Full reference: Frison-Roche, M.-A., Risk Mapping: is it legally different when it is made by Regulatory Bodies or by Regulated Enterprises?, in Newsletter MAFR - Law, Compliance, Regulation, 17th of August 2020
Summary of the news
Each year, the Autorité des marchés financiers (French financial markets regulator), the European Central Bank and the Agence française anti-corruption (French anti-corruption agency) publish risk maps. At first glance, risk maps established by the regulator aim to help both the regulator and the regulated company face risks by anticipating them. On this reading, these documents would only be assistance offered to firms in their Compliance mission, not an injunction from the regulator to take into account the risks that it emphasizes.
However, the law requires firms to draw up their own risk maps, under penalty of sanctions. Since the regulator has previously published its own risk map, can companies, obliged to write theirs, deviate from it? If the firm follows the map published by the regulator, can it rely on this to protect itself if it is accused of not having fulfilled its compliance obligations? Conversely, if the operator does not follow the regulator's risk map, can it be blamed for this? Formally, the regulator's risk maps do not come with an injunction to take them into account but, as everyone knows, any recommendation from a regulator or supervisor must be taken into account.
The legal solution here could be the implementation of a "comply or explain" system, which would mean that if the firm decides not to follow the risk map established by the regulator, it must be able to justify its choice.
To go further, read: