Dec. 12, 2017


🚧 Compliance : before, now, after

by Marie-Anne Frison-Roche

to read this Working Paper in English ↗️ click on the British flag

Pour lire la version française de ce working paper, cliquer sur le drapeau français. 

This working paper serves as a support for the article to be published in the book written in French, Ingall-Montagnier, Ph., Marin, J.-Cl., Roda, J.-Ch. (dir.), Compliance : l'entreprise,le rĂ©gulateur et le juges, in the Serie Regulations, co-edited by Éditions Dalloz and the Journal of Regulation and Compliance (JoRC).

This work uses by links the Compliance and Regulation Law bilingual Dictionnary.


Summary. We have to admit it. Because in front of so numerous and so disparate Compliance rules we pain so much to figure out, we are constraint to go in so changing directions, that we console ourselves with their weight, their cost and our misunderstanding by affirming that Compliance is "complex" and "transdisciplinary", as if complicated words could mask our disarray. But "Compliance" is not a cataclysm, a bomb sent by the Americans to annihilate Europe, the new form of a Cold War in legal dress, it is a way of seeing things that comes from afar, with its own coherence and which must first be understood.

If one understands where this new corpus comes from, which now obliges companies to prove that they effectively take on the fulfillment of certain goals that go beyond them, notably the fight against money laundering, tax evasion, but also the fight against the sale of human beings or the struggle for the preservation of nature and Earth, then we can continue the story.

Indeed, not all companies are targeted by such internalization of "monumental goals" within them." An ordinary firm is destined to develop itself in order to achieve a goal which is its own. The concern of these goals can only be for the "crucial firm. "If there is to be a change in the corporate project, then it can only depend on its" position "in a system, a financial, economic, social, global system, or because it has itself decided that it would be so. The company then bears the burden of proof that such a discourse of new responsibility corresponds to a behavior and an effective culture. The weight of the rules already exists today. And it is for the moment that now, in a negative and passive way, Compliance is perceived, by those who "undergo" it (companies), even by those who apply it (public authorities).

The transformation towards a "culture of trust" is the issue between today and tomorrow, because tomorrow, it is a relationship of trust that could be built between these companies and the public authorities, because they would share information (systemic issue), because they would agree on the less technical monumental goals (protection of human beings issue).

In this perspective, "Compliance" is above all a bet, that of the place of human beings in globalized markets.


When one looks at what is gathered under this term of Compliance, one is struck, even discouraged by the junk it seems to covers . The reader comes across financial law, environmental law, company law, international contract law, criminal law, administrative law, procedural law, labor law, human rights law, law of enforcement, private international law. It is thus confronted with branches of law and prefers by prudence to expose cases, or to move in sectorial perspective, often having some inclination for the banking. But compliance seems to circulate everywhere, in all cases, in all sectors, in all branches. A bit like a virus.

One ends up wondering if a situation can claim to escape .... It is believed all the less if we purely and simply associate "Compliance" and "Conformity", as it is done in French language (where Compliance is often translated by "ConformitĂ©"), that is to say the obligation to comply with all requirements of the legal system, the obligation for a legal entity to conduct behavior in accordance with the rule of law, a requirement that applies to all rules, regardless of their level and content, a requirement that imposes on any subject of law, a category of which companies are parties but which exceed them, going from particular persons to States!footnote-974.

It should then be admitted that Compliance is Law itself. If it were only that ... But it would be, through the activism of the subjects themselves, a so imperious, a so imperial Law, that it would show itself as an always respected Law, always in action , a kind of "implacable Law". Its application should be ensured, always, by all and in all places. The effectiveness of this application should be constantly proved by subjects, who have all become agents of effectiveness of the rule. And sometimes, it is presented as: the coming of a world where finally all the rules of law would be respected by all and in all places. By this is "passion of Law" that the French author Carbonnier identified as the mark of our society and that he took care to denounce!footnote-975.

If one reads the book that Carbonnier devoted to this theme in 1996!footnote-975Droit et passion du Droit, which concerns the theme of the 'passion' for legal norms but also relies the passion for judges, we note that Carbonnier highlights rather than the most adequate legal system is the one that applies little, he observes that happy families weave each their own law, he insists that the strongest bonds are not legal, he concludes that the law is only a "mince vernis Ă  la surface des choses" (thin glaze on the surface of things). Today, the compliance elephant has overturned these China remarks!footnote-979.

Or to use a vocabulary of classic processuallist lawyers, by the Compliance one has the impression that the "law to the state of peace" was swept by the "law always to the state of war". It seems that the more the regulatory authorities sanction, the more the Regulators claim to have the proof of their "power"footnote-976. In the same way, the more companies spend and hire under Compliance, the more they are sanctioned, and the more it is claimed that the devices would be "effective".

These two behaviors, on the part of the public authorities and on the part of companies, refer to the fact that the law itself should be evaluated according to its effectiveness thus appreciated: in short, the strong signals are multiplied!footnote-978, as the criminal sanctions and the different deals, with a very wide diffusion, and the more the system would be successful. With transparency as mantra, the very one on which Carbonnier wrote with suspicion in 1993footnote-982. The key is to be able to show the highest possible numbers of success, to base yourself and to consider everything that can be countedfootnote-977.

Indeed, in terms of compliance, the numbers are impressive, both in terms of their aggregation and of their amount. The sanction imposed on BNPP remained in the memory. When one goes in the companies having modified their structure to satisfy their "obligation of compliance", whose "duty of vigilance" is the natural extension, the impression is that of a fatalism, like what, of cartographies drawn up in reporting implemented, of compliance services internationally organized in ethics by design, a feeling exists that this Ex Ante device will not prevent Regulators, prosecution authorities to punish when they want, for what they want, for an amount they want, the Ex Ante and the Ex Post having become a continuum, which pulverizes the principle of legality, the proofs being no longer required because of the presumptions, the heterogeneity of the texts covering any line of intelligibility. Since "no one is supposed to ignore compliance" ....!footnote-983.

This impression of "compliance madness", backed up by this "passion for the law", is reflected by this usual definition of compliance as "the set of processes that make it possible to ensure the conformity of the company's behavior, its managers and employees to the legal and ethical standards applicable to them ", this conformity having to be" effective ", this effectiveness having to be permanently given to be seen by the company, by the manager, by the employee.

This already seems difficult to satisfy, even for those who would still be guided by the "love of the law" that Rousseau saw in the heart of every citizen. But this definition is still too narrow .... The company should still ensure the compliance of those in its charge, that is to say including manufacturers, subcontractors or distributors. But this is still too narrow.

From another perspective, it is not enough to apply the texts, it is necessary that the company concretizes the purpose for which the text was adopted, for example that it actually contributes to the fight against money laundering. And this in a global perspective, because effectiveness and efficiency lead to bringing global phenomena - such as money laundering, human trafficking, corruption or climate change - into the company from the moment that the company is global itself footnote-980.

For the moment, firms have the impression that they are being beaten for no reason, or even "ransomed"!footnote-981. Mirroring, at best, they resign themselves to applying without understanding, all these expensive devices that accumulate, a new plague of Egypt in an otherwise prosperous economic valley, the divine ransom of their success.

This representation is not accurate.

It probably comes from the fact that Compliance appeared to be a sort of tsunami, hostile and unpredictable, while it is a rational and justified movement. If we do not know "where compliance comes from" (I), we can not understand it, or even admit it. This historical understanding, which situates compliance, and in the United States and in a systemic crisis, allows a better understanding of the current situation, which is that of a crossroads(II). What will the future be? It is in our hands, because it is political choices that will build the system of compliance that will govern Europe, or even that will allow to build it (III).




Compliance requirements in a legal form were born in the United States during the financial crisis of 1929. New demands were made on economic operators who had caused an unprecedented crisis, a crisis that was ruled out ( A). This internalization in operators of goals different from those which they pursue remained, but moved when the internalization has been operated in operators who are not the cause of crises but which are chosen to prevent them because the context has become such that they are alone to be able to operate this prevention function (B).



A crisis brings information. The economic crisis that hit the United States in 1929 brought so much that in 2008 the Fed plunged there to understand what was happening and what actions should be made. It appeared that this crisis of 1929 was caused notably by behaviors within the banking and financial establishments which, if they had known them before, would have been stopped, because they were destructive of the markets, the economy and the people. But because by principle the company is a "black box" for the market, this space in which people, goods and capital circulate, the functioning of credit companies was not observed and market abuses were not apprehended in Ex Ante.

Even as model of the pure market, the financial market, even the most regulated one, did not penetrate companies and did not apprehend by supervisory authorities those actors whose internal behavior entailed a systemic risk. Roosevelt created the Securities and Exchanges Commission (SEC) by a 1933 law, including the principle of the prohibition of market abuse, distancing the ordinary law of ordinary markets (competition law) for which the firm remained opaque, while for the Financial Markets Law  the principle of transparency became central.

At the same time, the principle of compliance, that is to say the obligation for companies whose purpose is to keep the financial markets, to feed it, to draw on its wealth, to ensure intermediation, etc., to report permanently to the Public Regulatory Authority, which may enter the supervised enterprise as it sees fit. The couple between Regulation and Supervision is already tied!footnote-999.

But it is because the company touches the object that it can damage it, as the company is listed for example, that it is subject to all the regulations of the Compliance , it is in the power of the Regulatory Authority. This is the price to pay for access to the liquidity of financial markets, the Law now allowing access to it only those that do not hinder the correlated principle of the integrity of the markets.

There is therefore a very close link and a strong and shared reason between the power of Compliance and the financial sector. Compliance can then be defined as an internalisation of the goal of prevention of a general financial crisis in the companies likely to trigger it by the use they have of the financial market.

The Compliance system then sets the company a sort of "criminal-born" portrait: Thus, the American laws that are still cited as the major relays of Compliance, such as the Sarbanes-Oxley Act of 2002, Act which organizes the market information, is a reaction to the scam spun for years by the star-business of the financial markets, Enron!footnote-984.

The financial crisis of 2008 will have shown that this internalisation was not enough.


The first information given by the 2008 crisis was the inadequacy of the whole previous system. It is therefore not enough to identify the companies likely to bring down a system and, because the consequences of their failures go beyond their own downfall, be content to internalize this systemic concern that does not matter to them.

The first "lesson" of the crisis of 2008 is that the risk is not so much lodged in the behavior of the companies, which would be by tendency "criminals", the holder of the virtue eventually becoming impossible (until we find the whistleblower, that is to say the troublemaker of a self-captured system of connivance), but in the information.

The information then becomes the same inside and outside companies, the distinction between Corporate Law and Financial Markets Law disappearing, that between the shareholder and the investor as well.

The reliability of the information then becomes the primary issue, the trusted third party becomes the key figure, the certification of information becoming the most valuable information, even more than the information on which it bears, each recalling that information is a public good.

The financial and then the economic crisis of 2008 shows that it is these trusted third parties that have failed, the auditors first and then the regulators. The idea remains that it is up to a third party, who by definition has the quality of being impartial, to bring this information of reliability on the accounting speech or on the retrospective or predictive discourse that constitute the reports required by Company Law.

But still it is necessary to leave the crisis. From the first crisis evoked, Europe went through a war, while the United States found world domination. What will we find in the exit of the crises of 2008, of which we have not yet left? This is the question today.



Compliance is at a crossroads. For now, we only hear complaints, and from all sides. Complaints from the States, which complain of no longer being masters of their destinies, capped on the pole by Regulators which set standards on political issues, such as the environment and plunge directly into the decisions of powerful companies, then that the Competition Law trivializes the States! (A) Complaint from companies which refuse to be the payers of a system imposed on them! (B). In a system where we speak only of concordance, benevolence, and empathy, Compliance has sowed discontent everywhere, while everyone and everything folds in front of him ....


In fact, the strength of the States has been modified, and by the capacity of people, goods and capital to circulate, and by their own behaviors which, for the most part, made them beggars of the financial markets. Technology has increased the end of dependence of people and businesses on geography, while the relationship between the State and the border remains the same. Technological companies, newly born, are perhaps masters of the world, and organize themselves into quasi-governments.

By the term "globalization", which describes in ellipse this new balance of powers!footnote-1000, the States reacted by the system of Compliance. Indeed, the rules and sanctions of Compliance have an extraterritorial effect, always underlined and often criticized, pulverizing the classic Private International Law which one emphasizes that it constitutes only by internal Public Law intended primarily so that each system remains protected at his home.

But States and public authorities, it is not the same thing. If the seconds belong to the first, they are not equivalent. A government and a regulator, that's not the same thing. The State has, by nature, a political dimension that the Public Authority may not have. And when it is Regulatory Authority, for example Banking and Financial Regulation Authority, by nature it does not have it.

Thus, we are currently at a crossroads, because we no longer know where are the States, the public authorities and the regulatory authorities, the three not operating in Russian dolls, in the compliance systems that are, by nature , global.


The crossroads is for companies particularly marked. If it is illustrated by two signposts, on the first, there would be the dizzying prospect of "nothing" (1), on the second, there would be the windfall no less dizzying "everything" (2).

1. The dizzing prospect of Nothing

Companies are in a similar situation. Indeed, we can consider that companies are the big losers of Compliance. Indeed, faced with the sputtering of legal systems by the factual phenomenon of globalization!footnote-985, States have decided to extricate themselves from their own limits and, without worrying more about this measure implied by their sovereignty!footnote-986, have internalized rules and goals in companies, no longer considering the behaviors or situations of these!footnote-987, but taking into pure consideration each other's strengths and weaknesses.

Indeed, by cynicism, realism, or pragmatism, States have issued a definitive statement of failure to achieve goals alone, such as the effective fight against corruption or arms trafficking or terrorism. Not wanting to disappear, because a state can not be reduced to being a mere ordinary provider and should tend to bring security not only today but tomorrow, not only to one person but also to a group, States have maintained the pretense of these legitimate goals, in whose name peoples elect rulers and legitimate violence is exercised by the institutions.

The conclusion of the syllogism is obvious: the public authorities have therefore imposed on all enterprises in a position of power the obligation to achieve security goals for the benefit of the social group of which the State is in charge. This is the current definition of all Compliance mechanisms for breaches of probity, which constitute the core of Compliance.

Companies are subject to it, even though they do not necessarily have the information, even if they do not have reprehensible behavior, even if they are not in a particular sector, but they are in a global position and they are the only ones to be able to act, by structuring themselves to be actively the only ones which will do  what a global State would do if it existed.

Companies are therefore reduced to nothing, are structured either before being sanctioned, or under penalties of compliance or settelment or technic of deferred prosecution agreement (DPA). It is always the same idea to achieve what counts : internalisation in the company, captive of an aim of general interest which exceeds it and which it must execute.

But by doing so, and one can hear the complaint of corporate chorus rising off, the situation turns like a glove.

2. The windfall that is looming from the "All"

The companies that are most affected by compliance mechanisms are financial institutions and banks (particularly affected by prudential compliance), the digital industries (notably through data compliance) and the health industries. They are also the most powerful in the world, Compliance does not limit or organize their power as could the Liability Law "if we took it seriously"!footnote-988, but coming to increase it.

Indeed, if the banks know all about us, it is because of KNC (Know your client), compliance rule by which they are forced to fetch information they did not have, for transmitting them to regulators , possibly foreigners. Thus, it is by force that their power is increased.

In the same way, because the fight against terrorism is a goal shared by all compliance systems, either as underlying the fight against money laundering, or as a primary goal, US digital companies have indicated that they put their data into effect in order to prevent this global scourge more effectively.

We do not see how this would be denied to them even though they were forced to pursue such a goal and the companies reiterated that they wanted to have only a banal business plan, asking that Compliance would not extinguish them from the economic ordinary. This can not be so much less rejected than it is usual to emphasize the part that ethics takes in Compliance.

Thus, compliance is inserted in Codes of Ethics, Codes of Conduct, sometimes required by regulators themselves, Codes that constitute a global self-regulation, that the French author GĂ©rard Farjat criticized!footnote-1001 but in which the German author GĂĽnther Teubner sees today the emergence of a "global Constitutional Law"!footnote-1002.

Companies are also tempted by the windfall of compliance. And this "Global State", it is them that constitute it. And it is not on Wall Street that it is building ; it's in Menlo Park and Palo Alto.

But we are at a crossroads. All is not written. Political choices are to be made. And it is now.



The future is not said. It can be very sad, the state, businesses and individuals would lose. This future is looming though. It would be a new market, that of Compliance, occupied by new specialists, consultants of all kinds, increasing the confusion and cost of the system (A). Public authorities and companies have three challenges to overcome, whereas Compliance is a very important foundation for the future: first, it is necessary to build a real "Compliance Law" (B), then it is necessary to spread a "culture of compliance" (C), we must finally give a political impetus for the emergence of a "Europe of Compliance" (D).


Compliance is what we have said about Regulation: it's "so complicated", it's "so technical", it's "so complex", it's "specialist business". When we say that it is the future, it is only to say that for the person who will have the courage to plunge into so many regulations, there will be hours of work to defend those who will inevitably be pursued and who would inevitably survive only by writing a settlement, but that his life of compliance specialist will be financially easy.

There is indeed a proliferation of specialists, offering gigantic programs covering all the branches of law in all countries, before moving on to other subjects such as all management techniques, to better pass to the ethical obligations, as we move from an Olympic pool to another Olympic pool, stating that the whole of this program must be assimilated by all the staff. Companies then know that they are truly "doomed" to compliance..

But this corresponds to a very poor definition of Compliance.

Because precisely Compliance must not be apprehended as well.

If we think so, so closely, then tomorrow it will be just that. At the expense of companies, blindness struck, setting up endless processes and machines. At the expense of the States, continually pursuing the hostile operators, adopting at the chain of the texts which they do not understand anymore themselves, exceeded even before being printed.



No system can stand on aggression. Thus the Law of Procedure, which organizes the confrontation in a lawsuit, of a party against the other and of the parties against the judge, is based on an agreement of all: the usefulness of a lawsuit and the rationale rules of procedure, including speaking up!footnote-989. However, the tensions are such in terms of compliance that this condition seems barely fulfilled.

One could, however, agree on two basic things. Compliance must be a matter of law!footnote-1003. This would make it possible to remove it from arbitrariness, to classify its rules, to limit its uses. The staging of Compliance in the Law, by the constitution of a "Law of Compliance" would be a first agreement, the ethical dimension, welcome, or managerial, or political, should not allow to extract the rules and cases legal principles, thus placing limits on powers, and Regulators and Public Authorities.

For a long time, as Vedel has shown, the "Economic Law" did not exist!footnote-990, because legal effects were directly imputed to facts, which is not enough to constitute a branch of Law, which alone can form a foundation for the State and for the subjects of law that produces legal certainty for the future and may bear the imprint of a policy. Laurence Lessig has made the same demonstration about the Digital Law.

In order for a branch of the law to be constituted, as economic law constituted with reference to the notion of the marketfootnote-991, a mechanism of intelligibility must first be established. Regarding Compliance Law, it is the "monumental goals"!!footnote-992 that could give this intelligibility, concrete goals and abstract goals, as the fight against corruption, against money laundering, against pollution, but also the struggle for the environment, for education, which can be expressed by a single abstract aim: "care for others".

Then you have to draw the "circle of agents" who brings to bear and concretize the Compliance Law that we have to give birth to!footnote-993. We have to measure that in the coming times new branches of Law can appear, that the Politics has not disappeared but that it must recognize its limits, that it expresses in this its sovereignty, by the opening of the circle to others, being like the others an agent of goals' realization which surpasses all of us: to protect human beings against ignoble traffic of which we are customers, to try to save the planet which we devour ourselves.

To know our limits, to oppose them to ourselves, to stand up against our immoderation: that is the principle of Compliance.

How could one settle for another definition?

In this circle, are the States, because Compliance being built on monumental goals, it is a State affair. In this circle are businesses, but not all. Only those who are in a position to realize such goals. It is first and foremost the "crucial operators"!footnote-994, whose public service companies, public interest entities, essential infrastructure managers or system operators are examples. It is then the operators, in the indifference of their public or private nature, who make ask their will to pursue an interest that exceeds the immediate interest. Ethical commitments and Corporate Social Responsibility are not the preserve of crucial or powerful operators. Tracing this circle is the first and most important thing to do.

The means and methods of the Law of Compliance still need to be determined and stated. It is in these circles, where no one should not be excluded, where the soft Law should not exclude the hard Law, where the sanctions do not exclude the contracts, but the standards are in the aims and where the essential remains the intelligibility of the system. Not only for the technicians that we are, but for the population, because the goals concern the protection of others, through the concern for terrorism, sales of the human in all (prostitution for example) or in part ( organs, for example), the protection of the environment, the Law of Compliance must be understood for everyone.

We cannot conceive of a Compliance Law without building in a same time a common Culture of Compliance.


It is surprising to note that, no doubt a reflection of a technical society, denounced for example by the German author GĂĽnther Anders!footnote-1004 and, in a more legal perspective, by the French author Jacques Ellul!footnote-1005, the notion of "legal culture", so important in the classical conception of the Law whether in France, Germany or Great Britain, today is defeated by a conception of law as a set of technical rules designed to secure the projects of people,that but only that, the notion of "legal culture" now seems to be a sort of romanticism of bad quality!footnote-1006!footnote-1006.

This is the same issue in Compliance Law. Either, we consider that it is about mechanically designed processes, wounds coming from a hostile God whose only Ex Ante algorithms can limit the effects whereas in Ex Post lawyers will negotiate a reduction of the sanctions. Compliance will develop between experts. And for very important financial amounts.

But that can not work fully that way. If we show that in its very nature the mechanism of the "whistleblower" supposes that the one who will extract the relevant information to bring it to the one who will use it to serve the purpose, for example fight against market abuse, is a weak legal character, modeled on those who denounced the Enron scandal.

Moreover, because one wants to extend the "monumental goals" beyond the breaches of probity to seek to achieve global goods, such as saving the planet, everyone must become aware of the goals. But this is not the hardest because people are often more sensitive to them than are board members...

The hardest thing is to inculcate all the people who are in the companies, whatever their level of responsibility and their location. The object of this learning can only be the purpose of the rules, the reasons for the constraints, the reasons for acting.

Indeed, the Compliance Law, which is presented as the most mechanical set of mechanical standards, is on the contrary a living set of provisions that have only one Monumential Goal: the concern for the human being, the concern for others, staying in time. And that, every human being is willing to understand it. This is what must be disseminated as "Culture of Compliance". Through simple and permanent principles. This is the basis of a trust pact between the State and the Crucial Operators.



The creation of such new branch of law, so ambitious, so voluntary, presupposes such a "pact of trust"!footnote-995 between the Politics and the Crucial Companies, which must unite to rely on the population, sometimes referred to as shareholders and stakeholders.

But we need also a space. We have to build it.

For now, even though the "monumental goals"!footnote-996 are global, the building space is not global. Everything flows there, especially people!footnote-1007, which for the moment forbids putting the person at the center of the market, justifying the criticism made in the "Total Market"!footnote-997 .

The solution is without doubt the construction of a Europe of Compliance.

We need it. This is enough to avoid the question of means and difficulties. Let's do it.





comments are disabled for this article