
The Compliance Areas & Laws To Prioritise In 2023  

2023 is going to be another important year for compliance legislation and these are the key trends and laws to keep in mind.

by Niall McCarthy 3 min

    2023 is going to be another important year for compliance legislation amid a late surge in EU Whistleblowing Directive transpositions. Implementation appears imminent in a number of other countries who are likely to adopt the legislation over the coming weeks. That means widespread changes are in store for thousands of companies across the continent who will have to shore up their compliance measures before the new laws come into force at some point next year.

    Governments are also prioritising tackling human rights abuses, particularly along the supply chain, and some promising new laws are in the pipeline for 2023. With the EU Corporate Sustainability Due Diligence Directive also on the horizon, the number of new supply chain laws coming into force is expected to pick up pace next year and beyond, with major ramifications for businesses.

    2023 and priority compliance areas

    Deloitte’s annual “The Future of Compliance” study laid out some of the key compliance areas companies need to prioritise in 2023. Based on an online questionnaire with 323 participants, the research found that clearly assigning responsibility for compliance within management has a positive influence on the “tone from the top” and this is a strategy companies should pursue in 2023 (if they have not done so already). Classic forms of compliance communication such as the Code of Conduct and regular training sessions occur more frequently in larger and international organisations, but they are only likely to be successful with the active participation of management. This makes it far more likely that the desired compliance values will be lived by the organisation.

    Sanctions and incentive culture were other key areas touched on by the study. In the future, organisational culture centred around sanctions will become considerably less important while, in contrast, the focus on incentives will noticeably increase. Some 71% of organisations were able to observe a strengthening or improvement of their compliance culture through the implementation of an incentive system.

    Separately, an interesting survey conducted among participants at the European Compliance and Ethics Conference in October 2022 sheds more light on the topics currently on compliance departments’ agendas and how this is set to evolve over the coming years. Approximately 64% of attendees stated that whistleblower protection is an important focus area at the moment while 45% were also prioritising the digitization of their compliance department. Supply chain due diligence was also relevant for 42% of participants.

    The survey also focused on the level of preparation for new regulations, particularly in the area of human rights management and environmental risks in the supply chain. Nearly 40% of ECEC participants stated that they assessed their risk exposure while just under 30% have introduced mitigation mechanisms. A quarter were not aware of any regulation directly impacting their organisation.

    Concerning the accelerating pace of the transposition of the EU Whistleblowing Directive, just over half of ECEC attendees indicated that they had implemented a digital whistleblowing solution, ahead of 32% who utilised an email inbox and 15% who availed of an external ombudsman service.

    The Compliance Laws Coming in 2023

    The EU Whistleblowing Directive

    The deadline for transposing the EU Whistleblowing Directive already expired in 2021 and the European Commission subsequently initiated infringement proceedings against a number of countries that failed to complete the process on time. There was noticeable progress in late 2022, however, with several EU member states finally approving draft laws transposing the Directive.

    Belgium, Germany, Greece and Italy all transposed the law towards the end of the year, taking the total number of EU member states that have done so to 14. The Hinweisgeberschutzgesetz (Whistleblower Protection Act) in Germany is especially notable as it brings comprehensive whistleblower protection measures to Europe’s largest economy and allows for anonymous reporting.

    Elsewhere, the speed of the Directive’s implementation in Greece was surprising after the government in Athens was criticised by NGOs for a sluggish transposition process lacking transparency. Things were equally laborious in Italy where the new law was eventually approved on 09 December with a much wider scope than Law 179/2017, the current legislation. Belgium was also able to get its transposition process over the finish line in November while the Dutch Whistleblower Protection Act was adopted by the Lower House on 20 December, bringing implementation a step closer.

    While precise implementation dates are not yet certain, it is likely that most of these measures will come into force in the spring of 2023. Companies are nevertheless advised to proactively take the first steps right away so that they are well positioned to comply with the new legislation and avoid legal penalties.

    When examining the trajectory of the EU Whistleblowing Directive in 2023, it is also important to mention Ireland where the Protected Disclosures (Amendment) Bill 2022 was passed during summer 2022. That legislation is now poised to come into effect from 01 January 2023, bringing sweeping protective measures to Irish whistleblowers.

    Elsewhere, more governments are making headway and transposition looks to be imminent in Bulgaria, the Czech Republic, Finland and Spain. While there has been no official implementation in these countries as of yet, it is likely that their new laws will still come into force at some point in 2023.

    European Union: Corporate Sustainability Reporting Directive (CSRD)

    In late November 2022, the European Council gave its final approval to the Corporate Sustainability Reporting Directive (CSRD) which introduces more detailed reporting requirements for companies as well as an obligation to report according to mandatory EU sustainability reporting standards.

    It will apply to all large companies with 250 or more employees and all companies listed on regulated markets. Proportionality applies to SMEs and non-listed SMEs are exempt. Organisations will need to comply if they meet two of the three following requirements:

    • 250 or more employees
    • €20 million on the balance sheet
    • €40 million in net turnover


    Companies subject to the Directive must submit a management report containing a range of information such as business model, strategy and sustainability targets as well as an overview of the due diligence process. Financial statements and management reports must be prepared in a single electronic reporting format while the corporate governance statement must include a diversity policy. Finally, the sustainability reporting must be audited by the relevant statutory audit firm.

    The next steps in the legislative process will take place at the European Parliament in May 2023 and while the CSRD will likely not impact companies next year, they should nevertheless prepare for it. The Directive will apply to organisations that are already subject to the Non-Financial Reporting Directive (NFRD) and reporting will occur in 2025 on financial year 2024.

    Germany: Lieferkettensorgfaltspflichtengesetz (Act on Corporate Due Diligence Obligations in Supply Chains)

    The new supply chain due diligence law in Germany will require companies to establish an appropriate and effective risk management system for identifying, preventing, minimising or eliminating environmental and human rights risks.

    The legislation will apply to organisations and their subsidiaries with at least 3,000 employees from 2023 and 1,000 employees from 2024 and it takes into account all staff members, including those employed abroad and temporary agency workers who exceed 6 months' employment. Organisations that do not fall within the scope of the law can also be affected. This can occur when an unaffected company supplies an organisation that is subject to the law, resulting in the initial organisation also having to meet due diligence obligations. The core due diligence obligations of Germany’s new law are as follows:

    • Implementation of a risk management system
    • Designation of a responsible person or persons within the organisation
    • Performance of regular risk analyses
    • Issuing of a policy statement
    • Laying down preventive measures in the organisation’s own area of business (also for suppliers)
    • Taking remedial action
    • The establishment of a complaints procedure
    • Documentation and reporting


    Companies must conduct a risk analysis where the segments of the supply chain posing the greatest risk are identified while suitable preventative measures must be put in place if any problems are identified. Organisations in Germany are also obliged to appoint a human rights officer responsible for handling incidents involving human rights violations while a complaints procedure must be established so breaches can be reported.

    Reporting obligations are also being introduced for companies and they must issue a policy statement on their human rights strategy that identifies the environmental and human rights-related risks uncovered along with any mitigation measures taken. The organisation must continuously document its due diligence obligations and an annual report has to be sent to the Federal Office for Economic Affairs and Export Control. The report must be made publicly available and easily accessible on the organisation’s website. It should contain the following information:

    • Any human rights and environmental risks identified
    • What has been done to fulfil the organisation’s due diligence obligations
    • How the impact and effectiveness of measures taken were assessed
    • Conclusions for future measures


    Companies failing to comply with the new measures will face severe fines and sanctions with financial penalties set to amount to €8 million or 2% of an organisation’s global turnover. If certain levels of fines are reached, companies can also be barred from being awarded public contracts for up to three years.

    Italy: The New Plastic Tax

    Under Italy’s budget law for fiscal year 2022, a tax on plastic will come into force on 1 January 2023 after being postponed several times. It aims to reduce the production and consumption of single-use plastic products (referred to as MACSI) and to promote the principle of the circular economy. MACSI manufactured in Italy or the subject intending to sell it would be taxable under the new legislation, as would the purchaser or seller of MACSI imported from other EU Member States (depending on whether the purchase has been made for an economic activity). In the case of MACSI shipped from non-EU countries, the importer would have to pay the plastic tax.

    Depending on who is liable to pay the tax and the supply chain, a range of different compliance obligations would apply including registration, separate storage and, in the case of non-established entities, the appointment of a tax representative. Financial compliance measures would entail accounting entries, quarterly tax returns and managing payments. When the amount of plastic tax due does not exceed €25, payment is not necessary. However, in the case where payment is necessary but not carried out, the penalty ranges from two to five times the unpaid sum. There are further penalties for late payments and the late filing of quarterly returns.

    Switzerland: New rules in the Swiss Code of Obligations

    Switzerland is rolling out new due diligence obligations and reporting requirements that apply to child labour and specific conflict metals and minerals. While companies have to deliver their first report in 2024, they need to refer to their corporate situation throughout fiscal year 2023.  

    Organisations presenting a low risk of child labour will be exempt from the new legislation, along with SMEs if they fall under two of the following thresholds for two consecutive years: total assets of SFr 20 million, sales of SFr 40 million and an annual average of 250 employees.  

    Organisations falling within its remit are as follows:

    • Have a registered office, central administration or principal place of business in Switzerland
    • Comply with due diligence in their supply chains when they process the highlighted metals/minerals in Switzerland or release them in the Swiss market  
    • They also have to comply if they offer goods and services suspected of having links to child labour  
    • Swiss-based subsidiaries of foreign-based multinationals are also affected 


    The provisions for conflict minerals and metals apply to tin, tantalum, tungsten and gold that are more frequently referred to as “3TG”. They usually consist of ores, concentrates, powders, rods and wires that are limited to specified tariff numbers. A company is not subject to the new measures if it sells items containing 3TG as long as it is not an importer into Switzerland or a processor with a specified tariff number.

    Companies will need to establish a traceability system, undertake risk mitigation, partake in an annual third-party audit and engage in compliance reporting. 


    After the frustrating delays in the rollout of the EU Whistleblowing Directive, the late 2022 rush has brought things back on track. Tough whistleblowing laws are set to come into effect across several countries in 2023 and the new legal requirements are going to be even more demanding in markets where supply chain due diligence legislation is also coming into force.

    This is certainly the case in Europe’s largest economy where Berlin is set to introduce supply chain due diligence legislation alongside its whistleblower protection measures in 2023. Companies that have not already taken action are advised to accelerate their compliance efforts on both fronts given that European countries agreed in principle on an EU-wide supply chain law in late November 2022. Considering the legislative mountain on the horizon, acting early and introducing a smart digital approach is the best way to minimise risk, ensure compliance and comfortably surf the coming bureaucratic tidal wave.

    Niall McCarthy

    Niall is a Content Writer at the EQS Group. Originally from Ireland, he previously worked as a journalist, which included reporting on major corruption trends worldwide.