Many manufacturing supply agreements now contain a deceptively simple clause in the concluding boilerplate:

Supplier shall comply with Buyer’s Supplier Code of Conduct located at [buyer’s IP address].com.

With a sigh, careful readers may look it up, wondering what onerous requirements may be lurking within. Does Buyer demand disclosure of my trade-secret raw materials? Others will shrug it off—the Code only codifies good business practices, and no one is enforcing the audit rights. Still others may wonder whether they, too, should adopt a Code—have I overlooked a new legal mandate? If so, what is really required? Does it need to be twelve pages?

Companies have recognized the advisability of maintaining a Code of Conduct for internal purposes. The widespread usage of such a Code was partly driven by a Delaware judicial decision that recognized an oversight duty on the part of directors (In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996)). An explicit Code of Conduct proved useful when defending shareholder lawsuits or criminal charges based on the alleged wrongdoings of employees. Since suppliers of product and outsourced services play an important role in the organizational framework, legal responsibility has crept beyond the corporate walls. Thus, many companies (as used herein, “buyer”) have also created a Supplier Code of Conduct (“Supplier Code”).

What Law Drives the Creation of a Supplier Code?

Internationally, the labor and human trafficking standards have been advocated by organizations associated with the United Nations. See, e.g., http://www.unglobalcompact.org/, the UN Universal Declaration of Human Rights, http://www.un.org/en/documents/udhr/index.shtml/, and the standards of the International Labor Organization, http://www.ilo.org/global/standards/information-resources-and-publications/publications/WCMS_318141/lang--en/index.htm. For broader guidelines applicable to multinational corporations, see http://www.oecd.org/corporate/mne/. For environmental standards, see http://www.unep.org/.

Two international sets of standards address social and environmental matters. ISO 14000 (http://www.iso.org/iso/iso14000) essentials is a series of international voluntary standards and guidelines for environmental management systems, eco labeling, environmental auditing and performance evaluation, and related matters. SA 8000 (http://www.saintl.org/index.cfm?fuseaction=Page.ViewPage&PageID=937) addresses child labor, forced labor, workplace safety and health, and related matters.

For United States businesses, perhaps the biggest impetus for Supplier Codes has come from the State of California. Like the international standards, the focus has been on labor and environmental issues. The California Transparency in Supply Chains Act of 2010 (“California Human Trafficking Act”) requires retail sellers and manufacturers doing business in California (e.g., filing California tax returns) to disclose their efforts to eradicate slavery and human trafficking from their direct supply chains. It requires any retailer or manufacturer having $100,000,000 or more in annual worldwide gross receipts to disclose on its website whether it maintains policies, whether it verifies compliance and, if so, whether the verification was an independent, unannounced audit.

In California, A.B. 708 has been winding its way through the legislative process, replacing previously proposed regulations that were dubbed a “green chemistry” initiative by the California Department of Toxic Substances Control. The new law, if enacted, will require a manufacturer that manufactures, assembles, produces, packages, repackages, or relabels a cleaning product that is sold or used in California to disclose each ingredient on the manufacturer’s website, and to provide the website address on the product label, along with a prescribed statement. See http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160AB708. The regulations failed under the green chemistry initiative in part because objections were raised about forced disclosure of trade secret information.

At the federal level, for many years suppliers have been required to supply Safety Data Sheets (formerly known as Material Safety Data Sheets or MSDS) (see, e.g., https://www.osha.gov/Publications/HazComm_QuickCard_SafetyData.html).

At the United States federal level, the proposed Business Supply Chain Transparency on Trafficking and Slavery Act of 2015 (H.R. 3226; S. 1968) directs the Securities and Exchange Commission (“SEC”) to promulgate regulations within one year of enactment. The regulations are mandated to require disclosure in the annual report of whether the issuer has taken any measures during the year to identify and address conditions of forced labor, slavery, human trafficking, and the worst forms of child labor within the company’s supply chains. It will apply to issuers of registered securities with annual worldwide global receipts in excess of $100,000,000. The regulations are also directed to mandate disclosure on the issuer’s website under the label “Global Supply Chain Transparency.” In the House, this legislation was referred to the Financial Services Committee and, in the Senate, to the Banking, Housing, and Urban Affairs Committee. Although not at the top of the legislative agenda, the legislation has picked up additional sponsors since first being introduced in the 2013-2014 session. The new mandated disclosure is similar to the SEC’s controversial rules regarding “conflict minerals” disclosure (Section 1502(e)(4) of the Dodd-Frank Wall Street Reform Act), which require supply chain mapping. See, e.g., https://www.sec.gov/News/Article/Detail/Article/1365171562058.

Bribery and improper payments through the supply chain have been addressed in the United States through the Foreign Corrupt Practices Act (see, e.g., http://www.justice.gov/criminal/fraud/fcpa/), in the United Kingdom through the Bribery Act (see, e.g., http://www.fco.gov.uk/en/global-issues/conflictminerals/legally-binding-process/uk-bribery-act), and generally through the OECD Convention on Combating Bribery of Foreign Officials in International Business Transactions (http://www.oecd.org/corruption/oecdantibriberyconvention.htm). Since September 2001, the United States Department of Treasury has been vigilant against transactions by blocked persons (see http://treas.gov/offices/enforcement/ofac/sdn/). Of course, long-standing principles of antitrust compliance and other legal compliance unique to certain industries are also subjects of supplier codes. Federal contractors under the Federal Acquisition Regulations potentially face additional requirements, such as equal opportunity and Buy American compliance, which relies on certifications from suppliers. For trade, “point of origin” must be proved based in part on information from suppliers, in order to satisfy requirements of the North American Free Trade Agreement.

The American Bar Association issued the ABA Model Business and Supplier Policies on Labor Trafficking and Child Labor (70 BUSINESS LAWYER 1083 (Fall 2015)) (the “ABA Policy”). Its key points are to require: (a) suppliers to adopt a policy prohibiting the use of labor trafficking and child labor in its operations; (b) ongoing risk assessment, consisting of due diligence and verification of a company’s own operations and those of its suppliers; (c) certification that the product or service provided complies with the labor trafficking and child labor laws of the country in which the seller and buyer have operations relating to the products and services being sold by the supplier; (d) notification to the seller of any noncompliance; (e) termination of the supply contract for failure to comply; and (f) indemnification for any violation of such laws.

Sustainability, or green, procedures are also receiving more attention, especially by large enterprises.

Codifying all of this in a simple manner can be daunting. The Electronic Industry Citizen Coalition® has published a model Code of Conduct. It includes standards for working conditions in the electronic industry supply chain, aimed at safety, treating workers with respect and dignity, and promoting business operations that are ethically and environmentally responsible (http://www.eiccoalition.org/standards/code-of-conduct/).

The Conference Board has also published model supply chain labor standards (https://www.conference-board.org/topics/publicationdetail.cfm?publicationid=2219).

These are not all the laws having a bearing on Supplier Codes. Suffice it to say that there is a large body of law to support being sure that a buyer is dealing with a reputable supplier.

What subjects should a Supplier Code cover?

The above survey covers considerable ground. Must all these topics be included in a Supplier Code? No, although large, publicly held companies try to cover all or most of the laws applicable to their businesses, and many times more. Such Supplier Codes are frequently readily available from the corporate websites.

At minimum, a Supplier Code should include a statement about ethical dealing, as well as a policy against the use of labor trafficking and child labor in the business operations. Health and safety is also commonly addressed. A good sample is the Electronic Industry Citizen Coalition® Code of Conduct, cited above.

Must the Supplier Code require an audit?

Most Supplier Codes issued by publicly held corporations state that the buyer has the right to enter the supplier’s premises for the purposes of auditing to determine if the supplier is in compliance with the Code. That sounds pretty intrusive. Is it necessary?

One could argue that establishing a policy without any means of enforcement is a meaningless gesture. From the above legal survey, it is clear that verification is a component of the California Human Trafficking Act, the ABA Policy, and the proposed federal disclosure legislation.

Including a requirement for a supplier to self-report its compliance is reasonable and unlikely to produce a serious objection from the supplier. But is it sufficient? Must a Supplier Code contain an audit requirement? At present, there is no binding authority to require an audit. Even under the California Human Trafficking Act, an audit is not required—the disclosure is whether one was done, as if to shame the entity into conducting an audit. Several pending class action suits are challenging disclosures given in the absence of an effective audit.

Given little guidance, I note one example involving the Buy American Act. The Federal Trade Commission (“FTC”) entered into a final consent order with USA Brand, LLC resolving allegations that it deceived consumers. USA Brand, LLC had awarded “Made in USA” certification seals that marketers could then use. The FTC found it deceptive that USA Brand, LLC did not independently verify each applicant’s claim itself, nor did it disclose that the companies had self-certified.

What are audit issues?

If a buyer requires an audit, some typical issues are:

  • Who pays? If the buyer voluntarily sends in a team and uncovers no noncompliance, there is arguably no basis for charging the supplier for the cost of the audit. In audits that are limited to verification of the accuracy of invoicing and charges, the primary agreement might shift the cost to the supplier if errors above a certain threshold are discovered. Supplier Codes do not routinely address the cost, and it would be difficult to establish an economic threshold—most Supplier Code provisions are more akin to policy statements.
  • What is the remedy? If noncompliance is found, the supplier ought to be given a right to cure. Although human trafficking is a severe offense, many Supplier Codes cover many subject matters in general terms, and a violation might not necessarily be material or undisputable. If a material breach remains uncured after reasonable notice, the remedy would logically be termination of the supply agreement. This author has heard of no reports of a buyer having terminated purely on the basis of a violation of the Supplier Code.
  • What is the scope? In my experience, this is the most unsettling issue. To verify compliance with not only human trafficking, but also labor laws, such as wage and hour, and other wide-ranging subject matters that are in some Supplier Codes, a similarly wide-ranging variety of confidential information might arguably be requested. Some files might contain personally identifiable information of employees. Other subjects might arguably require disclosure of proprietary trade secret information. Although a confidentiality agreement should be required of auditors, such agreement might be insufficient protection if the buyer and seller are competitors. The Supplier Code may permit the audit to be conducted by an independent third party under a confidentiality agreement, but that greatly increases the costs. This author has not heard of audits being conducted based solely on the Supplier Code. Audits for other purposes, such as to verify billing accuracy, are not uncommon. What differs here is the potential breadth of the audit.

Nevertheless, as pressure mounts for increased supply chain transparency, as described in the initial section of this Article, these matters will need to be managed. Moreover, suppliers with a large number of customers might face a large number of such audits.

  • How can the process be managed? Having an advance reaction plan is helpful. Many Supplier Codes require the buyer to deliver reasonable notice of the audit (ignoring the California Human Trafficking Act). The notice recipient should immediately advise the plant manager and designated legal counsel, whether in-house or otherwise designated in advance. One plant employee should be designated as the “point person.” Before arriving for the audit, the buyer should be requested to provide a plan of audit or request list to the point person. The point person may be able to steer the audit to readily available, nonproprietary information. For example, some Supplier Codes require the supplier to provide workers with workplace health and safety information and warnings. The point person might be able to identify information in a non-confidential employee handbook or a notice on a non-confidential portion of an intranet site that would satisfy this requirement of the Supplier Code. If the supplier has received a recent certification from a governmental or other third party on a given topic, that certification could be offered in lieu of an audit—this procedure has been adopted by many cloud IT providers in lieu of individual security audits by large customers.

Conclusion

Although the Supplier Code is arguably merely an extension of the ubiquitous supply-agreement representation that each party will perform in compliance with all applicable law, the issues raised above make its application uncertain. At one time, a supplier could refuse to include a Supplier Code as part of the supply agreement or purchase order terms. The prevalence of Supplier Codes, at least among large buyers, is making that position less likely to succeed. Suppliers with sufficient bargaining power may be able to negotiate only that they will comply with their own Code of Conduct, provided that it covers essentially the same range of subject matters. Some may negotiate to remove provisions that require notifications that are not mandated by law or that permit far-reaching audits. Most, however, will assume that, since there is little cost-benefit for the buyer to pursue verification, the Supplier Code is merely boilerplate that they can live with. For buyers and suppliers with long-standing, good relationships, this may be a valid assumption. Good operators will be in compliance, and a poor supplier will no doubt be terminated for other reasons, such as quality or delivery failures.

However, if developing law pushes the supply chain into conducting audits or engaging in other forms of verification, the industry will need to develop procedures for cost-effectively managing the process.