Logistics Industry: Compliance Law & Practice
Compliance requirements for the logistics industry have increased significantly in recent years. Internationally active clients are usually subject to strict compliance regulations and are, for their own protection, concerned, and often obliged, to impose those regulations on their contractors, i.e. logistics service providers. Logistics service providers are therefore regularly obliged, within the framework of logistics contracts, to ensure compliance with requirements - some of which go far beyond national law - and at the same time to ensure that their subcontractors meet these standards. In addition to carrying out the core business of logistics, this requires a considerable amount of documentation and monitoring work. Since a violation of compliance requirements, in the context of logistics contracts, is sometimes punished with significant contractual penalties or can even lead to the termination of contracts, it is advisable to familiarize yourself with international compliance requirements. Hence, appropriate precautions should be taken both contractually and structurally. This article intends to give a brief overview of the most prominent international regulations and to show possible practical monitoring tools.
US FOREIGN CORRUPT PRACTICES ACT / UK BRIBERY ACT
The most prominent international regulations include the UK Bribery Act (UKBA) and the US Foreign Corrupt Practices Act (FCPA). The protective purpose of these provisions includes preventing corruption and white-collar crime, ensuring fair working and social conditions, and safeguarding environmental standards. In addition to US citizens, the scope of the FCPA also includes foreigners residing in the US, companies with a legal entity under the laws of a US state, and foreign companies headquartered in the US. Furthermore, all foreign natural and legal persons who commit acts that can be deemed to promote corruption within the USA are covered. A telephone call or an e-mail that qualifies as a contribution to the promotion of corruption is sufficient. According to the FCPA, a company can be held responsible for the criminal behavior of its employees, but also of its subsidiaries, joint venture partners, and contractual partners at home and abroad. However, this only applies if it ordered, controlled, or knew about these criminal acts. Due to the far-reaching scope of application, the FCPA is recognized to have a special role in the fight against corruption.
A company is subject to criminal liability according to the UKBA if a person associated with it (company or natural person such as employees) commits a bribery offense. In addition to unlimited fines for the company, the UKBA provides for a maximum sentence of ten years in prison for the company’s decision-makers (management, board of directors).
FRANCE – LEX SAPIN II
The Lex Sapin II passed by the French Parliament, which obliges companies based in France to maintain a Code of Conduct (CoC), underlines the rapid development in the field of compliance. The CoC, also known as "soft law", serves all the company's stakeholders. First and foremost, the management is affected, whose personal risk is significantly reduced if they have taken effective personnel, functional and organizational measures to ensure compliance in the company. At the same time, all employees are protected from criminal and civil law claims.
CONTRACT PRACTICE
As already mentioned, current contractual practice shows that international companies pass on their compliance obligations to their subcontractors, such as logistics service providers, to transfer the risk of possible compliance violations as far as possible. If the commissioned company violates the obligations agreed in the CoC, for example, in addition to monetary sanctions there is the risk of the termination of the contract. As already mentioned, this practice means that even logistics service providers operating exclusively in Austria are, in addition to the applicable national law, also obliged to comply with foreign legal provisions.
COMPLIANCE MANAGEMENT SYSTEM
Against the background of the legislation mentioned and common contractual practice, the implementation of an effective compliance management system (CMS) is essential. A successful CMS consists of three elements:
Prevention
Taking preventive measures to prevent violations of the law.
Detection
Regularly monitoring to determine whether the CMS is being complied with. If necessary, establishing a whistleblower system.
Response
Information received must be checked and gaps found in the CMS must be closed.
In particular, the auditing measures listed are essential for a functioning CMS. These must take place both within the company and in the companies of the subcontractors.
Consequently, the contracts between the clients and logistics service providers contain business-partner-related due diligence obligations regarding the service providers involved. This includes the obligation to disclose such other service providers to the original client. In the logistics sector, special attention should be paid to the areas of corruption and white-collar crime, compliance with working and social conditions and environmental conditions. For example, the Supply Chain Due Diligence Act ("LkSG") recently passed by German legislators obliges German companies to monitor compliance with minimum standards to protect the environment in their business areas from 2023. The core of the due diligence obligations of companies that fall within the scope of the LkSG is in turn the establishment of an appropriate and effective risk management system. This should adapt the existing contractual relationships and minimize the risk of environmental law violations for new contracts. Furthermore, companies must contractually ensure that their subcontractors comply with environmental obligations.
The legislature is thus establishing a mechanism that is regularly agreed upon in the contract design between international corporations, such as Ikea and Danone, and their logistics service providers. This aims to guarantee due diligence in the supply chain from various pre-suppliers and suppliers to the product. More than 100 investors, including those mentioned above, are already calling on the EU Commission to present an effective EU supply chain law. This is intended to cover all companies in Europe, even without an individual agreement. The European law should also allow civil liability, which is not possible under the German supply chain law. At the EU level, the Commission has already drafted a supply chain law.
PRACTICAL DEVELOPMENT AND IMPLEMENTATION OF A CMS
Geopolitical tensions, systematic problems in the supply chains, and dangerous compliance violations (which are increasing due to the other two factors) render practical CMS development and implementation essential. To name just one compliance field that is currently particularly hot:
By far the strictest and most effective sanctions regime in the world is that of the USA. Its administrative leadership issues warnings, which it often pursues and enforces with extraterritorial effect. That is, the US warns and targets non-US companies (such as logistics companies) worldwide:
“Treasury can and will target those who evade, attempt to evade, or aid the evasion of US sanctions against Russia [...]”. (Under Secretary for Terrorism and Financial Intelligence Brian E. Nelson on April 20, 2022; responsible for OFAC sanctions affecting all industries.)
Here, a serious and comprehensive approach to practical implementation (avoidance of critical compliance violations) is more important than ever. On the other hand, the return on investment for having a good CMS (professional and user-friendly, not developed like a template) is considerable.
It reduces the growing risk of serious damage for companies, owners, management, and employees on the one hand, while helping to gain a competitive advantage on the other.
RISK-BASED AND COMPANY-ADAPTED SCOPE OF THE CMS
For authorities and courts, a CMS practically has to be (1.) appropriately designed, (2.) seriously implemented, (3.) effective - and all of that (4.) well documented. This must be (a) focused on specifically identified risks (risk-based approach - see below) and (b) proportional to the company structure and size.
In case of ‘strict liability’ (US sanctions pursued by OFAC), even unwitting violations can lead to financially significant liabilities. However, the determination of the government's action is then based primarily on (a) the CMS's quality and adequacy and (b) the conduct of the company with regard to the violation(s), before and after the incident.
In the area of compliance (FCPA), the logistics industry can refer to the internationally driven case "USA v. Transport Logistics International, Inc." (2018) and its extensive legal publications. Here, a US company and several non-American individuals were prosecuted. This ultimately led to a settlement (in the form of a "deferred prosecution agreement") and a reduction of the penalty from USD 21 million to USD 2 million.
This significant reduction was based on (a) extensive cooperation with the authorities, (b) internal consequences and revision of the CMS, and (c) consideration of the economic situation of the US company. An effective CMS and proper handling of incidents therefore can be seen to pay off.
With this in mind, we look at the components of such an adequate CMS:
COMPONENTS OF AN ADEQUATE CMS FOR INTERNATIONAL LOGISTICS COMPANIES AND PRACTICALLY FREQUENT VULNERABILITIES
Structural issues, such as functional responsibility, should be clarified, as well as matters of organizational overlaps and synergies. Here the merging of all compliance areas, sometimes even with security, makes sense in many cases.
These structural questions can be best defined in hierarchies of lines of defense. At the top is leadership, which should establish three Lines of Defense (LoD) to ensure compliance:
The first LoD are the employees and their management who maintain contact with customers and partners. Behind and above these are the Compliance and Security functions as the second LoD. Both LoD are checked again, in depth, and reviewed for improvements by the responsible Audit and Revision as the third LoD.
If corruption and/or incompetence are apparent in all three LoDs, the effects can usually only be felt years later - then often with serious consequences for companies and individuals.
Once such basic questions are decided on, the starting point of any good CMS should be a risk-based commitment from management. This brings us to the top two components of the CMS:
The leadership needs to be committed, which must be reflected in communication and an adequate use of resources. And the focus of the CMS must be based on ongoing risk assessments ("Risk Based Approach").
In practice, CMS often fail due to non-existent or unqualified risk intelligence and risk assessments. Without regular and tailored risk assessments, a CMS cannot be effective, efficient, and proportionate.
Based on such risk assessments, risk decisions should be made. These include which risks are to be completely avoided, which reduced, and which tolerated (up to what point). Then corresponding internal controls should be developed.
In practice, it is particularly effective to develop and apply these internal controls in two different formats: controls for normal operations are tracked in "Blue Books" and differentiated from controls for critical situations in "Red Books", with criteria that outline the transition from Blue Books to Red Books (decision points with upward escalation rules). The Red Book processes need to be co-developed with the Incident Management (see below).
In the case of logistics CMS, internal controls include, for example: "Sanctions Screening Tools"; Monitoring of critical areas such as ownership of partners; KYC measures; or enhanced due diligence for defined transactions (with customers, partners, and acquisition targets).
To implement these internal controls, the CMS needs to offer well-conducted training, communication, and constant supervision (line management).
Here, immediate "quick wins" are possible, but too often overlooked, for instance due to a lack of effective awareness training and communications providing credible deterrence. The biggest vulnerability for a CMS is still in the human domain. Awareness and deterrence training is often not effective, because it consists of "digital click-throughs" or monotonous, abstract lectures. Instead, if such training offers emotionally moving cases that show operational and personal relevance, it is very effective. Such training can start with an externally purchased workshop for select company representatives, who then spread the resulting workshop products internally, and make them part of the corporate culture and internal know-how ("train the trainers").
Another crucial element of a CMS is the reporting/whistleblower system. At a minimum, this means having reporting procedures that every employee and critical stakeholder knows and can trust.
Furthermore, "incident, investigation and crisis management" should be aligned with the CMS - geared to CMS scenarios and integrated into the Red Books (see internal controls above). Serious damage often occurs because such critical scenarios have not been played through beforehand. Then, under the psychological pressure of being confronted with danger and the unknown, bad decisions (too quick, too slow, or not taken at all) can create substantial harm. Or, for example, the company only realizes in the event of an alarm that it cannot counter leaks or attacks in the digital sphere quickly enough. This happens, among other things, because providers might not be able or willing to act against negative content or fake accounts. Such cases of rude awakening are devastating, but often avoidable with a proactive CMS: to stay with our example, developed scenarios and preliminary coordination with providers can substantially shorten the crisis response time and improve its effectiveness.
The next CMS component should be a well-designed policy with regard to external compliance processes (cooperation and communication), such as the selective sharing of compliance data with partners, industry associations, lawyers, external service providers and authorities ("liaison"). Who speaks when with whom, what is communicated or requested, and how? If such policies are not well thought through and implemented, results can be very unpleasant in legal and/or commercial terms.
Next, the supervisory functions (audit) and a clear revision process (esp. the implementation of Lessons Learned) are crucial elements of a good CMS. This, among other things, should be conducted via surveys ("How often do you reject customers?"; "How do you recognize suspicious cases of export end user obfuscation?"), as well as via testing and sampling.
Finally, all the above aspects must be evaluated from a legal perspective (contract law, labor law, data protection law, etc.), and their legal compliance proactively addressed. This can be done, for example, through the implementation of contract clauses in which employees agree to tests, reporting systems, and monitoring processes, where feasible and desired, or by amending the corporate constitution with regard to key roles and their responsibilities (boards,…).
All this can sound like a very complex and/or burdensome trend to many smaller and mid-size corporations. However, adapting to a dynamic world has always been one of the strengths of Central European logisticians. In this very sense, logistics companies should be able to master the compliance hurdles and might even turn this capability into a strategic competitive advantage.
First published by Schindler Attorneys.
Original Article:
schindlerattorneys.com/assets/pdf/Logistikbranche_clean13Mai22_final.pdf