This post first appeared on the Climate Risk Disclosure Lab website. The Lab is a collaboration between the Global Financial Markets Center at Duke Law, Duke’s Nicholas Institute for Environmental Policy Solutions, and the National Whistleblower Center.
Building upon prior European Union (“EU”) disclosure initiatives including the 2010 Timber Regulation and the 2017 Conflict Minerals Regulation, the EU is on course to introduce a new regulation mandating the disclosure of corporate risks associated with climate, environmental, governance and human rights. The EU is proposing this due diligence and corporate accountability directive to increase public awareness about the actions – or inactions – companies are taking to address these risks.
Climate change poses significant systemic financial risks to world markets. Over the past decade, the demand for disclosure of climate-relevant financial risk information has increased from asset managers, securities issuers, lenders, credit rating agencies, insurance companies, index providers and stock exchanges that together control trillions of dollars of investments and financial products. Nearly all types of market participants use climate-related risks as a significant driver in decision-making, capital allocation, pricing, and value assessments.
On October 9, 2020, the EU took the next procedural step towards adopting their regulation, releasing a draft report and draft directive from the European Parliament Committee on Legislative Affairs. The draft report and draft directive contain policy recommendations that will form the basis of a formal proposal ultimately issued by the EU Commission.
The draft directive proposes a broad disclosure regime incorporating what are commonly referred to as environmental, social and governance (“ESG”) factors. Additionally, the draft directive requires businesses to undertake rigorous actions relating to publication, communication, stakeholder coordination as well as adopting grievance mechanisms open to all stakeholders.
A new global standard for corporate disclosure
If adopted, the EU directive will constitute the global standard for mandatory corporate ESG risk disclosures. Even though U.S. financial regulators have contemplated adopting an integrated ESG disclosure regime for almost fifty years, they have not yet acted. Policymakers, stakeholders, the Securities and Exchange Commission (“SEC”) Investor Advisory Committee and even SEC Commissioners have strongly urged U.S. regulators to take action, warning that by not acting other jurisdictions will impose their disclosure regimes on U.S. issuers. The proposed EU due diligence and disclosure rules will do just that.
Significant provisions of the draft directive that should be of interest to U.S. companies doing business in the EU are set forth below:
- The Directive applies to all U.S. companies conducting business in the EU.
Article 2 applies to (a) all business enterprises incorporated, domiciled, or established in the EU, as well as (b) non-EU enterprises doing business in the EU (e.g., selling goods or services). The Directive applies to all “undertakings” governed by a Member State, whether private or state-owned, and includes all economic sectors including the financial sector. The draft also encourages Member States to give preference to companies that comply with the directive.
- The scope of the mandatory corporate disclosures includes the environment, human rights and governance risks.
Article 3 defines the categories of risks to be disclosed and includes:
- Environmental risks, focusing on impacts “that may impair the right to a healthy environment,” including climate, the sustainable use of natural resources, and biodiversity and ecosystems. The draft specifically references risks involving “climate change, air and water pollution, deforestation, loss in biodiversity, and greenhouse emissions.”
- Governance risks, focusing on “the good governance of a country, region or territory,” which defined to encompass corruption and bribery, and situations in which a business “becomes improperly involved in local political activities, makes illegal campaign contributions or fails to comply with the applicable tax legislation.”
- Human rights risks, focusing on “potential or actual adverse impact that may impair the full enjoyment of human rights by individuals or groups of individuals in relation to internationally recognized human rights understood, at a minimum,” as those expressed in the International Bill of Human Rights, the United Nations human rights instruments and the ILO Declarations and Conventions.
- The Directive requires companies undertake risk assessments and establish strategies to address identified risks.
Article 4 requires companies to determine whether their business cause or contributes to environmental, human rights or governance risks, as well as substantial ongoing public disclosures. “Risk” is defined in Article 3 as a potential or actual adverse impact on individuals, a group and other organizations.
If a company concludes it does not cause or contribute to these risks, it must publish a statement along with the risk assessment to that effect. The company is obligated to identify and report any new risks that emerge in the future. Alternatively, where a company does identify risks, the company is obligated to establish a due diligence strategy that:
- describes the risks and the level of severity and urgency;
- publicly discloses “detailed, relevant and meaningful information” about its value chain, “including names, locations and other relevant information concerning subsidiaries, suppliers and business partners”;
- describes the policies and measures taken to cease, prevent or mitigate the identified risks;
- prioritizes multiple risks; and
- explains the methodology of the deployed strategy and certifying stakeholder consultation.
In addition to the above, companies must publicly disclose how their due diligence strategy relates to their business strategy, ensure that the environmental, governance and human rights policies of their business partners align with their due diligence strategy, and “regularly verify” that suppliers and subcontractors comply with their relevant obligations. The due diligence strategy must also be communicated to workers, business relationships and stakeholders (Article 6) and reviewed once a year (Article 8).
- Companies must establish grievance mechanisms allowing persons to voice concerns to the company concerning the existence of environmental, governance, and human rights risks.
Article 9 mandates that companies establish grievance mechanisms to permit persons to anonymously voice concerns regarding environmental, governance or human rights risks. Grievance mechanisms must be “legitimate, safe, equitable, transparent, rights compatible and adaptable” and “provide for timely and effective responses to stakeholders, both in instances of warnings and complaints and in instances of remediation.” While the grievance mechanism is akin to a whistleblower program, it does not provide a comparable substitute to the U.S. regime.
- Companies can incur liability and penalties for failure to comply with Directive.
Failure to meet the due diligence requirements can result in direct liability of the company and of any related business relationships. Under Article 14, EU members shall designate a governmental authority to oversee compliance and conduct investigations as set out in Article 15. If a governmental authority uncovers determines there have been non-compliance, the company will be afforded an opportunity to correct the violation. Failure of the company to act will result in the imposition of a financial penalty. Repeated offenses can result in the levying of criminal penalties against the offending company, Article 19.
Under Article 20 a company’s compliance with the Directive obligations is not defense to civil liability for the harms caused by or contributed by the company or its business partners.
Financial whistleblowers are needed for successful ESG disclosure policy and law
While the U.S. is not leading in ESG disclosure policy and law, the U.S. has set the global standard in financial whistleblower programs. Whistleblowers acting in accordance with the SEC and Commodity Futures Trading Commission (“CFTC”) whistleblower programs established by the 2010 Dodd-Frank Act, have assisted U.S. financial regulators and enforcement authorities in successfully exposing, detecting, and prosecuting financial fraud, waste and abuse under U.S. securities and financial laws. The SEC and CFTC Whistleblower programs protect whistleblower identities, guarantee awards commensurate to a whistleblower’s role in a successful prosecution, reimburses them for economic damage, as well as provides swift access to U.S. federal courts.
Although the EU does have a whistleblower directive set to be enacted in 2021 as well as whistleblower protection laws in some of its member states, these regulations fall short of the robust U.S. federal whistleblower programs. In addition, while the EU draft directive contains a requirement that businesses establish an internal grievance mechanism, it is no substitute for a robust national whistleblower regime similar to the U.S.
The role of whistleblowers in exposing hidden climate-related risk information will be essential to insuring the transparency and accountability of the EU’s proposed mandatory corporate climate disclosure regime. This is why it’s critical that the EU also invest in improving on its 2019 Whistleblower Directive and expanding protections within its member countries.
Next steps for the draft Directive
The draft report will be submitted to the European Commission, with a request that the Commission submits a formal legislative proposal following the recommendations set out in the draft report. When the Commission issues its formal proposal, it will be forwarded to the Council of Ministers of EU Parliament and the Governments of EU Member States for their respective considerations to proceed on parallel tracks. The earliest date projected for its issuance is first quarter of 2021,
Each EU Member State will review the proposal for comity with their national laws. Currently, a number of Member States have either adopted (France, Netherlands) or are in the process of adopting in 2021 (Germany, Switzerland, Norway) due diligence standards.
When the Council of Ministers and the Member States have settled on their respective drafts of the Directive, a trilogue will commence between the Council of Ministers, Member States and the Commission to settle on a unified version. Estimates for the publication of final version directive may be at least two years away.