The recent news

Compliance Law, like Regulatory Law, of which it is an extension, is an Ex Ante Law.

It translates into a set of obligations that companies must perform to ensure that harmful behavior does not occur, such as bribery, money laundering, pollution, etc.

This results in "structural" obligations, such as the establishment of a risk map, a third-party vigilance system, internal controls, the adoption of codes.

The practical question that arises is whether to punish a company, it is necessary but it is sufficient that the company has not adopted these structural measures, or if it is also necessary that within it or through the persons whom it must be accountable (through the corporate officers and the employees, but also the suppliers, the sub-contractors, the financed operators, etc.) there were behaviors that Compliance Law prohibits, for example corruption, money laundering, pollution, safety-related accident, etc.

The question is probative. Its practical stake is considerable.

Because to obtain the conviction the prosecuting authority will have to demonstrate not only a failure in the structural device but also a behavioral failure.

Si l'on considère que le Droit de la Compliance est à la fois sur l'Ex Ante et sur l'Ex Post, alors l'autorité de poursuite qui requiert une sanction doit démontrer qu'il y a un comportement reprochable (Ex Post) et qu'à cela correspond une défaillance structurelle (par exemple le compte bancaire anormal n'a pas été signalé) ; si l'on considère que le Droit de la Compliance est purement en Ex Ante, alors même s'il n'y a pas de comportement reprochable en Ex Post, la seule défaillance structurelle suffit pour que l'entreprise qui doit l'organiser en son sein soit sanctionné.

If we consider that Compliance Law is both on the Ex Ante and the Ex Post, then the prosecuting authority that requires a sanction must show that there is a reprehensible behavior (Ex Post ) and that this corresponds to a structural failure (for example the abnormal bank account has not been reported); if we consider that Compliance Law is purely Ex Ante, then even if there is no reprehensible behavior in Ex Post, the only structural failure is enough for the company to be sanctioned, even if it does its best efforts, even if no prohibited behavior will have accured in Ex Post.  

The second system, which is much more repressive and places a considerable burden on companies, even if there is no proven illicit behavior, is that of French Law, probably because of a tendency towards Ex Ante organization. ..

Mais il faut garder mesure. Et cette mesure est probatoire.

But we must keep measure. And this measure is probative.

This is what the Commission des Sanctions of the Agence Française Anticorruption -AFA (French Anti-Corruption Agency's Sanctions Committee) has just said, in its decision of 4 July 2019, SAS S. et Madame C.,(written in French) contradicting the position of its director, who acted as the prosecuting authority. This is yet another general proof of the autonomy of the Sanctions Committee vis-à-vis to the Administrative Authority of which it is a part, and in relation to its director, who nevertheless governs it. But, jurisdictional model obliges, he has here the status of prosecuting authority, is subject to the regime of this one and not to the regime of head of the entity. Demonstration of the "functional autonomy" of the sanctioning bodies within the administrative regulatory and compliance authorities.

Indeed, this important decision expresses with precision and reason the distribution of the "burden of the allegation" and the "burden of proof" on the prosecuting body and on the company pursued, as well as the role of presumption that the recommendations issued by the French Anti-corruption Authority can play.

Read the analysis below.

Europe is definitely the zone of the world in which the protection of persons is thought.

Elle le fait par des textes, dont le très fameux Réglement adopté en 2016 relative à la protection des personnes physiques à l'égard du traitement à caractère personnel et à la libre circulation de ces données, dit "RGPD", recopié par exemple en Californie par la loi du 12 juillet 2018, par des initiatives nationales, comme la prochaine loi française contre les discours de haine dans l'espace numérique, par de nombreuses études et rapports - le droit souple étant aussi importante que le Droit pénal en Droit de la Compliance, mais encore par des décisions de justice.

Europe does this by texts, including the very famous Regulation adopted in 2016 relating to the  treatment of personal data for their free circulation and the protection of peope concerned by them ( known as General Data Protection Regulation - GDPR ), copied for example in California by the Act of 12 July 2018, by national initiatives, such as the next French law against hate speech in the digital space, by numerous studies and reports - Soft Law being as important as Criminal Law in Law of Compliance  system -, but also by court decisions.

Indeed, judicial decisions were at the origin of the movement of the person protection, with the creation of a "right to be forgotten" by the 2014 Google Spain decision of the Court of Justice of the European Union.

The judgment of the CJEU on 29 July 2019, Fashion ID, is just as important. Like the previous one, it clearly settles an essential question: who must police consents in the digital space?

And the answer is: all the digital players who benefit from it.

As a result, there is an "intermesh" (on this notion which is the future of Compliance Law in the digital world, see Frison-Roche, M.-A., The contribution of Compliance Law in the Governance of Internet, 2019 ).

See below the analysis of the judgment.

 It is often observed, even theorized, even advised and touted, that Compliance is a mechanism by which public authorities internalize political (eg environmental) concerns in big companies, which accept them, in Ex Ante, because they are rather in agreement with these "monumental goals" (eg saving the planet) and that this shared virtue is beneficial to their reputation. It is observed that this could be the most successful way in new configurations, such as digital.

But, and the Compliance Mechanism has often been brought closer to the contractual mechanism, this is only relevant if both parties are willing to do so. This is technically true, for example for the Deferred Prosecution, which requires explicit consent. This is true in a more general sense that the company wants to choose itself how to structure its organization to achieve the goals politically pursued by the State. Conversely, the compliance mechanisms work if the State is willing to admit the economic logic of the global private players and / or, if there are possible breaches, not to pursue its investigations and close the file it has opened, at a price more or less high.

But just say No.

As in contractual matters, the first freedom is negative and depends on the ability to say No.

The State can do it. But the company can do it too.

And Daimler just said No.

___

Publicly, including through an article in the Wall Street Journal of June 28, 2019.

The company sets out in a warning to the market that it is the object of a requirement on the part of the German Motor Authority (Kraftfahrt-Bundesamt)  of an allegation of fraud, by the installation of a software, aimed at misleading instruments for measuring emissions of greenhouse gases on cars using diesel.

It is therefore an environmental compliance mechanism that would have been intentionally countered.

On this allegation, the Regulator both warns the company of what it considers to be a fact, ie compliance fraud, and attaches it to an immediate measure, namely the removal of the circulation of 42,000 vehicles sold or proposed by Daimler with such a device.

And the firm answers : "No".

_____

Which is probably only beginning, since a No ends the dialogue of Ex Ante to project in the Ex Post sanction procedures, calls 6 observations:

• 1. No doubt Daimler, a German car manufacturing company, has it in mind in this allegation of fraud calculating pollution of its diesel cars what happened to his competitor Volkswagen: namely a multi-billion dollar fine, for lack of compliance in a similar hypothesis (so-called dieselgate). The strategic choice that is then made depends on education through the experience of the company, which benefits as such from a previous case that has had a very significant cost. Thus educated, the question is to measure the risk taken to refuse any cooperation, when the company can anticipate that it will still result in such an amount ....

• 2. In addition, we find the difficulty of the distinction of Ex Ante and Ex Post. Indeed, saying No will involve for the company a cost of confrontation with the Regulator, then the peripheral jurisdictions or review courts. But in Germany, the Government itself, concerning a bank threatened with compliance proceedings and almost summoned by the US regulator to pay "of its own free will" a transactional fine, felt that this was not normal, because it must be the judges who punish, after a contradictory procedure with due process and after established facts. 

• 3.  However, this is only an allegation, of probable assertions, of what legally allows to continue, but which does not allow to condemn. The confusion between the burden of proof, which presupposes the obligation to prove the facts before being able to sanction, and the burden of the allegation, which only supposes to articulate plausibility before being able to prosecute, is very damaging, particularly if we are committed to the principles of Repressive Law, such as the presumption of innocence and the due process. This distinction between these two probationary charges is at the heart of the probatory system in the Compliance Law. Because Compliance Law always looks for more efficiency, tends to go from the first to the second, to give the Regulator more power, since businesses are so powerful ....

• 4. But the first question then arises: what is the nature no so much of the future measure to be feared, namely a sanction that could be taken later, against Daimler, if the breach is proven, or which will not be applied to the firm if the breach is not established; but what is the nature of the measure immediately taken, namely the return of 42,000 vehicles?

• This may seem like an Ex Ante measurement. Indeed, the Compliance assumes non-polluting cars. The Regulator may have indications that these cars are polluting and that the manufacturer has not made the necessary arrangements for them to be less polluting (Compliance) or even organized so that this failure is not detected ( Compliance fraud).

• This allegation suggests that there is a risk that thiese cars will polluting. They must immediately be removed from circulation for the quality of the environment. Here and now. The question of sanctions will arise after that, having its procedural apparatus of guarantees for the company that will be pursued. But see the situation on the side of the company: having to withdraw 42,000 vehicles from the market is a great damage and what is often called in Repressive Law a "security measure" taken while the evidence is not yet met could deserve a requalification in sanction. Jurisprudence is both abundant and nuanced on this issue of qualification.

• 5. So to withdraw these cars, it is for the company to admit that it is guilty, to increase itself the punishment. And if at this game, taken from the "cost-benefit", as much for the company immediately assert to the market that this requirement of Regulation is unfounded in Law, that the alleged facts are not exacts, and that all this the judges will decide. It is sure at all whether these statements by the company are true or false, but before a Tribunal no one thinks they are true prima facie, they are only allegations.
•  And before a Court, a Regulator appears to have to bear a burden of proof in so far as he has to defend the order he has issued, to prove the breach which he asserts exists, which justifies the exercise he made of his powers. The fact that he exercises his power for the general interest and impartially does not diminish this burden of proof.

• 6. By saying "No", Daimler wants to recover this classic Law, often set aside by Compliance Law, classic Law based on burden of proof, means of proof, and prohibition of punitive measures - except imminent and future imminente and very serious damages  - before 'behavior could be sanctioned following a sanction procedure.
• Admittedly, one would be tempted to make an analogy with the current situation of Boeing whose aircraft are grounded by the Regulator in that he considers that they do not meet the conditions of safety, which the aircraft manufacturer denies , Ex Ante measurement that resembles the retraction measure of the market that constitutes the recall request of cars here operated.
• But the analogy does not work on two points. Firstly, flight activity is a regulated activity that can only be exercised with the Ex Ante authorization of several Regulators, which is not the case for offering to sell cars or to drive with. This is where Regulatory Law and Compliance Law, which often come together, here stand out.Secundly, the very possibility that planes of which it is not excluded that they are not sure is enough, as a precaution, to prohibit their shift. Here (about the cars and the measure of the pollution by them), it is not the safety of the person that is at stake, and probably not even the overall goal of the environment, but the fraud with respect to the obligation to obey Compliance. Why force the withdrawal of 42,000 vehicles? If not to punish? In an exemplary way, to remind in advance and all that it costs not to obey the Compliance? And there, the company says: "I want a judge".

​______

Le 24 juin 2019, le Régulateur irlandais a publié un rapport visant à participer à la consultation publique lancée par le ministère de la Communication, portant à la fois sur la façon dont il convient de transposer la directive européenne sur les services audiovisuels  et sur la perspective d'une loi nationale sur la "régulation des contenus dommageables sur les plateformes en ligne".

Pour le Régulateur, le rapprochement des deux actes législateurs offre une opportunité d'une régulation globale des "médias en ligne", offrant à l'internaute une "sécurité" que la simple transposition de la Directive ne permet pas. Ainsi la seconde loi complétera la première.

Pour le Régulateur, la loi nationale à adopter doit permettre au Régulateur de donner une pleine sécurité à l'internaute irlandais ("online safety"), en retirant les contenants violents ou dommageables (le terme harmful est difficile à traduire par un seul mot en français) et en l'avertissant à propos de ceux-ci. 

Comme l'explicite le rapport (p.52) :

The BAI considers that the following four strategic objectives and responsibilities are relevant for an online safety regulator operating within the new media regulatory structure: • Rectifying serious harms occurring to Irish residents through their use of online services. • Ensuring that individuals and members of groups that are frequently subject to harmful online content can fully benefit from digital technology and social media. • Reducing online harms by introducing online safety rules for online platforms. • Promoting responsibility and awareness of online safety issues among the general population and industry. To fulfil these objectives and responsibilities, the BAI considers that the Online Safety Regulator could have the following three functions:

1. Operating a statutory mechanism to remove harmful online content that directly affects Irish residents (Rectification of Harm)

2. Developing and enforcing an online safety code for Irish-resident online platforms (Minimisation of the potential for Harm)

3. Promoting awareness of online safety issues among the public and industry (Preventing Harm). Ensuring that online services play a more effective role in tackling online safety issues can provide wide, “collective” benefits to large numbers of individuals simultaneously.

Visant expressément Youtube et Facebook, qui en Europe ont choisi de se localiser en Irland, le Régulateur demande une Régulation des plateformes de partage de vidéos qui doit, à travers un Code s'appliquant à eux, permettre de régir leur activité qui se déploie à travers toute l'Europe. Ce Code aurait vocation à rappeler en premier le principe de la libre expression. Tout en organiser la "sécurité en ligne" de l'internaute.

Le Régulateur irlandais des Médias sera en charge de cela. Et puisque les opérateurs sont localisés en Irlande, ses conceptions et ses actions auront donc un effet européen : comme le dit le Président de l'Autorité de Régulation lui-même : " This is a particularly important issue for this country, given that many of the majoar international platforms are based her. Ireland has a unique opportunity - and responsability - to lead the debate and chart the way forward in relation to online safety and regulation". 

____

"to lead" ?

Il n'est pas certain que les autres régulateurs nationaux ni la Commission européenne partagent une telle conception irlando-centriste de la régulation euroréenne des médias.

In what it presents as a set of guidelines designed by a risk-driven approach, the FATF published on 21 June 2019 recommendating to fight the use of crypto-assets and cryptocurrency platforms for launderind money and financing terrorism.

This fight against money laundering is (with the fight against corruption) often presented as the core of the Compliance Law. The FATF takes a large part of it. Even if this new branch of Law aims to crystallize other ambitions, such as the fight against tax fraud or climate change, or even the promotion of diversity or education and the preservation of democratie, the legislation of Compliance Law are mature in the matter of money laundering and the terrorism financing, as they are in the fight against corruption.

The news comes then not from the new legal mechanisms but rather from the new technological tools that could allow the realization of the behaviors against which these obligations of compliance have been inserted in the legal system. It is then to these technologies that the law must adapt. This is the case with crypto-assets and cryptocurrency platforms. Because these are rapidly evolving technologies, with the exercise of written guidelines in 2019 to inform the meaning of the provisions adopted in 2018, the FATF is taking the opportunity to change the definition it provides of crypto-assets and cryptocurrencies. So that a too narrow definition by the texts does not allow the operators to escape the supervision (phenomenon of "hole in the racket" - loophole)..  

___

In fact, in October 2018, the FATC (Financial Action Task Force) developed 15 principles applying to these platforms, to allow this intergovernmental organization to carry out its general mission to combat money laundering and the financing of terrorism. These June 2019 recommendations are to interpret them.

In this very important document, where it is expressly stated that it is a matter of fixing the obligations of those who propose crypto-assets and crypto-currencies, the notion of self-regulation is rejected. Il est writter : "Regarding VASP (virtual assets services providers) supervision, the Guidance makes clear that only competent authorities can act as VASP supervisory or monitoring bodies!footnote-119, and not self-regulatory bodies. They should conduct risk-based supervision or monitoring, with adequate powers, including the power to conduct inspections, compel the production of information and impose sanctions. There is a specific focus on the importance of international co-operation between supervisors, given the cross-border nature of VASPs’ activities and provision of services."

On the contrary, it is a matter of elaborating the control obligations that these service providers must exercise over products and their customers (Due Diligences), which must be supervised by public authorities. 

In order to exercise this supervision and monitoring, the national authorities themselves must ensure that they work together : "As the Virtual Assets Services Providers (VASP) sector evolves, countries should consider examining the relationship between AML/CF (Anti-Money Laundering and Counter Terrorist Financint) measures for covered VA activities and other regulatory and supervisory measures (e.g., consumer protection, prudential safety and soundness, network IT security, tax, etc.), as the measures taken in other fields may affect the ML/TF risks. In this regard, countries should consider undertaking short- and longer-term policy work to develop comprehensive regulatory and supervisory frameworks for covered VA activities and VASPs (as well as other obliged entities operating in the VA space) as widespread adoption of VAs continues".

After particularly interesting comparative law information on Italy, the Scandinavian countries and the United States, the report concludes: "International Co-operation is Key", because of the global nature of this activity.

Since the issue is not the global Regulation of these platforms and types of products, but only the possible modes of money laundering and terrorist financing to which they may give rise, the FATF recalls that neither crypto-products nor product suppliers are not referred to as such. As the guidance's title recalls, common to the 2018 document adopting the 15 principles and this interpretive document, these are "risk-based" rules. Thus, it is according to the situations that these - products and suppliers - that they may or may not present risks of laundering and financing of terrorism: depending on the type of transaction, the type of client, the type of country, etc. For example, from the moment that the transaction is anonymous, that is impossible to know the "beneficiary", or that it is transnational and instantaneous, which makes it difficult to supervise because of the heterogeneity of national supervisions little articulated between them.

In reports that public supervisors must have with crypto-product suppliers, they must adjust according to the level of risk presented by them, higher or lower: "Adjusting the type of AML/CFT supervision or monitoring: supervisors should employ both offsite and onsite access to all relevant risk and compliance information.However, to the extent permitted by their regime, supervisors can determine the correct mix of offsite and onsite supervision or monitoring of Virtual Assets Services Providers (VASPs). Offsite supervision alone may not be appropriate in higher risk situations. However, where supervisory findings in previous examinations (either offsite or onsite) suggest a low risk for ML/TF, resources can be allocated to focus on higher risk VASPs. In that case, lower risk VASPs could be supervised offsite, for example through transaction analysis and questionnaires".

This "adjustment" required does not prevent a very broad conception of the power of supervision. So, for nothing escapes the recommendations (and in particular the obligations that ensue for the suppliers of these products), the definition of the crypo-assets and crypo-currencies is this one: “Virtual asset” as a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities, and other financial assets that are already covered elsewhere in the FATF Recommendations."

And for the same reason of effectiveness is posited the principle of technological neutrality: "Whether a natural or legal person engaged in Virtual Assets (VA) activities is a Virtual Asset Services Provider (VASP) depends on how the person uses the VA and for whose benefit. As emphasized above, ...  then they are a VASP, regardless of what technology they use to conduct the covered VA activities. Moreover, they are a VASP, whether they use a decentralized or centralized platform, smart contract, or some other mechanism.".

The interpretative guidelines then formulate the obligations that these platforms have with regard to the supervisors they obey(question of the "jurisdiction", ratione loci ; ratione materiae): " The Guidance explains how these obligations should be fulfilled in a VA context and provides clarifications regarding the specific requirements applicable regarding the USD/EUR 1 000 threshold for virtual assets occasional transactions, above which VASPs must conduct customer due diligence (Recommendation 10); and the obligation to obtain, hold, and transmit required originator and beneficiary information, immediately and securely, when conducting VA transfers (Recommendation 16). As the guidance makes clear, relevant authorities should co-ordinate to ensure this can be done in a way that is compatible with national data protection and privacy rules. ".

These platforms are not uniformly defined due to the diversity of their activities. Because it is their activity that makes them responsible for this or that regulator. For example from the Central Bank or the Financial Regulator: "For example, a number of online platforms that provide a mechanism for trading assets, including VAs offered and sold in ICOs, may meet the definition of an exchange and/or a security-related entity dealing in VAs that are “securities” under various jurisdictions’ national legal frameworks. Other jurisdictions may have a different approach which may include payment tokens. The relevant competent authorities in jurisdictions should therefore strive to apply a functional approach that takes into account the relevant facts and circumstances of the platform, assets, and activity involved, among other factors, in determining whether the entity meets the definition of an “exchange”!footnote-121 or other obliged entity (such as a securities-related entity) under their national legal framework and whether an entity falls within a particular definition. In reaching a determination, countries and competent authorities should consider the activities and functions that the entity in question performs, regardless of the technology associated with the activity or used by the entity".

____

Reading this very important document, it is possible to make 6 observations: 

1. Interpretative documents are often more important than rules interpretated themselves. En these guidances, first and foremost, these are major obligations that are stated, not only for platforms but also for national laws, and well beyond the issue of money laundering. So, it is laid: "Countries should designate one or more authorities that have responsibility for licensing and/or registering VASPs. ...  at a minimum, VASPs should be required to be licensed or registered in the jurisdiction(s) where they are created. ".This is a general prescription, involving a general regulation of these platform, which registered in a general way, will probably be supervised in a general way.

Secondly, it is a series of binding measures that is required of the National legal systems, for example the possibility of seizing crypto-values.

It shows that the soft Law illustrates the continuum of the texts, and allows their evolution. Here the evolution of the definition of the object itself: the definition of crypto-assets and crypto-currencies is widened, so that the techniques of money laundering and terrorist financing are always countered, without it being necessary to adopt new binding rules. We are beyond mere interpretation. And even more of the principle of restrictive interpretation, classically attached to the Repressive Law ...

2. Fort the effectiveness of the Compliance Law, definition become extremely broad. Thus, to follow the FATF, the definititon off a financial institution is as follows: "“Financial institution” as any natural or legal person who conducts as a business one or more of several specified activities or operations for or on behalf of a customer". This is more the definition of a company in Competition Law!footnote-120....Why ? Because otherwise, an operator finds a status allowing him to escape the category and obligations listed. The principle of efficiency implies it. The principle of "legality", derived from criminal law, has hardly any existence. But this also corresponds to the general evolution of the financial world, in which one no longer stars from the organ (for example to be a"bank") but of activity, but from an activity or a fonction whose metamorphoses are so rapid that it is almost impossible to define them ....

3. In the same way, the definition of crypto-assets or crypto-currencies: "“Virtual asset” as a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities, and other financial assets that are already covered elsewhere in the FATF Recommendations". This definition is purely operational because nothing can escape the FATF: all that is financial or monetary, whatever its form or support, its traditional form or a form that will be invented tomorrow, is within its competence and, through a such definition, is under national supervisors. In Compliance Law, and since everything is based on risk analysis, the idea is simple: nothing must escape obligations and supervision.

4. Platform apprehension is done by the criterion of activity, according to the "functional" method. Thus, its supervision, or even its regulation, and its obligations of compliance, will apply, depending on what it does, to the Financial Regulator (if it does ICO) or to others if it only uses tokens as an instrument of exchange. If it makes several uses, then it would fall under several Regulators (criterion ratione materiae).

5. The principle of "technological neutrality" is a classic principle in Telecommunications Law. Here we measure the interference between the principles of Telecommunications Law and Financial Law, which is logical because crypto-financial objects are born of digital technology. This neutrality allows both technological innovation to develop and supervision to be unhindered for not having foreseen an innovative technology appearing after the adoption of the legal text. Here again, the effectiveness of Compliance and risk management are served, without the innovation being thwarted, which is often opposed.

6. What is expected of national public authorities is a very wide "interregulation". This is both "positive". Indeed, this includes financial matters but also the security of networks, or the protection of consumers. It can be called equilibrium interregulation in that all goals converge. But this is also an "interregulation" that can be described as balance. Indeed, the FATF is concerned about the protection of personal data. However, it emphasizes that the effectiveness of the Compliance system must stop. But the protection of personal data is also a part of Compliance Law.... This is one of the major challenges in the future: the balance between security and the fight against global evils(here the fight against money laundering and terrorism) and the protection of the privacy of individuals, as both fall under Compliance, but both have opposite legal effects: one the transmission of information, and the other the secret of the information. 

____