Deciphering the third-party Due Diligence measure 




The Sapin 2 law was passed in France in 2016, and compliance has been required since 2017. The law aims to bring French legislation up to the highest European and international standards in the fight against corruption, fraud and trading in influence.

The law applies to private companies and “public industrial and commercial undertakings” that meet 2 cumulative criteria:

– Staff of 500 people or more

– Turnover of 100 million euros or more.

Any entity with headquarters based in France belonging to a group of this size is also subject to this regulation.

Companies must implement 8 internal measures to prevent and detect risks, including: mapping corruption risks, training staff and raising their awareness, implementing an internal alert system, and rolling out procedures for the evaluation of third parties.

The French Anti-corruption Agency is the supervising body: following an audit, it can refer the case to the Sanctions Commission. Administrative sanctions can be as high as 1 million euros for companies.

This law is particular in that the company director can be held personally responsible for his/her company’s failure to comply. He/she can receive a fine of up to 200,000 euros.

All business contacts must be evaluated: the company’s clients, suppliers and sub-contractors. The company itself must also be evaluated, as well as its directors, shareholders and ultimate beneficiaries.

The difficulty with this approach lies in:

  1. The sequenced identification of targets to be evaluated and, in the case of non-French companies in particular, identification of shareholders and ultimate beneficiaries can be very complicated.
  2. The validation of their integrity: to do this, it is necessary to examine hundreds of international sanction lists, identify risks of collusion between public and private actors, and monitor the press to identify weak signals.

This is all the more complicated in that it involves several departments in a company: sales, finance, credit management, purchasing and legal, and in large groups sometimes the Risk & Compliance department.

First and foremost, there must be real determination by Senior Management to become engaged in the procedure. Subsequently, we recommend:

– Reducing the scope of the investigation in year 1: after mapping the risks, it is preferable to segment the portfolio according to countries with significant risk levels (where corruption is reputed to be higher), the most exposed sectors of activity, and methods of payment.

– Appointing a Risk & Compliance manager whose role will be to ensure the collection, analysis, updating and archiving of information.

– Acquiring an online tool for consulting international sanction lists, court decisions, PEP, public companies…

– Conducting an in-depth investigation (due diligence report) of the legal entity and/or the directors and ultimate beneficiaries featuring on these lists (“red flags”), in order to evaluate the actual risks for your business relationships.

Great care must be taken, as this last stage involves regulated activity and I recommend calling on the services of a specialised company possessing a private investigation agency licence.
