On 12 June 2017 CFSI released the Responsible Minerals Assurance Process, Tin and Tantalum Standard. The Standard replaces the CFSP Audit Protocol for Tin and Tantalum of 2013, and goes into effect 1 June 2018.
Over the past year, CFSI consulted with a variety of stakeholders, including downstream companies, smelters, industry associations, NGOs, and consultants. Starting in May 2016, CFSI engaged in two public consultation periods, receiving over 800 comments from 48 commenters, which informed the revised Standard. The Standard was approved by the CFSI Steering Committee in May 2017, and is currently being translated into Chinese, German, Indonesian, Japanese, Russian, and Spanish. CFSI is reviewing and updating associated audit tools and procedures.
The revision process brings the Standard in closer alignment with internationally recognized standards including the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas (OECD Guidance) five-step framework and ISO management system requirements. Importantly, the Standard utilizes a global scope for the identification of conflict-affected and high-risk areas, and includes a simplification of risk categories from the previous Level 1-3 system into low-risk or high-risk sourcing. Additionally, the Standard now explicitly references both conflict-related risks and other serious human rights abuses by including OECD Guidance’s Annex II risks. To align with ISO management systems, the Standard now includes requirements for document control and the internal performance monitoring of due diligence management systems.
The revised Standard removes the former focus on a transactional review, instead concentrating on smelters’ management systems. As a result, the standard includes enhanced requirements for Know Your Counter-party (KYC) processes, fewer requirements for chain of custody documentation for low-risk sources, and consolidated data points for high-risk sources, aligning with the OECD Guidance recommendations. The Standard also has an updated sampling methodology, decreasing the number of samples for secondary material. Lastly, the Standard allows for smelters to utilize alternate systems for reporting transactions and conducting the mass balance and clarifies the definition of companies in scope.
What has stayed the same?
The procedural components of the audit remain the same. The auditors will review a smelter’s management system to ensure it is robust and allows for the appropriate risk-based due diligence in the mineral supply chain. The audit frequency continues to be annual, excepting those smelters on a three-year audit cycle. The general audit process remains the same, as does the on-site audit procedure. Materials in scope include both primary and secondary materials, whether mined, purchased, tolled, or otherwise obtained. As with the old version, origin determination is not required for secondary materials, legacy materials, or assay samples; however KYC requirements are in place for all counterparties regardless of material type.
Impacts on smelters
The revised Standard provides more flexibility in smelters’ due diligence approaches, in line with the OECD Guidance. Requirements are less prescriptive, allowing for due diligence systems that are proportional to the size, complexity, and risk-profile of a company and its sourcing practices. Smelters should define a clear procedure to determine Conflict-Affected and High-Risk Areas (CAHRAs) in their supply chain. They should then review their material sources to identify sourcing from CAHRAs outside the previous L2 and L3 countries as part of an updated due diligence management system and proceed to evaluate the presence of OECD red flags in all supply chains. Risk assessment and management are required for smelters with high-risk supply chains.
To improve audit preparations, smelters will be asked to provide more in-depth information on management systems prior to the on-site audit. This will allow for better preparation of both the smelter and the auditor, resulting in a more efficient onsite audit process. After the first audit under the revised Standard, audits will focus on the maintenance of due diligence management systems, reducing the audit burden over the long-term.
2017 will be a transitional year for smelters. CFSI will provide extensive training and resources to ensure that all smelters understand the changes required, and are adequately prepared for the first audit under the revised Standard. Smelters wishing to have their audit under the revised Standard prior to 1 June 2018 are welcome to do so by notifying Hillary Amster, firstname.lastname@example.org.
Frequently asked questions
Q: Why did CFSI update the protocols?
A: The CFSI requires its protocols to be reviewed annually to ensure the content continues to reasonably support the responsible sourcing requirements set forth by law (e.g., Dodd Frank Action Section 1502) and international expectations, such as the OECD Guidance. Interim adjustments are able to be made if driven by revised findings or legislation, including the European Union (EU) Supply Chain Due Diligence Regulation (May 2017) and forthcoming Chinese legislation. Within the EU context, accompanying measures and implementing regulations will require CFSI to formally apply for acceptance into the EU scheme, which requires assurance programs to be aligned with OECD Guidance to be accepted in by EU Member States.
The revised Standard also meets international expectations communicated by the availability of the OECD Alignment Tool and Methodology,), alignment with upstream partners such as ITRI Tin Supply Chain Initiative (iTSCi) and Better Sourcing Program (BSP), and the need to update content based on three years of feedback and input from auditors, auditees, and other stakeholders.
Q: Why did CFSI remove “conflict-free” terminology?
A: The “Conflict-free” label, while referenced and defined in DFA 1502, does not accurately represent the principle and practice of due diligence as an ongoing process that is expected to be carried out and improved upon over time, where risks incidents are identified, managed, and reported as part of the process.
The updated Standard and assurance process continues to support companies’ declarations for “conflict-free” for regulatory purposes or otherwise, in that smelters and refiners are still required to identify and address direct or indirect support to non-state armed groups and the financing of conflict in the Great Lakes Region as part of the risk identification and assessment process.
Companies are still able to use the results of the CFSI’s assurance process to support their United States Securities and Exchange Commission (SEC) filings, “conflict-free” claims, and/or customers’ requests. However, as was the case under the previous protocols, companies that source from smelters or refiners that are in conformance with the revised standard are not considered automatically in compliance with the SEC Final Rule. Under the SEC Final Rule, additional steps are required for companies to meet SEC reporting requirements: scoping, RCOI, and due diligence.
Q: Has CFSI expanded the risks covered by the audit?
A: CFSI has not expanded the risks covered by the audit, however the revised standard explicitly references OECD Annex II risks to clarify that risks covered by the OECD Guidance must be included in the smelter’s risk identification, assessment, and management process.
Companies must address all OECD Annex II risks, which are those commonly associated with the extraction, transport and trade of minerals from CAHRAs:
- Any forms of torture, cruel, inhuman and degrading treatment;
- Any forms of forced or compulsory labor;
- The worst forms of child labor;
- Other gross human rights violations and abuses such as widespread sexual violence;
- War crimes or other serious violations of international humanitarian law, crimes against humanity or genocide.
- Direct or indirect support to non-state armed groups.
- Direct or indirect support to public or private security forces.
- Bribery and fraudulent misrepresentation of the origin of minerals.
- Money laundering.
- Non-payment of taxes, fees and royalties to governments.
Q: How did the CFSI change the risk categories?
A: CFSI updated the risk categories to align with the OECD Guidance, the expectations of which are:
- Companies are the ones responsible for determining whether there are risks in the supply chain(s) associated with sourcing from conflict-affected or high risk areas (not the assurance program).
- Program due diligence requirements are driven by OECD Annex II risks, not geography.
- The Program does not limit its scope of applicability to specified geographies or countries (though guidance may be provided by the Program to help companies identify potential risks).
As a result, the revised categories are as follows:
- Low-Risk Source: Supply chains where 3TG material is not mined or transported through a CAHRA; Material originates in a country with known active ore production for 3TG; and there are no OECD red flags identified.
- High-Risk Source: Supply chains where tin or tantalum material is mined or transported through a CAHRA; and / or material originates in a country with limited or no active ore production for tin / or tantalum; and / or there are discrepancies, inconsistencies or other issues identified during the review of material and documentation that have not been addressed; and there is one or more red flag identified.
Q: How is CFSI going to drive consistent outcomes in identifying CAHRAs when smelters can use their own definitions?
A: CFSI uses the OECD’s definition and is providing resources to help smelters identify these areas. The rationale smelters use must be defensible and evidence-based. CFSI has made resources available at http://www.conflictfreesourcing.org/additional-training-and-resources/conflict-affected-and-high-risk-areas/. Additionally, the European Council is planning to develop and indicative and non-comprehensive list of CAHRAs. CFSI continues to engage with regulators, the OECD and other standard setting bodies to provide guidance and drive consistent outcomes in identifying CAHRAs.
Q: Can smelters use upstream assurance mechanisms for sourcing from CAHRAs?
A: Yes, smelters may continue to use upstream assurance mechanisms to assist in conducting due diligence over high-risk sources. When using upstream assurance mechanisms, smelters must, at a minimum:
- Understand the scope of activities of the upstream assurance mechanism and understand any gaps between the scope of the mechanism’s activities and the requirements of the OECD Guidance.
- Ensure that all information generated by the upstream assurance mechanism, and which is expected to be shared with the auditee, is received in a timely manner and records are maintained for at least five (5) years and made available to the auditor.
- Have sufficient understanding of the context of CAHRAs to be able to review and understand the information generated by the upstream assurance mechanism and to assess their ability to exercise influence over actors in high-risk supply chains who can most effectively prevent or mitigate identified risks.
- Where possible, actively participate in the upstream assurance mechanism to mitigate identified risks in its supply chains.