France's anti-corruption enforcement regime, the Agence française anticorruption (AFA), took a significant step forward earlier this month when it imposed its first direct financial penalty under Sapin II (France’s principal anti-corruption statute, which requires covered companies to implement specified anti-corruption programmatic elements as overseen by the AFA). The Agency fined both a company and its chairman without first issuing a compliance injunction, signaling a willingness to move directly to monetary sanctions.

Together with the AFA’s latest findings on whistleblowing trends and compliance failures, the decision serves as a warning that gaps in anti-corruption programs may carry immediate financial consequences.

We summarize below the key takeaways and what it means for multinational entities with a French footprint.

Background

Following an audit of a French holding company and its group conducted between June 2024 and July 2025, the AFA found breaches of seven of the eight mandatory compliance obligations under Article 17 of Sapin II. The deficiencies included:

  • No corruption risk mapping across the group
  • No enforceable code of conduct or associated disciplinary regime at a key subsidiary
  • No third-party due diligence procedures (customers, suppliers, intermediaries)
  • Inadequate anti-corruption accounting controls
  • No training program for exposed personnel
  • No internal control and evaluation system

Rather than first directing the company to remediate (as the AFA has done in the past), the AFA referred the matter directly to the Enforcement Committee for sanctions. The Committee imposed a €350,000 penalty on the company and a €60,000 personal fine on its chairman, against statutory caps of €1 million and €200,000, respectively.

Key Takeaways

  1. The AFA can skip the warning shot. The Enforcement Committee confirmed that the AFA has full discretion to bypass the compliance-injunction route and proceed directly to financial penalties. There is no legal requirement for a “second chance.” Companies should assume that a first inspection may result in an immediate fine.
  2. Compliance is judged as of the audit close, not the hearing date. The company argued that it had substantially remediated its program by December 2025, and that the Committee should assess compliance as of its decision date. The Committee rejected this. Where the AFA refers a matter directly for sanctions, the relevant date for determining whether a breach occurred is the date of the final control report (here, July 2025). Remediation after that date goes only to mitigation of the penalty amount. The takeaway: by the time you receive your audit report, it is already too late to avoid a finding of breach.
  3. Personal liability risks. Senior leaders with operational control should treat Sapin II compliance as a personal obligation, not merely a corporate one. The Committee separately sanctioned the company’s chairman and legal representative, finding that as founder, main shareholder, and chairman of the supervisory board, he had the authority and resources to ensure compliance.
  4. Parent company compliance piggybacking is insufficient. Although this decision concerned a French holding company, the AFA’s broader 2025 activity report reinforces the point: in a follow-up review of nine French subsidiaries of foreign automotive groups, the AFA found that anti-corruption programs were routinely copied from parent companies without meaningful local adaptation and implementation. Problems included no subsidiary-specific risk mapping, codes of conduct lifted from the group (7 of 9 cases), centralized whistleblowing channels, and internal audits that rarely addressed Sapin II’s specific requirements. Overall, multinational companies should consider tailoring their compliance programs to reflect the specific risk profile of individual group entities, ensuring that programmatic elements – such as risk assessments, internal controls, training, and reporting channels – are calibrated to each entity’s particular risk exposure rather than applied through a single, umbrella approach.
  5. Whistleblowing is becoming a central detection channel. Under DOJ’s Corporate Whistleblower Awards Pilot Program and the March 2026 Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy, individuals who report corporate misconduct directly to DOJ may be eligible for a share of forfeited proceeds with companies having only a 120-day window from receiving an internal complaint to self-report before potentially losing eligibility for a declination. This effectively signals that any delay in escalating and investigating internal reports may carry direct legal consequences. A comparable dynamic exists in France, where Sapin II’s mandatory internal alert system and whistleblower protections (further reinforced by the EU’s Whistleblower Directive from March 2022) mean that reports funneled through required channels can just as readily surface to the AFA, making prompt internal triage equally critical for companies operating under the Sapin II framework.

Next Steps

Companies subject to Article 17 (including French subsidiaries of international groups with an excess of 500 employees and more than €100 million in revenue) should consider the following steps:

  1. Conduct a gap assessment. Benchmark your current program against all obligations under Article 17. Do not wait for an AFA audit to identify deficiencies.
  2. Localize, don’t globalize. For multinational group companies, ensure that each group entity’s compliance program is designed around programmatic elements tailored to that entity’s specific risk profile and applicable regulatory framework – such as jurisdiction-specific risk mapping, a locally adapted code of conduct, dedicated compliance personnel, and a local whistleblowing channel, rather than relying on a mere translation of the parent’s global program.
  3. Document everything, from day one. Given the Committee’s ruling that compliance is measured at the audit-report date, companies under audit should consider engaging external counsel in connection with rigorously documenting remedial steps, timing, and effectiveness.
  4. Brief senior leadership. Ensure – via training and communication – that board members, chairpersons, and legal representatives understand their potential personal exposure under Sapin II.
  5. Monitor the AFA’s evolving guidance. The AFA is expected to publish updated guidance on third-party due diligence following its 2025 public consultation. Treat these publications as benchmarks for compliance.

Womble Bond Dickinson (US) LLP’s White Collar Defense Lawyers | Womble Bond Dickinson navigates domestic and international clients in all manner of white collar, regulatory, corporate, and congressional investigations. Our team includes a distinguished roster of veteran defense attorneys, former federal prosecutors and U.S. Attorneys who served at the highest levels of the Department of Justice and at leading United States Attorneys’ Offices. Our team includes Chambers Ranked (Band 1) lawyers and alumni of the U.S. Department of Justice, the SEC’s Enforcement Division, the U.S. Senate, House of Representatives, and in-house compliance specialists of publicly traded companies.