The French “Sapin 2” law of 9 December 2016 has upended the anti-corruption practices of many French companies by requiring them to carry out an assessment of third parties to analyze their level of exposure to the risk of corruption before entering into a business relationship or when certain events arise. This assessment shall be based on a risk map drawn up by the company. This risk mapping shall consist of a regularly updated document designed to identify, analyze and prioritize the risks of exposure of the company to external solicitation for the purpose of corruption, depending, in particular, on the business units and geographical areas in which the company operates.[1]
To help companies implement their anti-corruption measures, the French Anti-Corruption Agency (“AFA”) issues numerous recommendations and carries out analyses of the behavior adopted on the market. In 2022, one of these surveys showed that 59% of the respondent companies considered that the evaluation of third parties was the most difficult measure in the anti-corruption system to implement.[2] In order to take these results into account, the AFA circulated a questionnaire in 2023 aimed at collecting best practices from companies in setting up a third-party assessment system, as well as any difficulties encountered to provide further details on its recommendations in a new publication.[3]
The responses show that 31.3% of respondents do not list all third parties involved in their activities, mainly due to difficulties in identifying them, their diversity and lack of resources in compliance teams.[4]
Regarding the data collected for the individual assessment of third parties, the questionnaire highlights the fact that companies collect much less information that could provide a basis for potential warnings, such as the history of incidents, professional references or the behavior of third parties. The quality of and access to information, the volume of information to be processed and the cost of due diligence are among the obstacles that prevent companies from carrying out their due diligence.[5]
The main factor considered to renew the assessment of a third party already onboarded is the duration of the contract, and particularly its renewal date. The level of risk as indicated by the initial assessment and changes in the situation of the third party come second and third respectively.[6]
In conclusion, although some pitfalls have been identified, the third-party valuation method proposed by the AFA in its 2020 recommendations appears to be familiar to companies and is not being challenged.
The survey also reveals several best practices to be implemented. For example, the establishment of two different procedures to handle stock (existing third parties) and flow (new third parties), the deletion of third parties after a period of inactivity, and the declaration of new or inactive third parties to the compliance department.[7]
Based on these results, the AFA has stated that many of the issues raised by companies will be the subject of more detailed recommendations in one of its new publications.[8]