Defining compliance is not straightforward1. There is no consensus on the word compliance itself2. In French, the terms compliance and “conformité” are used alternatively, albeit with a preference for the first term. This reluctance, while not found when translating the word “comply or explain” into the related subject of corporate governance, is illustrative.
This shows two things. First, a dissatisfaction with the translation of the word compliance by “conformité” : intuitively, we perceive that the word “conformité” — which is common in legal terminology, notably in the fields of accounting and audit — fails to convey the unique nature of the concept of compliance. Second, a sense of oddity, in the literal sense of the word.
Literally, the notion of compliance is foreign to French legal culture. Modern French legal culture was built on the idea of legality, i.e. on the idea that there are rules that prescribe conduct, impose prohibitions and threaten those who violate them with a sentence, pronounced by a court of law. Legality provides for a vertical confrontation of each individual, of each enterprise, with the law, under the threat of a sentence pronounced by a judge. Compliance shows something else. It is less concerned with whether companies breach the rules which apply to them than with whether they implement an effective mechanism for preventing the risk of breaching those rules.
Compliance no longer relies solely on the vertical confrontation between the company and the law, but also on the creation of a horizontal environment within the company itself that tends to reduce the risk of infringements of the rules3. In the long term, it entails a doubling of companies’ liability, which is already enshrined in several pieces of legislation, notably the English Bribery Act of 2010 and the Sapin II Law of 2016 : in the future, companies will no longer be liable solely for breaking the rules that applied to them but also, and perhaps even more importantly, for not having put in place an effective mechanism to prevent the risk of breaching these rules. The impression of alienity could be blamed on the way in which compliance was introduced into French law : under the influence of coercion, of “violence”, as some write4.
The story is well known, especially with regard to an important chapter of compliance that is the fight against international corruption. Although France ratified the OECD Convention ‘on Combating Bribery of Foreign Public Officials’ as early as 2000, it has since remained a poor performer in the fight against international corruption, regularly criticized by the OECD and several non-governmental organizations. At the same time, moral disapproval and legal repression of international corruption has increased in most parts of the world.
This growing discrepancy has gradually created favorable conditions for the extraterritorial application of certain American laws and an outreach of American judicial power, particularly with regard to French companies : Alcatel-Lucent, Technip, Total, Alstom, to mention just a few, have been sanctioned by the US judicial authorities, sometimes for considerable amounts. These sanctions have led French companies of global stature to integrate under duress the compliance concerns specific to US law and, more broadly, the need to comply with US laws in certain areas of economic and financial activity.
They finally made the French public authorities aware of the need to remedy the de facto situation that had arisen and to replace it with a de jure situation, a procedural framework and legislation incorporating compliance concerns, in an attempt to contain the spillover of US judicial power. The resulting Sapin 2 Law is a text adopted in a defensive position : if it introduced the notion of compliance as never before in French law, it is first of all in the hope of leading the most active judicial authorities, American in particular, to decline their extra-territorial jurisdiction with regard to French companies. Strictly speaking, compliance is therefore a legal import product, which makes it difficult to draw up a definition.
Techniques and procedures
Nevertheless, we can start from a definition, which is widespread in practice, which is that proposed by the Cercle de la compliance, an association that has set itself the objective of studying compliance5. According to this definition, compliance would be “all the processes that ensure that the behavior of the company, its managers and employees complies with the legal and ethical standards applicable to them”. At first glance, this definition does not seem to say much that is not already known6.
If it is a question of saying that companies and their members are obliged to comply with the rules of law applicable to them, it is useless, as it is the very definition of law. If it is a question of saying that companies and their members voluntarily undertake to comply with the rules applicable to them, it is still useless : the consent of the addressees of the rule of law is not a condition for its application. If, finally, it is a question of saying that companies and their members can, beyond the legal standards applicable to them, also choose to comply with the ethical standards that they set for themselves, within the framework of an ethical charter for example, the idea is not new : it pre-existed the phenomenon of compliance, particularly in the field of corporate social and environmental responsibility. Nevertheless, the definition proposed by the Cercle de la compliance still says a lot, even if it may not say everything.
First of all, it says that what fundamentally characterizes compliance is not the legal disciplines it encompasses, but the techniques it introduces. The definition of the Cercle de la compliance refers in general terms to the “behavior of the company” and its members. This generality is a way of saying that compliance is potentially intended to concern all branches of corporate law — the fight against corruption, the fight against money laundering, the fight against tax and social fraud, social and environmental responsibility, product safety, personal data protection, etc. — and that it can be applied to all areas of corporate law — and that wanting to take a disciplinary approach to it — in competition law, tax law, banking law, etc. — is not an option and would not make much sense.
It is noteworthy in this regard that the concept of a compliance program first appeared in the United States in the 1990s as part of the Federal Sentencing Guidelines, i.e., federal guidelines for the enforcement of sentences, which cover the entire field of organized crime without any particular disciplinary connection.
In reality, compliance is best defined by techniques, and it is probably the word “process” that is most important in the definition proposed by the Cercle de la compliance. As far as we are concerned most immediately, the Sapin 2 Law introduced almost no new substantive rules into French law, but a whole new set of techniques and procedures.
Preventative techniques – principally with the implementation, in the most important companies, of a “compliance program” — include : a code of conduct describing the behavior to be banned as likely to constitute corruption or influence peddling ; an internal warning system ; risk mapping based on the business sectors and geographical areas in which the company operates ; procedures for assessing “third parties” (customers, suppliers and intermediaries) ; specific accounting control procedures ; a training system for staff most exposed to the risks of corruption and trading in influence ; a disciplinary system applicable to breaches of the code of conduct ; and a system for the periodic control and evaluation of all the above measures.
Law enforcement techniques also include the creation of a penal transaction without admission of guilt, the “convention judiciaire d’intérêt public”, which may include the obligation for the accused company to submit to a compliance programme, and the introduction of a “non-conformity penalty” constituting a kind of compliance penalty.
The aim of all these techniques is to encourage the largest companies to monitor the rules applicable to themselves, at their own expense, and to internalize the monitoring of these rules by describing the breaches that may occur (code of conduct), by facilitating the identification and reporting of such breaches (accounting control procedures and internal warning systems, in particular), and by organizing sanctions within the company itself (disciplinary sanction system). In this respect, these techniques are as much, and perhaps even more, a matter of organizational management and science as of law.
Moreover, it is clear that the central concern in the implementation of a compliance program is its effectiveness7. It is not enough that the program put in place meets the requirements of the face of the law alone. It must also, and even more importantly, be supported by the company’s management and assimilated by its members, particularly at the cost of a training effort. Basically, it is much more than a simple legal adaptation that is expected from the companies concerned : it is a change of culture in the very way they conduct their business ; it is a moral reform of the behavior of the company’s players that is sought.
Organization rather than law
For this reason, the term ‘compliance law’, which is sometimes suggested8 is open to discussion. It runs the risk of being simplistic : compliance is not primarily a legal phenomenon, but a more general organizational phenomenon that should be considered in the light of disciplines other than law. The term “compliance law” may even be misleading. It does not seem obvious at this stage that compliance is likely to become the source of a new law9.
The rules that it claims to guarantee the effective application of are ordinary rules of company law, considered in its various branches : rules of criminal law, with regard to the prevention of corruption ; of competition law, with regard to the prevention of abuses of economic power ; of financial law, with regard to the prevention of market abuse or money laundering, etc. The rules of company law, considered in its various branches, are the following : criminal law, with regard to the prevention of corruption ; of competition law, with regard to the prevention of abuses of economic power ; of financial law, with regard to the prevention of market abuse or money laundering, etc. The legal nature of these rules has not changed : they remain rules of “hard law” and “soft law”, prescriptions and incentives, to which are periodically added good practices and ethical standards that companies assign to themselves.
The authors of these rules have not been changed either : they are still the legislator and the regulators it has instituted – the French Competition Authority, the Financial Markets Authority, the Prudential Supervision and Resolution Authority, the Anti-Corruption Agency and, lastly, certain international organizations, such as the World Bank, and professional organizations.
In short, it seems that compliance fits naturally into the normative environment of regulation, of which it is an avatar, a form of extension. If compliance shows originality, it is above all, once again, in the techniques, both legal and management, that it requires the most important companies to implement in order to guarantee the effective application of the rules of corporate law that apply to them.
Companies as the actors of control
Perhaps this is where the definition proposed by the Cercle de la compliance would benefit from clarification. Without further clarification, it may give the impression that companies are only subject to compliance.
The essence of compliance is that the companies subject to it become active players in the enforcement of the rules that apply to them. To a certain extent, these companies are enlisted by the legislator in the enforcement of the rules that apply to them, as would be the case with court officials. They are required to set up a transparency system and watchdog units to statistically reduce the risk of infringement of the rules to which they are subject. For this reason, not all companies are concerned by compliance, but only “significant size” companies, according to the terms of the Sapin 2 Law.
These companies are those that have reached a size where they could avoid state control in the conduct of their business, are at the crossroads of many flows — of goods, capital, data and information — and can bear the cost of implementing a compliance program. It is logical, from this point of view, that compliance has primarily concerned banking and financial companies, which have a systemic dimension and position linked to the very nature of their activity : money trading. In the interests of efficiency, it is these companies, having reached a significant size, that are targeted by the legislator to become simultaneously subjects and actors of compliance. This is done at two levels : by controlling themselves, as we know ; and by controlling third parties” — customers, suppliers and intermediaries — whose integrity they must assess before entering into a business relationship with them.
In a way, the modern State seeks the relay and the leverage, the “armed arm”, of companies of significant size to maintain and extend the policing of economic activities that it can no longer afford to police on its own.
To account for this other characteristic aspect of compliance, it may then be preferable to define it as “a set of legal and management techniques, the implementation of which is imposed on companies of significant size in order to monitor the effective application of the legal and ethical rules applicable to them and to reduce the risk of infringement of those rules”.
This other definition shows compliance for what it really is : a discipline of the link between the legal function and the operational functions of the company. Drawing upon the consequences of the breadth of large companies, it seeks the means by which to bring about an institutional translation of legal imperatives, proceeding from the premise that it is not enough to merely “say the law” in the company in order that it be applied.
Lessons of failure
If one can agree on this definition, it becomes finally possible to find out what compliance is all about. Above all, it is a manifestation of the failure of modern states to control large companies themselves through the ordinary channels of the control of legality. As a result of the liberalization of economic trade and the globalization that has accompanied it, and the acceleration of technological progress, some companies have reached a size large enough to be able to escape, in fact and in law, from the control of the States in which they operate, and even from the very notion of territory.
These companies have found themselves in a position to develop globalized economic and financial crime, sophisticated criminal schemes that play on the differences between States, their legislation and their prosecuting authorities, as has been seen in several cases of international corruption or money laundering. They have become too big to prosecute, as English-speakers say, i.e. too big to be prosecuted and punished by the ordinary criminal or administrative process.
The failure of the criminal trial to crack down on the economic and financial delinquency of globlized companies is particularly edifying.
In France, only one company has been definitively convicted of bribery of foreign public officials10. This clearly does not correspond to the profile of the French economy, which remains one of the largest and most globalized in the OECD.
Compliance is learning from this failure. Since governments are unable to monitor the most active companies in the globalization process effectively on their own, they are enlisting them in monitoring the rules applicable to them by requiring them to organize transparency and monitoring techniques within their own organizations to reduce the risk of infringement of the rules to which they are subject.
This is, to be sure, the genius of compliance. It transfers the weight and cost of control that modern States no longer manage to exercise effectively over companies of significant size to the companies themselves and, in so doing, enables States to recover indirectly, in a mediated manner, the sovereignty they had lost over these companies.
This genius comes to light when companies suspected of having effectively failed to comply with the rules that applied to them are invited to incriminate themselves by carrying out at their own expense an internal investigation designed to shed light on the facts they are accused of — in short, to do the work of prosecuting authorities who do not have the means to do so.
But it’s also the misery of compliance. Basically, compliance is first of all the new police of economic activities developed by modern states, deprived of their resources and traditional means of action in the face of the most important companies generated by globalization, before being absorbed – and ennobled in reality – in a business ethic, a virtuous objective of good business conduct.
- The content of this article is based on the contribution previously published in french by A. Gaudemet in Commentaire, N°165 Printemps 2019, p. 109-114.
- Although the word compliance in English implies something stronger than mere “conformité”, namely obedience.
- F. Gros, « Coopérer contre soi-même », in Deals de justice, le marché américain de l’obéissance mondialisée, PUF, 2013, p. 173 et s.
- M.-A. Frison-Roche, « Le droit de la compliance », Recueil Dalloz, sept. 2016.
- This definition used to appear on the association’s website. It is no longer there since the website was redesigned.
- M.-A. Frison-Roche, op. cit.
- This refers to the notion of enforcement that is specific to U.S. law.
- M.-A. Frison-Roche, op. cit.
- Compare to M.-A. Frison-Roche, « Le droit de la compliance au-delà du droit de la régulation », Recueil Dalloz, Juil. 2018.
- Total, in the « Oil for Food » case, Paris, 26 February 2016, No. 13/09208, D. 2016.1240, note J. Lelieur ; adde French Cass. crim., 14 March 2018, No. 16-82.117.