Tuesday, January 20, 2026

Managing the risks of gifts and hospitality, the AFA guide

Written by Iratxe Gurpegui

Gifts and hospitality are one of the most common, and most misunderstood, sources of corruption risk. They sit at the intersection of commercial reality (maintaining relationships) and regulatory expectation (preventing undue influence). In France, the Agence française anticorruption (AFA) has made the topic particularly concrete through its practical guide on gifts and invitations, designed to help organisations build a defensible, risk-based policy under Loi Sapin II.

This article summarises what the AFA recommends, and translates it into an operational approach that mid-size compliance teams and legal departments can actually run.

Why the AFA focuses on gifts and hospitality

Under Loi Sapin II (Article 17), in-scope companies must implement an anti-corruption programme, including a code of conduct, risk mapping, third-party due diligence, internal controls, training, and monitoring. In practice, gifts and hospitality touch several of these pillars at once:

  • They are a frequent trigger in enforcement cases globally because they can conceal bribery in plain sight.
  • They often involve many employees (sales, procurement, executives) and many small decisions, which is where consistency breaks.
  • They create accounting and audit exposure if not recorded, justified, and approved.

The AFA’s position is not “ban everything”. It is “control it proportionately, based on risk, and keep evidence.” The guide emphasises clarity, traceability, and the ability to demonstrate that your rules are applied consistently.

Read the AFA practical guide on gifts and invitations (PDF)

What the AFA means by “gifts and invitations”

A recurring problem in audits is that companies define the scope too narrowly. The AFA guide encourages organisations to clearly define what is covered, using simple language employees can apply.

In a typical anti-corruption framework, “gifts and hospitality” may include:

  • Physical gifts (including promotional items)
  • Meals and entertainment
  • Event invitations and tickets
  • Travel and accommodation linked to business events
  • Benefits granted to third parties (for example, a customer’s employee)

The compliance risk is not only the item itself, but the context (timing, recipient, decision power, business purpose, repetition, and transparency).

AFA’s core principle: a risk-based policy, not a generic rulebook

The AFA guide’s logic is consistent with modern anti-bribery frameworks like ISO 37001: you do not manage gifts and hospitality with one universal rule, you manage them with risk assessment and controls.

That means your policy should reflect:

  • Your sector and typical business practices
  • Your exposure to public officials and state-owned entities
  • Your use of intermediaries (agents, distributors, consultants)
  • High-risk activities (tenders, procurement decisions, licensing, inspections)
  • Geographic footprint and country risk

For compliance officers, this is where risk assessment becomes operational: you translate your risk map into decision rules, approval workflows, and evidence.

How the AFA recommends structuring a gifts and hospitality policy

A strong policy is not long. It is unambiguous, easy to execute, and produces records that withstand scrutiny.

1) Put non-negotiable principles up front

The AFA guide stresses that employees need simple anchors that apply in every situation. Examples of principles commonly expected by regulators and aligned with AFA guidance include:

  • Legitimacy: there must be a genuine business purpose.
  • Proportionality: the value must be reasonable and not excessive.
  • Transparency: it must be declared, and when required, approved.
  • No influence: it must not be linked to a decision, benefit, or favourable treatment.
  • No concealment: no cash, no hidden benefits, no personal side deals.

These principles matter because they help you handle edge cases that no threshold can cover.

2) Define what is prohibited, clearly

The AFA guide pushes for clarity on “hard stops”, not just “recommended behaviour”. Your prohibited list should reflect your risk profile, but typically includes items that are inherently difficult to justify or trace.

Rather than relying on vague wording, define prohibited situations such as:

  • Anything that looks like a personal advantage with no business purpose
  • Anything that could be perceived as buying influence during sensitive periods (tenders, renewals, inspections, disputes)
  • Anything routed through third parties to bypass company rules

If your organisation interacts with public officials, make the rules even clearer, and align them with local public ethics requirements.

3) Set thresholds, but treat them as triggers, not “permissions”

The AFA guide encourages companies to set clear monetary thresholds, while also warning against a “below the limit means safe” culture.

A practical way to operationalise this is:

  • Low-value items can be allowed with declaration (or simplified declaration).
  • Above a defined limit, pre-approval is required.
  • Above a higher limit, enhanced approval and stronger justification are required.

The exact limits should be set internally based on your risk mapping and business reality. What matters to AFA in an audit is that your limits are justified, communicated, and consistently applied.

4) Clarify who can approve what, and when

AFA expects a process that is not only written, but workable. That includes:

  • Who must approve (line manager, compliance, legal, procurement, ethics committee)
  • Whether approval must be obtained before giving, offering, or accepting
  • How exceptions are handled, including who can grant them and how they are documented

A common pitfall is building an approval process so heavy that employees bypass it. Proportionality is part of compliance effectiveness.

5) Require traceability through a register

The AFA guide places major emphasis on traceability. In practice, that means maintaining a gifts and hospitality register, even if you also have an expense system.

A register is not just a spreadsheet for auditors. It is a risk control that enables monitoring, trend detection, and escalation.

Here is a field set that is typically audit-friendly and aligned with AFA’s intent:

| Register field | Why it matters in an audit | Typical evidence |
| --- | --- | --- |
| Date and location | Helps assess timing (for example, tender period) | Calendar invite, expense claim |
| Giver and recipient identity (and organisation) | Enables conflict checks and repeat patterns | CRM record, vendor/customer data |
| Recipient role and decision power | Higher-risk recipients need stronger controls | Role description, third-party profile |
| Description and estimated value | Supports proportionality and threshold triggers | Invoice, receipt, valuation note |
| Business purpose | Tests legitimacy and necessity | Agenda, meeting notes |
| Approval status and approver | Demonstrates governance and accountability | Approval workflow record |
| Linked third parties or intermediaries | Detects circumvention routes | Contract file, due diligence file |
| Notes on red flags and mitigations | Shows risk-based decisioning | Compliance assessment note |

How the AFA expects you to assess risk for gifts and invitations

The AFA guide’s practical message is that gifts and hospitality are not “one risk”. They are a cluster of risks that change depending on context.

A compliance team can make this manageable by assessing risk with a small number of repeatable factors.

Risk factors the AFA logic typically prioritises

When deciding whether to allow, approve, or prohibit an item, consider:

  • Recipient type: private counterpart vs public official, or state-owned entity
  • Decision proximity: is a decision pending that could benefit the company?
  • Frequency and accumulation: repeated low-value items can become high-risk
  • Value and nature: luxury, travel, family inclusion, side benefits
  • Business purpose and agenda: is there a documented professional justification?
  • Transparency: is it recorded, approved, and properly booked?
  • Intermediary involvement: is a third party offering it “on your behalf”?

You do not need a complex model, but you do need a consistent one.

A simple decision model that matches AFA expectations

Many mid-size companies succeed with a “traffic light” assessment that employees can understand and compliance can defend.

| Situation | Risk level | Recommended control response |
| --- | --- | --- |
| Low-value courtesy gift with clear business context, infrequent, fully recorded | Lower | Declare, record, spot-check |
| Moderate hospitality (meal/event) with agenda, recurring relationship, value near threshold | Medium | Pre-approval, record, manager accountability |
| High-value benefit, travel, invitation without agenda, sensitive timing, or decision-maker recipient | High | Compliance review, enhanced approval, consider refusal |
| Any scenario suggesting concealment, quid pro quo, or bypassing controls | Critical | Prohibit, escalate, investigate if needed |

This is the type of structure that makes your policy enforceable and supports a credible audit trail.

Controls the AFA expects beyond the policy

AFA guidance is clear that a policy alone is insufficient. The organisation must show that the policy is embedded and monitored.

Accounting and booking controls

Even a well-written gifts policy fails if expenses are booked in a way that hides their nature. AFA’s broader Sapin II expectations link anti-corruption controls to accounting controls.

Operationally, that means:

  • Clear expense categories for gifts, hospitality, travel, and entertainment
  • Supporting documents attached to expenses (invoices, attendee list when relevant, business purpose)
  • Periodic reconciliation between the register and expense data

Training and communication

AFA expects the rules to be understood by exposed populations. The highest priority groups usually include:

  • Sales and key account teams
  • Procurement and vendor management
  • Executives and assistants managing hospitality
  • Anyone interacting with public officials

Training is more credible when it is scenario-based and aligned with your own thresholds and workflow.

Monitoring and continuous improvement

AFA’s auditing approach is not only “do you have a register”, but also “what do you do with it”. Use the register to monitor:

  • Top recipients and repeat recipients
  • Peaks around tender periods or end-of-quarter
  • High-risk roles receiving benefits
  • Exceptions and overrides
  • Third parties associated with gifts and invitations

Then document remediation actions, for example tightening thresholds, adjusting approval rules, or targeted training.

Common pitfalls the AFA guide helps you avoid

Companies often fail on gifts and hospitality for predictable reasons. AFA’s guide is useful because it targets these operational gaps.

“We have thresholds, so we are safe”

Thresholds are necessary, but they do not capture timing, influence, repetition, or public-sector exposure. AFA expects judgement supported by process.

“We track expenses, so we do not need a register”

Expense tools rarely capture the compliance context (recipient role, decision sensitivity, red flags, approvals). A register is how you demonstrate compliance logic, not only spending.

“Approvals happen informally”

If approvals are done in chats or verbally, you lose evidence. In an AFA audit, missing evidence usually means the control is treated as ineffective.

“Third parties handle hospitality, so it is not our problem”

If an intermediary offers a benefit to win business for you, it can still create liability and a Sapin II compliance failure. AFA expects alignment with third-party risk management and clear contractual expectations.

How to implement an AFA-aligned approach in a mid-size company

A proportionate approach can be implemented without building a bureaucracy.

Start with a minimum viable program

A practical baseline that is typically defensible includes:

  • A short gifts and invitations policy (principles, scope, prohibitions, thresholds, approvals)
  • A single intake and approval channel
  • A register with required fields
  • Quarterly monitoring and documented follow-up

Then scale with your risk map

As your risk mapping matures, you can refine by:

  • Role-based rules (for example, additional checks for procurement)
  • A process specific to public officials
  • Stronger checks for high-risk geographies or business lines
  • Integration with third-party due diligence files

Where technology helps (without replacing judgement)

Gifts and hospitality is high-volume, distributed decision-making, which is exactly where automation improves control quality.

Used correctly, AI and workflow automation can:

  • Standardise intake data (so requests are complete the first time)
  • Route approvals based on risk triggers (recipient type, value, timing)
  • Automate evidence collection (invoice, agenda, approval record)
  • Produce audit-ready reporting (exceptions, trends, hotspots)

Naltilia’s platform is designed to support this type of operational compliance work, including regulatory risk assessment, remediation actions, tailor-made policies, automated data collection, and compliance workflow automation. The key is not “more tech”, it is fewer manual steps and stronger evidence.

Frequently asked questions

Does the AFA require a gifts and hospitality policy under Sapin II?

Under Loi Sapin II, companies in scope must implement an anti-corruption programme, and the AFA expects practical controls that address common corruption channels. The AFA’s practical guide explains how to build and evidence a gifts and invitations policy as part of an effective programme.

Should we ban all gifts and hospitality to be safe?

AFA’s approach is risk-based, not a blanket ban. Many organisations allow reasonable, transparent gifts and hospitality with thresholds, approvals, and traceability. Overly strict rules can lead to bypass behaviour, which creates more risk, not less.

Do we need monetary thresholds, and what should they be?

Thresholds are strongly recommended because they make rules actionable. The amounts should be defined internally based on your risk mapping, sector norms, and exposure (especially to public officials). What matters most is that thresholds trigger appropriate approvals and are consistently applied.

Is an expense tool enough, or do we need a separate register?

Expense tools rarely capture the compliance context needed to demonstrate risk-based decisioning (recipient, role, decision sensitivity, red flags, approvals). A dedicated register, or an equivalent structured record, is typically the most defensible approach.

How do we handle gifts and hospitality offered by third parties (agents, distributors, consultants)?

You should treat third-party offered benefits as part of your corruption risk perimeter when they can benefit your business. This usually requires contractual rules, due diligence, and a way to declare and approve sensitive cases.

What evidence should we keep for audit purposes?

Keep evidence that shows legitimacy and control operation: approvals, invoices, agendas or business purpose notes, recipient identification, and register entries. Also keep monitoring outputs (spot checks, exception handling, remediation decisions) to demonstrate that the control is not only documented but effective.

Make your gifts and hospitality control audit-ready

If your gifts and hospitality process lives in emails, chats, and scattered expense notes, it is difficult to prove consistency in an AFA-style audit. A robust programme is not only about writing the policy, it is about running it with traceable approvals, structured records, and measurable monitoring.

Naltilia helps compliance teams move from ad hoc decisions to an operational system by automating risk assessment workflows, collecting the right evidence, and tracking remediation actions in one place. If you want to see what an AFA-aligned, audit-ready workflow can look like in practice, you can visit Naltilia and request a walkthrough.

About the Author

Iratxe Gurpegui

I've spent 20 years as a compliance and competition lawyer across Europe and Latin America, and throughout my career, I've seen firsthand how complex and costly regulations can hold companies back. But I've also learned that compliance doesn't have to be a burden, it can be a strategic advantage. My mission is to help companies harness the power of AI, transforming compliance into something faster, simpler, and most importantly, a real driver of growth for businesses.