The recent news

Dec. 5, 2019

MAFR TV : MAFR TV - case

Watch the video explaining the content, meaning and scope of the decision made by the Conseil d'Etat (French Council of State) on November 15, 2019, La Banque Postale v. Autorité de contrôle prudentiel et de résolution (ACPR).

The Autorité de contrôle prudentiel et de résolution - ACPR (French Authority of prudential control and resolution) pronounced a very high sanction, representing 7% of La Banque Postale's net annual result. The breach is constituted by the fact of not having prevented the use of the banking technique of the "money order" which was used to escape the freezing of the assets.

The Conseil d'Etat recalls that by nature if the assets are frozen, it is not possible that anyone is able to dispose of these assets. However, by the use of "money orders", persons targeted by asset freezing decisions, tools used in connection with the fight against money laundering and the fight against terrorism, had been able to circulate money to from accounts managed by La Banque Postale, of which they were not customers.

This case was not foreseen at the time when the Bank Postale was sanctioned by the ACPR for not having prevented such a use, the texts forcing it under its obligations of "conformity" to prevent this behavior of violation background gels on the part of his customers, but only that.

This case of a use of a means by a person who is not a customer of the bank was not foreseen at the time when the alleged facts took place and the Bank claims not to be able to be punished since in the repressive matter it is necessary to respect the principle of non-retroactivity of the texts, - in this case texts later supplemented to aim at such an assumption -, the non-retroactivity being a major principle itself related to the principle of the legality of the offenses and the penalties.

We are therefore in the hypothesis of a silence of the texts.

What to decide? Can the Bank be condemned and so heavily or not by the ACPR?

The Bank does not think so. 

It acted against this sanction decision firstly because those who used these money orders were not its clients. It has strong reasons to avail itself of this fact, since subsequently the texts needed to be modified to aim not only the use of this technique of money order by those who have a count in the bank and also by those who act with cash through the bank without a count, that is to say without an account holder to look at. Because we are in criminal matters, the restrictive interpretation and non-retroactivity of the text should lead to follow the reasoning of the Bank. But the Conseil d'Etat does not because it considers that implicitly but necessarily even with this subsequent modification of the text, it had aimed that use before.

By this way, the Conseil d'Etatuncil develops a very broad concept of the obligations of banks in their role in the fight against money laundering, and therefore a very repressive point of view, which permeates their "obligation of Compliance". Thus, when the bank also argues that it can not be sanctioned since for it this activity of money order is  deficit and that it did not cause harm to its customers even by assuming badly its obligations, theConseil d'Etat stresses that this is not a pertinent perspective since the Compliance obligations falls within the "overriding general interest of protection of public order and public security, to which the freezing of assets legislation responds".



Read the  judgment of the Conseil d'Etat ( in French). 

Dec. 4, 2019

MAFR TV : MAFR TV - case

Regarder le film de 5 minutes sur le contenu, le sens et la portée de l'arrêt rendu par la première chambre civile de la Cour de cassation du 27 novembre 2019, M.X.A. c/ Google.



Cet arrêt casse l'arrêt de la Cour d'appel de Paris qui valide le non-déférencement, après que la CNIL a demandé l'interprétation des textes, notamment du RGPD, parce que le droit à l'oubli doit limiter l'exception ici invoquée, à savoir le droit à l'information, même s'il s'agit d'une décision pénale concernant un commissaire-aux-comptes, car il s'agit d'une affaire privée et non pas ce qui concerne l'exercice de sa profession réglementée coeur du système financier. 



Lire la décision de la Première Chambre civile de la Cour de cassation du 27 novembre 2019, M.X.A. c/ Google

Nov. 28, 2019


Reference : Frison-Roche, M.-A., General presentation of the cycle of conferences on Les outils de la Compliance  (Compliance Tools) and  "Théorie générale de la cartographie des risques" (Legal Theory of Risk Mapping), conference made in French, in Département d'Economie de Sciences Po & Journal of Regulation & Compliance (JoRC),  La cartographie des risques, outil de la Compliance (Risk Mapping, as Compliance Tool), November 28th, 2019, Sciences Po, Paris. 





Summary of the conference

Risk mapping is both central to the obligations or practices of companies and little apprehended by the legal systems. It is not expressly referred to by the French legal system, except for the special national laws known as "Sapin 2" and "Vigilance". But if we are out of this field, because there is only a description and not a legal definition, even less a legal notion, we do not know what legal regime to apply to the action of mapping risks. It is therefore useful, indeed compelling, to define the legal concept of risk mapping. Starting from what is still the safest ground, namely these two special laws, to go towards less secure legal grounds, such as the doctrine of the authorities or the commitments of the companies, even the ISO certifications obtained in this matter. Through a few judicial decisions and legal reasoning, a legal notion of the action of mapping risks emerges.

It is advisable to proceed in 5 steps (the working document follows another approach).
The first, based directly on the two available laws, apprehends the action of mapping when it comes into execution of a special legal obligation. The decision rendered in 2019 by the French Commission des sanctions of the Agence Française Anticorruption (French Corruption Agency's Sanctions Commission) draws probate games as to the demonstration of the execution of the obligation and the probationary system can be extended. In the same way the decision of the French Conseil constitutionnel (Constitutional Council) in 2017 on the "Vigilance Act" shows that a mechanism referred to as a "modality" is legitimate with regard to the goal, which is, concerning this tool, the establishment of a responsibility for others. It is therefore the concern for the situation of others that can be targeted by the Law thanks to Compliance Tool, especially Risk Mapping.

The second theme aims to map risks as a fact of good management for a company, while the enterprise is not constrained by a legal obligation. This fact is a paradox because the Regulatory Authority and the Judge may, where the conduct that was to be prevented occurs, for example a market abuse or an anti-competitive behavior, either qualify as an aggravating circumstance or as an attenuating circumstance. Consideration of the theory of incentives should lead to the adoption of the American solution, that is to say the qualification of an effective cartography as a mitigating fact. European case law is not yet fixed, especially in terms of Competition Law's compliance.

The third theme is the mapping action carried out by an entity which, in doing so, exercises power over a third party. Because cartography is as much an obligation as a power, possibly on a third party. The Conseil d'Etat (French Council of State) in 2017 qualified risk mapping as an act of grievance, but doing so legitimately, since it was to prevent forest fires efficiently. This solution based on the teleology attached to Compliance Law can be transposed to other areas.

Going further, one may consider transforming this action from de facto status to legal status on the part of the company, if it thus identifies risks for third parties. It would thus give third-party creditors the right to be in a position to measure the risks that weigh on them. Risk mapping would thus be part of a broader unilateral commitment by powerful companies, recognizing the existence of risks for third parties to enable them to know their nature and extent. If this responsibility Ex Ante (characteristic of Compliance Law) is fulfilled, then the Ex Post liability of the company could no longer be retained. This is the ongoing issue of the Johnson & Johnson trial (2019 American judgment), in terms of medical compliance. Because if one can argue that there exists through this kind of risk mapping that the posology a "subjective right to be worried about the risks related to the taking of the drug", the patient remains free in the use of it. The question of whether third-party education is included in the mapping, since the alert is already included in it, is an open question. For now, the answer is negative.

Indeed and in a fifth time, appears the liberal definition of Compliance Law through the apprehension that the Law must make of the cartography of the risks. Beyond the rational act that any person has to control their risks for their own interest, by preventing the damaging effects of that from the crystallization of risk has in fact proved, it is a question of preserving an external interest for the preservation of which the Law must intervene because the subject of law, in particular the company will be less likely to be concerned.

By the imprint of the law, risk mapping expresses the concern for an external interest, either of a system or of a third party. But this support in Ex Ante implies force (Sapin 2, Vigilance, financial market information obligation) or will (social responsibility, ethical commitment, adoption of non-financial standards) relates only to information, its constitution, its intelligibility and its hierarchy. Then it is the actors exposed to the risks, able to understand in Ex Ante the extent as far as they are concerned, either the entity itself, or the thirds, to choose to run them to no.



  • Consult the two sets of slides as basis of the conference: 




Nov. 27, 2019



This Working Paper served as the basis for an intervention in the conference organized in the conference cycle organized by the Journal of Regulation & Compliance (JoRC) on the theme: Compliance Tools, in collaboration with many university partners: this first conference is organized in collaboration with the Sciences po Economics Department and is held on November 28, 2019 at Sciences po and deals with the more specific theme of Risk mapping.

It also serves as the basis for the book edited by Marie-Anne Frison-Roche, Compliance Tools, which will be released in the Regulations & Compliance collection.




Introduction and Summary.

 Most often we only describe the risk mapping mechanism, without qualifying it legally. The legislator does not do more. Thus, in the French legal system, in the law adopted in 2016 for fighting againt corruption, the so-called "Sapin 2 law", the article 17 describes cartography  as "la forme d'une documentation régulièrement actualisée et destinée à identifier, analyser et hiérarchiser les risques d'exposition de la société à des sollicitations externes aux fins de corruption, en fonction notamment des secteurs d'activité et des zones géographies dans lesquelles la société exerce son activité" " ("the form of documentation regularly updated and intended to identify, analyze and prioritize the risks of exposure of the company to external solicitations at the end of corruption, depending in particular on the sectors of activity and the geographic areas in which the company operates.").

In the law adopted in 2017 for obliging big companies to be "vigilant", the article 1 of this so-called "Vigilance law" of March 27, 2017 aims to do a "cartographie des risques destinée à leur identification, leur analyse et leur hiérarchisation ("map the risks intended for their identification, analysis and prioritization").

This is a description, not a definition, with the text only targeting the "form" that this piece of information takes, without saying more. The letter of the descriptive text inserted in the second part of article 17 referring to the first part thereof, which expressly covers it as a "modality" of "the obligation" to take "measures intended to prevent and prevent detect the commission, in France or abroad, of acts of corruption or trading in influence ". In the same way when consulting the documents by which the regulatory authorities, for example the Financial Market Authority, presents the way to properly identify the risks, including the risks of "non-compliance"!footnote-1734, there is a description of the ways of doing things, no definition, often no rights. We find this same tendency in Compliance itself, so often reduced in its presentation to a mechanical process, often not very legal, or only becoming so in its bad light: that of the sanction. This mechanical conception of Compliance as a process leads to proposing that machines and not human beings establish the tools, notably the risk mapping.

Because it is understood that cartography is only a "tool", the law designated it as a "modality". It is therefore a given that we must look for what the tool is made for. Either it is done so that the law is not ignored, mapping identifying for example the increased risk that it is not: it is usually referred to by the strange name of "risk of compliance". The mapping then allows the company to execute its "compliance obligation", that is to say to ensure in Ex Ante that the law is respected by eliminating in advance the risk that it will not be . Thus, in 2008, the OECD defined risk mapping by its objectives, namely to put in place efficient means to reduce the risk of fraud and corruption and to set up efficient investigations by focusing efforts on effective procedures "!footnote-1739.

Then there are the risks which do not concern the Law, and which the company manages as so many considerations for its action, such as economic, natural or political risks, as well as "market risks", about which the Authorities markets, as the Financial Market Authority regularly draws up a "risk map"!footnote-1740. But this mapping does not seem to concern Law, even though it is no longer the sole responsibility of the company's internal management. The more we read cards, the more we observe their diversity, without knowing whether they constitute a "modality" of an obligation, therefore constituting a legal object, or if it constitutes a good way of doing things, which is neutral. for the Law. But what does law today not mix with? Especially of a fact as important and significant and expensive as this one ...

However, we observe to what extent "risk mapping" has so far been little thought in law. Indeed, when it is exposed, and so often, that it includes both "economic risks", "political risks", and "compliance risks", when however as a whole it is not instrument of a Compliance Law, which organizes all of compliance, the lawyer who constantly orders no longer manages to follow: as "compliance" could be only part of a mechanism that itself is only part of "compliance"? There are very many writings which detail the cartography, which by a kind of mirror effect, draw up cartographies of the requirements country by country, texts by texts, sectors by sectors, law by law, cartography requirements. .. We are faced with a house of cards, always more meticulously described, without ever meeting any legal qualification. For example, does drawing up such a card constitute a legal fact or a legal act? I don't see the question even asked. Yet the consequences of diet are immense. Assuming that this is only a legal fact, can it be justified? The lawyers thought about it and instead found the door closed ... But why should it not be a legal act? The legal category of unilateral legal acts is there to welcome it. In this case, the risk mapping commits the company and we feel that regulators and judges are seeing it more and more. But if the company is engaged, with whom is it? More precisely still, if it becomes debtor of the obligation to map, even if no specific law prescribes it in a precise way, then there is necessarily a creditor beneficiary of this obligation. Who is he ? And why is it?

The essence of this contribution is to ask these questions. They are elementary. They open up avenues, those that the exercise of legal qualification, legal categorization and legal definition, opens up.

If for the moment it has been little practiced, risk mapping being strangely left to algorithms, capable of heaping up data and incapable of defining and qualifying legally, this may be due to the fact more general than Law and risk are rarely directly associated. The mechanism of good management that constitutes risk mapping, especially in organizations that are not companies but are in charge of administering and adopting this good method without constraint!footnote-1735, incites it even less that we can read that it would be for the meticulous entity to identify in advance in particular the "legal risk"!footnote-1731, that is to say the application that could be made of law, uncertain application, annoying application. How many successful seminars on "penal risk" ... As in defense, lawyers explain too generally that the Law is constituted to fight against the risk, which is a fact. In fact, we repeat over and over again that the legal system is there to "secure", sometimes reducing it to this technical performance due to its very nature, by the principle of "legal security", that the State by its permanence , its legitimate violence, its imperium, gives us in exchange the peace, that the contract by the "little law" which it constitutes offers to the parties which enact it a haven of security for this island of stability in a future that never quite knows; beware of us if we get out of the legal order because we fall back into risk ... Thus, either one is in the Law, subject to the Law, and one benefits from its specific security, which economists would readily refer to as "regulation", or one is in the freedom of action, and the 'then we are at risk .... It would be like for the markets, about which we must choose between liquidity and security: if we want freedom of action, then we need less regulation , and therefore less security, more risk .... This traditional opposition, so often relayed in economics, is called into question by the obligation of risk mapping because if these are established, it is not for know in itself but to combat them, beyond the traditional obligation of information on risks, of which there are many anchors in the branches of Law, in particular Company Law, in particular those exposed to the financial markets (I) .

Consequently, since there is under the classic information of the political pretension, of the will to "prevent" the evil, which is quickly transformed into the will to "promote" the good, the new appears. The novelty is first of all institutional (II). In this, the so-called "Sapin 2" law, through the establishment of the French Anticorruption Agency, institutionalized this mechanism by which companies "exposed" to financial markets and / and to international investors, and / and to international trade , present in a clear and orderly manner - that is to say by a map - the risks they have identified in their present and future actions, must more concretely account for their structural organization. Public authorities will supervise the companies exposed to these risks. Certainly banks are legally accustomed to it, but banks are in a sector which is regulated and supervised. What is remarkable is that the Compliance Law applies via the risk mapping requirement the legal technique of supervision to companies which operate in sectors which are not supervised, which are sometimes not even regulated. Thus, they become structurally transparent. The liberal principle according to which a company only reports on its behavior and not on its internal organization is undermined. Thus, by the only technique imposed by law, the transparency method, specific to supervised companies becomes general, as soon as a risk exists. This is a radical innovation, since the risk in question is not a sector risk and a general crisis is no longer to be feared. The rupture is thus effected with the Law of supervision which until now was unbreakable from the Law of Regulation, the obligation of risk mapping applying to any "crucial operator" exposed to the risk of corruption, in that this must be fought in a global manner.

Therefore, risk mapping is a tool which, beyond the simple description, takes its definition in a teleological way. Its aim is to prevent risks which compromise ambitions which are not always of an economic nature but which are of a political nature (III). The fight against corruption is only one example, the so-called "vigilance" law also requiring a "risk mapping" in the area of ​​human rights, while this technique is taken up by more or less binding texts in environmental matter. Certainly companies in a position to carry such political ambitions, by force - because of their position - or willingly - by their reason for being or by their policy of social responsibility - must support it, transforming them into major political actors . They cannot, however, take the place of the Public Authorities, which on the one hand fix the "monumental goals" which it is a question of achieving on the one hand and which on the other hand supervise in Ex Ante and in Ex Post the implementation and operation of these tools within crucial companies.

Nov. 21, 2019


Référence complète : contribution à l'organisation et à la tenue de la conférence de présentation de l'Association Henri Capitant, Faculté de Droit d'Oslo, centre de droit privé, 21 novembre 2019.

Par cette conférence de présentation et la discussion qui s'en est suivie avec les juristes réunis à l'initiative du professeur Mads Andenas, professeur de droit à la Faculté de Droit d'Oslo, les bases ont été posées de la constitution d'un Groupe norvégien de l'Association Henri Capitant.

Nov. 20, 2019


Référence générale: Frison-Roche, M.-A., Le législateur, peintre de la vie, in Archives de philosophie du droit (APD), Tome 61, 2019, pp. 339-410.

Résumé : Peindre si bien que la toile est un objet vivant est un exploit technique qui fût atteint par peu. Francis Bacon obtînt de la toile qu'elle fasse son affaire de préserver en elle la vie, tandis que Carbonnier, avec une semblable modestie devant la toile et le métier, obtînt que la Loi ne soit qu'un cadre, mais qu'elle ne laisse pourtant cette place-là à personne et surtout pas à l'opinion publique, afin que chacun puisse à sa façon et dans ce cadre-là faire son propre droit, sur lequel le législateur dans sa délicatesse et pour reprendre les termes du Doyen n'appose qu'un "mince vernis". Ces deux maîtres de l’art construisaient des cadres avec des principes rudimentaires pour que sur cette toile le mouvement advienne par lui-même. Ainsi la Législateur créée par Carbonnier offrit à chaque famille la liberté de tisser chaque jour son droit. Mais c’est pourtant bien au Législateur seul que revint et doit revenir l’enfance de l’art consistant à tendre la toile sur le métier. Il est alors possible, comme le fit Bacon, d’obtenir un objet immobile permet que surgisse sans cesse les figures mobiles. Les gribouillis réglementaires sont à mille lieux de cet Art législatif-là. 


Lire l'article.

L'article ne comprend pas de reproductions, celles-ci figurent dans le document de travail.

Lire le document de travail ayant servi de base à l'article publié, document de travail bilingue comprenant des notes de bas de page, des références techniques et de liens hypertextes.

Nov. 19, 2019


Toute la presse s'en fait l'écho

Le conseil d'administration de la Banque européenne d'investissement s'est réuni le 15 novembre 2019.

Il a décidé d'exclure les financements, sous quelque forme que ceux-ci prennent 




Nov. 16, 2019


The Finance Bill has proposed to the Parliament to vote an article 57 whose title is: Possibilité pour les administrations fiscales et douanières de collecter et exploiter les données rendues publiques sur les sites internet des réseaux sociaux et des opérateurs de plateformes (translation: Possibility for the tax and customs administrations to collect and exploit the data made public on the websites of social networks and platform operators).

Its content is as is in the text voted on in the National Assembly as follows:

"(1) I. - On an experimental basis and for a period of three years, for the purposes of investigating the offenses mentioned in b and c of 1 of article 1728, in articles 1729, 1791, 1791 ter, in 3 °, 8 ° and 10 ° of article 1810 of the general tax code, as well as articles 411, 412, 414, 414-2 and 415 of the customs code, the tax administration and the customs administration and indirect rights may, each as far as it is concerned, collect and exploit by means of computerized and automated processing using no facial recognition system, freely accessible content published on the internet by the users of the online platform operators mentioned in 2 ° of I of article L. 111-7 of the consumer code.

(2) The processing operations mentioned in the first paragraph are carried out by agents specially authorized for this purpose by the tax and customs authorities.


(3) When they are likely to contribute to the detection of the offenses mentioned in the first paragraph, the data collected are kept for a maximum period of one year from their collection and are destroyed at the end of this period. However, when used within the framework of criminal, tax or customs proceedings, this data may be kept until the end of the proceedings.

(4) The other data are destroyed within a maximum period of thirty days from their collection.

(5) The right of access to the information collected is exercised with the assignment service of the agents authorized to carry out the processing mentioned in the second paragraph under the conditions provided for by article 42 of law n ° 78-17 of January 6, 1978 relating to data processing, the files and freedoms.

(6) The right to object, provided for in article 38 of the same law, does not apply to the processing operations mentioned in the second paragraph.

(7) The terms of application of this I are set by decree of the Council of State.

(8) II. - The experiment provided for in I is the subject of an evaluation, the results of which are forwarded to Parliament as well as to the National Commission for Data Protection at the latest six months before its end. "


This initiative provoked many comments, rather reserved, even after the explanations given by the Minister of Budget to the National Assembly.

What to think of it legally?

Because the situation is quite simple, that is why it is difficult: on the one hand, the State will collect personal information without the authorization of the persons concerned, which is contrary to the very object of the law of 1978 , which results in full disapproval; on the other hand, the administration obtains the information to prosecute tax and customs offenses, which materializes the general interest itself.

So what about it?

Read below.