Navigating third-party risk: Disclosure laws are here and proliferating in 2024
The world of third-party risk is heating up significantly with the proliferation of laws requiring public reporting of information relating to the environmental and human-rights impacts. These laws frequently require companies to obtain information from their third-parties and/or suppliers.
It’s more crucial than ever to focus your third-party program appropriately so you have the information you need. Here is a handy guide of top laws to keep your eyes on:
Modern slavery reporting laws
In 2015, the UK created its Modern Slavery Act requiring companies meeting the law’s threshold to publish a statement on their website describing the company’s efforts to prevent, detect, and eradicate modern slavery from its activities and supply chain.
Similar laws now exist in California, specifically, the California Transparency in Supply Chain Act, as well as in Australia.
Canada is the most recent entry into the mix. It’s disclosure law came into force recently, with the first companies due to publish their statements in May this year. The Canadian law has the most teeth of any we’ve seen so far, with violators able to be fined up to $250,000 CAD.
Check requirements carefully, as many of these laws are extraterritorial. It doesn’t matter if you’re headquartered in the country or state for many modern slavery disclosure laws. It’s all about turnover numbers and sales in-country.
The European Corporate Sustainability Reporting Directive (CSRD)
The current landscape is dominated by the European Union’s Corporate Sustainability Reporting Directive, or CSRD.
CSRD requires in-scope firms to report about activities meeting a double-materiality standard. That is, companies of a certain size must disclose activities and risks from and to the environment, including human rights, and those that would affect the financial future of the company.
The first in-scope companies will report in 2025 on their activities from 2024. CSRD requires companies to gather information from their supply chain to properly perform their risk assessments and strategy creation. This means that many companies that are outside of the scope of CSRD reporting themselves will need to provide information to their customers, which will significantly broaden its reach.
It’s also important to note that CSRD has extra-territorial reach. If your company reaches certain financial thresholds for products or services sold into the EU, you may end up with a reporting requirement despite not being headquartered in the EU.
Corporate Sustainability Due Diligence Act
There’s never a dull day when it comes to the Corporate Sustainability Due Diligence Directive, frequently known as the CSDDD.
This piece of legislation has been on a serious rollercoaster. Two of the three European bodies agreed to language of the law in December 2023, much sooner than had been expected. Everyone thought it would be smooth sailing, with the law in place before June.
But then, at the end of February, Germany brought down the hammer. Sources said that Germany was concerned about the burden the reporting standard would put on smaller and medium-sized businesses. This concern was compounded because Germany already has a similar disclosure law in the German Supply Chain Act.
Headlines came out describing the CSDDD as dead. But then, in mid-March, Germany negotiated a deal that brought the CSDDD back to life. The law is somewhat watered down and the timeline for implementation is longer, but the law is highly likely to come into force when the third of the three European bodies votes on the agreed-upon language of the directive.
The law requires organizations to report on its activities that may cause environmental and human rights risks, including in the supply chain. The law has many prescriptive due diligence activities that will need to be reported on.
Additionally, the law includes legal liability for damages to private individuals if negligence in due diligence caused harm that would have been prevented if due diligence was properly completed.
The most notable factor is the penalties, which are up to 5% of net worldwide turnover for violations.
SEC climate disclosures
After many months of waiting, the Securities and Exchange Commission, (SEC) finally announced its climate disclosure rules.
Companies regulated by the SEC will have major obligations to manage climate risk and to publicize how they’re doing so. Certain companies will need to disclose their greenhouse gas (GHG) emissions within the next two years, and all companies regulated by the SEC will have to disclose things like how the board of directors is overseeing climate-related risks.
They will also need to disclose the process the company is using to identify, assess and manage material climate-related risks, among other things.
Of course, the lawsuits began immediately. Many are based on the idea that Congress has not authorized the SEC to regulate climate disclosures, and investor concerns over the climate is not within the SEC’s remit. It remains to be seen what the final outcome will be, but in-scope companies should start planning now for disclosures.
California climate disclosures
Lastly, two different California laws relating to climate disclosures are caught up in court. A lawsuit filed January 30, 2024, is challenging two new California climate disclosure and financial reporting laws, Senate Bills 253 and SB 261, for unconstitutionally requiring disclosure by qualifying public and privately-held businesses of GHG emissions and climate-related risks throughout their value chain.
The laws are meant to go into effect in 2026.
What to do now
While there is much to be done because of all of the new reporting requirements, these laws are, in many ways, excellent news for compliance officers.
As due diligence is becoming so multi-faceted, compliance officers should talk to the other areas of the company that are likely performing due diligence to expand the budget and streamline the company’s due diligence questionnaires. Make the process simpler wherever possible. IT, finance and procurement are great places to start to pool money.
While it is challenging to keep up-to-date on everything, it is also valuable to do so. Reporting requirements and disclosure laws are proliferating and likely to continue to do so. The more prepared you are now, the better.
