Compliance Law is defined by the Monumental Goals it pursues.
Willingly or by force, companies must structure themselves and act to reach them. In a major and global transformation, they are thereby becoming transparent, making Compliance Tools visible.
Emphasizing the unity of these Tools promotes a unified legal regime, while adapting them country by country, sector by sector, company by company. Understanding these Compliance Tools to anticipate the assessment made by Regulators, Supervisors and Courts, and the provisions of future texts, while companies are invited to invent new ones, is hopefully more appropriate.
General perspectives through which risk maps, compliance programs, deals and judicial agreements, ad hoc training, algorithms, audits, sanctions, controls, whistleblowing, collective actions, etc. are scrutinized. Co-published with the Journal of Regulation & Compliance.
Number of pages: 603
Year of publication: 2021
For information on Journal of Regulation & Compliance (JoRC) activities and publications, go to www.thejournalofregulation.com.
For all information on Larcier’s funds and new products in your area of specialisation, please consult our websites via www.larcier.com.
© Lefebvre Sarrut Belgium SA, 2021
Éditions Bruylant
Rue Haute, 139/6 - 1000 Bruxelles
© Journal of Regulation & Compliance (JoRC)
63, Rue de la Faisanderie, 63
75116 Paris - France
All rights reserved for all countries.
It is prohibited, without the publisher’s prior consent in writing, partially or completely to reproduce this work (especially by photocopying), to store it in a database or to communicate it to the public, in whatsoever form or manner.
ISBN: 978-2-8027-7040-4
Describing, Conceiving and Correlating Compliance Tools, in Order to Use Them Adequately
Marie-Anne Frison-Roche
Chapter 1. LEGAL AND ECONOMIC APPROACHES TO COMPLIANCE TOOLS
Legal Approach to Compliance Tools: Building by Law the Unity of Compliance Tools from the Definition of Compliance Law by its “Monumental Goals”
Marie-Anne Frison-Roche
An Economic Approach to Compliance Tools: Finality, Measure, and Effectivity of Constrained or Chosen Compliance
Laurent Benzoni and Bruno Deffains
Chapter 2. RISK MAPPING, CENTRAL COMPLIANCE TOOL
Drawing up Risk Maps as an Obligation and the Paradox of “Conformity Risks”
Marie-Anne Frison-Roche
Compliance Risk Mapping: First Insight into the Challenges, Limits, and Best Practices
Nicolas Guillaume
Chapter 3. PLACE AND USE OF INCENTIVES IN COMPLIANCE SYSTEMS
Incentive Theory and Governance of Space Activities
Lucien Rapp
Resolving the Contradiction between “Sanction” and “Incentive” under the Fire of Compliance Law
Marie-Anne Frison-Roche
The Manifestations of Incentive Mechanisms in French Compliance
Marion Larouer
Data Sovereignty and Compliance
Hubert Tardieu
Incentive(s) and Self-Regulation(s): What Place for Compliance Law in the Audiovisual Sector?
About the contribution to compliance law of the litigation of audiovisual regulator’s soft law acts
Laurence Calandri
Compliance and Incentives: a Promising Tandem
Marie-Anne Frison-Roche
Chapter 4. THE REQUIRED EXPERTISES IN TERMS OF COMPLIANCE
Audit of Compliance Systems
Antoinette Gutierrez-Crespin
The Development of Attorneys’ Compliance Expertise
Sidne Koenigsberg and François Barrière
Compliance or the Passage from Ex Post to Ex Ante: a Copernican Revolution for the Criminal Lawyer?
Thomas Amico
Chapter 5. THE GEOGRAPHICAL DOMINANCE OF COMPLIANCE TOOLS
Geographical Dominance in the Choice and the Use of Compliance Tools
Introductory remarks
Jean-Baptiste Racine
Conception and Application of Compliance in Africa
M. Mahmoud Mohamed Salah
Anti-Corruption Compliance: Global Dimension of Enforcement and Risk Management
Roger Burlingame, Karen Coppens, Noel Power and Dae Ho Lee
Chapter 6. THE MEASURE OF COMPLIANCE TOOLS EFFECTIVITY
The Regulator’s Inspection of the Effectiveness of the Compliance Tools Implemented by the Company
Maxime Galland
The Maturity of the Compliance Tool’s User, First Criterion of the Choice of the Salient Tool
Aurélie Banck
Chapter 7. TRAINING, ALPHA AND OMEGA OF COMPLIANCE
Compliance Training: Through and Beyond Traditional Legal Training
Hervé Causse
Training: Content and Container of Compliance
Marie-Anne Frison-Roche
Training and Compliance, Two Correlated Information Transmission Tools
Théo Thouret
Chapter 8. TECHNOLOGICAL TOOLS AND COMPLIANCE BY DESIGN
Compliance by Design in Antitrust: Between Innovation and Illusion
Jean-Christophe Roda
The Normative Originality of Compliance by Design
Cécile Granier
Technological Tools, Compliance by Design and the GDPR: Data Protection by Design
Ludovic Pailler
Morality by Design
Samir Merabet
Conclusion
Subjective Rights, Primary and Natural Tools of Compliance Law
Marie-Anne Frison-Roche
Contents
Marie-Anne Frison-Roche (1)
Agrégée des Facultés de droit
Professor of Regulation and Compliance Law
Director of the Journal of Regulation & Compliance (JoRC)
Compliance, until recently, referred to a practice that was hardly discussed. Then articles and books addressed it, mostly through descriptions of the sanctions ordered and the procedures that led to them, a presentation made in order to better indicate how to avoid them, or at least to reduce their cost. It must be said that these procedures are often carried out in a spectacular way, like a Grand Guignol in which anyone approaching the stage becomes terrified or tempted to call for the adopting of laws aiming to block the efficacy of the legislation of others.
But from day to day, compliance is taking on a less threatening and theatrical form: mapping, in-house controls or training, implemented with good will and difficulty by companies which organize themselves as they can, condemned before they even take a step, or for having gone too far, or gone the wrong way, having to prove that they tried to do the best they could. We don’t know much about these tools. The sensational lighting of punishments falling like lightning bolts excessively masks the preventive nature that Compliance Law inserts into each of its instruments. This ex ante is however the mark of Regulation Law, of which Compliance Law constitutes the extension.
The multiplication of specialists of a given compliance tool, a given subject of compliance, aggravates the fragmentation in the field and makes it difficult to have an overall vision of compliance tools. This produces a major drawback in practice: the various rules of application develop enclosed in each compliance tool, in hundreds of small legal systems, isolated solutions that are stored on virtual shelves of platforms without coherency being able to emerge from this sole effort of their being made available to all. But in this huge jumble, who will be the librarian, the figure of whom Borges portrayed the very human art of classification and labelling?
We must not remain with the idea of a toolbox, this degrading expression for a set in which all the tools are piled on top of each other, in which they all are worth something and we draw one at random, to deal with a new case which arises and which we must close as soon as possible. No plan. No architect. Thinking rather of the art of a library, we must arrange compliance tools with respect to each other, in a prior conception of the whole, which allows us to have a more comprehensive understanding, through their insertion in the construction of Compliance Law. When we think of Jefferson’s Library, on which the US Congress is built, a library arranged around an idea (Memory, Passion, Reason), we can measure the extent to which we must have a good understanding of the world in order to arrange with simplicity each of the technical elements that take space on the shelves. As in a natural movement of things.
This overall view is all the more relevant given that the courts, because they are familiar with the disputes from which no compliance tool can be exempt, make correlations between all of them: by seeking a solution for one of the tools, the judges remember the solution found previously for another tool, thereby elaborating a common doctrine in an orderly manner. Law as memory also works in this way. “Nothing is more useful than a good theory”: Vedel applied to Law this idea from physics.
This overall view is all the more necessary in that these tools must in turn be inserted into company strategies. Because so many forces, competences, people, time and money are definitively mobilized in companies by the implementation of all these tools, rather than being dead weight, they can just as well be profitable. They can only become so through the development of simple and common principles that justify them. It is also useful to make distinctions that do not always appear in closed monographs on each compliance technique, but which emerge according to the essential dividing lines, as distinctions according to country or sector. A first practical question arises: who, human beings or algorithms, should develop and use compliance tools? This is an eminently practical subject, which also deserves consideration, which is now underway among companies, courts and legislators. The subject of compliance tools is eminently political and new sovereignties are taking shape, particularly in Europe.
On such bases, the book Compliance tools aims to understand these “compliance tools,” focusing specifically on those for which we have few studies although they are used on a daily basis, such as risk mapping, training and subjective rights, allowing to appear through other more transversal contributions the familiar tools, such as compliance programs, sanctions, whistle blowing or Judicial Public Interest Agreements.
In order to bring out this overall coherence or to improve it and to fight against a sometimes-inopportune uniformity in compliance processes, a first chapter will present a legal and economic approach. A second chapter underscores the role of risk mapping. A third chapter describes the action of incentives. A fourth chapter surveys the required expertise. A fifth chapter stresses the geographic salience. A sixth chapter details the measurement of effectiveness. A seventh chapter explores training. The eighth chapter examines the technological tools. The concluding article examines subjective rights.
_____
The book thus opens with a first chapter devoted to very general approaches, legal and economic, for compliance tools.
Marie-Anne Frison-Roche firstly takes a Legal approach to compliance tools, aiming to legally build the unity of compliance tools from the definition of Compliance Law by its “monumental goals.” She underscores that “compliance tools” cannot be stacked one on top of the other. They form a system thanks to a unity which draws on the goals that all these multiple and different tools serve: the normative core is thus in the “monumental goals” by which Compliance Law is defined.
All the tools are configured by these goals: for mastering these techniques, it is essential to put them all in perspective of what Compliance Law is, which is designed teleologically with regard to its goals. As Compliance Law is the extension of Regulation Law, it is like it built on a balance between the principle of competition and other concerns that public authorities claim to handle. Compliance Law has moreover more “pretensions” in this respect, for example in environmental matters. All the means are then good, the violence of the tools combining without difficulty with the voluntary commitments since it is the goals which govern this field.
As substantive law demonstrates, a method of interpretation and levels of constraint which are common to all compliance tools are the result. Starting from the goals, in which legal normativity is contained, the interpretation of the various tools is thus unified. Moreover, the different degrees of constraint do not operate according to the consideration of the sources (traditional legal criterion) but rather by the goals, which trigger the articulation of the obligations of means and obligations of results. The obligation of the tools is for the company an obligation of results because it has mastery of the tools, while reaching the goals is certainly an obligation for it, because they are the very object of compliance, but this leads to an obligation of means because their determination is in the hands of the public authorities.
Laurent Benzoni and Bruno Deffains undertake an Economic approach to compliance tools through the purpose, effectiveness and measurement of “imposed and chosen” compliance. To do this, the authors refer to general works of economic analysis of Law to demonstrate that companies can find an interest in demonstrating in advance that they are obeying the law in a long-term strategy of reputation and reliability; this internalization imposed by compliance is then transformed by Corporate Social Responsibility and brings the system to the choices made by the company, which develops them rationally and not in an emotional outburst.
Thus, the compliance mechanisms cease to be “imposed,” with the company just minimizing the perspective of a future sanction to be “chosen,” with the company freely taking on a “responsibility,” for example for the environment or human rights protection, going beyond the legal requirements (which the “monumental goals” correspond to, which goes beyond the interest of partners and of the legal obligation). The investment calculation is more difficult for the second one, difficult to quantify, than for the first one (probability calculation). The French Pacte law leaves room for “chosen compliance” but it is hard to measure its effectiveness: we await jurisprudence in its handling of Liability Law. Furthermore, with the status of “entreprise à mission” (company with mission) the goal becomes statutorily binding and the governance of the company must be modified so that the control of the means implemented takes place in-house. But supposing that companies only seek their competitive advantages, this only means, through this general interest service, conquering new profits, with the lucrative goal of chosen compliance showing the liberal nature of compliance.
The authors underscore that this “chosen compliance” implies evaluation analysis tools different from those used for “imposed compliance.” In “imposed compliance,” it means in application of the work of Gary Becker considering risk aversion, with the company calculating its chances of being penalized or not with respect to the gain obtained with the infraction (it being up to those who conceive Law to design it according to the model of incentives) and to the cost generated by the in-house conformity tools. The authors stress that the uncertainty of the legal solutions, particularly because of the importance here of Soft Law, makes these calculations difficult while the rationality of the agents is not total, with the outlook of being punished being rejected in itself while the respect of the rules is rather natural, as companies are thus “honest” (theory of cognitive bias) and do not want to be singled out (name and shame). The behavioural economy thus favours the expense in favour of “imposed compliance,” beyond the cost-benefit calculation.
In the case of “chosen compliance,” it is competition economics which designs solutions, because the company imposes on itself a constraint to get a competitive advantage out of it, in that these self-imposed constraints meet societal demands, external (for example, the environment) or internal (for example, cohesion in the company). The external gains are the positive image of the company with respect to the reputation of its competitors. These investments quickly lose their efficacy because all companies adopt the same ones, which transforms these practices into common legal standards. Internal gains are measured in organizational sociology by the adhesion to the company’s project, reducing the in-house inefficiency in a profit greater than the investment.
The general framework having thus been established, the second chapter of the book is devoted to the central tool of compliance which is risk mapping.
Marie-Anne Frison-Roche presents Drawing up risk maps as an obligation, containing the paradox of “conformity risks.” She underscores that there are few synthetic or theoretical legal studies about the risk mapping mechanism although it is the central tool in compliance, perhaps because it is more a matter of management than of Law. Risk mapping is described but does not receive any other legal qualifications than its being a “procedure,” suffering in this respect from a program that affects all of compliance, which is still poorly grasped by Law, often focused for the moment in the ex post of the sanction while compliance is ex ante by nature.
We move from disarray to incomprehension, noting the existence of “conformity risks” among the mapped risks: this is due in particular to the affirmations according to which we should not speak of “Conformity Law” as an ex ante obedience to Law. Reduced in this way to a sort of obedience to regulations, as the “conformity risk” is not a risk of mechanical disobedience to a regulation, this can be a simple element of a broader map of “risks.” But if we accept that the Law cannot be reduced, neither to regulations nor to mechanical obedience to them, then “conformity risk” is only an element of Compliance Law which refers to another definition. Indeed, Compliance Law is defined substantially by its “monumental goals” which exceed obedience to regulations.
Consequently, if the Law takes hold of risk mapping, it can at first appear as only an ancillary obligation of the main obligation, which consists of achieving the monumental goals. The ancillary obligation to draw up the maps is an obligation of results, while the main obligation to achieve the goals is an obligation of means. As this mapping is very diverse and only occasionally targeted by precise laws, it can also constitute no more than a legal fact, or, through the action of various charters, it can be a unilateral legal commitment.
But we can put forward the idea that it is in the process of becoming the basis of an autonomous legal obligation which is the responsibility of companies in a position to know certain risks, referring to the existence of a subjective right to know them and to measure them (“right to be disturbed”) of which the third parties who will be running the risks would be the holders, thus allowing them to choose to take the risks, or not.
Nicolas Guillaume then offers the first insights on the challenges, limits and good practices of the mapping of compliance risk. The author gives an overview of what risk mapping is for a company, not just an obligation in certain cases, such as corruption, but also and beyond that an excellent tool for designing and controlling its strategy.
He shows that this is due to the fact that legislation now incorporates the risk-based approach, with companies having to use these maps, sometimes having to put them in the service of an overall strategy, even if their handling may engage the liability of the company and its directors. The author emphasizes that the maps are very diverse because their objectives are themselves different, and their users are also different (which implies different insights into the same risks.)
The author consequently brings out principles common to all maps, which always evaluate risks according to their probability of occurrence and the severity of their consequences if they materialize. It is also important to grasp the “gross risk,” taken in the absolute, and the “net risk” which integrates the company itself in this apprehension of the probability and the gravity, generating a level of risk which is acceptable for the company.
On these common principles are superimposed specificities relating to the various risks; the author takes more particularly the case of corruption risk, because Compliance Law gives it a major place. The mapping that is characteristic to the specific risk then becomes finer in order for it to be relevant, while the criteria used here will be abandoned in another mapping having another purpose. The way of proceeding again becomes common to all the diverse mappings in the commitment of the company’s management bodies, the methodology of the in-house inquiries, meetings and benchmarks.
If the company thus deploys the art of risk mapping, it ceases to be merely a requirement of legislation which the company must obey, and becomes rather a central tool in the overall system of risk prevention and in the conception of the company’s strategies, nourishing the codes of conduct, the design of training and supervision programs, to finally deploy in the company a “risk culture,” which is essential.
Because these compliance tools allow for the establishment of rules where traditional law does not provide them, the third chapter of the book is devoted to the place and the use of incentives in compliance systems.
Lucien Rapp demonstrates the articulation between Incentive theory and governance of space activities. The author studies the conditions of an application of the theory of incentives to the problems currently presented by the governance of space activities. These activities have been enriched by the presence of many private operators, without the market that is being established having yet been properly regulated.
The accumulation of debris in nearby space highlights the difficulty of maintaining a situation built solely on laws, in the absence of a specialized international organization and with the insufficiency of the international treaties in effect.
This article shows the contributions of the behavioural approach in Law and Economics, developing the interest that there would be to develop it.
Marie-Anne Frison-Roche then wonders how to Resolve the contradiction between “sanction” and “incentive” under the influence of the fire of compliance. Compliance and incentives at first glance seem to be in total opposition, for two major reasons. Firstly, because sanctions have a central place in Compliance Law and incentives assume an absence of constraint on operators. Secondly, because incentives are connected with self-regulation whereas Compliance Law assumes a strong presence of public authorities. So, we must choose: either compliance, or incentives! The efficacy of one or the others; the techniques of one, or of the others; the philosophy of one, or the other, and resigning ourselves to the loss that such a choice would necessarily imply.
But setting the terms in this way means taking a poor view of situations and reducing the scope of the solutions that they call for. If we use a rich definition of Compliance Law, we can, on the contrary, connect compliance and incentives. We cannot avoid it, but it is difficult, because it is probably in this regard that we more clearly perceive the clash of two cultures, which do not communicate, although technically they apply to the same situations. Indeed, because compliance was conceived by finance, everything is a tool for it. As such, the tendency to only think of a sanction as an incentive is very strong in Compliance Law, it continually manifests and will not stop. But whatever the reasons for thinking of it this way, the principles of the Rules of Law cannot disappear and, if we don’t want them to fade away, we must connect them, and this articulation constitutes an essential issue.
That is why it can literally be said that compliance has set fire to Criminal Law by its conception, logical but self-contained, of sanctions as simple incentives. For the Law to remain, attached to its capital letter and its refusal to just be a simple “tool,” we need to keep a very firm definition of Compliance Law centered on its monumental goal which is protection of people. The article aims to establish the principle and to set forth the procedures.
Marie Larouer presents The Manifestations of Incentive Mechanisms in French Compliance Law. The author first develops the idea by which the Law itself accepts the notion of incentive as being consubstantial with it, relying in particular on codes of conduct. Then she develops manifestations of incentive law as tools of compliance, first in terms of the fight against corruption: the decision of the sanctions commission of the Agence française anticorruption (French Anti-Corruption Agency) shows that the recommendations of this Agency encourage the company to comply, protecting it from a sanction if it submits to it but not forbidding it to organize itself in another way. Moreover, the ruling of the Commercial Chamber of the French Cour de cassation stated that the breach of a contractual obligation, which is only the resumption of a constraint housed in a compliance program which targets a third party, justifies the termination of the contract.
More generally, the author shows that the legal system encourages companies to integrate compliance by the publication of vigilance plans and extra-financial performances, while noting that companies do not always do so.
The article concludes that French Compliance Law in its use of incentives is only at its “beginnings.”
More generally, Hubert Tardieu, through the recourse to incentives, shows the links between Data Sovereignty and Compliance. After considering that Europe had, in terms of power, “lost the battle” of personal data, the author asks that this same error, which could be linked to a lack of interest at the outset, not be repeated for “company data.” As the European Commission affirmed its will in this direction in 2020, it is now necessary to build a “European ecosystem” for the sharing of industrial data in confidence.
For this, the author explains that it is necessary to develop “incentives for the sharing of company data,” in order to increase their available volume and fuel common progress in Artificial Intelligence between European companies and to use common complementary data, which none of them could generate alone, allowing for the creation of new services. These incentives can be new and adapted “regulations,” but also the adoption by the sector of a “common data model.” But the author stresses that it is necessary to move forward, particularly through experiments allowed by the “regulatory sandboxes.” This will allow for the deployment of data sharing, with compliance being able to contribute to it, a path for a sovereign Europe of shared industrial data, a monumental objective that could thus be achieved.
By drawing on a particular sector, Laurence Calandri also studies the pair formed between Incentive(s) and self-regulation, to ask the concrete question: What is the place for Compliance Law in the audiovisual sector? The author chose the audiovisual sector, a “pilot” in the field, to very precisely measure the way in which, in France, the jurisprudence of the Conseil d’État (French State Council) introduced a rationale of compliance by leaving operators free to organize themselves while supervising them.
After a reminder that by the decisions of 2016 Fairvesta and Société Numéricable, the French State Council allowed the judicial control of acts of soft law, in particular those issued by the Audiovisual Regulator, the author confronts this state of Law with the assertion of this Regulator that it is not the “policeman” of this sector. The French State Council follows it by isolating among its acts those which are only incentives and escape control by the judge, in the same way that acts of Soft Law adopted by companies of the sector, an expression of self-regulation, also escape litigation and are therefore “unjustifiable.” The author concludes that this completely renovates the governance of the sector, with the Regulator becoming more the arbiter of this new soft law.
Going back to a more general outlook and to finish this part, Marie-Anne Frison-Roche takes another look at the relationship between Incentives and Compliance, which she presents as a promising tandem to increase the usefulness of Compliance Law. As for sanctions, here too compliance and incentives initially appear to be in total opposition, because the incentives assume an absence of constraint on the operators, that they have a link with self-regulation and that Compliance Law supposes a strong presence of public authorities.
It is true that the theory of “incentives” targets mechanisms that do not directly involve constraint. But, in the same way that we can articulate “sanction” and “incentive” if we define Compliance Law by its “monumental goals,” we can also think more efficiently about the relations between public authorities and companies through a notion proposed here: “incentive compliance.” To do this, it is essential that we start from a dynamic of Compliance Law through its monumental goals.
If Compliance Law is defined by placing its legal normativity in the “monumental goals” that it pursues, for example the elimination of corruption, the detection of money laundering in order to eliminate its underlying criminality, or as effective protection of the environment, or the concrete concerns of human beings, then what matters is not the means themselves, but rather the effective movement towards these “monumental goals.” Consequently, the burden that was previously the responsibility of public policies carried out by States because they are conclusively unable to handle this, is now internalized within companies which are in a position to work towards these goals: the “crucial operators,” because they have the scope, and the technological, informational and financial means.
With this outlook, and with the internalization of public will causing a split with the government structure linked to a territory which deprives Policy of its coercive power, incentive mechanisms appear to be the most efficient means to reach these monumental goals which express sovereignty. They appear as “natural” means, both negatively and positively defined. Negatively in that they do not require ex ante institutional sources that are clearly identifiable and localized, nor do they require an ex post sanction power: it is sufficient to substitute interest for obligation. Positively, incentives relay through operators’ strategies the form that was so often criticized and mocked in public action: the “plan.” The duration is thus introduced via the compliance mechanism, as we see through its development in concern for the environment (“Climate plan”), or through the mechanism of education, which can only be conceivable over time.
This project, which claims to build the future, is however that of politicians and companies, who use their power deployed over time to materialize it. The future of Europe probably depends on this.
In the same way that a tool is nothing without the company that uses it, with the public authority supervising it, it is not appropriate without a professional who uses it adequately. That is why the fourth chapter of the book aims to identify the expertise for handling the various compliance tools.
In this regard, Antoinette Gutierrez-Crespin presents the competences required for the development of a compliance system audit. The author identifies what characterizes a “compliance audit.” It differs from a “compliance program,” which is an instrument of constraint, and even from an in-house inquiry, which aims to detect breaches: the compliance audit aims to measure the risks of discrepancy from compliance requirements, or even to identify areas for improvement.
Starting from this definition, it is explained how a Compliance audit is carried out concretely, with a risk-based approach, and who the actors are (in-house and from outside the company).
François Barrière and Sidne Koenigsberg present the competences required for the development of an attorney’s expertise in terms of compliance. The authors observe that many law firms are now developing expertise in compliance, either in departments or in teams. They emphasize that this expertise is achieved through specialization, which makes it possible to support companies, in ex ante (in mergers for example) and in ex post (in litigation) in continuum between the two.
Moreover, this expertise is built in a collaborative way between the team of lawyers and the company concerned, which reinforces this necessary continuity.
Thomas Amico shows that compliance, because it produces a shift from ex post to ex ante, constitutes a Copernican Revolution for criminal lawyers. After referring to various definitions of Compliance Law, the author stresses the usefulness of the criminal lawyer in that he, being familiar with the ex post that constitutes the sanction, can provide good advice in the ex ante in which new compliance mechanisms are being developed, such as risk mapping or third-party assessment.
The criminal lawyer therefore naturally has his place there, whether it concerns the powers exercised by an administrative authority or Criminal Law in the strict sense. In that he can “anticipate criminal proceedings,” the criminal lawyer is therefore best able to ensure that the company does not expose itself to them, in particular in a good mastery of internal investigations, thus ruling out the criminal risk.
But a tool must be adjusted, not just to the company and its activity, but also to the country, the region, and the legal system in which it is deployed. The right balance between what must be applied everywhere and the rooting in the traditions is a major factor and a particularly delicate one to have succeed in practice. That is why the fifth chapter covers the geographic salience of the compliance tools.
Jean-Baptiste Racine contributes a synthesis of several contributions from this perspective because compliance tools include both a global dimension and a local dimension. He also shows The geographic salience in the choices and the use of compliance tools. The author puts into correlation Compliance Law and “Global Law”: he underscores the balance of power that the former expresses, particularly from the United States, and even if it therefore “tends to become universal,” the particularities remain, if only in the implementation.
Mohamed M. Salah develops the Conception and application of compliance in Africa. The author presents the way in which compliance, which may seem “insurmountable” in Africa, particularly with regard to corruption, or even terrorism, a severity offset by the prevalence of the group’s solidarity on the Weberian conception of Law, which however seems set for “deployment” in Africa.
He describes the way in which, in certain African countries, the mechanisms of compliance were established, under the influence of international institutions requiring first of all the autonomy of economic structures with respect to social structures and then relaxing them so that they are more “human” and thus more “sustainable.” Under the aegis of the United Nations, programs to fight corruption have been deployed in particular. But the African Union and sub-regional organizations have also contributed to designing and applying programs against corruption, for example through the adopting of uniform laws. Furthermore, the extraterritorial effect of foreign laws, particularly the FCPA, Bribery Act and Sapin 2, increases this anchoring of compliance.
The author shows that this anchoring translates into a transformation of the branches of Law. Firstly, Banking and Financial Law welcomes it more readily, since it tends to be globally standardized, with African laws taking part in this globalization, and imposes on financial institutions and beyond a general obligation of vigilance, particularly with regard to the risk of money laundering and financing of terrorism, an obligation to alert and specific criminal liability of legal entities. Secondly, all African legislation aims to combat corruption through compliance, which mainly aims at prevention.
But the author measures the effectiveness (“i.e. their aptitude to produce the results sought”), often still limited, of these tools. This is mainly due to the conjunction between the size of the informal sector, hampering in particular the identification of the actors, and the weakness of state structures which, along with the low level of banking services and the weak culture of writing and recording, leaves the system without crucial operators who can be entrusted with the materialization of Compliance Law.
The author concludes that it is not the risk of national sanction that leads operators to respect the compliance rules, but rather the fear of losing markets by the external threat of international actors and the damage to their reputation, locally and abroad. With the weakness of state structures diminishing the effectiveness of compliance as it affects everything else, he stresses that they must be reinforced, particularly to consolidate the effectiveness of judicial control.
More specifically, compliance should be less expensive, because African countries often cannot bear the cost, only the subsidiaries of the large foreign private groups can do so, which leads to the abandonment of compliance to the will of the private sector, a regrettable phenomenon, while public supervisors do not have the means to carry out their control function.
In a more transatlantic perspective, Karen Coppens, Roger Burlingame, Noel Powel and Dae Ho Lee describe the international fight against corruption and risk management. The authors show that companies certainly face a diversity of legal systems due to their multiple locations but, in reality, in terms of the fight against corruption, the French, British and American authorities are developing similar requirements in a common spirit, which should be sufficient to satisfy the legal subjects.
In reading the texts, particularly on soft law, from the French Anticorruption Agency, the Department of Justice and the Serious Fraud Office, it appears that the primary concern is the effectiveness of the conformity program adopted by the companies. The authorities of the three countries also stress the need for the company’s governing bodies to actively promote and disseminate the culture of anti-corruption compliance.
For the three authorities, it is more precisely necessary that this program be adapted and customized, that the governing body commit itself in its effective compliance and that a code of conduct, effective training and communication actions be implemented, and the program should be based on structural mechanisms for in-house inquiry and whistle blowing, and all these elements be covered by an evaluation.
The authors show that beyond the specificities of each of the systems, the three authorities are united in the fight against corruption, which reduces the insecurity of internationally exposed companies. This overview shows that the concern for effectiveness is common and deserves to be presented at both ends of the chain: on the sides of the company and the regulator, echoing the two general approaches which opened this book.
As such, the sixth chapter of the book is devoted to measurement of the effectiveness of compliance tools.
Maxime Galland shows the strength of the control by the regulator of the effectiveness of compliance instruments implemented by the company. The author underscores the complexity of measurement of the effectiveness of compliance tools because the measurement of risks cannot be mechanical. The exercise has a cost, the advantage of which does not appear immediately, with the essential being in the behaviours that the company masters with difficulty while it is the results that are evaluated, because the compliance tools must be “effective” and produce tangible results.
To do that, the regulator intervenes in ex ante so that the applicable texts are understandable by the company and so that the tool works. When a non-conformity occurs, beyond the sanction that it justifies, the regulator must build on this measurement of the ineffectiveness that the sanction made possible to lead operators to improve their systems. Thus, it is in terms of “compliance effort” that the regulator’s control works, particularly through the observation of an “embodied exemplarity,” and especially by those in the company who have decision-making authority.
From the standpoint of the company to which all the tools are offered by service providers, Aurélie Banck designates the maturity of the compliance tool user as the first criterion of the choice of the salient tool. The author stresses the practical necessity for the company to show at the first request the documents certifying the reality of the compliance mechanisms. IT tools help companies to achieve this, but the essential factor is that each person in the company learn to use these various tools.
To achieve this, it is important that the compliance officer not necessarily choose the tool which suits him or her best and that he or she likes, but rather the one that suits the person who will use it, for example sales teams in the field, making sure that this tool integrates the specificity of the sector and the company. The adjustment of the software must therefore meet the maturity of these users in the company: these users must have a “culture of compliance” to take advantage of its tools. Tools that are more rudimentary than others can be effective if the culture of compliance is still weak, and sophisticated tools can be useless if a prior minimum base has not been acquired. The author thus shows the articulation to be made between the maturity of the users and the technicality of the tools, as the two must move forward together.
Continuing to articulate the ex ante and the ex post, because training is often a major requirement of compliance programs inflicted as sanctions but constitutes the best prevention through the insertion of a “culture of compliance” in the company, the seventh chapter covers training, the alpha and omega of compliance.
In this regard, Hervé Causse shows that Compliance training goes through and beyond traditional legal training. The author emphasizes that compliance training is not only required by law, but also that it is necessary. To conceive and practice it, it is certainly necessary to integrate new knowledge, often from outside of Law, but it is also necessary to preserve the qualities of traditional teaching of classical Law. That is why training constitutes an essential aid and asset for companies.
The author shows that the international dimension specific to the subject and the cultural confrontation that it reflects must be integrated into traditional legal systems. Training helps to achieve this by highlighting the practical imperatives of which compliance relays the concerns. To achieve this, the author maintains that it is above all the classical qualities of lawyers and teachers that are required; with classical Law thus finding a resurgence, as teaching methods are revitalized by this new Compliance Law. Its teaching must therefore be anchored both in traditional legal principles and in the techniques specific to compliance mechanisms.
Then Marie-Anne Frison-Roche describes training as the content and container of Compliance Law. Firstly, as training is a specific compliance tool, it is supervised by regulators. It even becomes mandatory when it is contained in compliance programs. Because effectiveness and efficiency are legal requirements, the author shows the margin of maneuver that companies must design them and how they can measure the results.
Secondly, as each compliance tool includes, more and more, an educational dimension, we can take each of these tools, one by one, to bring out this teaching perspective. In this way, even condemnations and requirements can be lessons: lessons given and lessons to be followed. The question is then to know who, in this very pedagogical Compliance Law, are the “teachers?” Isn’t it the regulators themselves?
Lastly, Théo Thouret shows that Training and Compliance are two correlated information transmission tools. The author draws on the fact that, in general, Compliance Law aims to disseminate information and training, by its nature, is a process for transmitting information, to bring the two together. Inasmuch as Compliance Law internalizes in “crucial operators” the obligation to disseminate information (within a group, with respect to stakeholders and authorities, but also between crucial operators), it is therefore logical that they develop training programs, not adjacently but as a principal action, because of this identity.
Training is a means of ensuring that information will be “well received,” i.e. understood, assimilated and used by its recipient for the purpose that its transmission had intended. The regulatory and supervision authorities thus control the effectiveness of the obtaining of this effect. The author lastly takes two examples, one of spontaneous adoption of a training program for compliance, operated by the Total Group, the other forced adoption, operated by the Johnson & Johnson Group, to illustrate its general demonstration.
Although training seems to be a rather human affair, a very substantial place is now however given to what many people present as the future of compliance: machines. Intelligent, learning and deciding machines… is compliance by design the tool of the future in which the technicality of compliance drowns the Law?
The importance of this question justifies that the eighth chapter of the book is thus devoted to technological tools and compliance by design. It is more a question of having an idea of what must be done, in the face of tools that are so innovative that they could even take the place of those whose job it was to serve. The dashing Mephistopheles is never far from Faust, who would prefer to lose himself rather than appear to be in decline.
Thus, Jean-Christophe Roda draws on the particular example of Compliance by design in antitrust to show that in general these techniques are located between innovation and illusion. He studies more specifically the requirement of the European Commission, i.e. an “antitrust compliance by design,” which seems to him for the moment to be a rather confused idea but one which responds to the hypothesis of violation of Competition Law by so-called “smart” technologies, for example aligning prices without intervention.
The author takes up solutions already identified, but he does not include the automatic in-house reporting of situations that incite anti-competitive behaviours justifying greater vigilance by the company itself because compliance by design must, according to him, integrate the rules themselves and not just be a simple warning system. In the same way, the “transparency of algorithms” will make it possible in ex post to sanction those who have programmed or to consider their use as aggravating, which is not a mechanism by design in the strict sense, since this does not in itself produce respect for the rule. In Competition Law, compliance by design is thus “the coding of the goals of Competition Law, with relatively simple instructions: do not set prices collectively, do not exchange a particular category of information,” or block access to sensitive information. This could go further, towards a kind of education, with the software “learning” to refuse to perform tasks leading to offenses. The Law could encourage this through responsibility, which is beginning to take shape.
But the author believes that for the moment there are obstacles, which are more technical than legal. It is indeed necessary that lawyers and computer programmers understand each other…, and therefore agree to think a little bit differently, both of them. It is possible. But the complexity of Competition Law, associated with the margins of interpretation, is such that a binary translation is almost impossible, although the algorithm technique seems to require this. In the economic technique, we find the same pitfalls, for example in the calculation of market power, determining in antitrust compliance by design. Not to mention the ethical part of Competition Law, which is difficult to encode.
Cécile Granier develops the analysis of this difficulty by demonstrating The normative originality of compliance by design. The author develops the idea that compliance by design represents a “normative originality,” in that it targets, through a complex relationship between the obligatory and the voluntary, to ensure the effectiveness of the “primary standards” contained in the “monumental goals” set by the public authorities. The normativity of compliance by design is original because these processes are situated as of the implementation of the technical processes, to which the expression “by design” refers, which reinforces the ex ante dimension of compliance law, with IT embedding this normativity in the structures themselves, through a marriage of technology and compliance.
The result is an “automated” application of the standard, integrated in a computer program, which for example blocks the access to data if the user has not correctly expressed his consent, a chain of events mechanically caused by the effect of past events (or non-events, as in smart contracts), a whole functioning in total ex ante, outside of any perspective of feared state sanctions, with the constraint being reintegrated in the technical aptitude. This primacy of the technical aspect raises the question of the interpretation of the standards thus incorporated, a question that the author leaves open because it could lead to machines which themselves “interpret” the standards. This automated application is presented as more “efficient,” an essential quality in the compliance atmosphere because in this way the standard does not depend on private actors and can benefit from their technical power. But we can assess today that the author of the secondary technical standards himself inserts standards which should only be presented on the first level, with the company inserting its own practices and values, with compliance by design being related to self-regulation.
Moreover, the author shows that in the very conception of the standard, in the design, the question is to designate the author of the standard’s integration into the algorithm and the insertion procedures. As the author is within the company, this would constitute a privatization of the standard, because the standard, even second level, cannot be totally free of the insertion of values, with compliance thus overwhelming the organization of the sources of Law. In a situation that the author refers to as an “unknown,” unless “lawyer-programmers” appear, the lawyer is disqualified by his technical incapacity because it involves technological insertion, the translation from legal forms to an algorithm, by the translation of computer code and then by insertion into the IT architecture of the company, transforming the legal rule itself.
For example, through the choice of the severity of the mechanical sanction implemented on the secondary level to give effectiveness to a prohibition enacted on the first level. The author thus shows that this control of the effectiveness of the first level standards, an effectiveness control that is implemented on the second level, directly impacts the first level standards. For example, deciding to request the authorization, or the expression of consent, or to forbid access, when content has been disapproved by a first level standard, a first level standard which does not specify the mode of control of this reprobation to which compliance by design must connect itself. But because compliance by design is not self-regulation, the public authorities control its implementation, as the CNIL (French Data Regulator) did for Android. Cécile Granier emphasizes the fact that this type of control will be further developed.
Returning to a more singular technical situation, Ludovic Pailler compares Compliance by design and GDPR, to show how we can technically implement the protection of personal data as of the design stage. The author considers that the GDPR changed the “paradigm” of data protection to bring it into compliance, in that those in charge of the processing must ensure the effectiveness of the rules defined by this regulation, which they must demonstrate. Furthermore, the data processed by the algorithm is “a means of compliance” when it is used for vigilance plans and all other tools, with this brick being common to all of Compliance Law. To respect Law, and in particular to protect people, compliance by design continues to integrate “conformity” as of the design of its tools by technical standards (Privacy Enhancing Technologies – PETs), legalized by the GDPR.
The author analyses the technological means of data protection from the design of the tool, which complement the Law and the contract. They are included in the “measures” required to protect people, for example transfers to third countries, with these technological means being classified according to their degree of effectiveness. While the operator is free in the choice of the technology, the Law requires and controls that it be not just effectively protecting but also robust, easy to use and compatible with the user’s tools. The author emphasizes that the notion of “effectiveness” encompasses these particular requirements. This effectiveness, which must be proven a priori (“documented”), is checked by the authorities through the verification of the appropriateness of the technical measures, their efficient implementation and their concrete effect.
Even if the operator is only subject to the state of the art, he or she must develop his technical resources, with the help of the authorities (see the “compliance pack” of the CNIL [French data regulator]). Even if the authorities seek to optimize the costs borne by the company, it must nonetheless bear them, with the putting in context and the purpose of the processing implying that the measurement of their proportionate nature is evaluated with respect to the goal, which can cause a very large burden. So, if the risk is very high for people, it will be necessary to include techniques that provide still more protection than those of Compliance Law, as of the moment when it is no longer limited to simple “conformity” with the regulations. This is what we observe with regard to personal data.
With the same concern for finding solutions, Samir Merabet considers what Morality by design should be able to be. After thinking about the general relations between Law and Morality and their points of contact, the author advances the hypothesis that it could find a space of materialization in the technology of artificial intelligence, even though many people are worried about its adverse effects. The author considers that compliance is only a method while ethics would be the way in which morality is incorporated in a relaxed way into Law: the technology of “artificial intelligence” could thus express the moral rule; “compliance by design could be the appropriate tool to ensure the effectiveness of moral rules without falling into the envisaged excesses.”
The author draws on examples to consider that technology must both express the moral rule and make it effective. This seems possible to him, all the more so because this moral rule can find an equilibrium through its mode of elaboration, because it is jointly developed between the State and the economic operators, with this collaboration taking the form of general principles defined by the State and means chosen by the company. Its content would also be characterized by the search for a “right balance,” which would be found by this distribution between the primary moral principles whose expression would be the act of the State and the secondary moral principles whose expression would be delegated to companies.
Taking therefore what would be the principles of compliance, the author applies them to artificial intelligence, showing that these technologies include not just the principle of neutrality but also the ethical principles of non-maliciousness, or even benevolence (first principles), which the companies then decline in secondary principles. Therefore, “compliance can be put to good use to convert these fundamental moral principles into derived moral rules, a source of greater effectiveness.”
Thus arriving at a “morality by design,” the overall system has an additional effectiveness tool. This supposes that the fundamental and derived rules are of an acquired moral quality because, for the moment, the technological tool can only guarantee their effectiveness and not the moral quality of the rules implemented. In the determination of the “moral rules of application,” the company thus has margins of freedom, used through technological tools.
Starting from these optimistic statements, and as the book is resolutely devoted to the future and what could be its positive aspects, it ends with an open conclusion in the form of a concluding article, a part devoted to subjective rights.
Marie-Anne Frison-Roche presents subjective rights as the compliance tools which prefigures what is in the process of becoming Compliance Law. In the traditional conception of the architecture of sectors regulated by Law and in Compliance Law which extends the state regulatory techniques, subjective rights have little place. But this configuration is no longer relevant; on the contrary, subjective rights are now at the core and will be so more and more. They are and will be the first tools of Compliance Law because they constitute a “tool” of great efficacy to ensure the entire functioning of a system of which the goals are so difficult to achieve. Because all available means must be used to materialize these goals, the public authorities not only draw on the strength of the crucial operators, but also distribute prerogatives to the people who, thus encouraged, activate the compliance system and take part in the realization of the “monumental goal.” Subjective rights can prove to be the most effective tools for actually achieving the goals set, to the point that they can be considered “primary tools.”
But it is appropriate to have more pretension and to conceive of subjective rights as the most “natural” tools of Compliance Law. Indeed, because all of the “monumental goals” by which Compliance Law is defined can be seen as for the protection of people, i.e. for the effectiveness of their prerogatives, by a mirror effect between the subjective rights attributed as means by Law to people and the subjective rights which constitute the very goal of all Compliance Law, particularly the protection of all human beings, even if they are in a situation of great weakness, with subjective rights becoming a “natural tool” of Compliance Law.
We are only on the edge of their deployment and it is probably with regard to subjective rights, materialized by the companies themselves under the supervision of public authorities in zones connecting sovereignty and humanism, that the digital space in which we now live could in the future be regulated, so that we are not suffocated and so that it constitutes a civilized space for people.
Because for this homo faber who sometimes seems sated from inventing every morning a new “compliance tool,” who imagines them without defects, who projects them as if writing by magic a future in which each comma would have already been written by a machine, we must remember that Homo sapiens has the wisdom to keep in mind that he doesn’t know, that the tools are not intelligent and if they might not have defects, they cannot in any case have projects.
The tools must be left in their proper place, so that the principle of a free human being referring to a Law exterior to all and to which all refer remains our common principle, without the matrix ever dictating to us, softly, each of our steps.
This human liberty, which goes with the risk taken, the possible choice, the acceptable error, the accepted failure, the welcome unknown and the future that we don’t know, the desired action, concern for others, the uncalculated, must remain the beating heart of compliance tools.
(1) This article presents firstly the issues which are the basis for the unity of this book, Compliance Tools, then summarizes each of the contributions that make it up. For a dynamic vision of this book, inserted in the collection Compliance & Regulation which itself aims, work after work, to elaborate Compliance Law, in the extension of Regulation Law and in articulation with it, see: https://mafr.fr/en/article/compliance-tools/.
Marie-Anne Frison-Roche (1)
Agrégée des Facultés de droit
Professor of Regulation and Compliance Law
Director of the Journal of Regulation & Compliance (JoRC)
“Compliance tools” cannot be stacked one on top of another. They form a system thanks to the unity drawn from the goals that all these multiple and different tools serve: the “monumental goals” by which Compliance Law is defined.
As all the tools are configured by these goals, it is essential, in order to master all of these techniques, to put them all into the perspective of the nature of Compliance Law, which is designed teleologically with regard to its goals. As Compliance Law is itself the extension of Regulatory Law, it is, like it, built on an equilibrium between the principle of competition and other concerns that public authorities claim to handle. Compliance Law has moreover still more “pretensions” than Regulatory Law in this regard, for example in environmental matters or concerning human rights. All the means are then good, the violence of the tools combining without difficulty with voluntary commitments because it is the goals which govern this branch of Law, the tools all converging, in a European definition of Compliance Law, towards the same goal: the protection of human beings (I).
As substantive law demonstrates, a method of interpretation and levels of constraint which are common to all compliance tools are its result. Starting from the goals, in which legal normativity is contained, the interpretation of the various tools is thus unified and their correlation is done by jurisprudence without it being necessary to elaborate legislation that would bring them all together. Moreover, the different degrees of constraint do not operate according to the consideration of the sources (traditional legal criterion) but rather by the goals, according to the legal distinction between the obligations of means and obligations of results: the articulation occurs between the tools, of which the establishment is an obligation of results, and the goals, of which the materialization is only an obligation of means (II).
Let us start from the definition of Compliance Law. This definition explains the substantive law that applies to the various compliance tools and the way in which they will develop in the future. Because its tools will vary, by technology, by the diversity of the choices of the various entities that build them; on the contrary, the monumental goals will be stable and unfold over time. As legal normativity exists within them, companies will be constrained or encouraged to always refer to these goals, guarantees of legal safety for them.
Compliance Law is a new branch of Law that should not be reduced to simply a way of making pre-existing rules more effective, which would limit it to being only a formal Law of ex ante
