Compliance Issues in ESG Matters

This is an Insight article, written by a selected partner as part of GIR's co-published content.


The growth in environmental, social and governance (ESG) issues in recent years has refocused the minds of investors and boards across the world. As the legal and regulatory landscape around ESG continues to evolve and mature, the compliance issues facing organisations in this area are also developing at pace.

The concept of ESG is capable of extending across a wide mixture of matters, but the term is generally used to refer to the following:

  • Environmental: This refers to the environmental impact of an organisation and reflects the recognition that companies are responsible for their contribution to the reality of climate change and other environmental harms. This is widely accepted to extend beyond a narrow focus on managing emissions and includes biodiversity concerns, waste management and the use of raw materials. The legislation in this area – in particular the compliance demands facing organisations – is developing rapidly and the pace of change is likely to increase further.
  • Social: This concerns the impact of an organisation on society more widely and relates to the approach taken by companies to manage that impact. As considered further below, it is this pillar of ESG that presents the greatest scope for organisations to customise their approach and prioritise the issues that are most relevant to their business or particular circumstances. For example, although there is a growing body of legislation that requires organisations to safeguard human rights or otherwise prohibit modern slavery, together with the supervision of bodies such as the Equality and Human Rights Commission in the United Kingdom, the approach to issues such as social mobility, diversity or animal welfare remains largely voluntary.
  • Governance: This relates to the general approach of an organisation to corporate governance and considers whether an organisation is able to properly impose the necessary systems and controls for the purposes of discharging its obligations or otherwise meeting its objectives. The failure to realise and maintain proper corporate governance is typically behind most corporate failings that give rise to reputational harm or enforcement risk.

It follows that, in the sense that good corporate governance is an essential pillar of any ESG strategy, ESG issues cut across all aspects of compliance, and, in fact, a large number of the underpinning principles set out in other chapters of this book apply equally in the context of ESG; however, there are a number of concepts that relate to compliance in the context of ESG specifically and that require particular consideration.

In this chapter, we focus on the relevant standards that ought to be applied for the purpose of ESG compliance; the specific risks that attach in an ESG context, including the prospect of enforcement in relation to ESG-related harms; the particular compliance steps available to mitigate those risks; and the specific challenges posed by investigations into ESG issues.

Relevant standards

The most conceptually challenging aspect of compliance in the context of ESG is typically the process of establishing the relevant principles and standards that apply to a particular organisation. The legislative landscape is evolving rapidly in the United Kingdom, the European Union and elsewhere, but it remains an incomplete picture, which means that voluntary standards and principles are frequently just as important for the purposes of determining the appropriate framework to be imposed.

Below is a summary of the most relevant legal and regulatory standards that apply in respect of ESG issues, with an overview of the voluntary standards and principles most frequently adopted by organisations seeking to establish a compliance function that is responsive to ESG considerations.

Legal and regulatory

The legal and regulatory landscape relating to ESG issues is diverse and encompasses issues ranging from environmental standards frameworks to legislation relating to equality, harassment and discrimination.

We have chosen to focus on two discrete areas that impose relevant standards and that frequently give rise to compliance issues: supply chains and specific reporting requirements.

Supply chains

In terms of failures of corporate governance, the clearest legal risks in the United Kingdom are imposed by the Bribery Act 2010 (the BA 2010) and the Criminal Finances Act 2017 (the CFA 2017), which create criminal liability for those organisations that fail to prevent (1) persons acting for or on their behalf from committing the offence of bribery or (2) the facilitation of tax evasion. Further, at the time of writing, the government is due to pass the Economic Crime and Corporate Transparency Bill, which would extend a similar model of liability to fraud offences.

As set out in the chapter covering UK compliance enforcement,[2] the legislation imposes criminal liability on an extraterritorial basis, which means that the risks are especially pronounced for those organisations with overseas supply chains that may extend into jurisdictions with a weak rule of law, for example. Likewise, in the United States, the Foreign Corrupt Practices Act 1977 (FCPA) contains specific anti-bribery provisions relating to the bribing of foreign officials and outlaws the failure to maintain accurate books and records. Like the BA 2010, the FCPA is wide-reaching – any company that uses the US financial system in any way in furtherance of a bribe, even if the infraction takes place entirely outside the United States, falls within its jurisdiction.

Although principally a governance issue, the failure to ensure compliance with the necessary anti-corruption standards imposed by the BA 2010 or the FCPA also necessarily has a social impact and – subject to the specific context – may also have an environmental impact. For example, the top 10 countries with the highest rates of deforestation[3] all currently fall below the global average for corruption risk, according to Transparency International’s Corruption Perception Index, thereby giving rise to the real possibility that corruption may facilitate environmental harms in a supply chain.[4]

Alongside the criminal liability outlined above, there is also an increasing body of new legislation that imposes reporting and due diligence obligations on organisations in respect of their supply chain operations. For example, in the United Kingdom, the government is planning to introduce secondary legislation, pursuant to the Environment Act 2021, that will impose an obligation on businesses that use ‘forest risk commodities’ in their supply chains to conduct due diligence to assess whether the commodities have been produced on land that is subject to unlawful deforestation. As at the time of writing, the full list of ‘forest risk commodities’ is yet to be confirmed, but it is likely to include beef, leather, cocoa, maize, coffee, palm oil, rubber and soy.[5]

The introduction of legislation under the Environment Act 2021 would build on the UK Modern Slavery Act 2015 (MSA 2015), which introduced a requirement on larger UK businesses to publish a statement as to whether there was slavery or human trafficking in the organisation or its supply chain.[6] As it stands, the MSA 2015 does not mandate specific due diligence, although the government has committed to reforming this in the short term to make the requirements more demanding.[7]

More broadly, it seems clear that the legislative trend is towards the imposition of further mandatory due diligence requirements on companies. For example, the European Commission has adopted a proposal for a Corporate Sustainability Due Diligence Directive that would require companies to undertake due diligence measures in respect of their operations and supply chains to safeguard human rights and mitigate the risk of environmental harms arising.[8] This reform would follow similar legislation that already exists in a number of EU Member States, including France, which has had a Duty of Vigilance Act since 2017, and Germany, which introduced a Supply Chain Act on 1 January 2023.

Reporting obligations

In addition to the above issues that attach specifically to supply chains, there has been a movement in recent years towards the introduction of a range of specific regulatory reporting requirements in a number of specialist sectors. The impact of these obligations is plainly most acute for those subject to regulation; however, in the absence of a developed legislative framework for ESG concerns, the requirements imposed may nevertheless be relevant to other entities seeking to identify and demonstrate the adoption of appropriate standards (see the section titled ‘Voluntary’, below).

For example, in the financial sector, the European Union introduced the Sustainable Finance Disclosure Regulation, which requires specific disclosures on the environmental impact and sustainability of products and activities.[9] In contrast, the United Kingdom has endorsed the Financial Stability Board’s Task Force on Climate-related Financial Disclosures (TCFD), which proposes a number of specific climate-related disclosures for use by companies, banks and investors, and has committed to the introduction of TCFD disclosures for relevant organisations by no later than 2025.[10]

In general, ESG is becoming an increasingly important focus of regulators across the United Kingdom. The Financial Conduct Authority (FCA) and the Competition and Markets Authority (CMA) have each taken steps to demonstrate that ESG principles, and the protection of those principles, fall squarely within their respective regulatory remits. By way of example:

  • the FCA has adopted its own ESG strategy, which sets out its target outcomes and the actions it expects to take to deliver them. ESG issues are high on the regulatory agenda with a view to better protecting consumers and other stakeholders from ‘green’ claims made by companies and financial firms, and to support the transition to a more sustainable future. These objectives were reiterated in the FCA’s Business Plan for 2023–2024;[11] and
  • the CMA has published a Green Claims Code, which sets out six principles that businesses must follow in the context of communicating their green credentials. The Code, which is principally derived from the Consumer Protection from Unfair Trading Regulations 2008, forms part of a wider stated strategy by the CMA, from 2022 onwards, to pursue businesses engaged in misleading green claims.[12]

In relation to climate change and green finance specifically, the FCA introduced TCFD-aligned disclosure rules for certain listed issuers and TCFD-aligned disclosure requirements for asset managers and asset owners, life insurers and FCA-regulated pension providers. Following a consultation in October 2022,[13] and as at the time of writing, the FCA will imminently be finalising and publishing rules on sustainability disclosure requirements and investment labels. It is expected that the new rules will include entity and product level disclosures by asset managers and other institutional investors, as well as a new ‘anti-greenwashing’ rule that would apply to all FCA-authorised firms – reiterating that sustainability-related claims must be clear, fair and not misleading.

In this regard, in February 2023, the Treasury Sub-Committee on Financial Services Regulations opened an inquiry into greenwashing and sustainability disclosure requirements, which is intended to scrutinise the proposed draft regulations. His Majesty’s Treasury is also looking at expanding the regulatory perimeter to include ESG ratings providers owing to their increasing importance in this space.[14]

More broadly, all larger companies in the United Kingdom are now required to disclose annually details of their energy consumption and emissions and, separately, to issue an annual statement setting out the basis on which their directors have had regard to wider stakeholder needs, including the impact of the company’s operations on the community and the environment.[15] Similarly, the US Securities and Exchange Commission (SEC) is understood to be finalising the introduction of mandatory disclosures relating to the environmental impact of regulated entities, following a consultation in 2022.[16]


Voluntary

In the absence of a developed legislative framework for ESG concerns, standards and principles are frequently voluntarily adopted by organisations seeking to establish an ESG compliance framework. For example, the latest version of the Bank of England’s Money Markets Code, which effectively applies to anyone involved in the UK financial markets, actively encourages participants to ‘consider basing any [ESG] policy in line with existing credible ESG frameworks’.[17]

The most important example is probably the UN Guiding Principles on Business and Human Rights (UNGPs), which set out a series of guidelines for the prevention of human rights abuses in the context of business, together with the appropriate remediation steps.[18] Further to the UNGPs, the Organisation for Economic Co-operation and Development (OECD) has published a set of Guidelines for Multinational Enterprises (the OECD Guidelines),[19] which align closely with the UNGPs and have been ratified by the United Kingdom, the United States and the majority of EU Member States, among others. The OECD has also published Due Diligence Guidance for Responsible Business Conduct,[20] which sets out various due diligence standards that businesses can use to mitigate harms.

In addition to global standards, the United Kingdom has introduced a Stewardship Code,[21] which applies on a voluntary basis to asset owners and managers (e.g., investment managers) and requires signatory companies to disclose various ESG-related issues, including the basis on which material ESG issues have been integrated by reference to the importance of the respective issues.[22]

Finally, although these examples of voluntary frameworks can be instructive, the critical difference between compliance in an ESG context and other areas is that it is largely open to organisations to develop their own bespoke standards to reflect their particular markets, needs, commitment and scale. As a matter of practice, the standards adopted should be promulgated both within the organisation and, where appropriate, externally, so that their adoption is an effective exercise in communicating those standards.

Risks and enforcement

There is a host of wrongdoing that may give rise to an ESG-related compliance failing, with the risks often materialising by virtue of a failure to comply with applicable reporting obligations or in the course of a company’s supply chain. For example, setting aside possible criminal offences, there are various other harms that may be committed for or on behalf of an organisation, including environmental harms such as pollution, or other environmental damage; human rights abuses; or other workers’ rights abuses, for example sexual harassment or discrimination.

As with other compliance concerns, the triggers for any ultimate investigation may come from a number of sources, although the nature of ESG concerns – which are typically outward-facing and relate to a company’s interaction with the world – means that investigations in this context more frequently originate externally to a company. In particular, the involvement of supply chains and other third parties in many ESG-related issues means that external whistleblowers are often a particular trigger, whereas other issues may move up a board agenda owing to media interest, or even political or shareholder pressure.

In the United Kingdom, the risk of criminal enforcement for wrongdoing in supply chains was considered in a High Court judgment in early 2023.[23] The case was a judicial review by the World Uyghur Congress (WUC), a non-governmental organisation, against the Home Secretary for failing to launch criminal investigations for money laundering arising from the imports of cotton from Xinjiang.

The WUC made a number of submissions, but the one with the most significant implications for supply chain risk more broadly was that the widespread forced labour and mistreatment of the Uyghur people in the production of cotton in Xinjiang meant that any Xinjiang cotton shipment would represent criminal property, such that the acquisition, use and possession of those goods would represent a money laundering offence under Part 7 of the Proceeds of Crime Act 2002 (the POCA 2002).

Although the High Court found that there was insufficient evidence to support an investigation on these particular facts, the judgment nevertheless established the viability in principle of using POCA 2002 for the purposes of enforcement in the context of international supply chains. An analysis of the precise reach of the POCA 2002 is beyond the scope of this chapter, but the judgment made clear that the National Crime Agency, in principle, accepts, as a matter of enforcement, that specific instances of modern slavery or other criminal conduct in supply chains may trigger criminal liability for those further up the supply chain, under Part 7 of the POCA 2002.

In practice, the reputational damage that an ESG issue can present to an organisation is often the principal risk posed by wrongdoing of the kind outlined above – something that inevitably informs any strategy going forward, as set out further below under ‘Investigation and remediation’. It is possible for organisations active in jurisdictions subject to OECD guidelines to be subject to a mediation process following a complaint, although, in the absence of the OECD having any power to impose fines, the enforcement risk remains principally reputational.

Further, in the United Kingdom, the Equality and Human Rights Commission (EHRC), a non-departmental government body, has the power to investigate organisations that are in alleged breach of equality legislation in the United Kingdom. In recent years, the EHRC, which has the power to pursue civil remedies against non-compliant organisations, has conducted investigations into alleged anti-Semitism, discriminatory pay claims and racial inequality within workplaces.

In addition to the examples of harm outlined above, there is also an increasing focus from some regulators on the particular issue of ‘greenwashing’, which carries with it a more direct enforcement risk.

By way of example, in the United Kingdom, alongside the introduction of the disclosure regimes set out above under ‘Legal and regulatory’, the most notable intervention to date is a July 2021 letter sent by the FCA to the chairs of authorised fund managers, stressing the importance of firms avoiding misleading claims in an ESG context.[24] In addition, the FCA has specifically said that it is taking steps to embed ESG considerations in all policy work as well as market oversight, supervision, authorisation and enforcement activities. This will include, for example, incorporating ESG-related questions and criteria in supervisory assessments and engagements, and building ESG-related elements into enforcement models.

In contrast, in the United States, the SEC has launched a Climate and ESG Task Force and identified ESG investing as an area of significant focus for 2023, with a focus on ‘whether the funds are operating in the manner set forth in their disclosures . . . and whether recommendations of such products for retail investors are made in investors’ best interest’.[25]


The compliance measures that have been outlined elsewhere in this book[26] will apply equally, in general, in the context of ESG-related issues. For example, the factors identified in UK government guidance relating to the BA 2010 and the CFA 2017 all have application in respect of undertaking a risk assessment, conducting due diligence on third parties, training relevant persons where appropriate, and monitoring and reviewing the adequacy of the relevant procedures.

However, there are two measures that have particular application in the context of ESG issues. The first concerns the culture of an organisation and the communication of that culture throughout an organisation. As defined by the FCA, culture is ‘the habitual behaviours and mindsets that characterise an organisation’, which reflects the notion that the culture of an organisation relies on ideas, something which is especially important when dealing with voluntary standards or frameworks, as is often the case in respect of ESG.

As set out above, the involvement of supply chains or other third-party relationships often presents the greatest risk in the context of ESG issues, with wrongdoing being committed by third parties beyond the direct control of an organisation, giving rise to serious reputational or legal repercussions. In light of this particular risk area, another increasingly important mitigation measure in this context is ensuring that any contract with a third party expressly reflects the various ESG standards that a company may wish to promote and uphold. This is important because – by contrast to clear legal standards such as the BA 2010 and the CFA 2017 – many aspects of an ESG framework may be voluntary or reflect bespoke priorities, aspirations or standards for that organisation, none of which may be appreciated by any contracting third party.

The measures to be included in the contract must be fact specific, but may extend to requiring the third party to comply with a particular anti-modern slavery or anti-environmental harm policy, or to provide training to its employees on the same. As with financial crime compliance generally, it may also be appropriate to require the third party to retain relevant records or to grant auditing rights, which will provide some protection in the event that an issue arises and it becomes necessary to investigate further.

Investigation and remediation

The incorporation of ESG issues into compliance frameworks has inevitably led to an increasing number of ESG investigations. Although the fundamental investigations process will typically remain the same as a standard internal investigation, there are inevitably specific challenges posed by the ESG context.

The first issue to be addressed will normally be to determine the appropriate standards against which the wrongdoing or issue is to be assessed. It may be that the relevant standard has already been incorporated into an ESG framework by the organisation; however, if not, it will likely be necessary to refer to the sources set out in ‘Relevant standards’, above, in order to consider the appropriate values and principles.

Further, particularly in the absence of prospective enforcement action, careful consideration must be given to the application of legal professional privilege and whether it will be possible to preserve privilege over aspects of the investigation. This may be especially complicated in circumstances where the subject of the investigation presents a reputational risk to the organisation or external stakeholders are otherwise involved. For example, the UNGPs identify transparency and ‘keeping parties to a grievance informed about its progress’[27] as a specific criterion for the effective resolution of complaints pursuant to their framework.

The same issues in respect of external stakeholders are likely to attach in the context of remedial action, in which organisations may want to repair or mitigate reputational damage by communicating outcomes and improved processes. Again, the UNGPs stress that any outcome and remedial action should ‘identify lessons for . . . preventing future grievances and harms’.[28] In practice, particularly in circumstances in which the principal driver for any investigation is to manage sensitive reputational harm to an organisation, there may be a request to publish any report, which will engage further issues around privilege and the rights of those who may be named.


[1] Matthew Ewens and Charlotte Wilson are partners and Christopher Gribbin is a managing associate at Mishcon de Reya LLP.

[2] See Chapter 2 on ‘UK Compliance Enforcement’.

[3] Food and Agriculture Organization of the United Nations, ‘Global Forest Resources Assessment 2020: Main report’, ‘Table 7: Top ten countries for average annual net loss of forest area, 2010–2020’, p. 18 (accessed 11 August 2023).

[4] Transparency International, ‘Corruption Perceptions Index’ (accessed 11 August 2023). The Index is a tool that ranks countries based on the perceived level of corruption within their public sectors.

[5] Department for Environment, Food and Rural Affairs, ‘Consultation on implementing due diligence on forest risk commodities: Summary of responses and government response’, June 2022.

[6] The obligation is limited to businesses that supply goods or services with a turnover of £36 million or more. Despite this, some organisations have chosen to comply with the spirit of the legislation, even if they are not caught by it, to give a positive outlook to their consumers, supply chain or the public.

[7] Home Office and Victoria Atkins, ‘New tough measures to tackle modern slavery in supply chains’, 22 September 2020 (accessed 11 August 2023).

[8] COM (2022) 71: Proposal for a Directive of the European Parliament and of the Council on Corporate Sustainability Due Diligence and amending Directive (EU) 2019/1937.

[9] Regulation (EU) 2019/2088 of the European Parliament and of the Council of 27 November 2019 on sustainability-related disclosures in the financial services sector, applicable from 10 March 2021.

[10] His Majesty’s Treasury (HM Treasury), Interim Report, ‘Interim Report of the UK’s Joint Government-Regulator TCFD Taskforce’, November 2020.

[11] Financial Conduct Authority (FCA), Business Plan 2023/24.

[12] Competition and Markets Authority, Green Claims Code.

[13] FCA, CP22/20: Sustainability Disclosure Requirements (SDR) and investment labels.

[14] HM Treasury, Consultation, ‘Future regulatory regime for Environmental, Social, and Governance (ESG) ratings providers’, March 2023.

[15] Companies (Strategic Report) (Climate-related Financial Disclosure) Regulations 2021; Limited Liability Partnerships (Climate-related Financial Disclosure) Regulations 2022.

[16] US Securities and Exchange Commission (SEC), ‘SEC Proposes Rules to Enhance and Standardize Climate-Related Disclosures for Investors’, 21 March 2022 (accessed 11 August 2023).

[17] Bank of England Money Markets Committee, The UK Money Markets Code, April 2021, p. 10.

[18] United Nations, Office of the High Commissioner for Human Rights, ‘Guiding Principles on Business and Human Rights: Implementing the United Nations “Protect, Respect and Remedy” Framework’ (UNGPs).

[19] Organisation for Economic Co-operation and Development (OECD), ‘Guidelines for Multinational Enterprises’, last updated 2011.

[20] OECD, ‘OECD Due Diligence Guidance for Responsible Business Conduct’, 2018.

[21] Financial Reporting Council, The UK Stewardship Code 2020.

[22] ibid., Principle 7: Signatories systematically integrate stewardship and investment, including material environmental, social and governance issues, and climate change, to fulfil their responsibilities.

[23] R (on the application of) World Uyghur Congress v SSHD, HMRC and the NCA [2023] EWHC 88 (Admin).

[24] FCA, letter from the FCA to AFM chairs, ‘Authorised ESG & Sustainable Investment Funds: improving quality and clarity’, 19 July 2021 (accessed 11 August 2023).

[25] SEC, Division of Examinations, ‘2023 Examination Priorities’.

[26] See, e.g., Chapter 1 on ‘UK Compliance Requirements’.

[27] UNGPs, p. 33.

[28] ibid., p. 34.
