By Blandine CORDIER-PALASSE, Revue Lamy Droit des affaires, RLDA 7104, supplement to no. 165
There is a multi-stakeholder expectation that compliance should be taken into account. This is sometimes at the top of the management agenda. The expectation is expressed more through pressure from investors than through regulatory pressure. And compliance officers are rising through the ranks, into the parts of the organisation closest to governance. Today, knowing how to anticipate compliance risks has become strategic.
What is compliance? First, we will define what compliance means for a company. Then we will identify its legislative origins and its scope. We will also look at the role of governance in its effectiveness. We will then show the impact of an intelligently implemented compliance programme on corporate strategy. We will then discuss the key role of the compliance officer. In addition, we will look at the skills that the compliance officer must have if he or she is to succeed in his or her role within the company.
What is compliance?
Compliance is a fairly recent term. It can be defined as "the set of processes used to ensure that the behaviour of the company, its managers and its employees complies with the laws, regulations, standards, professional practices and ethical requirements applicable to them".
This term was first used in the United States, at the time of the Great Depression of 1929 and the manoeuvres of certain banking operators. In Europe, the term was first used in the 1960s in connection with the codification of competition law. More recently, awareness of the globalisation of economic life and the growing role of the major players on the Internet have highlighted many of the components of compliance. These are designed to guard against certain risks and malfunctions. All this has finally conquered the entire business world. This conquest has particularly taken place in the field of governance, with CSR and its components.
The English word "compliance" comes from the verb to comply. This verb itself comes from the Latin complere, which gave rise to accomplish. The English suffix ply in to comply means consent. To comply therefore means to agree to act according to a set of rules. These rules have sources other than the law alone.
In French, the terms conformité and compliance are often used interchangeably. It is thought that conformité is a translation of the English term compliance. But compliance and conformité do not mean the same thing. When we use the word conformité, we are aiming for identity in form - we will thus speak of "a carbon copy". When the law takes the form of an obligation, things are simple. By complying with legal obligations, you respect the law, you are "compliant". But when the law says what you must not do, for example that you must not pay bribes or enter into commercial agreements, things become more complex.
At first glance, you might say that if a company is not prosecuted for bribery or cartel behaviour, it is not paying bribes. Consequently, it has not formed cartels with its competitors. Both are hidden crimes, committed by intelligent individuals. They will use their knowledge of the company to conceal the fraudulent acts and erase all traces of them. If there is no visible corruption, this does not necessarily mean that there are no corrupt acts. The same applies to breaches of competition law. If there are no prosecutions for cartels, it does not mean that there is no cartel!
It is therefore legitimate for the company's stakeholders - shareholders, employees, civil society, customers, suppliers and partners - to consider that just because a crime has not been identified does not mean that there is none. They therefore ask the question: how can the company's management be sure that no offence has been committed? What measures has it implemented to prevent and detect this offence? And it is precisely these voluntary rules that the company will adopt to ensure that no offence has been committed. These rules will constitute the company's compliance corpus.
Philippe Montigny(1) said: "No wonder. Compliance is a set of rules that a company adopts in order to respect the spirit of the law." These rules must meet stakeholders' expectations. But laws, and even more so stakeholder expectations, are changing. Management bodies need to play a watchdog role. They need to understand what compliance will be like in the future, so that they can prepare for it.
Origins and legislation of compliance
Founding texts
One of the sources of compliance is the Foreign Corrupt Practices Act. This is a 1977 US federal law, published to combat bribery of public officials abroad. The aim was to meet the challenges of financial security. It had an international impact. Since then, many countries have passed similar legislation. These include Austria in 1982, Germany in 1992, the United Kingdom with the UK Bribery Act in 2010, Spain in 2010, Italy in 2012, Brazil and China in 2013, and Russia with several regional anti-corruption laws.
The 1997 OECD Convention is the world's leading instrument in the fight against bribery. It establishes legally binding standards aimed at making bribery of foreign public officials a criminal offence. The Convention now combats bribery in international business transactions. The OECD's objective is to promote development, reduce poverty and improve confidence in markets. A large proportion of corruption originates in exporting countries. What sets the OECD Convention apart from other multilateral instruments for combating corruption is that it targets the "briber" rather than the "bribed". It has been ratified by all 37 OECD member countries and 7 non-member countries. It helps public authorities and companies to improve their legislation and standards.
Recent developments
In France, the Sapin II Act transposes these international rules into French law. In particular, it transposes the 1997 OECD Convention, the United Nations Convention against Corruption and the Council of Europe Criminal Law Convention on Corruption of 21 January 1999. These are just a few of the texts.
It represents a major step forward: twenty years ago, bribes were tax deductible in France! Since 9 December 2016, this law on transparency, the fight against corruption and the modernisation of public life has required the implementation of a heavy preventive anti-corruption system.
In Europe, the compliance mechanism is developing in some of the founding areas of the European Union. These include competition law, financial law and environmental law. American law has largely influenced these mechanisms. It has contributed to the development of specific rules of compliance.
The European General Data Protection Regulation (GDPR)(2) imposed obligations regarding personal data. This regulation has made each and every one of us, as consumers, customers and social networking enthusiasts, aware of the constraints. Above all, it has made us aware of the need to protect certain sensitive information.
The European Union has already contributed to the development and consistency of these rules. This has been done both within the Union and in relation to US law. It is likely that a "European compliance law" will help to make EU law more independent of US law. This autonomy will thus contribute to the European project.
France, for its part, adopted regulations on the fight against money laundering and terrorist financing very quickly. This followed the 40 recommendations of the Financial Action Task Force (FATF) and the first European directive.
The areas covered by compliance
But all this must not be confined to risk management alone, because, as mentioned above, that would be taking a strategic risk. In fact, the areas of application of compliance are vast. By way of example, here is a non-exhaustive list of the areas concerned:
- insider trading and confidentiality of information;
- the responsibility of directors and the prevention of potential conflicts of interest;
- the fight against corruption, influence peddling, misappropriation of public funds and favouritism;
- antitrust, export control;
- financial and environmental crime;
- fraud of any kind;
- human rights;
- social and environmental responsibility (SER).
This list shows that the world of compliance is actually very broad, because if we are talking about "compliance", we are mainly interested in the way we act within the company. And here we enter the field of
This must be applied holistically and operationally, both to parent companies and to all the group's entities and subsidiaries. It is for this reason that rating agencies now assess companies' practices and publish measurement indicators.
Compliance: the role of governance
Governance and compliance, the same vision: no governance without compliance and no compliance without governance! Good governance orchestrates the forces at work, aligning the Board of Directors, management, shareholders and employees around a single strategy for sustainable growth, while taking account of all stakeholders.
The Sapin II Act makes this clear: "The chairmen, chief executive officers and managers of a company employing at least five hundred employees, or belonging to a group of companies whose parent company has its registered office in France and whose workforce includes at least five hundred employees, and whose turnover or consolidated turnover exceeds €100 million are required to take measures to prevent and detect the commission, in France or abroad, of acts of corruption or influence trafficking".
Thus, within the Board, directors will have to integrate compliance issues into the various decisions they will have to take. It is very different for a board to set a sales growth target of 3 % while asserting zero tolerance of non-compliance, or to set 3 % whatever the terms and risks of non-compliance. Taking compliance into account may therefore lead them to decide to forego opportunities or lower targets because of proven problems - or even just risks - of conflicts of interest, corruption, cartels, etc.
Compliance risks can have a real impact on a company, including at operational level. It is therefore essential for these issues to be raised to the highest level of the organisation, so that the management body can make informed decisions. To this end, it is essential that the Board puts in place a means of being regularly informed. It should be informed both from internal sources and from external sources, including independent experts.
The Board of Directors/ComEx or CoDir tandem
There is a great deal at stake in the Board of Directors/Comex or CoDir tandem: in effect, one gives direction but does not hold all the cards, while the other, which does hold all the cards, has a duty to give them to the Board. Moreover, conducting a reflection on the trust between the Board of Directors and the Comex or CoDir, particularly on the risks that the Comex may tend to play down in order to focus first on the financial results, can be a first step in establishing effective governance.
The Board of Directors has a key role to play in compliance policy: that of driving it forward. It must show that it is not only interested in this issue, but that it makes it a prerequisite for achieving sales and objectives. It must have feedback on the risks of legal non-compliance, non-compliance with best practice, or non-compliance with public expectations, at a very detailed level. For example, not having the ISO 37001 standard will undoubtedly mean not being able to respond to certain public tenders in certain countries.
One of the ways it does this is by setting up an ethics/compliance committee, often in conjunction with a risk committee. These committees play an essential role in defining the ethics and compliance programme and then rolling it out. In addition to these committees, the Board will have to ensure, through its management, that rules, controls and, if necessary, sanctions are actually put in place. Without them, the compliance policy runs the risk of being a dead letter and a chattering charter, when, on the contrary, these principles must be translated into objectives and results.
Compliance must be announced as a priority at the highest level of the company. Above all, it must be a value that people embrace. Compliance is a way of being, before being a way of doing!
Stakeholders need to feel that compliance is supported at the highest level by corporate governance. It is also embodied in the teams and relayed in particular by middle management. It is reflected in the exemplary behaviour of each individual. If we feel that compliance is being lived out in very concrete terms by everyone, including by benevolent management, this helps to establish the reality and credibility of the approach and the commitment.
Compliance and strategy
But compliance is not just a managerial discipline. It also has a strategic dimension, since a failure to comply with legal obligations or business ethics can result in very high financial costs (fines, investigations, advice, etc.), a high risk to image and reputation, and personal civil and criminal liability for managers.
It would therefore be wise for governance to consider it not as a "cost" but as a genuine strategic investment. To be successful, this paradigm shift will require the implementation of genuine change management. To begin with, senior management must:
- list the issues facing the company;
- ensure that there is no legal non-compliance, so as to avoid unnecessary expenditure instead of more strategically relevant investment;
- define the challenges according to markets, services and products;
- study functional, operational, image and reputation risks in order to anticipate problem areas;
- prepare the company for the impact of the programme on its operations, not in terms of constraints and costs, but rather in terms of investments and changes to its way of doing things, or even its business model, and for the possibility of sensitive revelations such as the uncovering of reprehensible practices;
- design the optimum organisation, taking account of the company's culture.
Compliance is also an economic weapon: instead of seeing it simply as a set of legal constraints, over the last twenty years or so companies have organised themselves to define "good practices". One example is the International Chamber of Commerce's (ICC) Anti-Corruption Commission, which plays a leading role in drawing up international trade rules and disseminating best practice. The challenge was to collectively work out what needed to be defined to ensure compliance with the law, while at the same time defining what was "good for business".
Companies that have signed up to the United Nations Global Compact not only intend to make the effort themselves, but also to ensure that their suppliers and other stakeholders do the same. When such attitudes and behaviours are taken into account in commercial relations, it is clear that we are talking about real competitive advantages!
Finally, ISO standards have taken over.
Still from a strategic point of view, it is worth noting that after the law, professional practices, good practices and standards, the third reference framework for compliance stems from ethical requirements and public expectations. These include human rights, environmental and social concerns and other CSR issues. If companies do not take these issues seriously enough, they can quickly become the subject of legislation. As a result, their implementation can become more complicated.
The strategic challenge here is to identify the emerging expectations of public opinion - the stakeholders - and to respond to them with good practice, and credible good practice at that! Of course, the expectations of the public are often complex and ill-defined, but sometimes a news item crystallises them, without erasing their complexity. We are thinking of the issue of personal data at the GAFAs or the emergence of movements such as #metoo, etc. In these cases, strategic intelligence must also cover these areas.
Finally, in the early days of compliance policies, it was thought that the "tone" should be set by the "top", the famous "tone at the top". However, we have come to realise that middle management is just as crucial. Successful implementation of compliance is everyone's business. That's why the presence of relays and levers - such as the compliance officer - is fundamental.
Implementing the compliance policy - the chief compliance officer
One of the keys to implementing such a change is the appointment of a Chief Compliance Officer. He or she will be the real conductor of the orchestra, playing the score for the Comex, the theme of which is set by the Board of Directors. He or she will work in a highly cross-functional, multi-disciplinary and matrix fashion with the Legal, Risks, Human Resources, Sustainable Development and Operational Departments. The aim is to analyse all legal, operational and non-financial risks, to assess the impact of all international regulations and sector-specific professional standards on the business, to take account of the expectations of external stakeholders, etc.
The Sapin II law is made up of eight pillars which, although they essentially concern the prevention of corruption, serve as a basis for developing the programme. In addition, there is the compliance approach to a number of issues. This law has both increased and established the role of the compliance officer. We will mention all the issues, without going into detail:
- drawing up a code of conduct and risk mapping;
- the introduction of third-party assessment procedures;
- the creation of an early warning system and internal or external accounting control procedures;
- the implementation of a training system and a disciplinary system enabling employees to be disciplined;
- the introduction of a system for monitoring and evaluating the measures implemented.
And let's not forget that the Sapin II law is only the French version of international regulations on the prevention of corruption applicable to international groups. And as we have seen, many other regulations, standards and geopolitical issues need to be addressed as part of a holistic, global approach to compliance. The aim is to define and implement the company's strategy. It is therefore clear that the compliance officer must have the independence, means and resources needed to carry out his duties. The most important of these is to bring issues, even those sensitive to the Audit Committee, to the attention of the Chairman. It is the role of corporate governance to create the conditions, particularly in terms of trust, that are conducive to effective action.
It is also easy to see why we are seeing a real upward trend in the compliance function. A few years ago, companies were looking to us to recruit young people. They were often attached to the legal department, to set up "compliance" programmes. Increasingly, companies are realising the importance of relying on more experienced profiles. Such profiles understand the business and the workings of the company and know how to interact with the various corporate functions. They have already acquired a good deal of experience in compliance, so they are capable of setting up, deploying and monitoring the programme. The aim is to train and raise awareness among managers and operational staff, and to be perceived as legitimate and credible.
In terms of skills, compliance officers must have a strong legal awareness. They also need to understand business and speak the language of operational staff. They need to be fairly close to top management, while at the same time being able to challenge it. The aim is to have a free hand to implement a solid, effective compliance programme, rolled out holistically across all the group's entities and aligned with the company's strategy. This requires a certain maturity and authority, but also courage. The aim is to change the "we've always done it this way" attitude.
Towards an 'Ethics and Compliance' department
We will conclude with the proposal to create a department bringing together all the components. The department would then be headed by a Director of Ethics and Compliance. We know that, when the Compliance function exists in a company, it is not always asked to intervene in strategic decisions from the outset. Yet this legitimacy is key.
The "Ethics and Compliance" Director has an orchestral leadership role, but also a cross-functional one. He or she is in close contact with General Management, operational staff and the legal, risk, finance, human resources and vertical functional departments. He or she reports to the governance bodies and infuses the culture right down to the teams on the ground. What is more, he or she gives the role a truly strategic dimension. Some companies give this director a place on the Comex. They regularly invite him or her to attend Board meetings, and in some cases they even do so. From now on, this function will listen to the various stakeholders. The importance of this role in compliance and governance has been emphasised. The "Ethics and Compliance" Director's soft skills are fundamental. His or her aim is to ensure that the Group develops a culture of ethics and compliance.
We will conclude by saying that compliance is one of the foundations of 21st century business strategy. It is a necessary - but not sufficient - condition for a company's performance and longevity. The weak will see it as an additional constraint. The strong will see it as a mode of governance for the whole company. It is a way of respecting the men and women who are the company's customers, employees and suppliers. More globally, it is about the ecosystem of all its stakeholders.
(1) P. Montigny, Chairman of CIRCE Finance, Chairman of the Certification Committee, ETHIC Intelligence.
(2) Reg. No. 2016/679, Apr. 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, known as the GDPR, applicable from May 25, 2018.
Blandine CORDIER-PALASSE
Chairman BCP PARTNERS, Co-founder Le Cercle de la Compliance