UK Businesses: the role of Integrity Due Diligence in EU sustainability compliance

Even post-Brexit, the EU's Corporate Sustainability Due Diligence Directive (CS3D) impacts UK businesses which have significant EU ties, enforcing stricter compliance around human rights and environmental sustainability. In this article we explore how Integrity Due Diligence will play a crucial role in compliance with the new legislation, and outline practical steps that UK companies can take to reduce their risk.

CS3D's reach into the UK, and why it matters:


CS3D applies to EU companies with more than 1,000 employees and a net worldwide turnover exceeding €450 million, as well as non-EU companies generating more than €450 million in turnover from the EU, wherever their parent companies are headquartered. This includes the UK subsidiaries of multinational groups headquartered outside the EU, where the wider group’s European operations meet this threshold. Numerous businesses in the UK which superficially appear unaffected by the new legislation may consequently be covered. Non-compliance with CS3D legislation can result in hefty fines of up to 5% of group turnover, so it is crucial for multinational companies to take the risk seriously and prioritise compliance to avoid potentially expensive consequences.

The value of addressing CS3D’s standards even if not covered currently:


As more companies adopt CS3D standards, the landscape of best practice compliance will likely shift, meaning even those companies which are not covered by the new rules may be subject to reputational damage and criticism if it can be shown they are implementing lower standards than their peers. The UK’s proposed Commercial Organisations & Public Authorities Duty (Human Rights and Environment) Bill also signals a move towards similar regulations in the UK, with other jurisdictions also increasingly prioritising this area of legislation.

The trajectory is clear, and businesses will benefit from considering whether adopting these new standards earlier rather than later may serve them better in the longer term. Indeed, aside from the mitigation of regulatory risks, the benefits of raising standards to proactively comply with CS3D include: strengthening supply chains, enhancing reputation, achieving sustainable growth, and attracting ESG-conscious investors and partners.

Why Integrity Due Diligence matters for CS3D:


Integrity Due Diligence (IDD) comprises the gathering of public record and market data to understand the potential risks and opportunities presented by a third party, and goes into more depth than Know Your Customer (KYC) checks. Most large UK companies will already be familiar with KYC/IDD requirements under existing legislation like the Sanctions & Money Laundering Act 2018, the Bribery Act 2010, and the Modern Slavery Act 2015, each of which makes businesses responsible for identifying and preventing possible breaches of these acts. However, CS3D seeks to significantly expand the scope of concerns and to ensure that companies are responsible for identifying and addressing the human rights and environmental impact of their actions, both inside and outside Europe. Businesses will be made truly accountable for such risks throughout their global value chains, necessitating a much broader and deeper approach to evaluating the risks in these chains.

To comply with the CS3D, draft guidance calls for companies to implement a structured due diligence process designed to identify, prevent, mitigate, and account for actual and potential adverse human rights and environmental impacts in their operations and wider extended enterprise. As multinational companies should already be undertaking some level of IDD to meet their legal responsibilities around bribery, corruption, slavery, and financial crime risks, adapting their current processes to cover these new risks in an appropriate level of detail represents a logical next step in strengthening their compliance posture.

Key features for IDD under the CS3D:
 

  • Leverage existing processes: some multinationals may already have mature and established IDD processes in place. Instead of building a new supply-side focused IDD tool from scratch, these companies should revisit their existing processes and identify any gaps where IDD for third parties is required under the new CS3D, to ensure a more robust, future-proofed and cost-effective solution.
  • A risk-flexible approach to IDD: rather than defining one single IDD process, companies should triage suppliers by inherent risk (such as jurisdiction of origin for items supplied, spend level, or dependence on the supplier for ongoing operations), with the level of IDD conducted then proportionate to the level of risk presented. Most businesses benefit from having at least three levels of IDD, with the most rigorous level undertaken for higher-risk suppliers and those rated lower-risk receiving only high-level checks. The inclusion of a solution that is able to monitor your third parties for sanctions and adverse media risk is also high on the list for many clients.
  • Ensuring global consistency: Managing consistency in IDD processes across different regions can be challenging, especially for multinational firms. A centralized approach should be adopted to establish core IDD standards and frameworks for the entire organization. However, regional teams must also have the flexibility to adapt these standards to align with specific local regulations and cultural contexts. This collaborative approach ensures both global consistency in due diligence efforts and the agility to navigate local complexities effectively.
  • Going beyond public data: While digital tools and databases provide valuable information, they may not uncover nuanced local risks. Utilising expert human sources in the relevant market can bring insights that go beyond public records, especially in regions with limited transparency. This approach can uncover issues like political connections, hidden ownership structures, or local environmental concerns that could pose risks under CS3D.
  • Clearly defined risk scoring and next steps: Gathering data serves no purpose without a clear framework for evaluating that data. Any approach to IDD should be designed with clear processes around what type of findings will not be considered acceptable, and the steps for escalating those findings for full consideration (for example, by ESG experts, risk specialists or lawyers).
  • Monitoring effectiveness: Companies should build any IDD compliance programme so that risk elements can be analysed across the third party population, with processes in place to monitor how effective the programme is at identifying and mitigating risks and to implement changes to improve performance where needed.

Note that the European Commission is expected to unveil the new Omnibus Regulation at the end of February 2025, to streamline a number of regulations including CS3D. While the aim of the new package is to reduce burdens on businesses, pressure will still be mounting on companies to meet the new compliance expectations.

Turning compliance into an opportunity:


Implementing a thoughtful, risk-based IDD approach not only supports compliance with CS3D but also strengthens supply chains and enhances a company’s market reputation. Proactive IDD can also attract ESG-conscious investors and foster trust with customers, turning regulatory compliance into a competitive advantage.

For more information on how Deloitte can support you with building and running a modern IDD compliance framework, please contact Jorge Rivera (jorrivera@deloitte.co.uk) or Yiyun Ding (yiyunding@deloitte.co.uk) in our Corporate Intelligence Services team.
