France - The Exclusive Networks CJIP: A Masterclass in Corporate Compliance and Cooperation

The recent Convention Judiciaire d'Intérêt Public (CJIP) signed between the French National Financial Prosecutor's Office (PNF) and Exclusive Networks Corporate SAS on 16 June 2025 provides a compelling case study of how modern corporate compliance challenges unfold and how strategic cooperation can significantly influence outcomes. This landmark agreement, involving a €16.07 million penalty, offers valuable lessons for multinational corporations operating in high-risk jurisdictions.

The Case: From Acquisition to Investigation

Exclusive Networks Corporate SAS, parent company of the EXN Group, is a global cybersecurity specialist operating in over 45 countries with €1.559 billion in turnover in 2023. The case stems from problematic practices inherited from the 2015 acquisition of Transition Systems Asia (TSA) in Southeast Asia, where local practices involved using transaction margins to create funds for marketing operations, compensating low-margin transactions, or covering stock obsolescence losses.

The unraveling began with a whistleblower report on 22 January 2021 from a former risk and compliance manager who had identified €3.7 million in at-risk payments across five Asian countries between 2018 and early 2019. Despite the company's executive committee approving corrective measures in August 2019, including blacklisting 47 third-party agents, problematic practices persisted.

Following the PNF's preliminary investigation launched on 17 September 2021 and a search of company premises on 8 March 2022, EXN proactively cooperated with authorities. The company approached the PNF "in a spirit of cooperation" to conduct internal investigations that could contribute to the criminal investigation. EXN transmitted all internal investigation and audit reports to the PNF, along with numerous supporting documents and accounting analyses. This comprehensive cooperation included providing detailed Excel tracking files that totalled $20.784 million in fund usage between 2017 and August 2020.

The investigation ultimately identified €4,235,401 in payments presenting criminal indicators to 65 third parties across Indonesia, Malaysia, Vietnam, Thailand, and India between 2016-2022. These payments were made to agents and service providers for services that appeared unjustified and potentially benefited representatives of local resellers or end clients, including public officials.

The CJIP imposed a penalty of €16,074,511, significantly reduced from the theoretical maximum of €745 million due to the company's cooperation and corrective measures. The penalty comprised disgorgement of illicit gains (€8,930,284) and an afflictive portion (€7,144,227), with payment scheduled over twelve months.

Beyond the financial penalty, the agreement establishes a mandatory three-year compliance monitoring programme under the supervision of the French Anti-Corruption Agency (AFA). This programme includes an initial audit to assess the current state of the group's anti-corruption system, targeted audits to ensure effective deployment and efficiency regarding identified risks, and a final audit. EXN has committed to provisioning up to €1.5 million to cover the costs of this AFA oversight, with unused funds to be returned upon completion of the mission. The AFA will report at least annually to the Financial Prosecutor on the programme's implementation, with the possibility of early termination after two years if all obligations are met satisfactorily.

Three Critical Lessons for Corporate Compliance

1. Never Underestimate the Risk of Information Leakage

The Exclusive Networks case powerfully illustrates how internal information can surface unexpectedly and with devastating consequences. The company's troubles began not with external investigation, but with a whistleblower who had intimate knowledge of the compliance failures. This former risk and compliance manager possessed detailed documentation of problematic practices, internal audit findings, and management responses – or lack thereof.

When the whistleblower initially raised concerns internally in 2019, identifying €3.7 million in at-risk payments, this should have been treated as a critical moment requiring immediate and comprehensive remediation. Instead, while the company implemented some measures, including blacklisting 47 third parties, the underlying issues persisted, and new workarounds emerged.

The lesson is clear: when problematic behaviour is identified within an organisation, companies must act decisively on remediation and seriously consider self-reporting to authorities. The alternative – hoping issues remain contained – is a dangerous gamble that can result in far more severe consequences when information inevitably surfaces through other channels.

2. Cooperation is Key to Favourable Outcomes

The Exclusive Networks case demonstrates the tangible benefits of full cooperation with investigating authorities. Following the search of its premises in March 2022, EXN proactively approached the PNF "in a spirit of cooperation". The company conducted comprehensive internal investigations and transmitted all relevant reports, audit findings, and supporting documentation to prosecutors.

This cooperation was explicitly recognised as a mitigating factor in the penalty calculation. The PNF specifically cited "the active cooperation demonstrated during the criminal investigation" as one of the circumstances that reduced the afflictive portion of the fine. Other cooperation-related mitigating factors included "the relevance of internal investigations conducted" and "the unequivocal recognition of the facts by Exclusive Networks Corporate SAS".

The contrast between potential and actual penalties is striking: while the theoretical maximum penalty could have reached €745 million, the actual penalty of approximately €16 million represents a significant reduction that reflects, in part, the company's cooperative approach.

3. The True Cost of Compliance Failures: "If You Think Compliance is Expensive, Try Non-Compliance"

Former US Deputy Attorney General Paul McNulty's famous observation that "if you think that compliance is expensive, try non-compliance" finds perfect illustration in the Exclusive Networks case. The company's compliance failures resulted in costs far exceeding any reasonable compliance investment:

• Direct financial penalty: €16.07 million
• Compliance monitoring costs: Up to €1.5 million provisioned for AFA oversight
• Three-year compliance programme: Mandatory monitoring by the French Anti-Corruption Agency
• Operational disruption: Investigation, legal costs, and management time
• Reputational impact: Public disclosure of corruption-related practices.

The PNF explicitly identified "insufficient compliance programme" as an aggravating factor in penalty calculation. Conversely, the effectiveness of the internal alert system that enabled identification of the facts was recognised as a mitigating factor. This contrast underscores that while compliance systems require investment, their absence or inadequacy proves far more costly.

The case also highlights the importance of compliance having "a seat at the right table." The whistleblower was a risk and compliance manager who had direct access to senior management and the risk committee. However, the persistence of problematic practices despite internal alerts suggests that compliance concerns were not given sufficient weight in decision-making processes.

Conclusion

The Exclusive Networks CJIP serves as a comprehensive case study in modern corporate compliance challenges and enforcement responses. It demonstrates that in today's interconnected business environment, compliance failures in any jurisdiction can have global consequences. The case reinforces three fundamental principles: the critical importance of treating internal compliance alerts seriously and considering self-reporting, the significant benefits of full cooperation with authorities, and the reality that robust compliance programmes, while requiring investment, are far less expensive than the consequences of their absence.

For multinational corporations, particularly those operating in high-risk jurisdictions or those that have grown through acquisitions, the Exclusive Networks case provides a roadmap for both avoiding similar pitfalls and responding effectively when compliance issues arise. The company's ultimate cooperation and recognition of facts, while costly, likely prevented far more severe consequences and provides a foundation for rebuilding trust with stakeholders and regulators alike.

Link to the CJIP >> 
Link to the Press release >>