Legal compliance requirements increased signi cantly in recent years. Environmental concerns, consumer protection, global standard-setting and the political and social fall-out of large corporate failures, e.g., WorldCom6, Enron7, and the Global Financial Crisis are some examples of drivers of increased regulatory complexity. Legislation such as the Sarbanex-Oxley Act [ 30 ] and the Foreign Account Tax Compliance provisions of the US [ 2 ] and voluntary frameworks such as the Basel III Accord of the Basel Committee on Banking Supervision [ 1 ] are examples of regulatory responses that have had a global impact on compliance practices of a ected institutions. The impact of these compliance requirements captured the interest of a wider research community as is evident in projects such as COMPAS8, OPENLAW9, EU Cases10,, etc.

Essentially, these projects have been addressing compliance from the regulatory perspective, which can be understood broadly as \the act and process of ensuring adherence to the law". Compliance management requires the identi cation of relevant compliance requirements, the design of processes to ensure compliance with those requirements and the monitoring of actions to ensure that policies and processes are appropriately implemented and result in actual compliance. These compliance projects, however, focused mainly on \discovering, extracting and representing di erent requirements from laws and regulations that a ect a business process" [ 4 ]. In addition, they focused on simpler { often binary { requirements rather than the more complex, value-based requirements. In other words, existing e orts primarily focus on the identi cation and management of formal { generally simpler - compliance requirements related to corporations and public agencies.

The term \compliance"11 is however far broader. It is not con ned to compliance with the law but extends to compliance with ethical and societal norms and nonbinding soft law such as industry standards and codes. Compliance responses are therefore more granular regarding the various dimensions of rules and regulations, for example the social, organizational, ethical, legal, e ectiveness, implementation, and the validity of legal requirements as discussed in the legal quadrant of the rule of law [ 11 ]. The legal quadrant has been drawn from a socio-legal approach. It shows how the type, degree and quality of compliance leans on the di erent regulatory values of the instruments included in the four di erent sections of the quadrant (hard law, policies, soft law, and ethics) (see Figure 2(b)).

Compliance refers to conformity with rules, i.e. ful lling requirements or demonstrating conformity with regulatory constraints in an ethical and responsible manner. Compliance by Design (CbD) refers broadly to the set of formalised rules that are considered in the design stage of a business or regulatory process. Legal compliance by design (LCbD) is another general term that is mainly focused on the legality of the compliant business process as a whole. Compliance through Design (CtD), on the other hand, explicitly encompasses the social and institutional aspects of legal compliance (i.e. legal interpretation processes, institutionalization, the interface between modelling and coordination, and the relation between the regulated entity and citizens, consumers, and the law). This approach requires us to view the legal compliance challenge through a socio-legal lens to understand and properly de ne appropriate compliance responses. By incorporating the socio8 http://cordis:europa:eu/fp7/ict/ssai/docs/finalreport-compas:pdf 9 https://info:openlaws:com/openlaws-eu/ 10 http://eucases:eu/start:html 11 Di erent expressions and approaches can be found in the current literature on compliance, according to di erent elds and purposes, with di erent meanings | mainly Compliance (C), Regulatory Compliance (RC), Compliance by Detection (CbDt), Compliance by Design (CbD), and Legal Compliance by Design (LCbD) [ 12 ]. legal aspect into the compliance problem LCtD takes the compliance problem to a whole new level of complexity while promising a more appropriate, ethical and responsible response to complex compliance requirements.

In our previous survey [ 12 ], we brie y touched upon the LCbD and LCtD, and focused on how these have been discussed in literature to extract, analyse, represent and validate the legal requirements from a technical perspective. In this paper, we succinctly present the analysis of results of existing literature that cover social, ethical, and institutional dimensions to determine to what extent legal compliance challenges are approached holistically.

The structure of the paper is as follows: next we discuss related work (Section 2) followed by a precise elaboration on the research methodology (Section 3). Then clustering of the legal terms required for LCbD and LCtD and preliminary results are discussed (Section 4) before concluding the paper with some nal remarks and pointers for future research (Section 5). 2

Existing literature on regulatory compliance is diverse, pointing to the fact that it is a complex topic having deep roots in the compliance domain. However, this literature is often not focused on the interpretation of the rules regulating the relevant business processes [ 18 ] thus has restricted scope in terms of validity of the legal requirements used for their veri cation. There are di erent uses of `regulatory compliance' in the literature. We can group them into two sets. The rst one points to the conformity of business processes with (i) internal corporate policies and protocols, (ii) external policies and technical standards (e.g. ISOs, W3C, etc.), (iii) legal requirements (as a whole), (iv) ethical values (as a whole: deontological principles or civic virtues), and (v) privacy and data protection requirements (e.g. fair information practices or, lately, GDPR constraints). The second one refers to formalised rules after the extraction process, i.e. the automated attribution of regulatory e ects to certain conditions, requirements or constraints previously de ned.

Essentially, compared to regulatory compliance, legal compliance is more granular and have a wider scope for the law to be e ectively implemented. It encompasses a di erent approach focusing on the implementation of legal provisions instead of business processes, policies, or principles. There can be a number of e ective ways of complying with the law but some may be inappropriate as they are too costly for the business or may have a negative impact on society (e.g. exposing data to risk). Compliance o cers need to choose the most appropriate option that is more e cient (cost-wise) and does the least damage (to the entity and to society). Hence we identi ed eight distinct dimensions (such as hard law, soft law, policies, and ethics etc.) of legal compliance describing various aspects that need to be considered when automating the compliance function. Based on these dimensions, we clustered the available literature into various classes to gain more understanding on these dimensions. Despite the fact that the state-of-the-art provides a rich set of approaches and frameworks there is clearly less focus on legal compliance in general, and LCbD and LCtD { in particular. Thus, we learned from these approaches and developed a di erent interpretive framework.

The authors in [ 8 ], surveyed the rule-based system speci cations modelling approaches in the context of the semantic web. [ 26 ] tries to understand the relationships between risk management and internal controls to guide the research agenda in business process risk management, compliance and internal controls. [ 23 ] studies the existing compliance approaches for extracting the required information for modelling requirements. In the context of the COMPAS Project [ 25 ], the authors provide an overview of the state-of-the-art in compliance languages with the emphasis on languages for regulatory and legislative provisions. Their survey identi es various aspects of compliance, discovery, modelling and reporting.

In contrast, [ 3 ] studies the challenges faced by the industry and available solutions. Their survey focuses on the reluctance to address the compliance problem in the industry sectors and shortcomings of the available solutions. A rather similar survey on the practice of regulations analysis from an Information System and eGovernment Services perspective is reported in [ 29 ].

The survey in [ 9 ], on the other hand, focuses on how modelling languages are used to align the compliance requirements with business processes. Their work is somewhat similar to the survey presented in [ 8 ]. However, this work focuses on the security policies, trust management in the context of privacy and inter-organisational compliance requirements modelling. In contrast, [ 15 ] surveys formal languages for modelling business process compliance requirements with the focus on design-time compliance, and highlight the capabilities and limitations of the surveyed languages chosen from temporal and deontic families of logics. Their survey is somewhat similar to the work of [ 25 ] and [ 13 ] where authors survey existing compliance approaches for extracting information to representing normative requirements.

An evaluation of functional and non-functional capabilities of compliance management frameworks in the context of business process compliance has been reported in [ 14 ]. Their evaluation is based on three assessment criteria, namely: (i) compliance management solutions, (ii) methodology, and (iii) architecture of the evaluated compliance solutions. The authors evaluate various functional areas of regulatory compliance from a business process management perspective, e.g., the strategy model and the business process model etc. [ 6 ], on the other hand, present a literature review based on the generalisability and applicability of business process frameworks. They only cover the implementation results of the surveyed frameworks.

[ 16 ] surveys the dominant trends and issues in business compliance over four dimensions, namely: (a) variables of general business process modelling (for example, information, location, resources), (b) temporal aspects of process modelling, and (c) the distinction between formal approaches based on veri cation or validation. [ 28 ], on the other hand, analyse business literature from a risk management perspective. These include risks such as regulatory non-compliance, nancial frauds, natural disasters, and data leakages to name but a few. In contrast, [ 23 ] systematically investigates the holistic view of security in process-aware information systems along the process life cycle and the type of actions. However, both surveys put aside regulatory compliance. They exclude in particular approaches to representing and checking the compliance of regulatory frameworks thus have a di erent scope. More recently, [ 17 ] examined whether existing compliance management frameworks (CMFs) are able to provide modelling and reasoning support for various types of normative requirements. They primarily examined the conceptual foundations of the selected CMFs against pre-de ned evaluation criteria and the obligation modalities representing various classes of normative requirements.

Summing up, existing surveys focus mainly on business processes and regulatory systems. Even those that are more centred on legal services appraise the market dimension. They do not encompass a broader socio-legal or public aspect. 3

This survey aims to gain a detailed understanding of the current literature in the legal compliance domain, investigate how legal compliance is perceived in literature, identify the areas where legal compliance needs to be correctly understood, and identify future challenges in regards to LCtD. To achieve this, in the ongoing work, we will address a main research question: what are the main characteristics of legal compliance through design (LCtD)? And to gain deeper insights about legal compliance, we propose two sub-questions: (a) what are the di erences and similarities between legal compliance by design and regulatory compliance, and (b) what are the gaps in the existing compliance regime required to be lled for a successful (semi-) automation of the compliance function? With the proposed questions, we aim to determine the main characteristics of legal compliance through design (LCtD ) from a social, ethical and institutional perspective, which is required to assess the validity of legal requirements, so that they can adequately re ect the overall compliance problem.

To achieve this, we systematically surveyed a large corpus of existing literature on regulatory compliance. We began by scrutinizing several structured literature survey approaches mainly from requirements engineering techniques for model-driven development [ 24 ], software engineering [ 22,21 ] and information systems [ 31,5 ], and adopted a hybrid systematic literature review approach comprising the hermeneutic circle and the guidelines for conducting literature review proposed in [ 5 ]. We adopted hermeneutic circles as it allowed us to conduct systematic literature surveys by applying more rigorous methods when searching for literature compared to the structured surveys (see,[ 7 ] for shortcoming of structured literature surveys). The guidelines proposed by [ 5 ], on the other hand, provide a multi-phased methodology as illustrated in Figure 1, to extract, analyze, and report literature; and embeds a number of tools and procedures within each phase to manage the related e orts. ltssooooupp litsseyaanh lifrrtteeaou T sssceer o P ts/ tsu Inpu tupO

Adobe Acrobat Professional

JEBREF PHASE 1: Identi cation and Extraction of Articles

PHASE 2: Preparing for Analysis

NVIVO PHASE 3: Actual Coding Relevant Databases

JebRef Library

Primary & Secondary Papers

Proposed High Level Pre-Condi cation

Scheme

Sources

Tree-Level Nodes

Coded Content

PHASE 4: Analysis and Write-up Literature Review Report

We conducted our survey in three phases namely: (i) identi cation and extraction of articles, (ii) preparation for analysis and coding, and (iii) analysis and write-up.

Phase-1 (Identi cation and extraction of articles): The literature identi cation and extraction process started by querying prominent scholarly databases such as Google Scholar, SpringerLink, ScienceDirect, ACM Digital Library, Web of Science, IEEEXplore and free search database DBLP with the keywords to extract literature related to the scope of our survey. To this e ect, we rst identi ed a list of terms, concepts, and keywords related to the questions such as \legal compliance", \law enforcement", \hard law", \legal compliance management" to name a few, and then combined the identi ed terms by using logical operators to restrict our search right from the beginning to compliance publications. Moreover, we observed that there are several concepts/terms that are used in literature representing the same themes|for example, \conformance" for \compliance", and therefore we also included them in the search queries. Our queries resulted in more than 100 hits each time but to keep the collected literature manageable, we employed various ltering techniques such as proximity operators and lemmatization to ne grain our search results. We collected 324 articles highly related to the questions of our survey. We then created a JabRef12 library containing all the collected 324 articles in portable document format (PDF).

Phase-2 (Preparing for analysis and coding)13: In the next phase, we prepared the collected literature for actual coding and analysis in later stages. The preparation was carried out in two sub-phases. In the rst sub-phase, a rigorous assessment of each collected article following the guidelines from [ 22 ] was conducted. This sub-phase aimed to ensure that the collected articles are relevant, credible, and of high quality. It involved assessing the quality of the article by looking at its contents, identifying di erences and similarities 12 http://www:jabref:org/ 13 Phase 2 and Phase 3 of the adopted approach [ 5 ] are complementary to each other hence, we combined them into one phase. between articles and recording them. Also, we evaluated the traction that the article has received using the Google Scholar citation index. This allowed us to ascertain the scienti c relevance and impact of the article. The described procedure resulted in discarding 35 articles and selecting 289 articles for the nal analysis.

In the preparation phase for the actual coding, we derived a pre-codi cation protocol addressing the main goals of the survey according to the criteria described in [ 5 ]. In this step, we rst de ned (and collected the commonly used) de nitions of the concepts which helped us to align such de nitions with the main concepts/themes of the clustering created at an earlier stage. In addition, we also gained a thorough understanding of the objectives and key concepts and their relevant characteristics (as de ned in the clustering) in order to better position our survey among mainly focusing regulatory compliance. After this, we started actual coding of the collected literature using a qualitative analysis tool NVivo 12 plus (version 12.2.0.443) on an Intel 5 Core 2.00 GHz machine. The objective of coding was to gain more insights from the collected articles about speci c concepts, terms or themes. For the coding purpose, we used a sample of mostly commonly used concepts from the clustering and created 126 nodes across 4 main themes namely: ethics, hard law, soft law and policy each with varied level of hierarchy. We did not consider creating the coding depth more than 5 levels of hierarchy to keep the complexity of the analysis manageable.

Phase-3 (Analysis and write-up): In the nal phase, we analysed the coded concepts and derived the descriptive overview of the selected literature, painting a more vivid picture of the overall status of the compliance domain. In addition, to gain deeper insights, we also analysed the relationships between various concepts|and/or even across the concepts and themes. In addition, we applied matrix interaction|a boolean search to evaluate the correlation between di erent passages and coded themes to detect if some theme had been already coded. This helped us to remove redundancies and achieve a clean analysis for nal a write-up. 4

The authors of [ 12 ] posited that (semi-) automated legal compliance is not merely complying with the applicable text of the requirements but complying with the conceptual models extracted from various sources covering a multitude of requirements stemming from various social, political and legal aspects such as negotiations, compromises, agreements, privacy, institutional power etc. Essentially, this re ects that legal compliance has a strong relation with these aspects. Hence, the role of social, political and economic conditions (as pre-conditions), and governance and ethical requirements and enactment processes for the rule of law must be aligned when designing legal compliance systems to achieve LCtD. However, in the context of legal compliance, there is a limited understanding of which legal concepts are relevant for deploying the rule of law. To address

Fig. 2: Legal quadrant and clustering of legal concepts (a) fragment of clustering; and (b) legal quadrant of rule of law [ 11 ]; this|in the context of our survey, we clustered14 365 distinct legal concepts and terms divided across 8 sub-sets of concepts as illustrated in Figure 2(a). The clustering is based on the legal quadrant for the rule of law [ 11 ] comprising the notion of implementation of the rule of law which involves concepts such as binding power, social dialogue, privacy and trust, sanctions etc.|and sources for the validity of the legal norms (i.e., legality) that emerge from four di erent types of regulatory sources|hard law, policy, soft law, and ethics|with some distinctive properties15.

The developed clustering provided the basis for a deeper analysis to map and frame the pre-processed literature on legal and regulatory compliance. We created 126 nodes in NVivo software for coding purposes from 40 important and most commonly used legal terms selected from 8 sub-sets of the clustering. The intuition behind coding was to know how these concepts have been used in the literature and investigate their relationships. We applied a number of coding strategies and compared various nodes representing legal concepts through di erent mapping schemes such as one-to-one mapping, symmetrical and association etc., to study the correspondence between them and degree of relationship, if any. Figure 3 illustrates the example of coding comparison of legal concepts related to hard law. We created a coding comparison matrix for each sub-set of legal concepts for example ethics, policy and soft law etc.

For each coding we used the Pearson's correlation coe cient [ 20 ] `r' to measure the strength of the relationship (linear correlation) between legal concepts that 14 Due to con dentiality reasons we only provide a short explanation and fragment of the clustering. 15 As the detailed discussion on the legal quadrant is out of the scope of this paper, we refer interested readers to [ 10,11 ] for further details. appear in the matrix. The value of association `r' varies between 1 r +1 [ 27 ], where +1 is positive linear correlation, 0 is neutral or no linear correlation, and 1 is negative linear correlation.

The Pearson correlation coe cient for the sample data set is computed as: r = rxy = n P xiyi

P xi P yi pn P x2 i (P xi)2pn P yi2 (P yi)2 where x is the sample size; and xiyi are the individual sample points indexed with i. Figure 3 illustrates, the correlation (strength) of relationship of various legal concepts in hard law that tends to be positive; for example, the Pearson correlation for judicial systems and case law r = 1; and for acts and enforcement is r = 0:66575 which clearly indicates that these terms have signi cant relevance to the implementation of the rule law.

In contrast, we employed Jaccard's coe cient [ 19 ] to compare the similarity, diversity, and distance of the legal concept from the selected sub-sets in the collected literate to understand which and how frequently a legal concept had been discussed in the collected literature. The Jaccard's similarity coe ent and distance for the sample are computed as:

J =

M10

M01 + M10 + M11 where M11 is the total number of attributes with both attributes having the same value 1; M01 is the total number of attributes with attribute of A is 0, and attribute of B is 1; M10 is the total number of attributes with attribute of A is (1) (2) dj = 1

J (3) Figure 3 illustrates that several legal terms have been discussed in the literature in the context of hard law but the density of their appearance varies. For example, the concept of judicial system and case law has been more discussed (J = 0:571429) compared to acts and enforcement (J = 0:138462) and sanctions and enforcement (J = 0:090909), respectively. In measuring the presence of several legal concepts in hard law, we noted 52% of 106 coded concepts had 0 similarity index, which means these concepts have not been discussed in the analysed literature.

Figure 4 re ects the overall results of the analysis of collected literature across the four themes of the legal quadrant. Figure 4(a) exhibits that for the most, legal concepts have a strongly positive relation with the 1541 references16 found in literature, which re ects their signi cance for the implementation of the rule of law, and only a few concepts exhibit a negative relation. However, legal concepts in the context of hard law have been only marginally considered in existing literature. This means that the fundamental interpretative procedures, liberties, and constitutional principles (e.g., proportionality, interpretation, and reasonable standard) are scarcely cited, because the technical literature mainly focuses on the relevant aspects of CbD for business process management.

In contrast Figure 4(b) and Figure 4(c), respectively, provide interesting results for both the strength and appearance of the legal concepts for ethics and policy where several concepts in the context of ethics have not been considered, and the degree of relationship for the legal concepts for policy is signi cantly weak compared to hard law. For example, we observed that virtue ethics, which are a fundamental pillar for political theories of republicanism, is put aside. Again, authors prioritize the principle of what is relevant for the elds in which CbD is developed.

Finally, Figure 4(d) also exhibit somewhat mixed results for soft law which shows a slightly higher degree of relationship between various terms/concepts but less presence in the literature. Essentially, our literature analysis results validate that the existing body of knowledge does not fully cover majority of the concepts/themes that are important to properly address the legal compliance problem in general, and legal compliance by design (LCbD) and through design (LCtD) |in particular. 5

In this follow-up paper of the pre-survey that we carried out on regulatory and legal compliance [ 12 ], we tested the idea that legal compliance and LCtD have a broader scope and complexity than regulatory compliance and LCbD. We do not 16 Here references refer to the number of times the term has been referred in various articles. d ) n d c ( a n

a e L r J is

) n c

( p h

t 4 x . e view them as discrete categories, but as an overlapping conceptual continuum. The formalisation of legal compliance is possible, but through institutional regulatory models bringing together both machine and human interfaces. There is however still some work to be done. The link between concepts stemming from the practical dimension (such as legal services, legal professions, law rms etc.) and the normative and institutional one (legal norms and systems) should be better known and understood, as technological studies have tended to prioritize market-driven strategies over the social construction of a public space. In future works we will address the overlaps between LCtD and LCbD, explaining the added complexity of LCtD both from the public and private domains. We will reformulate the problem as a challenge stemming not only from regulatory systems but also from the broader spectrum of the rule of law in order to develop new functional, conceptual and computational models for interpreting, representing and (semi-) automating compliance.

This research was partially funded by the Australian Government-funded Data to Decisions Cooperative Research Centre (http://www:d2dcrc:com:au/), and Meta-Rule of Law (DER2016-78108-P, Spain). Views expressed herein are not necessarily representative of the views held by the funders.