Mapping ESG regulatory requirements

ESG Regulations

ESG regulations are government standards for ESG actions or disclosures. While the ESG space is mainly unregulated, legal requirements are coming in different countries and at different paces. Some are already in force and certain businesses may already find themselves having to undertake ESG disclosures depending on their size and industry.

ESG Regulatory Requirements

There are already some EU rules on ESG reporting, and the investment committee of the US Securities and Exchange Commission (SEC) moved forward this year to start creating a framework for ESG disclosure. SEC Chair Gary Gensler has hinted at what the forthcoming SEC requirements will entail, specifically signalling that the new climate disclosure regime should be inspired by the TCFD climate risk reporting framework.

The UK will also introduce new ESG disclosure requirements for Financial Conduct Authority (FCA)-authorized investment managers based on the recommendations of the Taskforce on Climate-Related Financial Disclosures (TCFD). The UK’s Joint Government-Regulator TCFD Taskforce has said the UK’s proposed rules will likely include disclosure of strategy, policies, and processes.

In addition, disclosures, reporting and due diligence on ESG-related matters are not new. For example, the Modern Slavery Act, the EU Timber Regulations 2013, the Conflict Minerals Regulation and the Dutch Child Labour Due Diligence Act all include ESG aspects.

A guide to international ESG compliance

There are a lot of acronyms flying around with ESG. There are at least a dozen reporting frameworks out there, and it can be hard to know which one to use when a regulation may be coming down the line that mandates one over another.

Aligning to the TCFD framework is one of the most important steps global businesses can take. The TCFD recommendations are a good set of guidelines for how organisations can begin tracking, reporting, and integrating climate-related risks into their longer-term strategy, which are some of the fundamental methods for preparing for compliance with upcoming SEC requirements. Of course, this is only one part of the wider ESG framework, and it is important for companies to consider their ESG strategies in the round.

Here are the key ESG regulations which are already in force, and ones which are planned for the near future, listed by jurisdiction. Some are in development, meaning governments have proposed the rules but they are not yet in force.

List of international ESG regulations

Last updated – 1 February 2022

* denotes new since last update.

European Union

Sustainable Finance Disclosure Regulation (SFDR)

EU Taxonomy Regulation Article 8 Delegated Act

In development: Corporate Sustainability Reporting Directive (CSRD)

Regulatory body: European Commission (EC)

United Kingdom

In development: Sustainability Disclosure Requirements (SDR) and Investment Labels

In development: Diversity and Inclusion on Company Boards and Executive Committees

In development: Climate-related Disclosure Requirements

Regulatory body: Financial Conduct Authority (FCA)

United States

In development: Climate Disclosures for Public Companies

Regulatory body: Securities and Exchange Commission (SEC)

In development: Climate-related Financial Risks and Insurers

Regulatory body: US Federal Insurance Office (FIO)

*In development: California – Climate Corporate Accountability Act (CCAA)

Regulatory Body: California Secretary of State Office

*In development: New York – Fashion Sustainability and Social Accountability Act (FSSAA)

Regulatory body: New York State Department of Law

Australia

Prudential Practice Guidance on Climate Change and Financial Risks

Regulatory body: Australian Prudential Regulation Authority

Brazil

Management and Disclosure of Social, Environmental and Climate Risks

Regulatory body: Central Bank of Brazil (BCB)

*In development: Circular providing for the sustainability requirements to be observed by companies, insurance companies, open supplementary pension entities (EACPCs), capitalisation companies and local reinsurers.

Regulatory body: Superintendent of Private Insurance (Susep)

Canada

In development: ESG-related Investment Disclosure for Funds

In development: Climate-related Disclosures for Listed Issuers

Regulatory body: Canadian Securities Administrators (CSA)

Chile

Sustainability and Corporate Governance Requirements in Annual Reports

Regulatory body: Financial Market Commission of Chile (CMF)

China

ESG-related Amendments to the Disclosure Rules Applicable to Listed Companies

Regulatory body: China Securities Regulatory Commission

Germany

*Supply Chain Act

Regulatory body: Federal Office for Economic Affairs and Export Controls (BAFA)

Hong Kong

In development: Green and Sustainable Finance Strategy (Climate-related Disclosures)

Regulatory body: Hong Kong Securities and Futures Commission (SFC), Hong Kong Monetary Authority (HKMA)

Japan

Revisions of Corporate Governance Code

*In development: Mandatory TCFD reporting for prime segment listed companies

Regulatory body: Japan Financial Services Agency (FSA)

New Zealand

In development: Mandatory TCFD Reporting

Regulatory body: External Reporting Board New Zealand (XRB)

Singapore

Environmental Risk Management for Asset Managers, Banks and Insurers

Regulatory body: Monetary Authority of Singapore (MAS)

South Korea

In development: Mandatory ESG Report Disclosure

Regulatory body: Financial Services Commission of South Korea (FSC)

Switzerland

*Articles 964a-964c, 964j-964l of the Code of Obligations

Regulatory body: Federal Audit Oversight Authority (FAOA)

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
