The World Bank's Compliance Advisor Ombudsman (CAO) completed a Compliance Audit of IFC's Financial Sector Investments, releasing a report on October 10, 2012 (CAO Audit). The CAO Audited a Sample of IFC Investments in Third-Party Financial Intermediaries. One critique of the IFC's own approach to implementation of the IFC Performance Standards on Environmental and Social Sustainability (IFC Performance Standards) was the application by the IFC of two potentially contradictory aims in its environmental and social diligence: "Do No Harm" and "Credit Risk". The same contradictory aims affect the application of the Equator Principles (EP) by EP Financial Institutions (EPFI).
This article argues that for the sake of clarity and effectiveness, the regulatory nature of the EP and IFC Performance Standards must be fully recognized and permeate the EP implementation process, while credit risk objectives should be considered quite secondary to the real dynamic of EP implementation as a private regulatory process.
Credit Risk or Regulation of "Do No Harm" - Competing Goals of the IFC
As the CAO notes, the IFC’s risk assessment encompasses two types of environmental and social risk: the risk of doing harm, and credit-related risk. The risk of doing harm, or creating adverse impacts, is described in the Sustainability Policy. This approach is reinforced by IFC’s Integrated Risk Management Framework, which identifies seven types of risk: strategic; credit; financial; operational; environmental and social; legal; and reputational.
Environmental and social risk is described as the risk of IFC’s Sustainability Policy and IFC Performance Standards not achieving their objectives, which are to “do no harm.” As the CAO Audit describes, the final and most demanding step in IFC’s environmental and social requirements is to “anticipate and avoid adverse impacts on workers, communities, and the environment, or if avoidance is not possible, to reduce, mitigate or compensate for the impact, as appropriate." One of IFC’s environmental and social objectives can therefore be summarized as “avoid adverse impacts,” or “do no harm.” In the 2012 revision of the Performance Standards, IFC describe this framework as the “mitigation hierarchy.”
The other aspect of environmental and social risk can be summarized as the credit risk associated with an environmental and social event, such as fines, loss of licenses, loss of reputation, and events of default that can lead to the worsening of a client’s financial condition.
IFC's Conflicting Objectives and Related Confusion
The CAO noted the need for greater clarity in applying the two risk concepts at the client level. For example, some FI clients in the CAO's sample utilized the environmental and social requirements as a credit screening tool, with little or no attention paid to the risk of doing harm. In one region the potential implications of this were explored further. An IFC client staff acknowledged that a polluting subclient could be considered an acceptable credit risk because it has provided good collateral or because the loan is short term and the pollution will occur later in the client’s production cycle. Such reasoning would be totally inconsistent with a "do no harm" mandate.
The CAO noted that this lack of clarity about which risk concept applies creates the possibility that environmental and social harm is not being minimized, in addition to creating differing expectations on the part of stakeholders.
The effectiveness of the Social and Environmental Management System (SEMS) was sometimes further compromised by lack of clarity about what set of risks (credit risk, and the risk of doing no harm) the client was expected to control.
CAO's Findings on Shortcomings of Credit Risk Approach
As a result of these observations, the CAO found that the lack of clarity about when the IFC’s two different concepts of environmental and social risk apply, it creates the possibility that IFC’s systems do not effectively minimize environmental or social harm that may result from the action of clients or subclients.
The CAO found that there are potential opportunities for IFC to encourage the adoption of a widely shared vision of industry standards for acceptable environmental and social practices, behavior, and results. Requiring clients to report and disclose environmental and social performance and to engage third-party assurers to provide an independent check would further contribute to the propagation of global norms, while improving disclosure.
Separately, these steps could free up IFC resources to play a more strategic role, such as focusing on results and outcomes, working with new clients, working in countries where capacity is weak, and identifying and sharing good practice across regions/countries.
Additional Comments of CAO on IFC as Private Regulator
As the CAO notes in the CAO audit, the IFC or an EPFI has a partly regulatory role because typically a regulator would establish the standards for an industry as a whole and then enforce and measure compliance, while in the case of the environmental and social requirements, IFC and EPFI establishes the requirements for themselves and then assesses how well it does in achieving them. The EPFI and IFC is therefore essentially a hybrid organization, part commercial bank and part regulator (establishing the policy framework and standards that it applies to itself and its clients, and then measuring its own performance in ensuring that its clients meet those requirements).
The CAO notes that the different roles within such a hybrid organization pose challenges for clarity of mission and operations, especially where differing roles and functions may conflict. During the CAO’s interviews, for example, some IFC staff identified a tension (and sometimes a conflict) between trying to increase investment and imposing the appropriate environmental and social provisions.
Application to EPFI
The findings of the CAO apply fully to EPFI, since the EP process is derived from and tied to the IFC's approach to environmental and social risk management. Moreover, EPFI are (perhaps more than the IFC) prone to considering EP and IFC Performance Standards implementation as a "credit risk" management process. The CAO's critique of this approach should be heeded by EPFI in considering their own processes.
EPFI can have diverse approaches to the implementation of the EP. Some EPFI have a highly decentralized approach, where implementation of the EP is managed by lending officers, with support from centralized risk management teams for higher risk projects. Some EPFI utilize specialist teams that are ultimately responsible for EP compliance on every project. In-house legal counsel may have dotted line oversight of this process, but may not be closely consulted in the EP implementation process and have only cursory knowledge of the details, relying heavily on the legal compliance assessments of non-lawyers.
Many EPFI have a view that the EP is a “credit risk” management framework and not a regulatory compliance process aimed at "do no harm". There is little in the EP to justify this interpretation. “Credit risk” is mentioned only once in the EP framework – as a possible responsibility centre for EP implementation. “Compliance”, on the other hand, is mentioned 14 times and forms the foundation of the EP’s substantive requirements. Critically for the “credit risk” versus “regulation” debate is the fact that EP compliance is required regardless of whether compliance enhances the likelihood of loan repayment. Compliance is required for its own sake, in the same way as compliance with any legal and regulatory requirements is mandatory regardless of whether there is a financial benefit in doing so.
EP as a Private Regulatory Process
In light of these characteristics, there is a clear case to be made for the EP to be understood as a regulatory framework (albeit a private rather than publicly imposed one) and not a credit risk management framework.
As the CAO noted about the IFC, EPFI sit in the role of a “regulator” overseeing EP implementation for a financed project. This creates complex risks for EPFI in conducing EP due diligence with interrelate and overlap with regulatory risks relating to environmental and social issues. In fact, the approach to private regulation taken in the EP resembles “case” methods of regulation adopted by health and safety risk regulators in the United Kingdom, Australia and other jurisdictions.
Safety Case regulatory regimes were introduced first in the United Kingdom following the Piper Alpha disaster in 1998. This regulatory strategy is now regularly used in relation to off-shore oil and gas production, nuclear, chemical, rail and other high risk industries.
The Safety Case approach to regulation focuses on risks and performance rather than simply a “tick the box” approach aimed at minimally meeting prescriptive requirements. A Safety Case regulatory regime requires the proponent of a project to identify risks associated with their intended commercial activity and propose to the regulator an effective plan to manage and mitigate those risks to an acceptable level. The Safety Case of the proponent is then vetted and challenged by regulators. This iterative process results in the development of an action plan for managing project risks that must ultimately be accepted by the regulator in order for the project to proceed. The Safety Case is a living document, which must be amended as the understanding of risks changes.
In an analogous way, this “case” method to risk management permeates the approach of the EP, with the EPFI in the role of the regulator, challenging and vetting the borrower’s “Sustainability Case” for the project.
Principles 1 and 2 of the EP require borrowers, in consultation with EPFI, to identify and assess environmental and social risks of a project, resulting in a document referred to as the “Assessment”. Principle 4 requires the borrower to develop a Management Plan to address risks identified in the Assessment process.
The Assessment and Management Plan must then be critically evaluated by the EPFI. The EPFI will challenge the Management Plan and recommend additional or alternative compliance measures as appropriate. Once vetted, the EPFI will develop an Action Plan that will guide the borrower in achieving compliance for the life of the project. The Action Plan defines actions to address environmental and social impacts, the implementation of which can be tracked over time.
The Action Plan is a “living” document that should evolve over the life of the project. Together, these components of the EP process constitute the “Sustainability Case” for the project and justify the EPFI’s decision to finance. The Sustainability Case should explain what risks of regulatory non-compliance exist and how regulatory compliance will be achieved on the financed project.
In EP III, the Sustainability Case must be publicly disclosed, meaning their contents will be the focal point of stakeholder scrutiny and any future legal risks for the EPFI. If associated risks are being managed properly, it is clear that EPFI legal counsel must be fully cognizant of this process and satisfied with the project’s environmental and social regulatory compliance.
Legal Risks for EPFI as Private Regulators
This begs the question, could legal liability arise if projects are categorized improperly, or projects fail to meet the expectations of environmental and social laws or the IFC Performance Standards, due to the deliberate or negligent actions of an EPFI? While this is an unsettled legal question, the risks of legal liability for EPFI are substantial and growing as the EP become more entrenched in industry practice.
EPFI and their borrowers commit to implement the EP through contractual covenants. EPFI also commit publicly to EP implementation and integration EP due diligence into their corporate governance systems. There are always risks related to public disclosures like those required by the EP, from privacy and confidentiality concerns to securities rules regarding project related disclosures. Moreover, the EP requires legal compliance and the application of best practice standards in environmental and social fields which are the subject of State regulation. Industry best practices like the EP are often included in the application of legal standards by States. Failure to meet such standards of behaviour therefore can have inherent legal implications. These realities, on their face, provide the legal “hooks” that give rise to legal implications for the EP and make EP implementation a legal issue.
An interesting analogy to EP legal risks arises from the recent London Interbank Offered Rate (LIBOR) investigations and fines. LIBOR is the interest rate at which banks offer to lend to one another on the international inter-bank market. In June 2012 it became apparent that a number of banks had been manipulating LIBOR for their benefit to either make their positions look more secure, or to make a greater profit. Coming so soon after the financial crisis, this caused further negative press for the banks and resulted in a massive public outcry. Legal action was pursued against the banks by regulators. In June of 2012 Barclays was fined US$450 million dollars. On December 19, 2012, UBS, was fined US$1.5 billion dollars by the UK, Swiss and American authorities for its role in the manipulation of the LIBOR rate. Numerous civil law suits have also been filed in US courts and over twenty banks are still under investigation in relation to LIBOR manipulation, a number which is likely to increase following the UBS fine.
Like LIBOR, implementation of the EP process is not formally administered by governments. However, EPFI create reasonable expectations in the market that their EP commitments will be implemented without negligent or deliberate misapplication. Should such commitments indeed be deliberately or negligently breached by EPFI, there would be many avenues for potential legal consequences emerging from the detrimental reliance of market actors, shareholders or public regulators on the commitments of the EPFI.
Implications: Treating EP as a Regulatory Compliance Process
If EPFI identify that EP implementation is in fact a regulatory compliance exercise and not a credit risk management response, it could (and should) have significant implications for how EP implementation is managed internally. Instead of managing EP implementation as a credit risk question, focusing on financial returns of the EPFI (with the potential conflicts of interest that entails), EP implementation should instead be treated like any regulatory compliance effort (which does not have a cost/benefit analysis tied to it).
Interestingly, the CAO's Audit also emphasized that the IFC Performance Standards always require a review of legal compliance with environmental and social laws which require the oversight of legal advisors. For the EP this is doubly true, since the EP require compliance and due diligence in relation to host country and international environmental and social laws in all cases, and in some cases (non-High Income OECD) additionally compliance and due diligence with the IFC Performance Standards, which are themselves dervied from legal norms in those areas and also require legal compliance in their application.
In lights of such characteristics, it is critical for EPFI legal counsel to be closely involved in overseeing EP implementation, to ensure that the “private regulator” role taken on by their EPFI organisations is carried out in compliance with legal expectations, avoiding misrepresentations or deliberate or negligent failures in oversight of borrowers that could result in legal ramifications.
Practically speaking, as I wrote in my recent article for the International Financial Law Review "Making the Sustainability Case", the role of legal is most essential in the independent review process required by Principle 7. Legal's role in the independent review process should be in part to vet the “Sustainability Case” of the project. This would require the involvement of several sub-specialist external legal counsel, with expertise on particular risks affecting the project – be they labour risks, occupational health and safety risks, human rights risks, indigenous relations risks or environmental risks. These specialist external legal advisors can aid the in-house counsel’s due diligence efforts by providing the technical expertise necessary to assess the project’s environmental and social risks. The review will culminate in advice regarding the Action Plan necessary to mitigate legal and reputational risks and achieve compliance on the project.
The benefit of this approach is a legally sound opinion on the environmental and social risks of the project that would not be possible in the absence of effective participation by legal counsel – internal and external. Such an approach also aligns the EP implementation process with its true nature as a private regulatory process (which will likely come more pronounced in light of the CAO's findings and global trends).
The CAO Audit highlights an inevitable trend towards understanding EP implementation as a regulatory compliance rather than credit risk compliance process. This trend and the implications for internal EPFI processes should be critically evaluated by EPFI, particularly in any reviews scheduled to coincide with the implementation of EP III which is due to be released in 2013.