed. As an initial matter, the Guide stresses that the tools available to companies to investigate misconduct are more limited than those possessed by prosecuting authorities. Additionally, the Guide explicitly recognizes that an employee is required to participate in an investigation under their duty of loyalty to their employer.  An employer, for its part, must respect procedural protections for employees and must conduct an investigation that is proportionate to its legitimate investigative objective.

Whether the company will conduct an internal investigation is determined by the company’s management body or “qualified persons” designated by it. The Guide recognizes that the company can create a “special or ad hoc committee” to decide how to respond to an internal alert, especially when those alerts are particularly sensitive. This committee may be comprised of key company personnel within various functions such as legal, internal audit, compliance, human resources, and/or finance. Any individual on such a committee must be independent (i.e., not involved in the alleged misconduct) and free from conflicts to ensure the objectivity of the investigation.

Employers should take note that while the General Data Protection Regulation (GDPR) does not require an employee’s consent to collect and process their data for a necessary investigation, the GDPR does mandate that an employer must inform the employee of such collection and processing as soon as possible and not less than a month after obtaining such data (unless such a revelation would compromise evidence).

The Guide makes clear that a company must inform its employees of the tools it may use for an investigation. A company may not use a tool to monitor employee activity about which the employee was not informed (usually through their employment contract). The Guide details several monitoring tools that would and would not be permitted—i.e., the files saved by an employee on a computer’s hard drive are presumed to be professional and open to monitoring while there is a presumption against the monitoring of “personal” files on a work computer (though labeling such documents as personal is not determinative).

The Investigation Report. The Guide strongly recommends that a company draft an internal investigation report. It suggests the report include all the investigative acts carried out, all the facts established, and a description of the facts that gave rise to the investigation. Should the internal investigation take place at the same time as a preliminary criminal investigation or judicial investigation, the company may make the report available to those respective authorities. Companies need not provide an internal investigation report to an employee subject to the investigation.

Follow-Up to the Investigation. If the internal investigation confirms facts likely to qualify as a criminal offense or breaches of the anti-corruption code of conduct, the Guide imposes a duty for the investigators to report such facts to the decision-making body within the company (which may involve legal personnel), which will determine next steps. Generally, employee misconduct should result in disciplinary sanctions according to legally sufficient processes (and may include criminal sanctions if the facts dictate a referral for prosecution). Internally, the Guide suggests several courses of action for companies upon the conclusion of its internal investigation.

  • If the internal investigation was inconclusive but the company still suspects a risk of corruption, the company should consider conducting an external audit—for example, an investigation by outside counsel.
  • The company should continuously review and improve the organization’s anti-corruption framework to prevent recurrence.
  • If the Code of Conduct does not cover the type of misconduct uncovered by the investigation, the company should update the Code to include that misconduct and redistribute the amended version to employees. The company should consider updating training materials to include the scenario highlighted by the investigation.
  • The company should evaluate the need to update or strengthen the procedure for assessing the risk of corruption posed by interactions with third parties.
  • The company should assess the need to update or strengthen accounting and internal control procedures if those in place failed to detect the transactions that allowed the underlying misconduct to occur and not be detected.

In the end, the guidance recommends that companies make plans for how to open and conduct investigations regarding misconduct—remaining vigilant in the face of possible misconduct by consistently reviewing and amending its policies while keeping employees apprised of such policies.

Leave a Reply

Your email address will not be published. Required fields are marked *