The EU institutions have reached a provisional compromise and are continuing final technical negotiations for the legislative text of the EU Corporate Sustainability Due Diligence Directive (CSDDD) after a lengthy four-year legislative process. Noting their intermediary and gatekeeper functions, the inclusion of the financial sector is among the most controversial issues. In contrast, recent domestic supply chain laws, including the German Supply Chain Duty of Care Act (the German Act), do not specifically differentiate between different sectors. We summarise current developments here.
“Regulated financial undertakings” under the CSDDD
Although a final text of the CSDDD is not yet available and public statements seem to differ the current stance indicates that the financial sector will be specifically defined and generally remain in scope of the upcoming CSDDD. However, regulated financial undertakings will only be obliged to fulfil compliance in their own operations and ‘upstream’ due diligence in their supply chains, leaving a gap in their downstream operations which might be particularly relevant for the financial sector. In previous drafts, the definition of ‘supply chain’ for the financial sector referred to activities of clients who receive loans, credit, and other financial services, as well as other companies in the same group whose activities are related to the contract in question, excluding SMEs that receive loans, credit, financial resources, insurance, or reinsurance services from such companies as well as end-consumers. In addition, it seems that the obligation to adopt and put into effect a transition plan for climate change mitigation (Art. 15 CSDDD) also applies to large regulated financial undertakings.
The regulatory landscape
This does not come with huge relief for the financial sector in Europe. After all, supply chains cannot be left unconsidered today. Requirements to account for ESG factors and risks have always been part of all pillars of financial market regulation, as the statutory provisions are neutral when it comes to sources of risks. With growing attention from the regulators, respective requirements are now increasingly clarified in the legal framework. This affects the latest CRR and CRD review, supervisory guidance (e.g., the European Banking Authority (EBA) guidelines on loan origination and monitoring) as well as ESG-related reporting and disclosure requirements like the Sustainable Finance Disclosure Regulation (SFDR), Taxonomy-Regulation and the Corporate Sustainability Reporting Directive (CSRD). However, by requiring the implementation of responsible business practices – albeit with an obligation of means rather than results – the CSDDD goes far beyond the existing requirements. While adding CSDDD requirements might have been an opportunity to introduce a level playing field for behavioural requirements for regulated financial undertakings, it could have also created increased challenges in navigating the complex and evolving regulatory landscape that is not entirely consistent already now and, thus, would have come with additional compliance challenges and increased costs.
One remaining issue with the CSDDD is its applicability to non-EU regulated financial undertakings that invest in companies that are based in the EU or have operations in the EU. It is not always straightforward to understand how non-EU regulated financial undertakings fit into the definitions of the EU regulatory frameworks, which could lead to regulatory gaps and potential legal challenges. This is particularly relevant given that the CSDDD drafts so far have referred to these definitions. Also, it is not explicit whether non-EU financial sector entities would have to comply with the CSDDD requirements only in regard to their investments made within EU Member States or to their global operations. This raises concerns about how non-EU companies will be impacted and whether they will be subject to the same reporting requirements as EU-based companies.
The German Supply Chain Duty of Care Act (the German Act)
Germany was among the frontrunners in regulating duties of care for supply chains. The German Act is effective since January 2023 and does not differentiate between industry sectors. The only decisive criterion for applicability is number of employees. Regulated financial undertakings may be affected by the German Act in two ways: (i) as suppliers and part of the supply chains of the real economy, i.e. companies that fall under the scope of application of the Act (downstream); and (ii) as obliged companies with duties of care along their own supply chains (upstream and to a limited extent downstream.
On the first, regulated financial undertakings would be considered direct suppliers of services to obliged companies, provided there is a concrete link between the financing services and the products or services of the obliged company. In this case, regulated financial undertakings will be affected indirectly by the German Act as the obliged companies – their customers – have to impose human rights compliance obligations on them via their contractual relationships. On the second, regulated financial undertakings will be affected directly as obliged companies themselves. In that context, it is important to differentiate between the entities’ upstream and downstream supply chains. While the former triggers the obligations under the German Act as for any other obliged company, the situation regarding the latter is more complex and requires individual assessments of the activities of regulated financial undertakings.
Downstream supply chains for regulated financial undertakings
The environmental and social impacts of financial products and services are often less direct or visible than those of real-economy companies, triggering questions about the starting point of the supply chains for regulated financial undertakings. The explanatory memorandum to the German Act implies a narrow interpretation. It emphasises that financial service providers are not automatically subject to due diligence obligations beyond specific transactions. Notably, involving end customers would only be justified for transactions significant enough to warrant specific information and control capabilities (e.g. large loans surpassing regulatory thresholds). For insurance companies, asset management is not considered part of the supply chain and for services limited to brokerage, diligence responsibilities do not extend to end customers at all.
Recently, the German Federal Office for Economic Affairs and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle) (BAFA), which is the competent supervisory authority for compliance with the German Act, published a new guidance paper (“Handreichung“)on their website, dealing with the application of the German Act to the credit, financial services and insurance industries. The new BAFA guidance follows the narrow interpretation of the supply chain concept for regulated financial undertakings and provides a number of clarifications.
According to the guidance paper, customer relationships are excluded from the definition of their supply chains. For credit institutions, this means that their due diligence responsibilities do not extend to the business activities of their corporate clients engaged in banking transactions, including deposit-taking, lending, and securities issuance. Procurement transactions typically do not include routine refinancing activities or debt sales, unless a specific link exists between the refinancing transaction and the provided banking service. Transactions on the interbank market, including those with central banks, are generally not subject to due diligence obligations due to the lack of such a link. Moreover, the performance of financial transactions, such as swaps and derivatives, does not fall within the scope of the German Act’s obligations, as they don't establish a typical supplier-provider-relationship. The same principles apply to factoring, leasing, and insurance operations.
BAFA’s competence as supervisory authority for compliance with the German Act also as regards credit and regulated financial undertakings or insurance companies is not affected by a potentially overlapping authority of the European Central Bank (ECB) or the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) for these companies and institutions. According to the CSDDD, it is up to the individual member states to decide which supervisory authority is responsible for supervising compliance with the CSDDD and expressly includes existing authorities for the supervision of regulated financial undertakings.
What lies ahead?
With the adoption of the CSDDD, the German Act might be adjusted in a way to clarify a rather limited application for regulated financial undertakings. Ultimately, the impact of the CSDDD on regulated financial undertakings will depend on the final text of the directive, as well as the specific investments and operations of each institution. It is therefore important for regulated financial undertakings to closely monitor the final developments and start taking proactive steps to manage supply chains. We will keep you updated here.