
3 areas of focus when preparing third-party risk management frameworks for CS3D compliance



As set out by the European Commission, the Directive on corporate sustainability due diligence entered into force on July 25, 2024. “The aim of this Directive is to foster sustainable and responsible corporate behavior in companies’ operations and across their global value chains. The new rules will ensure that companies in scope identify and address adverse human rights and environmental impacts of their actions inside and outside Europe.”

The Corporate Sustainability Due Diligence Directive, known as CS3D, distinguishes itself from other banking regulations in that it requires financial institutions (FIs) to assess actual and potential human rights and environmental impacts through due diligence processes across their global value chains.

The directive emphasizes proactive risk management, accountability, and remediation for adverse impacts. Its implementation requires continuous effort from obliged entities inside and outside the European Union (EU) to identify and control new risk factors associated with anti-bribery and anti-corruption (ABAC), environmental crimes, and human trafficking/modern slavery.




3 considerations for third-party risk management (TPRM) related to CS3D compliance

1. Scope and obligations

CS3D contrasts with many existing banking regulations, which have typically focused on financial metrics and compliance without expansive social and environmental considerations. For obliged companies, this Directive provides a harmonized legal framework within the EU, aimed at increasing customer trust, better risk management, and enhanced competitiveness.

CS3D applies to EU companies and to non-EU companies that have significant operations within the EU. The Directive specifically targets those with more than 1,000 employees or a net annual turnover that exceeds €450 million.

Financial institutions are required to engage with stakeholders; establish and maintain a notification mechanism and complaints procedure; monitor the effectiveness of their measures; and communicate publicly on their due diligence activities.

The Directive mandates that companies develop and execute a climate change mitigation transition plan. This plan needs to align the company’s business model and strategy with the shift to a more sustainable economy. Banks will, for example, need a deeper understanding of how the proceeds from loans are used and how they contribute to sustainability goals, while preventing money laundering related to the proceeds of environmental crimes.

CS3D brings a renewed focus to third-party risk management (TPRM) and supplier risk management frameworks. Due diligence requirements now include additional risk factors, as the CS3D mandates that companies identify, prevent, and mitigate negative impacts related to human rights and environmental standards not only in their own operations, but also throughout their entire value chain. This includes understanding relationships with suppliers; verification of business partners; and controlling bribery and corruption risks.

Interestingly, the Directive makes particular mention of corruption: "Adverse human rights and environmental impacts can be intertwined with or underpinned by factors such as corruption and bribery. It may therefore be necessary for companies to take into account those factors when carrying out human rights and environmental due diligence, in a manner that is consistent with the UN Convention against Corruption."


2. Focus on value chains

The Directive places a strong focus on managing and conducting due diligence; some of the salient points are discussed below:

  • Value chain analysis: CS3D requires that FIs conduct due diligence on their direct activities and upstream relationships. For instance, if a bank finances a company involved in environmental violations, it has an obligation to mitigate this exposure and address the risk identified. This broader perspective aims to drive financial institutions to identify links between sustainability risks associated with lending practices and the possible re-injection of proceeds from environmental or human rights crimes into the financial system.
  • Partial exclusion: While banks are required to assess and manage their own “upstream” activities, including internal operations and direct business relationships (and their associated risks), there is a partial exclusion for “downstream” activities. This means FIs will not necessarily be held accountable for the activities of third parties they finance or invest in. However, the review clause included in the Directive could lead to the inclusion of downstream activities in future iterations, depending on an impact assessment conducted by the European Commission.
  • Limited downstream obligations: CS3D emphasizes due diligence in upstream activities and excludes downstream activities related to clients receiving financial services. This means banks are primarily responsible for their own operations and those of their immediate business partners rather than for the broader impacts of their clients' actions.

3. Integration with existing regulation

CS3D complements existing frameworks like the EU Corporate Sustainability Reporting Directive (CSRD), creating a cohesive regulatory environment focused on sustainability. This integration aims to provide more legal certainty and a “level playing field” across member states. It helps address potential disparities in national regulations that could create confusion for banks and financial institutions that operate internationally.

For obliged companies, the Directive provides a harmonized legal framework within the EU that the Commission hopes will lead to increased customer trust, better risk management, and enhanced competitiveness, while addressing human rights and environmental priorities.




Implications and challenges for Financial Institutions under the CS3D

The CS3D is important for financial institutions as it sets out clear expectations and requirements for sustainable business practices, which can help these institutions manage their environmental and social risks, meet regulatory obligations, and contribute to the transition to a more sustainable economy.

It represents an evolution in regulatory expectations for obliged entities by embedding sustainability into the financial sector's operational framework, shifting the focus from purely financial compliance to a more holistic approach to risk management that encompasses social responsibility and environmental stewardship throughout the value chain.

The rules are also clearly aimed at protecting the public and supporting developing countries by promoting sustainable investment, a focus on human rights and the environment, and integrity in global value chains.

FIs will need to be vigilant in their TPRM and supplier risk management processes in relation to existing regulations regarding sustainability and human rights, as well as new requirements arising from the transposition of CS3D into national laws by 2026.




How Moody’s can help with third-party risk management

With the increased focus on supplier risk management and the third-party ecosystem, Moody’s has long been trusted by financial institutions to support their processes designed to assess and mitigate risks and comply with regulation.

  1. Scale and complexity: FIs often work with a large number of suppliers and third-party vendors. Moody’s can enable more effective due diligence and monitoring of entity-related risk, including entities deep within a value chain.
  2. Data management and visibility: Data is often held in silos, making it difficult to gather insights about third parties. Moody’s can offer more holistic, shared risk intelligence that enables FIs to make better risk-based decisions about whom they work with.
  3. Evolving threat landscape: The rapid pace of regulatory change, digital transformation, and emerging technologies can introduce new risks. Moody’s can work with FIs to manage changes in relation to new threats, regulations, and compliance requirements through flexible, configurable solutions.



Get in touch

We can help automate third-party risk management programs and anti-financial crime compliance processes across a supply chain in any jurisdiction. We help customers digitally transform their onboarding, enhanced due diligence, and ongoing risk monitoring processes in alignment with their policies and global regulation.

Banks can access our leading sources of data to perform in-depth risk assessments on individuals and entities in their third-party networks, so they can make decisions with greater confidence about whom they work with.

Moody’s also offers intelligent screening solutions that identify sentiment in up-to-date news, including negative news associated with key risks and predicate offenses such as forced labor and human trafficking, in near real time.

For more information, please get in touch with the team at Moody’s – we would love to hear from you.