What Every Multinational Company Should Know About…Supply Chain Integrity

Both enforcement agencies and consumers increasingly are focused on manufacturers’ supply chains. Human rights enforcement frameworks increasingly have real teeth. Both the United States and the European Union either have, or are in the process of adopting, real enforcement mechanisms to protect against the importation of goods made using forced labor. As a sign of things to come, Germany’s Supply Chain Diligence Act and Norway’s recent Transparency Act impose affirmative human rights due-diligence obligations on companies and create an enforcement structure with severe penalties for non-compliance. When placed on top of other legal regimes that focus on supply chains, including the Australian Modern Slavery Act, the Uyghur Forced Labor Prevention Act, and the California Transparency in Supply Chains Act, companies that operate or source abroad need to implement comprehensive due diligence and other measures designed to ensure the ethical sourcing of their goods.

Just as importantly, manufacturers will face tangible reputational risks if forced-labor issues are exposed in their supply chains. (When Joe Rogan is talking about forced labor in supply chains, you can bet the subject has become of mainstream significance.) As transparency in supply chains increases and issues are exposed (whether by government seizures, consumer-focused compliance-assessment tools, or media exposure), both media and consumers have more data at their fingertips. And, according to one recent survey, that information matters: 60 percent of consumers have said they would switch products if they knew human trafficking or forced labor was used to create them. Thus, the consumer base — and, hence, the bottom line — are acutely at risk for manufacturers who fail to properly assess their supply chains.

Supply Chain Due Diligence and Compliance

The significant legal and reputational risks associated with the use of forced labor makes supply chain due diligence and compliance of critical importance to today’s multinational companies. Demands for transparency and accountability from shareholders, lenders, and other key stakeholders, coupled with stricter regulatory requirements, has increased the need to take “to the ground” compliance best practices for diligent monitoring and adherence to compliance best practices. Not only does supply chain compliance mitigate potential legal risks, it serves the important role of safeguarding corporate reputations, ensuring ethical practices, and building sustainable relationships with suppliers and customers.

Companies looking for guidance regarding the supply chain integrity expectations of the U.S. Government can find help in the January 31, 2019 OFAC $996,080 settlement with a Californian cosmetics company, e.l.f. Cosmetics, Inc. (ELF), for alleged violations of the North Korean Sanctions Regulations. This settlement occurred after ELF voluntarily reported what it termed the “unknowing” importation of 156 shipments ($4.4 million) of false eyelash kits from two suppliers in China that contained materials independently sourced by suppliers from North Korea.¹

OFAC determined that even though the apparent violations were self-disclosed, aggravating factors included that “ELF is a large and commercially sophisticated company that engages in a substantial volume of international trade” and that “ELF’s compliance program was either non-existent or inadequate throughout the time period in question.” In particular, OFAC was most concerned that while ELF was putting substantial efforts into international quality control, it was not putting equal efforts into its international regulatory compliance. As OFAC stated:

Throughout the time period in which the apparent violations occurred, ELF’s OFAC compliance program was either non-existent or inadequate. The company’s production review efforts focused on quality assurance issues pertaining to the production process, raw materials, and end products of the goods it purchased and/or imported. Until January 2017, ELF’s compliance program and its supplier audits failed to discover that approximately 80 percent of the false eyelash kits supplied by two of ELF’s China-based suppliers contained materials from the DPRK [North Korea].²

OFAC made clear that the lack of compliance and due diligence was a major driver of the enforcement action. As OFAC states:

This enforcement action highlights the risks for companies that do not conduct full-spectrum supply chain due diligence when sourcing products from overseas, particularly in a region in which the DPRK, as well as other comprehensively sanctioned countries or regions, is known to export goods. OFAC encourages companies to develop, implement and maintain a risk-based approach to sanctions compliance and to implement processes and procedures to identify and mitigate areas of risks. Such steps could include, but are not limited to, implementing supply chain audits with country-of-origin verification; conducting mandatory OFAC sanctions training for suppliers; and routinely and frequently performing audits of suppliers.³

What is notable is that OFAC treats supply chain regulatory risk management, including comprehensive audits at both the company and at suppliers, and training at the suppliers as being virtually mandatory, at least for companies sourcing from high-risk countries. Given that U.S. companies routinely operate in and source from countries that have caused repeated OFAC violations, such as Brazil, China, India, and Mexico, the grounding of the penalties in such broad risk factors is notable. OFAC in effect treats the lack of supply chain due diligence and compliance measures as the equivalent of knowledge of the potential alleged violations.

Underscoring the importance that OFAC and other agencies are placing on supply chain due diligence and compliance, OFAC approvingly notes key details regarding the steps ELF took to gain mitigating credit due to its compliance response:

ELF stated the company has terminated the conduct which led to the apparent violations and has taken the following steps to minimize the risk of recurrence of similar conduct in the future:

• Implemented supply chain audits that verify the country of origin of goods and services used in ELF’s products;
• Adopted new procedures to require suppliers to sign certificates of compliance stating that they will comply with all U.S. export controls and trade sanctions;
• Conducted an enhanced supplier audit that included verification of payment information related to production materials and the review of supplier bank statements;
• Engaged outside counsel to provide additional training for key employees in the United States and in China regarding U.S. sanctions regulations and other relevant U.S. laws and regulations; and
• Held mandatory training on U.S. sanctions regulations for employees and suppliers in China and implemented additional mandatory trainings for new employees, as well as regular refresher training for current employees and suppliers based in China.⁴

Managing Risk in Your Supply Chain

As illustrated by the ELF settlement, it is not good enough to just check the compliance boxes to show stakeholders that your company is socially responsible; instead, the U.S. Government expects that companies will implement the type of “full-spectrum supply chain diligence” that OFAC highlights. So, what should manufacturers do to address this risk? It is important to start with an understanding of your supply chain and an assessment of its human-rights risks. You are expected to know what goes into your products, where they originate, and how they were made. And for components sourced in high-risk countries and that emerge from high-risk industries, you are expected to take reasonable steps to vet your suppliers (and their suppliers, and their suppliers’ suppliers …), to ensure that they understand your compliance expectations, to contractually obligate them to comply, and to monitor and audit their compliance.

Further information also is provided by the Department of Homeland Security, which has provided compliance guidelines for ensuring supply chain integrity. Although these practices are aimed at North Korean forced labor, they are equally relevant for any entity seeking to shore up its supply chain compliance. The Homeland Security recommendations are as follows:

What steps should my company take to ensure North Korean workers are not in our supply chain?

• Your company should review due diligence best practices and closely reexamine your entire supply chain with the knowledge of high-risk countries and sectors for North Korean workers.
• Due diligence will likely vary based on the size of the company and industry. Generally, human rights due diligence and related practices identify, prevent, and mitigate actual and potential adverse impacts, as well as account for how these impacts are addressed. The below steps are merely examples of actions that may be taken to ensure due diligence as it is a flexible, risk-based process and not a specific formula for companies to follow; additional steps may be required:
• A high-level statement of policy demonstrating the company’s commitment to respect human rights and labor rights;
• A rigorous continuous risk assessment of actual and potential human rights and labor impacts or risks of company activities and relationships, which is undertaken in consultation with stakeholders;
• Integrating these commitments and assessments into internal control and oversight systems of company operations and supply chains; and,
• Tracking and reporting on areas of risk.

In addition, importers have the responsibility to exercise reasonable care and provide CBP with such information as is necessary to enable CBP to determine if the merchandise may be released from CBP custody. To demonstrate reasonable care, an importer may present any material that it chooses to, which may include comprehensive due diligence efforts that may have been undertaken, such as:

• Information demonstrating that your company engaged meaningfully with affected stakeholders, including workers and trade unions, as part of the due diligence process;
• Workforce composition at the location in question;
• Training materials on North Korean forced labor prohibitions that have been provided to suppliers and sub-contractors;
• Company policies, and evidence of implementation, on using North Korean laborers;
• Contracts with suppliers and sub-contractors that state your policy on North Korean forced labor;
• Publishing the full names of all authorized production units and processing facilities, the worksite addresses, the parent company of the business at the worksite, the types of products made, and the number of workers at each worksite;
• Information on how and to whom wages are paid at the location;
• Information demonstrating that recruitment agencies are within the scope of any third-party audit with your suppliers;
• Documents verifying the use of authorized recruitment agencies and brokers, or that you use direct recruitment;
• Documents verifying that the fee structure presented by the recruitment agency is transparent and has been verified through worker interviews;
• If you have reimbursed any fees paid, verification of such reimbursement;
• Demonstrated commitment to human rights and labor due diligence at the highest levels of your company; and,
• Results of your human rights and labor impact assessments.⁵

With the U.S. Government sending the message that companies that operate or source abroad need to take ownership and assume full responsibility for supply chain sourcing, we highly recommend that any organization that has not performed a supply chain due diligence review in the last two years should do so. As a starting point, we provide a short risk-assessment questionnaire here. If you fill this out, one of our supply chain attorneys will help evaluate the risk posed by your supply chain compliance practices. We also recommend that company consult the Foley International Compliance and Mitigation Heat Map to help start to evaluate supply chain integrity risks.