March 22, 2020


This working paper is the basis for an article in the French Law Journal Le Clunet.


When we compare the terms "Compliance" and "Extraterritoriality", it is often with dissatisfaction, even anger and indignation. On the momentum, after having expressed a principle of disapproval of such a merger, attention is focused on how we can fight against it, to break the link between Compliance and Extraterritoriality. But do we have to go so fast? Is this negative initial assessment correct?

Indeed, thus gone, it is frequently explained that the binding mechanisms of Compliance are suffered, that they come from abroad!footnote-1750, that they apply with efficiency but in an illegitimate way, without agreement of the one who must submit to it, whose resistance is therefore certainly ineffective but nevertheless justified. In the same spirit, when we start to shell the cases, like so many scars, sort of rosary, even crown of thorns, BNPP case!footnote-1718, Astom case!footnote-1717, etc., the wounds not yet closed turn into reproaches made against the rules, public authorities, even reproaches made against named people.

We are leaving this kind of complaint against X, which targets what would be this appalling "Compliance", this Law which would be both hostile and mechanical which would not have been able to stay within the limits of borders, Compliance being thus placed in contrast to sovereignty and protection, which presuppose staying within its limits!footnote-1716 and being able to protect companies from abroad. More concretely, this presentation targets more directly the United States, which uses "the legal weapon", slipped under what is then designated as "the artifice of the Law" with extraterritorial scope. But this effect would in reality be the very object of the whole: their hegemonic will to better organize at least a global racket, notably through the Foreign Corrupt Practices Act (FCPA) and at best a world government through notably the embargoes.Those who believed otherwise would be naive or foolish. This silences the opponents because who likes this costume? So the world would be put in a ruled cut; what the mafia could not have done, Compliance Law would have obtained, offering the whole world to the United States thanks to the extraterritoriality of its national Law.

Compliance Law would thus become the very negation of Law, since it has the effect, even the purpose (barely concealed by strategic, powerful and shameless States), of counting borders for nothing, whereas Public International Law, in that it is built between the sovereign subjects of law that are the States presupposes the primary respect for borders to better exceed them while Private International Law takes the same postulate to better welcome foreign Law in situations presenting a foreign element!footnote-1726. Jurists believed in the force of Law; by Compliance, we would return to the sad reality that only the powerful, here the United States, dominate and - ironically - it is under the pretext of Law that they do it. It would be necessary to be well duped, or accomplice, to see there still legal where there is only the balance of powers. When one is more intelligent or skilful than that, one understands that the "small" can only be "subject" to the Compliance Law, one would have to be powerful to be the normative source and its enforcement agent. It is then towards this mis-named Department of Justice (DoJ) that the fearful, hateful and resigned glances turn. 

If you see it that way, what should you do then? The answer is obvious: react!

It is necessary to save the sovereignty, France, companies, the Law itself. If that is how the question is posed, how can we disagree? It is therefore necessary to destroy the Compliance Law and the extra-territoriality of American Law which had found this "Trojan horse", an expression so frequently used. This is the basis for the administrative reports available, for example the Berger-Lellouche!footnote-1719 parliamentary reports and the Gauvainfootnote-1720 report. Both of them broadly develop the two preceding claims, namely that the extra-priority of compliance mechanisms is illegitimate and harmful, since it is a mechanism invented by the Americans and harming the Europeans, or even invented by the Americans to harm Europeans, the description being made in much more violent terms than those used here. The description seems acquired, the reflections therefore relate to the remedies. The reaction is most often to "block" the Compliance Law in its extraterritorial effect.

But without discussing the effectiveness of the remedies proposed downstream, it is necessary to return to this description so widely shared made upstream. Because many elements on the contrary lead to affirm that ComplianceLaw first of all and by nature can only be extraterritorial and that it must be. Whether or not the State in which it was created has malicious intentions. The description which is made to us most often describes particular cases from which we draw generalities, but we cannot reduce Compliance Law to the already cooled cases, as BNPP case, or to the always hot case of the American embargo on Iran. Furthermore, one cannot take the issue of embargoes and draw conclusions, legitimate for it, but which would apply to the whole of Compliance Law. The fact that theCompliance Law is a branch of Law at the stage still of emergence can lead to this confusion which consists in taking the part for the whole, but it is very regrettable because what is justified for the embargoes does not is in no way relevant for all Compliance Law, of which precisely the Law of embargoes is only a small part, even an abusive use. This overlapping is not often perceived, because the definition of Compliance Law and its criterion are not clearly enough defined, namely the existence of a "monumental goal"!footnote-1725, which does not exist in an embargo decided unilaterally by an order decreed by the President of the United States, but which exists in all other cases and fully justifies extraterritoriality, extraterritoriality which is even consubstantial with Compliance Law (I).

Once we have distinguished the embargoes, as an atypical, sometimes even illegitimate part, of Compliance Law, we should continue this work of distinction by emphasizing that the United States has certainly invented Compliance Law!footnote-1721 but only developed a mechanical concept for the prevention and management of systemic risks. Europe has taken up this systemic conception of the protection of systems, for example financial or banking, but superimposed another conception, drawing on its deep humanist tradition!footnote-1722, whose protection of personal data is only an example and whose monumental goal is the protection of the human being. This primary concern then justifies the European use of Compliance mechanisms to interfere with global objects regardless of their location, especially the environment, and to block the entry onto the ground of objects that enter, which is contrary to Competition Law but builds a legitimate barrier under this Compliance Law, in the indifference of an extraterritorial origin (II).

Indeed, this branch of the new Law which is Compliance Law is not reducible to Competition Law!footnote-1723, any more than it is not reducible to a method. It is a substantial, extraterritorial Law because the "monumental goals" which give it substantial unity are extraterritorial. This can directly contribute to the future of a Europe which on the one hand will be able to pursue, in an extraterritorial manner, monumental humanist goals, in the field of the environment or the protection of personal information or access to the Law (in particular by the technique of compliance programs) and which, on the other hand, by the techniques of traceability of products!footnote-1724, will have the means not to bring in products manufactured in an indecent manner, except in countries which do not grant value than in Competition Law to enter the WTO.



Read the developments below.


Nov. 27, 2019



This Working Paper served as the basis for an intervention in the conference organized in the conference cycle organized by the Journal of Regulation & Compliance (JoRC) on the theme: Compliance Tools, in collaboration with many university partners: this first conference is organized in collaboration with the Sciences po Economics Department and is held on November 28, 2019 at Sciences po and deals with the more specific theme of Risk mapping.

It also serves as the basis for the book edited by Marie-Anne Frison-Roche, Compliance Tools, which will be released in the Regulations & Compliance collection.




Introduction and Summary.

 Most often we only describe the risk mapping mechanism, without qualifying it legally. The legislator does not do more. Thus, in the French legal system, in the law adopted in 2016 for fighting againt corruption, the so-called "Sapin 2 law", the article 17 describes cartography  as "la forme d'une documentation régulièrement actualisée et destinée à identifier, analyser et hiérarchiser les risques d'exposition de la société à des sollicitations externes aux fins de corruption, en fonction notamment des secteurs d'activité et des zones géographies dans lesquelles la société exerce son activité" " ("the form of documentation regularly updated and intended to identify, analyze and prioritize the risks of exposure of the company to external solicitations at the end of corruption, depending in particular on the sectors of activity and the geographic areas in which the company operates.").

In the law adopted in 2017 for obliging big companies to be "vigilant", the article 1 of this so-called "Vigilance law" of March 27, 2017 aims to do a "cartographie des risques destinée à leur identification, leur analyse et leur hiérarchisation ("map the risks intended for their identification, analysis and prioritization").

This is a description, not a definition, with the text only targeting the "form" that this piece of information takes, without saying more. The letter of the descriptive text inserted in the second part of article 17 referring to the first part thereof, which expressly covers it as a "modality" of "the obligation" to take "measures intended to prevent and prevent detect the commission, in France or abroad, of acts of corruption or trading in influence ". In the same way when consulting the documents by which the regulatory authorities, for example the Financial Market Authority, presents the way to properly identify the risks, including the risks of "non-compliance"!footnote-1734, there is a description of the ways of doing things, no definition, often no rights. We find this same tendency in Compliance itself, so often reduced in its presentation to a mechanical process, often not very legal, or only becoming so in its bad light: that of the sanction. This mechanical conception of Compliance as a process leads to proposing that machines and not human beings establish the tools, notably the risk mapping.

Because it is understood that cartography is only a "tool", the law designated it as a "modality". It is therefore a given that we must look for what the tool is made for. Either it is done so that the law is not ignored, mapping identifying for example the increased risk that it is not: it is usually referred to by the strange name of "risk of compliance". The mapping then allows the company to execute its "compliance obligation", that is to say to ensure in Ex Ante that the law is respected by eliminating in advance the risk that it will not be . Thus, in 2008, the OECD defined risk mapping by its objectives, namely to put in place efficient means to reduce the risk of fraud and corruption and to set up efficient investigations by focusing efforts on effective procedures "!footnote-1739.

Then there are the risks which do not concern the Law, and which the company manages as so many considerations for its action, such as economic, natural or political risks, as well as "market risks", about which the Authorities markets, as the Financial Market Authority regularly draws up a "risk map"!footnote-1740. But this mapping does not seem to concern Law, even though it is no longer the sole responsibility of the company's internal management. The more we read cards, the more we observe their diversity, without knowing whether they constitute a "modality" of an obligation, therefore constituting a legal object, or if it constitutes a good way of doing things, which is neutral. for the Law. But what does law today not mix with? Especially of a fact as important and significant and expensive as this one ...

However, we observe to what extent "risk mapping" has so far been little thought in law. Indeed, when it is exposed, and so often, that it includes both "economic risks", "political risks", and "compliance risks", when however as a whole it is not instrument of a Compliance Law, which organizes all of compliance, the lawyer who constantly orders no longer manages to follow: as "compliance" could be only part of a mechanism that itself is only part of "compliance"? There are very many writings which detail the cartography, which by a kind of mirror effect, draw up cartographies of the requirements country by country, texts by texts, sectors by sectors, law by law, cartography requirements. .. We are faced with a house of cards, always more meticulously described, without ever meeting any legal qualification. For example, does drawing up such a card constitute a legal fact or a legal act? I don't see the question even asked. Yet the consequences of diet are immense. Assuming that this is only a legal fact, can it be justified? The lawyers thought about it and instead found the door closed ... But why should it not be a legal act? The legal category of unilateral legal acts is there to welcome it. In this case, the risk mapping commits the company and we feel that regulators and judges are seeing it more and more. But if the company is engaged, with whom is it? More precisely still, if it becomes debtor of the obligation to map, even if no specific law prescribes it in a precise way, then there is necessarily a creditor beneficiary of this obligation. Who is he ? And why is it?

The essence of this contribution is to ask these questions. They are elementary. They open up avenues, those that the exercise of legal qualification, legal categorization and legal definition, opens up.

If for the moment it has been little practiced, risk mapping being strangely left to algorithms, capable of heaping up data and incapable of defining and qualifying legally, this may be due to the fact more general than Law and risk are rarely directly associated. The mechanism of good management that constitutes risk mapping, especially in organizations that are not companies but are in charge of administering and adopting this good method without constraint!footnote-1735, incites it even less that we can read that it would be for the meticulous entity to identify in advance in particular the "legal risk"!footnote-1731, that is to say the application that could be made of law, uncertain application, annoying application. How many successful seminars on "penal risk" ... As in defense, lawyers explain too generally that the Law is constituted to fight against the risk, which is a fact. In fact, we repeat over and over again that the legal system is there to "secure", sometimes reducing it to this technical performance due to its very nature, by the principle of "legal security", that the State by its permanence , its legitimate violence, its imperium, gives us in exchange the peace, that the contract by the "little law" which it constitutes offers to the parties which enact it a haven of security for this island of stability in a future that never quite knows; beware of us if we get out of the legal order because we fall back into risk ... Thus, either one is in the Law, subject to the Law, and one benefits from its specific security, which economists would readily refer to as "regulation", or one is in the freedom of action, and the 'then we are at risk .... It would be like for the markets, about which we must choose between liquidity and security: if we want freedom of action, then we need less regulation , and therefore less security, more risk .... This traditional opposition, so often relayed in economics, is called into question by the obligation of risk mapping because if these are established, it is not for know in itself but to combat them, beyond the traditional obligation of information on risks, of which there are many anchors in the branches of Law, in particular Company Law, in particular those exposed to the financial markets (I) .

Consequently, since there is under the classic information of the political pretension, of the will to "prevent" the evil, which is quickly transformed into the will to "promote" the good, the new appears. The novelty is first of all institutional (II). In this, the so-called "Sapin 2" law, through the establishment of the French Anticorruption Agency, institutionalized this mechanism by which companies "exposed" to financial markets and / and to international investors, and / and to international trade , present in a clear and orderly manner - that is to say by a map - the risks they have identified in their present and future actions, must more concretely account for their structural organization. Public authorities will supervise the companies exposed to these risks. Certainly banks are legally accustomed to it, but banks are in a sector which is regulated and supervised. What is remarkable is that the Compliance Law applies via the risk mapping requirement the legal technique of supervision to companies which operate in sectors which are not supervised, which are sometimes not even regulated. Thus, they become structurally transparent. The liberal principle according to which a company only reports on its behavior and not on its internal organization is undermined. Thus, by the only technique imposed by law, the transparency method, specific to supervised companies becomes general, as soon as a risk exists. This is a radical innovation, since the risk in question is not a sector risk and a general crisis is no longer to be feared. The rupture is thus effected with the Law of supervision which until now was unbreakable from the Law of Regulation, the obligation of risk mapping applying to any "crucial operator" exposed to the risk of corruption, in that this must be fought in a global manner.

Therefore, risk mapping is a tool which, beyond the simple description, takes its definition in a teleological way. Its aim is to prevent risks which compromise ambitions which are not always of an economic nature but which are of a political nature (III). The fight against corruption is only one example, the so-called "vigilance" law also requiring a "risk mapping" in the area of ​​human rights, while this technique is taken up by more or less binding texts in environmental matter. Certainly companies in a position to carry such political ambitions, by force - because of their position - or willingly - by their reason for being or by their policy of social responsibility - must support it, transforming them into major political actors . They cannot, however, take the place of the Public Authorities, which on the one hand fix the "monumental goals" which it is a question of achieving on the one hand and which on the other hand supervise in Ex Ante and in Ex Post the implementation and operation of these tools within crucial companies.


OCDE, Bueb, J.-P., Risk mapping methodology. Developping practical tools for procurement, 2008,  : "OBJECTIVES OF RISKS MAPPING • Put in place efficient means to reduce risks of frauds and corruption; • Have more efficient investigations by concentrating the efforts on “sensitive” processes, methods or persons. "


Financial Markets Authority, Risk Mapping, 2017


Dyens, S., La nécessité de dresser une cartographie des risques juridiques, 2012. In this article which presents the Law as a risk for the action of the State and the good end of public policies, it is a question of organizing well in Ex Ante the administrations.

Oct. 1, 2019

Teachings : Compliance Law

Résumé de la leçon.

Le Droit de la Compliance semble être synonyme d"extraterritorialité, en ce qu'il se fit connaître d'une façon spectaculaire en 2014 par la décision américaine sanctionnant la banque française BNPP.  L'on a dès lors souvent assimilé "Compliance" et extraterritorialité du Droit américain, englobant les deux dans la même opprobre.Celle-ci est par exemple d'une grande violence dans le rapport dit "Gauvain" de 2019. Mais sauf à croire que le Droit n'est que l'instrument pur du Politique, en raison des "buts monumentaux" poursuivis par le Droit de la Compliance, celui-ci ne peut avoir en tant qu'instrument qu'une portée extraterritoriale, sauf à être utilisé par une Autorité locale pour ne servir qu'un but local. Dans cette hypothèse, précise et restreinte, l'extraterritorialité du Droit de la Compliance doit être combattue, ce qui est fait par la Cour de la Haye dans sa jurisprudence de 2018. Mais pour résoudre cette question particulière, l'on risque de détruire l'idée même de Droit de la Compliance, lequel suppose l'extraterritorialité. Et au moment même où le continent asiatique est en train d'utiliser le Droit de la Compliance dans une définition mécanique pour mieux s'isoler. 

Si l'on prend les autres sujets sur lesquels porte le Droit de la Compliance, lequel excède la question des embargos, l'on peut même soutenir qu'il a été fait pour ne pas être brider par les territoires, lesquels sont à la fois l'ancrage des Etats et leur intrinsèque faiblesse. L'internalisation dans les entreprises permet cela. Elle le permet tout d'abord par le mécanisme de "l'autorégulation". En effet, si l'on fait un lien, voire une identification entre la Compliance, l'éthique et l'autorégulation, alors la question des frontières ne se pose plus. Ainsi, l'entreprise s'auto-instituant non seulement comme un "néo-constituant" mais comme un ordre juridique complet, y compris dans le règlement des différents et dans les voies d'exécution (enforcement par le bannissement). La question de l'efficacité est donc réglée mais ouvre alors celle de la légitimité.  C'est pourquoi l'Europe a vocation à porter une conception extraterritoriale d'une définition pourtant européenne de ce qu'est le Droit de la Compliance. C'est ce à quoi les arrêts de la Cour de justice de l'Union européenne du 24 septembre 2019 viennent de mettre un coup d'arrêt. 


Se reporter à la Présentation générale du Cours de Droit de la Compliance.


Consulter le Dictionnaire bilingue du Droit de la Régulation et de la Compliance.


Consulter la Bibliographie générale du Cours de Droit de la Compliance


Consulter la bibliographie ci-dessous, spécifique à cette Leçon relative aux enjeux pratiques du Droit de la Compliance