ESG (Environmental, Social and Governance) has become an increasingly pivotal area of consideration for organizations in recent years. Almost all large companies are expected to meet reporting and audit requirements set by investors, boards of directors, and increasingly by governments. The goal of managing ESG initiatives is for public companies to ensure their long-term sustainability. Accordingly, ESG topics can include:
Climate change and sustainability (E)
Social justice, pay equity, and worker protections (S)
Good governance, anti-bribery and corruption, and diversity – both in the workforce and at the Board of Directors level (G)
Management of ESG goes hand-in-hand with risk and compliance. Proper oversight of ESG requires expertise in third-party risk management and compliance with associated regulations. Companies’ ESG responsibilities and management of third-party risk heavily intersect due to the complexity of modern-day supply chains. This post examines ESG compliance regarding third-party risk, covers current compliance standards, as well as major legislation currently under consideration.
ESG compliance requires organizations to adhere to specific environmental, social, and governance standards set by regulations and legislation. It involves the adoption of sustainable, ethical, and responsible practices, including the reporting of ESG activities, effective third-party risk management, and aligning business operations with ESG values. This ensures companies address their environmental impact, uphold social justice, practice good governance, and secure their long-term sustainability.
Why does ESG compliance matter for third-party risk management (TPRM)? ESG compliance requirements aim to address risks that arise in third parties and their extended supply chains. Public companies often have a legal responsibility to consider the ESG practices of their third parties and extended supply chains. They also need information to evaluate risks stemming from non-compliance with core ESG regulations.
Most ESG compliance requirements mandate reporting rather than direct action to address ESG concerns. However, a new German law and a draft European Union (EU) directive are quickly reshaping the landscape (see below for more). In addition, many ESG compliance requirements currently focus on investment and financial institutions, which are often the first industries to face new categories of regulation.
ESG compliance requirements can largely be broken down into four categories:
Requirements for organizations to disclose ESG performance and practices
Requirements for investors to consider ESG as part of their investment planning
Specific laws that touch on parts of ESG but are not focused on ESG themselves
Requirements for organizations to audit and manage their business practices and supply chains
International regulators, particularly in the EU, are becoming increasingly concerned with ESG. Established laws such as the U.S. Foreign Corrupt Practices Act (FCPA) and UK Bribery Act deal with elements of ESG, but governments are now directly legislating requirements that encompass large swaths of ESG, from creating mandatory reporting requirements to actively ensuring corporations incorporate ESG into core decision making.
The Fighting Against Forced Labour and Child Labour in Supply Chains Act, also known as S-211, is a law that requires Canadian government institutions and select private sector entities to “report on the measures taken to prevent and reduce the risk that forced labour or child labour is used by them or in their supply chains.” The Act also provides for an inspection regime to enforce its provisions. As with the UK Modern Slavery Act, the Australian Modern Slavery Act, and similar laws, the Act aims to contribute to the global fight against forced labour, child labour and other forms of modern slavery.
The Modern Slavery Act of 2015 is a UK law focused on preventing human trafficking, modern slavery, and forced labor in UK supply chains. Organizations are required to annually communicate their practices to ensure that forced labor and other forms of involuntary servitude are not taking place in their businesses or supply chains. The "Transparency in Supply Chains" section of the Act (Part 6, Section 54) defines what information organizations are required to disclose:
the organization’s structure, its business and its supply chains;
its policies in relation to slavery and human trafficking;
its due diligence processes in relation to slavery and human trafficking in its business and supply chains;
the parts of its business and supply chains where there is a risk of slavery and human trafficking taking place, and the steps it has taken to assess and manage that risk;
its effectiveness in ensuring that slavery and human trafficking is not taking place in its business or supply chains, measured against such performance indicators as it considers appropriate;
the training about slavery and human trafficking available to its staff.
The Non-Financial Reporting Directive (NFRD, Directive 2014/95/EU) was adopted in 2014, with the first reports due in 2018, and creates a set of reporting requirements for large EU organizations. Under NFRD, entities are required to provide regular updates regarding their ESG practices across multiple domains. Companies are allowed to choose the framework or standards they report against based on industry fit. Large public-interest entities with more than 500 employees operating in the EU are required to disclose their records on:
environmental matters
social matters and treatment of employees
respect for human rights
anti-corruption and bribery
diversity on company boards (in terms of age, gender, educational and professional background)
In April of 2021, the EU released a draft directive known as the Corporate Sustainability Reporting Directive (CSRD). CSRD represents a substantial amendment to NFRD and is designed to increase both the scope and requirements of large EU companies. If adopted, CSRD would:
Expand the scope to all large companies in the EU and all companies listed on EU markets (with the exception of certain narrowly defined micro-companies)
Mandate that organizations produce their ESG reports based on specific standards enacted by the EU
Mandate an audit of reported information
Require that companies produce the information in a format that is machine-readable and can feed into the EU’s capital markets union action plan
The California Transparency in Supply Chains Act was one of the first laws created to enable consumers to hold companies responsible for modern slavery and human trafficking in their supply chains. In effect since January 1, 2012, the Act requires that companies meeting the following criteria post annual, public disclosures on the steps they take to combat forced labor in their supply chains:
Companies which identify themselves as a retailer or manufacturer on their tax returns AND
Meet the legal definition of doing business in California AND
Have annual worldwide gross receipts exceeding $100,000,000
Under the Act, companies are required to provide regular disclosures about their efforts to prevent modern slavery in five key areas:
1. Verification: The organization engages in the verification of supply chains to verify that human trafficking and modern slavery aren’t present.
2. Audits: Whether the organization audits its suppliers (including fourth and Nth parties in the extended supply chain) to ensure compliance with organizational standards for supply chain transparency and governance, and whether those audits are independent and unannounced.
3. Certification: Whether the organization requires its direct suppliers to certify that the materials incorporated into its products comply with the laws regarding slavery and human trafficking of the countries in which those suppliers do business.
4. Internal Accountability: That the organization maintains and enforces internal controls to ensure that employees and contractors meet company standards for avoiding modern slavery in the supply chain.
5. Training: That the organization provides supply chain & management personnel with training on avoiding human trafficking, forced labor, and modern slavery in the organizational supply chain.
The Sustainable Finance Disclosure Regulation went into effect in March of 2021 and is aimed at creating more transparency around ESG for financial organizations. SFDR applies to insurance, investment, banking, and other financial firms operating within the EU.
Financial entities are required to provide detailed disclosures, presented in the format set out in the regulation, on how they consider and mitigate the adverse impacts their investments may have on the environment or on society more broadly. SFDR aims to:
Standardize ESG reporting across EU financial institutions
Improve transparency and accountability for sustainability claims made by financial institutions
Enable investors and clients to make informed, like-for-like comparisons of the sustainability claims of different financial institutions
By contrast, CSRD is not limited to financial firms. Under the proposal, a company is in scope if it is a large undertaking meeting 2 of the following 3 criteria:
>250 employees
>€40M in annual turnover
>€20M in total assets
Or
A company listed on an EU regulated market (except for micro-undertakings, defined in the EU Accounting Directive by very low employee, turnover, and balance-sheet thresholds)
Organizations can suffer enormous reputational damage, in addition to fines and liability, when forced labor is found in the supply chain. It is critical that third-party risk management professionals ensure visibility throughout the supply chain. TPRM programs should not only consider direct third parties, but also carefully examine fourth and Nth party vendors in the extended supply chain.
The Foreign Corrupt Practices Act relates directly to corporate governance and poses significant penalties for organizations that attempt to bribe foreign officials. FCPA prohibits organizations from bribing or otherwise unduly influencing foreign officials or candidates for office in order to gain or retain business. FCPA applies to a company's officers, directors, employees, agents, and stockholders acting on its behalf, and can extend to actions almost anywhere in the world.
Violating FCPA can result in individual criminal liability with up to 5 years in prison for individuals found guilty, and up to $2,000,000 in fines per violation for corporations.
Companies that do business in the UK need to ensure their policies, systems, and training and development programs are in compliance with the Bribery Act of 2010. The Bribery Act applies to all companies that do business in the UK, regardless of the country where the bribery activity takes place.
The act contains four types of offenses:
1) Offering or giving a bribe to another person.
2) Being bribed by another person.
3) Bribing a foreign public official.
4) A corporation failing to prevent bribery by associated persons.
The penalties for violating this act can be serious. For individuals, 10 years imprisonment and/or a fine is the maximum penalty. For corporate offenses, the maximum penalty is an unlimited fine. Corporate offenses can also entail other serious consequences including debarment from contracts, disqualification of company directors, and asset confiscation.
Anti-bribery and anti-corruption (ABAC) compliance shouldn’t be anything new to third-party risk management departments. However, many organizations only consider ABAC compliance when onboarding new vendors, without monitoring the risk throughout the lifecycle of the contract. Consider using a third-party risk management platform that enables continuous ABAC monitoring across the vendor lifecycle.
The Dodd-Frank Act was enacted to increase oversight of the financial industry after the 2008 U.S. financial crash. Section 1502 of the Dodd-Frank Act mandates that SEC-reporting companies disclose their use of conflict minerals: tin, tantalum, tungsten, and gold (often abbreviated 3TG).
Under the law, if conflict minerals are “necessary to the functionality or production of a product”, companies must be transparent about their use. These minerals are often mined in conflict zones, and their trade is linked to armed conflict in the Democratic Republic of the Congo and adjoining countries.
Companies that profit from these minerals have a responsibility to investigate their supply chains, identify risks regarding conflict minerals, and report their findings and efforts to the SEC (U.S. Securities and Exchange Commission). There are two criteria a company must meet for the rule to apply: 1) it files reports with the SEC under the Securities Exchange Act, and 2) the minerals are “necessary to the functionality or production of a product,” whether the products are manufactured directly by the company or under contract by a third party.
If a company meets both criteria, it must conduct a Reasonable Country of Origin Inquiry covering its vendors and suppliers of these minerals, establish a due diligence process, obtain an independent private sector audit (IPSA) where the rule requires one, and file a report with the SEC. Although assessing the source of minerals is outside the scope of most companies’ main operations, failing to do so entails reputational, operational, and financial risks.
Taking effect on January 1, 2023, the German Supply Chain Due Diligence Act aims to better protect international human rights and the environment. The act is one of many recent laws aiming to eliminate forced labor on a global scale and improve working conditions within supply chains. It focuses specifically on protection from modern slavery, forced labor, and child labor. It also aims to protect workers from dangerous working conditions, including harm caused by pollutants, exposure to toxic chemicals, and unsafe disposal of hazardous waste.
Along with the European Corporate Due Diligence Draft Directive, the German Supply Chain Due Diligence Act represents a significant shift in how governments approach ESG compliance. Reporting requirements are rapidly being superseded by laws that place a significant burden on organizations to both monitor for and eliminate worker and environmental abuse in their supply chains.
ESG risk management is a major component of the requirements under the Supply Chain Due Diligence Act. Under the act, companies are obligated to conduct rigorous assessments to ensure due diligence regarding human rights and environmental standards. The first step under the act is analyzing and assessing risks within supply chains. This analysis must be conducted at least once per year, and again whenever the company expects its risk situation to change significantly, for example when it launches a new product or enters a new business field. Risk areas specified in the act include the following:
Environmental Damage
Minimum Wage
Child labor and forced labor
Unlawful seizure of land and waters
Torture
Discrimination
Freedom of association
Problematic employment and working conditions
Occupational health and safety
Starting in January 2023, companies with activities in Germany that have more than 3,000 employees are covered by the German Supply Chain Due Diligence Act; the threshold falls to 1,000 employees from January 2024. Covered companies must update their supply chain due diligence processes and align their activities with the stipulations of the act. Ensuring compliance is crucial for ESG due diligence.
On February 23, 2022, the EU released draft legislation, the proposed Corporate Sustainability Due Diligence Directive, aimed at bringing transparency and ESG accountability into EU supply chains. If adopted as currently written, the European Corporate Due Diligence Directive would constitute one of the most sweeping ESG regulations to date and would affect ESG throughout the supply chain. Organizations would be required to:
Integrate due diligence into policies
Identify actual or potential adverse human rights and environmental impacts
Prevent or mitigate potential impacts
Bring to an end or minimize actual impacts
Establish and maintain a complaints procedure
Monitor the effectiveness of the due diligence policy and measures
Publicly communicate on due diligence.
EU member states would be required to establish civil liability and financial penalties for companies that fail to comply, and victims would be granted a private right of action against organizations for harms that could have been avoided with appropriate due diligence measures.
Additionally, the draft directive requires that companies with more than 500 employees and in excess of 150 million euros of revenue per year “need to have a plan to ensure that their business strategy is compatible with limiting global warming to 1.5 °C in line with the Paris Agreement.”
The European Corporate Due Diligence Draft Directive, if enacted as written, together with the German Supply Chain Due Diligence Act, will create sweeping change for entities operating within the EU. Affected organizations will need to perform a thorough review of their current supply chain and create documented processes for eliminating forced labor and environmental degradation throughout the extended supply chain. We expect that the European Corporate Due Diligence Directive will solidify ESG as a major component of an effective TPRM compliance program.
Today, much ESG compliance is a voluntary activity, but this “soft law” is likely to quickly become “hard law” as government regulators in both the U.S. and the European Union move forward with new ESG regulations.
What started out as a way to discourage investing in companies that did not have an ESG focus has now evolved to positive momentum and greater investments flowing into companies that have high ESG measurements. These metrics have also made their way into executive briefings at annual company reporting events.
For large organizations, having a focused, dedicated approach to ESG is becoming a requirement. A good place to start is to look at ESG risks at every stage of your supplier relationships, and consider:
Using ESG criteria when making new vendor sourcing decisions
Identifying which ESG compliance requirements apply to your organization
Onboarding and tiering vendors based on their ESG scores to help dictate further diligence
Building a vendor profile that includes current ESG ratings and scores visible throughout the enterprise
Continually assessing and monitoring third parties against specific ESG requirements, using risk indicators such as supplier reputation, sanctions, geo-political exposure, financial governance, and transparency
Building regulatory-specific reporting against standards and requirements
Companies need to be proactive to effectively manage ESG risk. Ensuring that third-party risk management programs incorporate ESG risk management enables companies to position themselves well for the day when (not if) ESG regulations are implemented.
To learn how Prevalent can help you achieve your ESG compliance goals, request a demo today.