Compliance professionals in France have new guidance on how to evaluate and monitor third parties for compliance with Sapin II, the country’s overhauled anti-corruption law. Now comes the challenge of hammering those guidance principles into a sturdy structure that works for your own organization.

For compliance officers at large global organizations, already subject to U.S. or British anti-corruption standards, these procedures will seem quite familiar. All the big components of any third-party compliance oversight program are there: risk assessment, training, monitoring, periodic reviews, documentation.

The guidance runs for more than 3,000 words. It elaborates on points such as where to find criteria to rate a country’s corruption risk (the Corruption Perception Index from Transparency International); how long to keep documentation on third parties (for five years after the relationship ends); and who qualifies as a beneficial owner whose identity you must determine (anyone with at least 25 percent control of the company, per the latest amendments to the EU Anti-Money Laundering Directive).

For compliance officers in France, perhaps trying to implement strong third-party oversight for the first time, the main point is to understand how this guidance wants your third-party oversight program to operate.

Fundamentally, the goal is to “depersonalize” the organization’s hiring of third parties, so that the processes of due diligence and monitoring always work effectively. That is, in an ideal compliance program, vigorous risk assessment, due diligence, and monitoring will always happen, regardless of the people involved: the third parties performing the service, the business executives who want to hire them, and even the compliance officer overseeing the risk.

For example, one section of the guidance says: “The organization shall ensure, in particular for providers or intermediaries, that use of a third party is justified and that its provision meets a proven need. It also identifies the reasons which lead to retaining this third party and not a competitor.”

The point of that clause is to force the company to articulate a legitimate, defensible business reason for choosing its third parties. If past practice had been to use a third party solely for his or her favored political status (brother-in-law of the defense minister; daughter of the prime minister; cousin in the royal family), that illegitimate purpose would now be exposed.

Likewise, another clause says: “Specific provisions [in the third party’s contract] describe the services by the organization or by the third party, as well as the remuneration and the terms of payment.” The point there is to put a formal structure and logic to what the third party does, and how money reaches the third party to perform its services.

Remember, “sales commissions” have been a wonderful way to hide bribes that intermediaries pay on a company’s behalf. If a company must articulate why it selected one third party over its competitors, what that third party is hired to do, and how much money the third party receives for those services, then taken together those steps put pressure on a company’s ability to hire some minister’s nephew with a vague employment contract, using his commissions as a slush fund for bribes. That is the whole point of Sapin II and these procedures.

Know What to Do, and What Not to Do

Fulfilling all these procedures will most likely require a blend of internal and external help. For example, the due diligence requirements are tedious and painstaking to do manually; companies will want to consider whether outside vendors (Steele or others) can deliver a more automated approach to the task.

On the other hand, the procedures also push companies to use a Three Lines of Defense approach to selecting and monitoring third parties: the operating units that need third-party help; compliance functions that monitor the corruption risk; and internal audit teams that assure controls work as intended.

The Three Lines of Defense approach is usually a wise strategy, but remember: it presumes that all three lines agree on the objective, and know what they are supposed to do. So, an internal training need exists, too – one where compliance officers should play a strong role.
