Should companies design and implement a compliance program (Part 1)?
On February 10, 2012, the Autorité de la concurrence (French Competition Authority, hereinafter the “FCA”) published its Framework-Document on antitrust compliance programs[1].
As underlined by the FCA, “compliance programs are instruments that enable economic players to increase their chances to avoid breaches of all kinds of rules that are applicable to their activity, including competition rules”.
Compliance programs are based both on measures aimed at creating within the company a culture oriented towards compliance with competition and antitrust rules (training and awareness of corporate officers and employees) and on internal control, audit and whistle-blowing systems designed to minimize the risk of infringements (prevention, detection and punishment).
Following a public consultation process initiated in October 2011, the draft Framework-Document has been substantially amended to take into account the collected comments and observations. The final version of this document provides companies with valuable information on how to implement an efficient and comprehensive compliance program (the subject of this Part 1 article), and on how the FCA may take such programs into consideration when prosecuting antitrust infringements (to be addressed next month in the Part 2 article).
The content of the compliance program
The Framework-Document, which recommends structuring a compliance program around 5 so-called key points, the only elements likely to guarantee the ex ante efficiency of the program (a), does not completely meet the needs and expectations of companies (b).
a) The five “commandments” of the FCA
When we published an article on compliance programs in the past[2], the French Competition Council (which later became the FCA) encouraged the adoption of this type of program, without, however, issuing any recommendations on how to build a credible and efficient program.
In its Framework-Document, and even though it recalls – following the example of the European Commission – that there is no such thing as a “one size fits all” program, the FCA recommends structuring a compliance program around 5 “commandments” referred to as “essential”:
- The existence of a clear, firm and public position adopted by the company’s management bodies and, more broadly, by all managers and corporate officers for compliance with competition and antitrust rules: for the program to be as efficient as possible, the management must, needless to say, clearly and publicly express its commitment to abide by competition and antitrust rules.
- The commitment to appoint one or more persons empowered, within the company or organization, to develop and monitor the compliance program: the implementation of an antitrust compliance program must necessarily be accompanied by the appointment of a referring compliance officer within the company. Such compliance officer, appointed by the company’s management bodies, must “devote” himself/herself to the supervision of the implementation of the program and be provided with sufficient human and financial resources to fulfill his/her mission. Endowed with a real capacity to act, such compliance officer must notably have the ability to directly access the company’s supervisory bodies (for instance in case of discovery of an infringement).
- The commitment to put in place effective information, training and awareness measures: the introduction and development of a true “competition- and antitrust-oriented culture” necessarily implies the adoption of information, training and awareness measures in the workplace. With foresight, the FCA suggests providing information on the existence of the compliance program to business partners and shareholders.
- The commitment to set up effective control, audit and whistle-blowing systems: the control of conformity with the compliance program must take place at the level of each individual. The FCA suggests taking collective actions (by adding specific provisions to the company’s internal rules and regulations), individual actions (by inserting specific clauses in employment agreements) but also issuing individual certificates of compliance for staff members. It also recommends carrying out legal and commercial due diligence investigations when the company undergoes significant changes (acquisition of a new company or branch of activity) likely to create new risks under French competition and antitrust laws. In addition to these control and audit systems, the FCA also advocates the implementation of whistle-blowing policies and procedures, enabling employees to report proven or possible infringements of antitrust rules of which they are aware.
- The commitment to set up an effective oversight system: the effective follow-up of the compliance program must be ensured through the setting up of a system of penalties, in particular disciplinary sanctions, for infringements of the company’s policies with respect to compliance with antitrust rules.
In the end, even though the FCA acknowledges that the fact that a company is a small- or medium-sized enterprise (“SME”) may allow several features of its compliance program to be “significantly” adapted, the fact remains that these five key components are necessary in all cases to ensure the effectiveness of the compliance program.
The framework thus defined by the FCA, which forms the common base of all compliance programs, is relatively rigid.
b) Drawbacks and deficiencies of the Framework-Document
1) The content of the Framework-Document is too burdensome
While the FCA, by setting forth in its Framework-Document a complete description of what a good compliance program is, should be given credit for providing companies with a tool that will help them design their own program, the Framework-Document institutes a burdensome (because inalterable) framework, even though it may, on a case-by-case basis, be envisaged to adapt the recommendations according to the specificities of the situation of each company (# 20). It is therefore up to each company to determine which compliance program it intends to implement to meet the above-mentioned five requirements.
Yet, the requirements on the content of the compliance program, as laid down in the Framework-Document, are such that it is difficult for a company to figure out to what extent it may adapt the content of the program to its own situation without impairing its effectiveness.
How can an SME, with its own resources, meet the expectations of the FCA with respect to the appointment of a person “devoted” to the implementation of the compliance program, the grant of “sufficient” human and financial resources, the creation of a whistle-blowing system, or even the training of all staff members?
2) The content of the Framework-Document interferes with French labor law
The compliance program, as described in the Framework-Document, will necessarily interfere with the application of labor law within the company. Implementing a system to control conformity with the program at the level of each individual could require the incorporation of new provisions in the company’s rules and regulations or the insertion of new clauses in employment agreements (# 22-4, a).
Also, the implementation of a whistle-blowing system raises a number of issues, notably on how the reporting employee will be concretely “protected against retaliatory measures” (# 22-4, b).
Further, how will it be possible to set up the system of penalties, in particular disciplinary sanctions, encouraged by the FCA (# 22-5, b)? Since the imposition of disciplinary sanctions is strictly regulated by French labor law, the contemplated system of penalties must in no way hinder the application of mandatory labor law rules.
3) The content of the Framework-Document interferes with the protection of personal data
As an integral part of the compliance program, the implementation of a whistle-blowing system will have to be duly authorized by the Commission Nationale de l’Informatique et des Libertés (French Data Protection Authority, hereinafter the “CNIL”), especially when such systems entail the transfer of data to a foreign country. In this respect, it should be noted that since the CNIL extended the scope of its single authorization in 2010 to facts related to breaches of competition law, the whistle-blowing system will be governed by the CNIL’s simplified authorization procedure.
4) The content of the Framework-Document and the protection of confidentiality
Although alerted during the public consultation process to the absence of confidentiality of the information exchanged in the framework of the compliance program, the FCA remains silent on this issue.
It is, however, a fundamental question in the implementation of a compliance program that provides for the appointment of a person in charge of collecting all competition-related information (# 2), including notably all information on antitrust infringements (# 4b) and the performance of due diligence investigations (# 4, c).
Under French law, these persons, who are typically in-house lawyers, do not benefit from legal privilege. The absence of confidentiality protection means in practice that very sensitive information likely to be used against the company will be compiled by and around the appointed compliance officer.
In this respect, it should be recalled that companies are particularly exposed to this risk because during dawn raids ordered by the FCA, the investigators are entitled to access and seize, without restriction, any and all documents relating to the subject-matter of the investigation, including email accounts that are considered as indivisible and unseverable[3].
The lack of protection of the information exchanged during the implementation of the compliance program – that is notably aimed at searching for potential infringements within the company – raises a real problem of legal certainty for companies.
[1] http://www.autoritedelaconcurrence.fr/doc/framework_document_compliance_10february2012.pdf
[2] See article entitled Practical guidelines for designing and implementing a successful compliance program published in our March 2009 e-newsletter
[3] See article entitled Seizures of electronic data: the Cour de cassation indirectly validates the investigation methods applied by the French Competition Authority published in our April 2011 e-newsletter