16 August 2024

The Corporate Sustainability Due Diligence Directive: Impact On Financial Services Businesses

Travers Smith LLP

Contributor

The EU's Corporate Sustainability Due Diligence Directive (CS3D) will significantly impact large EU and non-EU companies, including financial firms, by imposing extensive due diligence and climate obligations, with compliance required by 2027-2029.

Key points:

  • The Corporate Sustainability Due Diligence Directive has been approved by the EU legislators and will have significant consequences for EU and non-EU companies.
  • The way in which the financial sector is dealt with in the Directive creates some uncertainties, in particular for large asset managers in scope.
  • Firms should review the scope of the final text and identify whether they will be covered.
  • Firms that are covered should consider the extent of their obligations, which will relate to their own operations and any "subsidiaries", which has an extended definition, and also upstream business partners in their "chain of activities".

Overview

The EU's Corporate Sustainability Due Diligence Directive (CS3D) will be highly consequential for those large EU and non-EU companies that fall within its scope. Despite some misleading commentary to the contrary, the financial sector is in scope of the CS3D as finally agreed by the European legislators in May 2024. In this article, we discuss the extent of these obligations and some uncertainties that remain, especially for asset managers in the private equity and venture capital sector.

1. Introduction

In May 2024, the EU's Corporate Sustainability Due Diligence Directive (CS3D) was finally approved, more than three years after the European Parliament asked the European Commission to bring forward a proposal on the topic. The application of the proposal to banks and other firms operating in the financial sector was a key stumbling block in the negotiations that finally led to a tripartite agreement in December 2023. That proposal was close to collapse when key member states withdrew their support for the compromise text at the eleventh hour, forcing the Belgian presidency to significantly narrow the scope. Though the core obligations under the final text remain largely the same as first proposed, the scope is dramatically different from any of the initial proposals.

In this short article, we will consider what the agreed scope means for financial services businesses and their clients.

2. Scope of CS3D

The financial thresholds under CS3D are significantly higher than in any of the proposed texts over the last two years, reducing the number of companies that will be covered: EU companies must have more than 1,000 employees and a net worldwide turnover of more than €450m; non-EU companies must have a net turnover in the EU of more than €450m (with no employee threshold).

If a company does not meet these thresholds but is the ultimate parent company of a group which, on a consolidated basis, does meet the thresholds, the parent company is also in scope. Due to the nature of CS3D's obligations, the latter scenario is roughly equivalent to a group-wide obligation.

Where an ultimate parent company meets the thresholds but is a holding company which does not engage in any management, operational or financial decisions affecting the group or any of its subsidiaries, it may pass the obligation down to one of its EU subsidiaries, though the ultimate parent company retains joint liability for any failure of the obligated EU subsidiary to discharge its obligations.

The CS3D also includes lower financial thresholds for companies involved in licensing and franchising arrangements with third parties, but generally these will have limited application in the financial services sector.

It is noteworthy that the final scope of the CS3D is significantly narrower than the Corporate Sustainability Reporting Directive (CSRD). It is estimated that around 5,300 EU companies will be in scope of CS3D, while around 50,000 EU companies will be in scope of CSRD.

3. Regulated financial undertakings

Financial firms are in scope of the CS3D, although investment funds themselves are generally scoped out.

The Directive expands the traditional definition of "company" to include those "regulated financial undertakings" that are included in the exhaustive list in Art 3(1)(iii) (RFU). These include, for example, credit institutions (ie banks), investment firms, AIFMs and UCITS management companies (which manage private and public investment funds respectively). It also takes account of newer types of financial undertakings such as crowdfunding service providers and cryptoasset service providers.

Notably, regulated financial undertakings of the types listed are captured regardless of their legal form; this is in contrast to other types of "company", which – to be in scope – must be in one of (or for third countries, a form equivalent to) the legal forms listed in the annexes to the Accounting Directive 2013/34. This will make it harder for financial firms to restructure to avoid obligations under CS3D.

4. The "chain of activities"

The active obligations imposed by the CS3D on an undertaking in scope extend to the undertaking's own operations, those of its subsidiaries and, where related to its "chain of activities", the operations of its "business partners". Each of these terms is therefore crucial in understanding the scope of the obligations.

The definition of "business partner" is broad, and covers those with whom the in-scope undertaking has a business relationship, including indirect relationships – so there is no requirement for the undertaking to have an agreement with the other organisation for them to be regarded as a business partner. However, the impacts of business partners are only relevant if they are in the in-scope undertaking's chain of activities.

"Chain of activities" is the term eventually chosen by European legislators to reflect upstream and downstream relationships with business partners. Although similar to the concept of "value chain" adopted by the CSRD, "chain of activities" is, in some respects, more limited. That limitation is of particular importance to the financial services sector.

As defined, the chain of activities encompasses upstream business partners related to the production of goods or the provision of services by the in-scope undertaking – essentially suppliers. This is similar to value chain, although that term has a more complex definition.

The CS3D's chain of activities also includes downstream business partners, but in a significantly more limited way: only business partners relevant to an undertaking's products (and even then, not across the entire lifecycle) are considered part of the chain of activities.

It is assumed that "product" in this context is intended to capture physical goods rather than financial products. This can be implied from the types of activities referenced – distribution, transport and storage, but not disposal – though this is not explicitly stated, and it has caused some to query whether financial products have been effectively excluded.

Assuming that "products" refers to physical goods, which could be the subject of future non-legislative guidance, in effect this means that service providers of all types need not carry out due diligence in respect of business partners to whom they provide services. For example, a bank will not need to carry out due diligence on borrowers, and (subject to the discussion below) an asset manager will not have obligations relating to the activities of the fund's portfolio companies.

This restriction of the scope of the downstream obligations has led to some misleading claims that financial services are excluded from the scope of the Directive – this is not the case, as financial services businesses still need to consider their own operations, those of their subsidiaries and their upstream business partners. Even the Recital in the Directive itself is rather misleading; Recital 26 says: "... as regards regulated financial undertakings, only the upstream but not the downstream part of their chains of activities should be covered by this Directive". However, according to the text of the Directive itself, if a regulated financial undertaking did also supply physical products, they would apparently be covered by the downstream obligations in the same way as any other undertaking in scope of the CS3D in respect of those activities.

5. Responsibility for subsidiaries

As noted, parent undertakings have certain responsibilities in respect of their subsidiaries under CS3D. The parent must apply its mandatory due diligence policy to its subsidiaries, and must include its subsidiaries' operations in both the initial screening for adverse impacts, as well as the in-depth investigations where risks are likely to be elevated. The parent's responsibility to take appropriate measures against actual or potential adverse impacts may (depending on the circumstances) be more limited where the impact only relates to the subsidiary and not also the parent. Nonetheless, for complex corporate groups, this extension of responsibility is challenging both practically and conceptually, given that it subverts traditional concepts of separate legal personality and liability.

For certain types of asset managers, these provisions on responsibility for subsidiaries may have unwelcome (and possibly unintended) consequences.

The definition of "subsidiary" in CS3D Art 3(1)(e) incorporates the definition of subsidiary from the Transparency Directive (2004/109/EC). According to the Transparency Directive, a controlled undertaking is one in which the second company (the parent) has a majority of the voting rights, or is a member and also has either the right to appoint or remove the board or controls the voting rights pursuant to a shareholder or member agreement, or exercises dominant influence or control.

In most structures, the asset manager will not own the shares in an investee company. The shares will be owned by the fund under management and, as noted above, the fund is likely to be scoped out. However, it will be important to analyse, on a case-by-case basis, the relationship between the asset manager (and any companies in its group, such as the general partner of an investment fund) and the underlying investee company. This analysis should consider whether a parent/subsidiary relationship may exist between the regulated financial undertaking and the investee company according to this extended definition of "subsidiary". Such a relationship may exist indirectly, if the asset manager or one of its group companies is the "parent" of the fund which, in turn, is the "parent" of the portfolio company, or directly if there is a relationship with the investee company which meets the requirements of the definition. This is a complex analysis which may also depend on the law of the member state concerned and could lead to different results in different cases.

Asset managers – especially private equity and venture capital investors – will argue that, as financial owners with limited liability and no legal responsibility for management of the underlying company, adding this additional level of responsibility is inconsistent with their investment approach. There is specific legislation for financial market participants – most notably the Sustainable Finance Disclosure Regulation – and changing the legal rules applicable to them in CS3D will put at risk the fundamental principle of limited liability investing, and the segregation of portfolio companies, which isolates investors from cross-contamination.

As the Financial Markets Law Committee (FMLC) argued in a letter to the European Commission on 22 February 2023 (available at: https://fmlc.org/wp-content/uploads/2023/02/FMLC-Letter-to-the-EU-Commission-on-CS3D.pdf), an asset manager "is unlikely to have the requisite operational control and/or expertise to identify and mitigate sustainability risks and doing so may give rise to conflict with the duties of the portfolio company's board". Furthermore, the FMLC points out that legal responsibility for adverse environmental and social impacts currently rests – and should rest – with the board of directors of the portfolio company (and the board of directors of the parent company in that corporate group); it would have significant consequences to locate that responsibility with an investor. It would also be out of step with accounting rules, which do not allow financial consolidation in circumstances where shares are held for investment purposes, on the basis that it would be misleading.

Financial investors with diverse portfolios may not be equipped to understand pertinent risks across all sectors and in all geographies, inevitably leading to some of the compliance burden of CS3D falling onto the portfolio companies themselves, despite the intent of the legislation being to include only the very largest companies in scope.

It is important to note that this issue is only relevant to determining an asset manager's obligations under CS3D if it is in scope in its own right, and not to whether or not it is in scope in the first place. A parent company's financial thresholds will be assessed on the basis of its consolidated financial statements, and will not include the turnover or employees of its "subsidiaries" if they are included in its accounts at fair value rather than on a consolidated basis.

6. Active due diligence obligations

In-scope entities are subject to a relatively straightforward requirement to introduce and implement effective due diligence in respect of environmental and human rights adverse impacts. In practice, ensuring effective due diligence involves a multi-faceted approach which will (and is intended to) affect the way the entity does business.

The undertaking will need to revisit its due diligence and supplier onboarding processes to ensure that they will uncover the relevant environmental and human rights impacts where these might occur or are occurring. CS3D requires businesses to have a due diligence policy, which many already will have, but which may need to be revised to reflect the specifics of CS3D, such as the business's long-term approach to diligence or how it will verify compliance with the code of conduct (which must be applied to the business and its subsidiaries, and potentially business partners).

The risk mapping exercise is in two stages: (i) an initial screening for areas of heightened risk (which may be on account of, for example, sector or geography); and (ii) a more in-depth analysis of those risk areas to determine whether actual or potential impacts exist. Whilst the former can likely be conducted using public information, the latter will almost certainly involve investigation of the specific circumstances, as well as contributions from stakeholders.

7. Climate transition plans

In addition to the core due diligence obligations, in-scope undertakings also need to prepare a climate transition plan that, on a best-efforts basis, aligns their business plan and strategy to limiting global warming to 1.5 degrees in line with the Paris Agreement, as well as the EU's 2050 Net Zero commitment.

Although there is no explicit requirement for asset managers to roll the transition plan out to their investee companies, they will inevitably need to look at their investment strategy to determine its appropriateness in light of the targets it will also have to set.

It is not clear what "best efforts" must entail, but we can expect published plans to be a focus area for activists and stakeholders seeking to hold firms to account, as they have been in other jurisdictions.

8. Review of inclusion of financial services

The inclusion of financial services was a major sticking point in the negotiation of the Directive, with some member states arguing that regulated financial undertakings should be excluded entirely. And, according to the CS3D's Recitals, regulated financial undertakings do not completely escape responsibility for their downstream activities:

"Regulated financial undertakings are expected to consider adverse impacts and to use their so-called 'leverage' to influence companies."

However, even this obligation – which emanates from non-binding international standards – does not seem to be repeated in the operative provisions.

Nevertheless, the question may not be finally settled. Within two years of entry into force of the Directive (so, by July 2026), the Commission is required to present a report to the European Parliament and the Council on whether financial services and investment activities should be in scope, accompanied, if appropriate, by a legislative proposal. It remains to be seen, therefore, whether the CS3D's scope will be expanded – potentially even before it is fully effective in 2029.

9. Timing and next steps

CS3D entered into force on 25 July 2024. Member states have two years from this date to enact implementing law. The requirements will start to apply for the very largest companies in 2027, with all companies in scope by 2029.

Though 2027 may seem far away, considering the numerous elements of compliance that would need to be addressed by then, it would be advisable for firms to turn their attention to determining whether CS3D will apply to them sooner rather than later. Legal documentation and long-term commercial agreements should start to take account of CS3D as soon as possible, to ensure that an in-scope firm has all the rights and access to information it needs to comply. Asset managers should also begin to assess which, if any, companies will be regarded as subsidiaries under the provisions of the CS3D as implemented in relevant national law.

This article was first published in Butterworths Journal of International Banking and Financial Law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
