Oversight of third-party vendors will soon take on a new human rights twist for many local and foreign financial firms doing business in the European Union thanks to the new Corporate Sustainability Due Diligence Directive.
The European legislation, otherwise called CS3D, forces firms to impose a moral code of conduct on their direct and indirect business partners. Performing efficiently won't be enough. A firm must ensure that it and its suppliers — even those far beyond its local borders — do not harm human rights, biodiversity, or the environment. “Ultimately, the European Commission wants local and non-local firms operating in the EU to care about the well-being of the workers in the companies which help them produce and then use their goods and services,” says Nicolas Lockhart, a partner at the law firm of Sidley Austin in Geneva. “Firms must also care about the broader environmental impact of producing their goods and services.”
The new regulatory requirement means that risk, compliance, and procurement managers at financial firms and others in the EU must incorporate the potential for human and environmental rights infringements by their suppliers into operational risk metrics. “Financial firms can no longer think only about market risk, credit risk, IT risk or operational risk due to acts of nature and human error,” says Rupert Brown, chief technology officer for Evidology Systems, a London-based regulatory compliance technology firm. Operational risk increases if workers become unavailable to perform important functions. Governments might target individuals or groups of individuals. In addition, a firm may also be forced to end its relationship with a supplier if the latter cannot meet its human rights obligations under the CS3D.
Although analyzing and mitigating climate change is a critical requirement of the CS3D, the human rights element appears to be causing more angst for C-level executives. Some compliance and risk managers at US banks operating in Europe tell FinOps Report that conducting due diligence for human rights violations throughout a supply chain will be more difficult because human rights violations are subjective. “Unlike the case with climate change, a firm cannot quantify the level of risk or mitigation with human rights violations,” says one risk manager. “A regulator could more easily dispute the qualitative analysis.”
However, some legal experts counter that the concept of human rights as a “soft issue” is fallacious. “The term human rights is broad-reaching and the CS3D refers to international standards adopted by the United Nations Human Rights Conventions and other international labor organizations,” says Sally Alghazali, an attorney specializing in human rights and international trade law at Clark Hill in Washington, D.C. Human rights incorporate workplace rights, such as the right to enjoy just and favorable conditions, a fair living wage, safety and reasonable work hours, and the prohibition of forced and child labor. Human rights also include the freedom of association, as well as the right to food, shelter and health services. “Even if only one person is harmed, it is a human rights violation,” says Alghazali.
Under the CS3D, the supply chain that must be monitored includes all firms in the upstream and downstream activities. The upstream supply chain refers to any firm helping a company manufacture its products and services. In the case of a financial firm, upstream suppliers could include telephone and office supply companies, disaster recovery facilities, cybersecurity providers, call centers, data storage providers and IT software developers. Suppliers for downstream activities include companies which transport and store products and services.
“The CS3D does not differentiate between a direct and an indirect business partner in terms of the nature of due diligence that is required,” explains Tim Baines, partner with the law firm of Mayer Brown in London specializing in ESG regulations. A direct supplier would have a contract with the firm in-scope, while an indirect supplier would have a contract with the supplier.
The CS3D does not specify how far along the chain of suppliers a firm must go to perform due diligence review on indirect suppliers. As a result, the number of companies subject to due diligence could range from several dozen to several hundred. The saving grace for financial firms is that their implementation of the CS3D will be limited to upstream activities. “Financial firms won’t be accountable under the CS3D for due diligence obligations on suppliers for downstream activities,” says Alghazali. “The requirement was explicitly excluded by the European Commission following opposition from interested parties and EU member states.”
When it comes to compliance, effort is what matters. “A firm will not be fined if a human rights violation is committed by a supplier as long as the firm can document it performed adequate due diligence,” says Lockhart, who specializes in EU and international ESG law. However, a firm can be fined if it fails to take steps to prevent a supplier from continuing to commit a human rights violation after it discovers the violation is likely occurring.
A firm which violates the CS3D could be fined as much as five percent of its total worldwide revenues for the year preceding the one in which the fine is imposed. For an EU or non-EU parent firm, the penalty could be substantial because it is based on the consolidated revenues of its subsidiaries. An EU-domiciled firm could be fined by multiple regulators — one in each country in which it does business. A non-EU domiciled firm operating in multiple countries would be fined by only a single regulator, based in the country in which most of its EU revenues are generated, says Lockhart. The CS3D also allows firms in scope to be subject to civil litigation by individuals or groups of individuals in a European court. Some human rights attorneys predict a tsunami of lawsuits from injured parties seeking damages.
Each EU member country must implement the CS3D into local law by July 2026 and must communicate the relevant texts of the laws to the EC by July 2025. Deadlines to comply with the CS3D range from over three to five years from July 2024, depending on annual revenues and the number of employees for two consecutive years. However, firms need to start preparing for the CS3D now for two key reasons. “It will take time to set up a compliance framework for the CS3D and other countries are considering similar supply chain requirements,” says Alghazali. These countries include the US, Canada, Mexico, the United Kingdom and Australia.
There is no equivalent to the CS3D in US federal law, although the Uyghur Forced Labor Prevention Act comes close with the high level of due diligence required to comply with human rights requirements in the supply chain. It remains to be seen how local European regulators will transpose the CS3D’s harmonized framework of requirements into their respective countries’ laws when it comes to the amount of due diligence and monitoring required. Regulators must address the overlap with existing local employment and other laws.
France and Germany have implemented laws similar to the CS3D, but European legal experts say the CS3D has stricter due diligence requirements for suppliers, lower thresholds for applicability, and higher penalties for violations. Firms which already follow Germany’s LkSG are likely to have a head start over their peers in preparing for the CS3D, because of the greater overlap in requirements.
Although the UK will not adopt the CS3D, UK firms doing business on the continent must abide by its provisions if they exceed the regulatory thresholds. The UK’s Modern Slavery Act of 2015 appears to have less bite than the CS3D. Firms doing business in the UK with annual revenues of at least GBP36 million in the country only have to explain in an online registry how they are mitigating the potential for human trafficking and slave labor in their supply chain. “Unlike the CS3D, the UK’s Modern Slavery Act does not require firms to actually perform due diligence on suppliers,” says Brigitte Weaver, an attorney with Katten Muchin Rosenman in London, specializing in EU employment law. “Firms only have to report on what actions they have or have not taken.”
Ultimately, EU-based companies with at least 1,000 employees and over €450 million in total worldwide revenues must comply with the CS3D. Firms with more than 5,000 employees and over €1.5 trillion in global revenue will have a three-year grace period from July 2024, while those with over 3,000 employees and over €900 million in global revenues will have a four-year grace period. For non-EU based companies, the deadlines for implementing the CS3D are based only on annual revenues generated within the EU. Non-EU companies with more than €1.5 billion in revenues within the EU must get ready by July 2027, while those with more than €900 million in EU-based revenues must be ready by July 2028, and those with more than €450 million and less than €900 million by July 2029.
Banks aren’t the only type of financial firms which will have to deal with the CS3D. Individual funds aren’t in scope, but fund management firms which actively manage underlying funds are affected. Parent firms which only own shares in a subsidiary could end up exempt under certain circumstances. Large bank-owned fund administrators and custodian banks which safekeep institutional fund assets in Europe could fall under the CS3D’s requirements in two ways. They could be required to perform due diligence on others and they could be the subject of due diligence as members of a financial firm’s supply chain. Legal experts caution that even European securities depositories and clearinghouses which process securities transactions might be in scope.
The largest global and EU-domiciled banks could have human rights specialists in a centralized environmental, social and governance (ESG) team within their legal, risk or compliance departments. Small to mid-sized banks and fund managers might not be as well versed. Ideally, the procurement or legal department of a financial firm will have a single list of all direct suppliers. If not, each business line will have to provide its own list. A firm’s direct suppliers will have to be questioned about their suppliers.
In-scope firms must set up a telephone hotline in Europe to take calls from employees and other whistleblowers reporting potential human rights violations. They must also designate a single individual as point of contact for regulators. The assigned individual must be based in Europe even if the parent firm of the EU-domiciled entity is located outside the continent. Whistleblowers located within the EU would be protected under the EU’s whistleblower regulation while those outside the EU might not.
Although the requirements for performing due diligence under the CS3D could vary depending on each EU member country’s interpretation, the differences will hopefully be minimal. Therefore, making the maximum effort to fulfill due diligence is the best option, say legal experts. Self-attestation from suppliers will likely not be enough for regulators, and there are no sources of data from commercial third-party providers on human rights violations committed by companies. “Firms could forward questionnaires to suppliers and do more research from public news sources about government regulations on human rights in the country in which the supplier is located, research about the particular supplier’s track record, and research about the track record of its industry sector,” recommends Sidley Austin’s Lockhart.
Mayer Brown’s Baines suggests that, because of the potential large number of suppliers which must be scrutinized, firms prioritize their due diligence efforts based on the severity and likelihood of the potential impact of human rights violations. “Purchasing IT equipment which originates from a jurisdiction where there are known instances of forced labor will merit much more scrutiny than procuring IT consultancy services from an entity whose employees are based in Europe,” he says.
The due diligence work for the CS3D would likely be handled by compliance and procurement departments, or they could outsource the task to external auditors. “Regardless of who completes the due diligence work, the findings would likely make their way to a financial firm’s risk department which would then analyze the potential for human rights violations,” says Brown. Outsourcing the due diligence work won’t absolve the financial firm in scope for the CS3D from regulatory penalties if the analysis isn’t thorough enough.
Risk managers might decide to do their analysis the old-fashioned way: through spreadsheets. “We will grade the importance of the supplier to the firm and the potential for a human rights violation using high, medium and low grades,” one risk manager at a US-headquartered global bank tells FinOps Report. Using new technology solutions, installed by IT managers, is also an option. Evidology’s QED platform, for one, allows financial firms and others to determine the risk of human rights violations for a particular supplier using an “argumentation-based” modeling of CS3D supply chains. Each supplier becomes part of a tree of interdependent suppliers and is designated one of three risk levels: high, medium, and low.
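The prioritization Baines describes (severity and likelihood of the potential impact) and the high/medium/low grading of a tree of interdependent suppliers that the risk manager and the QED description mention can be sketched as a small model. The following is an added example written for this page; it is not code from FinOps Report, Evidology or any firm quoted. The supplier names and grades are constructed, and the 1-to-9 severity-times-likelihood score, the rule that a supplier inherits the worst score in its upstream chain, and the tier cut-offs are assumptions of the example rather than anything the directive prescribes.

```python
"""Supplier-tree risk prioritisation for CS3D-style due diligence (constructed example).

Each supplier carries high/medium/low grades for the severity of a potential human
rights impact, its likelihood, and the supplier's importance to the firm. A supplier's
chain score is the worst score anywhere in its upstream tree, so a low-risk direct
supplier that sources from a high-risk indirect supplier is reviewed first.
"""
from dataclasses import dataclass, field

# Ordinal grades matching the three-level grading described in the article.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Supplier:
    name: str
    severity: str      # severity of the potential human rights impact
    likelihood: str    # likelihood, e.g. driven by jurisdiction or sector track record
    importance: str    # how critical the supplier is to the firm's operations
    upstream: list = field(default_factory=list)  # this supplier's own (indirect) suppliers


def own_score(s: Supplier) -> int:
    """Severity x likelihood on a 1..9 scale (assumed scoring, not from the directive)."""
    return LEVEL[s.severity] * LEVEL[s.likelihood]


def chain_score(s: Supplier) -> int:
    """Worst score in the subtree rooted at s: inherited upstream risk."""
    return max([own_score(s)] + [chain_score(c) for c in s.upstream])


def tier(score: int) -> str:
    """Map a 1..9 score back onto the three-level grading (assumed cut-offs)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(direct_suppliers: list) -> list:
    """Flatten the tree and order every supplier, direct and indirect, for review.

    Sort key: inherited chain score (desc), then importance to the firm (desc),
    then name, so the ordering is stable and reviewable.
    """
    rows = []

    def walk(s: Supplier, depth: int) -> None:
        score = chain_score(s)
        rows.append({"name": s.name, "depth": depth, "own": own_score(s),
                     "chain": score, "tier": tier(score), "importance": s.importance})
        for c in s.upstream:
            walk(c, depth + 1)

    for d in direct_suppliers:
        walk(d, 1)
    rows.sort(key=lambda r: (-r["chain"], -LEVEL[r["importance"]], r["name"]))
    return rows


def path_to(direct_suppliers: list, target: str) -> list:
    """Return the contract chain from a direct supplier down to `target`.

    The first element is the direct supplier the firm actually holds a contract
    with, i.e. the relationship through which any engagement has to run.
    """
    def search(s: Supplier, trail: list):
        trail = trail + [s.name]
        if s.name == target:
            return trail
        for c in s.upstream:
            found = search(c, trail)
            if found:
                return found
        return None

    for d in direct_suppliers:
        found = search(d, [])
        if found:
            return found
    return []


def sample_tree() -> list:
    """Constructed sample supply chain for a financial firm; no real companies."""
    component_maker = Supplier("Component manufacturer", "high", "high", "medium")
    return [
        Supplier("IT consultancy", "medium", "low", "medium"),
        Supplier("Hardware reseller", "high", "low", "high", upstream=[component_maker]),
        Supplier("Call center", "medium", "medium", "medium"),
    ]


if __name__ == "__main__":
    for r in prioritize(sample_tree()):
        indent = "  " * (r["depth"] - 1)
        print(f"{indent}{r['name']}: own={r['own']} chain={r['chain']} -> {r['tier']}")
    print("engage via:", " -> ".join(path_to(sample_tree(), "Component manufacturer")))
```

In the constructed tree the hardware reseller scores only medium on its own grades but inherits a high chain score from its component manufacturer, so both land at the top of the review queue; `path_to` shows that the reseller's contract is the lever through which the firm can engage with the indirect supplier.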
Once a firm performs due diligence and calculates the potential for human rights violations along its supply chain, its legal department could take the next step. The CS3D calls for firms in scope to “engage” with a supplier to reduce potential human rights violations or remediate an existing one. The CS3D doesn’t define the term “engage” but a firm’s legal department could recommend either contractual changes to the relationship or terminating the relationship. Based on the CS3D’s requirement for all parties in the supply chain of activity to comply with its terms, it stands to reason that a financial firm could force a direct supplier to end its relationship with another firm, or indirect supplier, by threatening to lose the financial firm’s business.
As the typical point of contact, a procurement manager will likely have to explain the CS3D’s new obligations to affected suppliers and potential new suppliers. Those who don’t agree to fulfill the directive’s requirements won’t be hired. A firm’s legal department will likely handle the end of any business relationship with an existing supplier. Terminating a partnership is the last resort, as firms will likely want to negotiate as much as they can with a vendor to avoid the costs of finding another supplier or taking the activity in-house.
Meeting the EU’s new mandated moral code won’t come cheap. Industry talk is that initial compliance costs for the CS3D could easily amount to over €1 million for doing due diligence work, rewording legal contracts, installing new technology, and training in-house staff and external suppliers. There will also be ongoing costs for monitoring suppliers.
While C-level executives at financial firms might cringe thinking about how the CS3D will affect their fees and bottom lines, legal experts warn that taking such an attitude is counterproductive. “Compliance directors need to care about human rights because they must be prepared to ask the tough questions for due diligence and deal with any unpleasant responses,” asserts Katten’s Weaver. “Compliance with the CS3D can’t be a check-the-box exercise.”