How France’s Sapin II Law Turned Shock Into A Universal Blueprint For Anti-Fraud Measures

When the French Anti-Corruption Law, Sapin II, was enacted in 2016, it was largely seen as a constraint. The new law had eight pillars. Most crucially, it introduced personal liability for executives, backed by mandatory audits by AFA, the French government’s anti-corruption agency.

Ten years on, and its prescriptiveness has become an accelerator for compliance culture. For payments platform Edenred in France, taking compliance seriously has resulted in winning a finance award from the Future of Finance. It worked because it forced organisations to articulate what they actually had in place; and most discovered they had very little. In the UK, the Economic Crime and Corporate Transparency Act (ECCTA) has also introduced a ‘failure to prevent’ measure, which holds executives personally responsible. It is less prescriptive than Sapin II, but still shifts some responsibility to the senior team. Corporates are already working on updating their processes and proving their compliance.

Sapin II’s 8-pillar architecture has become a universal blueprint

The eight pillars of Sapin II map almost perfectly on to ISO 37001 and the UK Bribery Act “adequate procedures” standard. Indeed, the French regulator effectively codified what best practice already looked like.

The pillars are:

  1. Code of conduct. Defines and prohibits behaviours constituting corruption or influence peddling.
  2. Internal whistleblowing system. Provides a secure channel for employees to report suspected violations.
  3. Risk mapping. Identifies, analyses, and prioritises the company's exposure to corruption risks.
  4. Third-party due diligence. Assesses the integrity of clients, suppliers, and intermediaries relative to corruption risks.
  5. Accounting controls. Ensures books and records cannot be used to conceal corrupt acts.
  6. Training. Educates managers and staff most exposed to corruption risks on the code of conduct and procedures.
  7. Disciplinary regime. Sets out sanctions applicable to employees who violate the code of conduct.
  8. Internal monitoring and evaluation. Periodically audits and assesses the effectiveness of the compliance programme itself.

The key insight of Sapin II’s implementation is that prescription forces diagnosis. Companies have had to go through the process of testing, documenting and providing evidence for each component. This diagnostic quality is the common thread across strong frameworks in any jurisdiction. It is a key element that ECCTA, and other ‘failure to prevent’ laws, are seeking to implement.

The compliance-culture paradox

Sapin II challenges a common assumption: that rules produce compliance, and culture produces ethics, but never shall they meet. At Sixthfin, we have worked with organisations on mandatory risk mapping exercises, and found that putting legal, finance, operations and sales in the same room often leads to a genuine conversation about how the business actually works.

As a result, we’ve identified three game-changers for behavioural change that go alongside compliance. These are: naming the risk, a training mandate and tone from the top.

  • Naming the risk. This involves creating a risk map, which forces business units to own their corruption exposure, not delegate it to legal.
  • The training mandate. Companies develop targeted, role-based training (not tick-box e-learning), which creates genuine awareness moments.
  • Tone from the top, backed by consequence. The conversation shifts at board level when the CEO and compliance officer are made personally liable.

Getting new anti-fraud measures like ECCTA and Sapin II right comes from the top. The difference between paper compliance and real change is always whether the CEO treated it as a risk question or a legal question. At Sixthfin, with our Sapin II experience, we’ve seen a repeated difference. There are companies that copy-pasted a code of conduct and ticked the training box, versus those that used the French anti-corruption agency’s audit as a board-level moment to make real, effective change. Although rules create the compliance, culture is what happens when leadership decides compliance matters.

So having achieved board involvement, how can companies embed compliance?

Most compliance programmes fail not because policies are bad, but because the second and third lines of defence are disconnected from how the first line actually operates. In Sapin II deployments, the companies that passed the French anti-corruption agency’s audits with minimal friction had one thing in common: they embedded compliance in the process, rather than bolting it on top of it. We found this happened where an operational shift occurred. It included:

  • Procurement & third parties: due diligence on intermediaries stopped being a legal sign-off and became a structured workflow with documented outputs, escalation paths and refresh cycles.
  • Finance & accounting: the accounting controls pillar (often the most underestimated) forced a direct link between the compliance framework and the financial control environment.
  • HR & disciplinary: compliance metrics enter performance reviews. The whistleblowing mechanism becomes a live system with response SLAs, not a PDF on the intranet.

This works even in small compliance teams working in large, complex organisations. In our experience, the answer isn’t more headcount; it is process design and tooling that make the right behaviour the path of least resistance for the business.

This approach played out well for Edenred, one of Sixthfin’s clients in France. The leading services and payments platform is one of the CAC 40, the top 40 companies in France. It operates globally in 45 countries, managing a volume of business of nearly 50€ billion and generating an annual revenue of 3€ billion. Their approach was so successful, they won an award!

The Future of Finance event awarded Edenred a special prize for their implementation of anti-bribery accounting controls. The CFO and Internal Controls Director received it jointly. The jury did not give the award for the compliance programme; they gave it because it solved a genuine financial governance problem at scale. Truly a shift from compliance to cultural change!

From the jury’s perspective, Edenred created central oversight without destroying local agility. They had standardised financial processes across 100 entities in 23 countries, with 1 control standard.

This produced outputs that finance leaders really care about: auditability, consistency, control efficiency. Edenred demonstrated that digital infrastructure is the only realistic answer to the compliance scalability problem.

UK companies are applying compliance rules and cultural change

Sapin II preceded ECCTA, and at Sixthfin, we learnt from it. In the UK, companies are already managing the ECCTA process and encouraging a culture shift within their organisations. This enmeshing of culture and compliance is what turns compliance into an engine for growth. Done well, it brings together people from across the business to turn rules into change. This distributed ownership is what “embedding compliance beyond the policy” looks like in practice. Any organisation can make this happen by framing the compliance programme in the language its CFO uses: make it useful for them and you gain allies across the organisation.

Link to website: https://sixthfin.com/en/

The post How France’s Sapin II Law Turned Shock Into A Universal Blueprint For Anti-Fraud Measures appeared first on The Fintech Times.
