Hot Topics in Supply Chain Compliance

by Ropes & Gray LLP


The last few years have seen a proliferation of new supply chain-focused regulations and other compliance obligations, a trend which isn’t likely to abate any time soon. In this Alert, we provide an overview of selected supply chain compliance items that should be on the radar screen of healthcare industry legal and compliance professionals in 2017.

Anti-Human Trafficking

Anti-human trafficking compliance is a newer area of focus for many healthcare companies as a result of recently adopted disclosure and compliance requirements and increasing stakeholder scrutiny.

The UK Modern Slavery Act (MSA). Starting this year, the MSA will require a significant number of healthcare companies to annually publish on their websites a statement describing the steps that they have taken during the preceding fiscal year to ensure that slavery and human trafficking are not taking place in any of their supply chains or in any part of their own businesses. This requirement applies to “commercial organisations” doing business in the United Kingdom, irrespective of home country, that provide goods or services and have worldwide turnover of at least £36 million.

Each company will need to tailor its statement to its particular risk assessment and compliance program. There are no mandatory topics that must be covered in the statement, although the MSA recommends that the following disclosure topics be addressed: (1) organizational structure, business model and supply chain relationships; (2) policies in relation to slavery and human trafficking; (3) slavery and human trafficking due diligence processes; (4) the parts of the business and supply chains where there is a risk of slavery and human trafficking taking place and the steps taken to assess and manage that risk; (5) the effectiveness in ensuring that slavery and human trafficking are not taking place in the business or supply chains, measured against appropriate key performance indicators; and (6) the training available to staff.

For additional Ropes & Gray resources describing the MSA in substantially more detail, including the statement requirement and action items for establishing a compliance program, see here.

The UK Labour Standards Assurance System (LSAS). LSAS was commissioned by the UK Department of Health and NHS Supply Chain, which procures products for the National Health Service. LSAS is the foundation of NHS Supply Chain’s ethical procurement strategy. LSAS was initially introduced in 2012 in connection with NHS Supply Chain’s Framework Agreement for Surgical Instruments, and NHS Supply Chain is now introducing LSAS compliance into other contracts.

LSAS has 15 action points, including the following supply chain facing items: (1) adopting a labor policy for the supply chain that among other things addresses the use of child and forced labor; (2) assessing the extent to which labor standards are at risk of being abused within the supply chain; and (3) communicating the policy and other relevant information to identified suppliers, collecting and verifying information relating to labor standards performance and responding to the information and evidence collected to drive continual improvement of labor standards throughout the supply chain.

There are four audit levels under LSAS, each of which requires a specified level of compliance with the LSAS action points: (1) Foundation - the vendor has begun to consider how labor standards relate to its business and there is some documentation in place for an auditor to review; (2) Implementation - the vendor has started to implement processes and procedures to manage labor standards, including processes to identify risk in the supply chain; (3) Established - the vendor has in place a robust system for managing labor standards and risk is being effectively mitigated where uncovered; and (4) Progressive - the vendor demonstrates leadership level management of labor standards, going beyond audit to tackle the root cause of issues and risks uncovered and is engaging with key stakeholders, partnerships and projects to do so.

Suppliers must at a minimum be audited to Level 1/Foundation within six months of contract launch for NHS Trusts to purchase supplies through NHS Supply Chain, with later deadlines to achieve compliance with higher LSAS levels.

The US Federal Acquisition Regulation (FAR) Anti-Human Trafficking Provisions. The FAR governs the US Federal government’s procurement process and applies to not only prime contractors, but in many cases subcontractors and agents as well. The anti-human trafficking provisions of the FAR were significantly expanded in March 2015. Because the amendments apply only to contracts and new task orders under existing indefinite delivery/indefinite quantity contracts entered into after that time, the FAR anti-human trafficking compliance requirements are only now starting to impact the compliance programs at many companies.

There are two principal compliance obligations under the FAR anti-human trafficking provisions. First, there are nine prohibited activities applicable to contractors and subcontractors (which also includes indirect subcontractors) and their employees and agents. This portion of the rule applies to all contracts.

Second, the FAR anti-human trafficking provisions require a compliance plan and periodic certifications if the contract is for goods or services acquired or to be performed outside the United States with an estimated value that exceeds $500,000. For purposes of calculating the dollar threshold, commercially available off-the-shelf items are excluded.

Companies must design the compliance plan to fit their particular facts and circumstances. The compliance plan must be appropriate to the size and complexity of the contract and the nature and scope of its activities, including the number of non-US citizens expected to be employed and the risk that the contract will involve services or supplies susceptible to trafficking in persons. In addition, the compliance plan must at a minimum include the following elements: (1) an awareness program; (2) a grievance process; (3) a recruitment and wage plan that meets specified requirements; (4) a housing plan, if the contractor or subcontractor intends to provide or arrange housing; and (5) procedures to prevent violations and to monitor, detect and terminate agents, subcontractors or subcontractor employees that have engaged in prohibited activities.

If required, certifications must be provided in connection with the contract award and annually. The contractor must certify that: (1) a compliance plan and procedures to prevent prohibited activities and to monitor, detect and terminate a contract with a subcontractor or agent engaging in prohibited activities have been implemented; and (2) after having conducted due diligence, either, to the best of the contractor’s knowledge and belief, there have been no occurrences of prohibited activities or, if they have occurred, appropriate remedial and referral actions have been taken.

For more information on the FAR anti-human trafficking rule, see our Alert here.

Trade Facilitation and Trade Enforcement Act. This Act, which was adopted in early 2016, repealed the “consumptive demand” exception to the US Tariff Act. The Tariff Act bans the importation of foreign goods and merchandise produced or manufactured in whole or in part by convict, forced or indentured labor. However, under the consumptive demand exception, the prohibition did not apply to the extent that US demand exceeded domestic supply.

Since the adoption of the Act, several shipments of goods from China have been detained by US Customs and Border Protection for having been produced using forced labor. For purposes of assessing risk, commodities and products used in the healthcare industry appear on both the Department of Labor’s List of Goods Produced by Child Labor or Forced Labor and its List of Products Produced by Forced or Indentured Child Labor. Over time, third party tips alleging convict, forced or indentured labor in supply chains are likely to increase, which will put additional pressure on pre-emptive supply chain mapping for at-risk commodities and products. 

Proposed French Human Rights Legislation. During November 2016, the French National Assembly adopted a bill that would require large French companies to adopt a vigilance plan to identify and prevent serious human rights violations, including at the subcontractor and supplier level. Requirements of the vigilance plan would include: (1) risk mapping; (2) procedures for assessing subsidiaries, subcontractors and suppliers; (3) risk mitigation; (4) a reporting and grievance mechanism drawn up in consultation with representative trade union organizations; and (5) a mechanism for monitoring the compliance measures implemented and evaluating their effectiveness. If adopted into law, this legislation will impact the supply chains of large French companies, including those in the healthcare industry, irrespective of where the supplier is located.

Conflict Minerals

Conflict minerals regulation will continue to be dynamic in 2017.

US Conflict Minerals Rule. The Conflict Minerals Rule was adopted pursuant to the Dodd-Frank Act. The Rule requires US public companies that manufacture or contract to manufacture products that contain tin, tantalum, tungsten or gold (3TG) to, among other things: (1) make supply chain inquiries to determine the source of the 3TG in their in-scope products; (2) if the 3TG originated or there is reason to believe may have originated in the Democratic Republic of the Congo region, conduct due diligence in accordance with the Organisation for Economic Co-operation and Development’s Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas; and (3) annually publicly report on their compliance.

President Trump and the Republican-majority Congress are expected to seek to roll back at least some aspects of Dodd-Frank. The repeal of the Conflict Minerals Rule is explicitly provided for in the Financial Choice Act, which was introduced in the House during the last term. However, at present, most of the Conflict Minerals Rule remains very much in effect and is likely to remain so for at least the current reporting period, which requires filings in respect of calendar 2016 to be made by May 31, 2017. In the meantime, the Securities and Exchange Commission’s April 2014 stay of the mandatory audit requirement under the Rule is expected to remain in effect for this year (see our Alert discussing the audit stay here).

The ultimate fate of the Conflict Minerals Rule is likely to turn on whether Congress decides to take a narrow or broad brush approach to Dodd-Frank repeal. However, even if the Rule is repealed, many large companies have indicated that they will continue to expect suppliers to trace the origin of the 3TG in their products, maintain compliance programs and responsibly source 3TG. These requirements will ripple through many supply chains in much the same way as if the Rule were to remain in effect.

Finally, NGOs continue to review and rank filings. This past year, one NGO survey ranked both medical device companies and drug manufacturers, the latter for the first time as a separate category. As is the case with other supply chain compliance and corporate social responsibility issues, larger consumer facing brands that are perceived as compliance laggards face the greatest risk of being targeted by NGOs and socially responsible investors.

EU Conflict Minerals Regulation. During November 2016, the EU Council, Commission and Parliament reached an informal final agreement on a conflict minerals regulation. The Regulation generally will require EU smelters and refiners and direct importers of 3TG into the European Union to conduct due diligence using the OECD Guidance framework if they are sourcing from conflict-affected and high-risk areas anywhere in the world. For more information on the pending Regulation, see our Alert here.

The text of the final Regulation is expected to be released soon, after which it will be submitted for approval to the Council and the Parliament. The Regulation will take effect on January 1, 2021.

The Regulation generally will not impose compliance obligations on manufacturers or sellers of components or finished products. However, many larger “downstream undertakings” will expect their suppliers to make supply chain inquiries and source 3TG from conflict-free smelters and refiners. This will result in compliance obligations, to meet commercial requirements, for a significant number of supply chain participants that are not subject to the Regulation. In addition, many larger downstream companies and the NGO community are expected to push for voluntary supply chain compliance prior to 2021.


The continuing phase-in and expansion of RoHS (Restriction of Hazardous Substances) and REACH (Registration, Evaluation, Authorisation and Restriction of Chemicals) to new substances and product categories will require enhancements to supply chain compliance programs in 2017 and beyond.

RoHS. RoHS prohibits electrical and electronic equipment that contains enumerated toxic substances in specified concentrations from being placed on the EU market. RoHS also contains affirmative compliance requirements, such as requiring “CE” markings and declarations of conformity.

There currently are six restricted substances under RoHS, coupled with phase-ins for eleven product categories that run through July 2019 (many categories have already been fully or partially phased in). During mid-2015, four new substances – all phthalates – were added. Restrictions on the use of these substances generally will take effect during July 2019 and July 2021.

REACH. REACH is more broadly intended to protect human health and the environment from risks posed by chemicals. REACH contains procedures for collecting, assessing and reporting information to customers and the European Chemicals Agency on substances manufactured in or imported into the European Union. For some substances, REACH goes further, requiring authorization or restricting how the substances can be supplied or used.

There currently are approximately 170 substances of very high concern (SVHCs) on the REACH candidate list, and the list continues to grow. In addition, pursuant to a decision of the EU Court of Justice in September 2015, the 0.1% weight-to-weight REACH reporting threshold must be applied at the individual article or component level, rather than at the finished good or complex product level, which in many cases greatly expands the requirement to drill down and report on SVHC content in products.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ropes & Gray LLP | Attorney Advertising
