Skip to content

What to Ask Suppliers Before They Get You Fined

If your supplier uses forced labor, the goods are seized at the US border — and you are the importer of record. If your supplier discharges untreated wastewater, your CSRD disclosure is inaccurate, your CSDDD due diligence is incomplete, and your buyer drops you. If your supplier's SMETA audit is expired by six weeks, the procurement system deselects you automatically — and the buyer does not ask why. The legal violation is the supplier's. The commercial and legal consequence is yours.

The regulatory frameworks that impose cascading liability — making a buyer legally responsible for what happens in their supply chain — are multiplying globally. The German Supply Chain Act (LkSG), the EU's CSDDD, the US Uyghur Forced Labor Prevention Act (UFLPA), the UK and Australian Modern Slavery Acts, the Canadian Fighting Against Forced Labour and Child Labour in Supply Chains Act — each of these creates a legal obligation for the buyer to know what is happening in their supply chain and to act on what they find. And each of them starts with the same operational question: what do you ask your suppliers — and what documentation do you demand — before you place the order?

Why Supplier Compliance Is Your Problem

Under traditional procurement, a buyer's responsibility for compliance ended at the purchase order. The supplier was responsible for meeting regulatory requirements. The buyer's risk was commercial — late delivery, poor quality, price increases. Legal risk for the supplier's non-compliance stayed with the supplier.

That model is dead. The regulatory frameworks that have come into force since 2016 have systematically transferred legal responsibility for supplier compliance to the buyer:

  • CSDDD (EU): Companies must identify, prevent, and remediate human rights and environmental harms in their own operations, their subsidiaries, and their chain of activities. Civil liability applies — affected persons can sue the company for damages caused by a failure to comply with due diligence obligations. The fine is up to 5% of global net turnover.
  • LkSG (Germany): Companies with 1,000+ employees in Germany must conduct human rights and environmental due diligence across their supply chain. Fines of up to €800,000 or 2% of global turnover, plus exclusion from public procurement for up to three years.
  • UFLPA (US): Creates a rebuttable presumption that all goods produced wholly or in part in the Xinjiang Uyghur Autonomous Region are made with forced labor and are therefore prohibited from entry into the US. The importer of record bears the burden of proving otherwise. CBP has detained thousands of shipments under UFLPA since the Act took effect in 2022, covering products from apparel to electronics to solar panels.
  • UK Modern Slavery Act: Requires commercial organizations with over £36 million in turnover to publish an annual modern slavery statement. The statement must describe the steps taken to identify and address modern slavery in the supply chain. Failure to publish a statement can result in an injunction and, if not complied with, contempt of court.
  • Australia Modern Slavery Act: Similar reporting obligation for entities with over AUD $100 million in revenue. The Minister can publicly name non-compliant entities — a reputational sanction that directly affects supplier and customer relationships.
  • Canadian Fighting Against Forced Labour and Child Labour in Supply Chains Act (Bill S-211): Requires entities to report on measures taken to prevent and reduce the risk of forced labour and child labour in their supply chains. Penalties include fines of up to $250,000 and potential director liability.

Under every one of these frameworks, the buyer's obligation is to know — and to act on what they know. The supplier's non-compliance becomes the buyer's liability.

What to Ask: The Supplier Compliance Questionnaire

Every supplier relationship should begin with a structured set of questions that establishes the supplier's compliance baseline. The questions should be specific, documented, and the supplier's responses should be retained as evidence of due diligence. A generic "please confirm you comply with all applicable laws" is not sufficient — it is legally meaningless and operationally useless.

  • Legal name, registered address, and company registration number in the country of incorporation
  • Ownership structure — beneficial owners holding 25% or more
  • Years in operation, number of employees, annual revenue (approximate)
  • Export licenses held and countries currently exporting to

Why this matters: A supplier that cannot or will not provide basic corporate identity information is a red flag. Regulators investigating forced labor or sanctions violations start with corporate identity — if the supplier is not a legally registered entity, the buyer's due diligence defense collapses at the first question.

2. Labor and Human Rights

  • Does the supplier have a written human rights policy aligned with the UN Guiding Principles on Business and Human Rights?
  • Does the supplier prohibit forced labor, child labor, and discrimination in its own operations and its supply chain?
  • Are workers employed under written contracts that specify wages, hours, overtime, and termination conditions?
  • Are wages paid at or above the applicable legal minimum wage, including overtime premiums?
  • Are workers free to form or join trade unions and to bargain collectively? If restricted by local law, what alternative mechanisms exist for worker representation?
  • Date and result of the most recent social audit — SMETA, BSCI, SA8000, or equivalent. Provide the full audit report and the Corrective Action Plan (CAP) with evidence of closure for any non-compliances.
  • Does the supplier source from sub-suppliers or subcontractors? If yes, are those sub-suppliers subject to the same human rights due diligence?

Why this matters: The most common supply chain enforcement action globally is for forced labor and human rights violations. CBP detentions under UFLPA, CSDDD civil liability claims, LkSG fines, modern slavery statement inaccuracies — every one of these enforcement mechanisms starts with the question: did the buyer ask the supplier about labor conditions, and did the buyer verify the answer?

3. Environmental Compliance

  • Does the supplier hold all required environmental permits for its operations (discharge permits, emissions permits, waste management permits)?
  • Does the supplier monitor and report air emissions, water discharges, and waste generation?
  • Does the supplier have an environmental management system — ISO 14001 certified or equivalent?
  • Does the supplier track and report energy consumption, water consumption, and greenhouse gas emissions?
  • Does the supplier use any substances subject to REACH authorization or restriction, or subject to the Stockholm Convention on Persistent Organic Pollutants?
  • For suppliers handling or processing regulated commodities (timber, palm oil, soy, cattle, cocoa, coffee, rubber): does the supplier maintain geolocation data for production plots, chain of custody documentation, and deforestation risk assessments?

Why this matters: Environmental non-compliance at the supplier level creates direct liability for the buyer under CSDDD, LkSG, and the EUDR. Under EUDR, the importer of record is responsible for ensuring that commodities are deforestation-free — and the supplier's geolocation data is the evidence. If the supplier cannot provide it, the importer cannot legally place the product on the EU market.

4. Product Safety and Regulatory Compliance

  • For each product supplied: list every applicable regulatory standard and provide the certificate of conformity or declaration of conformity that demonstrates compliance.
  • Provide the test reports from accredited laboratories that support each certificate. Identify the laboratory, the standard tested against, the test date, and the result.
  • For products sold in multiple markets: provide separate certificates for each market (FCC and UL for US, CE for EU, UKCA for UK, CCC for China, G-Mark for Gulf, etc.).
  • Does the product contain any substances restricted by REACH (EU), RoHS (EU), TSCA (US), Proposition 65 (California), or other applicable chemical regulations? List each substance, its concentration, and its regulatory clearance pathway.
  • Does the product contain PFAS? If yes, which compounds, at what concentrations, and for what functional purpose?
  • Provide the product's full material composition data — every substance, every material, every component — with CAS numbers where available.
  • Provide the product's country of origin for customs purposes and any applicable preferential trade documentation.

Why this matters: Product safety non-compliance results in border detentions, product recalls, CPSC fines, and Amazon listing suppressions. The supplier's compliance documentation is the buyer's defense. A buyer that accepts a supplier's statement of compliance without verifying the underlying test reports and certificates is accepting liability without building a defense.

5. Supply Chain Traceability

  • For each product: list every sub-supplier and raw material source by name, address, and country.
  • Provide the chain of custody documentation that traces the product from its raw material origin through every processing step to the finished product.
  • For products containing minerals (tin, tantalum, tungsten, gold, cobalt, mica): provide the smelter or refiner identification, country of origin for the minerals, and conflict minerals due diligence documentation aligned with the OECD Due Diligence Guidance.
  • For products containing wood or plant materials: provide the scientific name (genus and species) of every wood species used, the country of harvest for each, and any applicable FSC, PEFC, or equivalent chain of custody certification.

Why this matters: Supply chain opacity is the root cause of most compliance failures. A buyer that does not know where its materials come from cannot verify that they are legally sourced. The UFLPA, EUDR, Lacey Act, and conflict minerals regulations all operate on the same principle: if you cannot trace your supply chain back to the source, you cannot prove compliance — and if you cannot prove compliance, your goods are subject to seizure, your entity is subject to fines, and your directors are subject to liability.

Red Flags: When a Supplier's Answers Are a Problem

The supplier questionnaire is not a box-checking exercise. It is a risk assessment tool. Certain supplier responses should trigger escalation, not acceptance:

  • Refusal to provide corporate identity or ownership information. A supplier that will not disclose who owns it is a supplier you should not buy from. Sanctions evasion, forced labor, and environmental violations are disproportionately concentrated in entities with opaque ownership.
  • No social audit or an expired audit. A supplier without a current independent social audit is a compliance gap. If the supplier has never been audited, require an audit before the first purchase order. If the audit is expired, require a new audit before the next order.
  • "We comply with all applicable laws" as the answer to every question. This is not a compliance statement. It is a refusal to provide specific information. A supplier that will not identify which regulations apply to its products, which tests have been performed, and which certificates exist is a supplier whose compliance is unverifiable — and in the cascading-liability framework, unverifiable compliance equals no compliance.
  • Inconsistent or contradictory responses. If the supplier claims to be ISO 14001 certified but cannot provide the certificate number and certifying body, or claims to have completed a SMETA audit but cannot provide the audit report, the claim is unreliable.
  • No sub-supplier disclosure. A direct supplier that will not disclose its own suppliers is concealing part of the supply chain. The most common location for forced labor, environmental violations, and illegal sourcing is not at Tier 1 — it is at Tier 2 and below, where the buyer has no direct relationship and the Tier 1 supplier does not conduct due diligence.

How to Verify: Don't Accept the PDF

A supplier questionnaire returned as a filled-in PDF is better than nothing. It is not due diligence. Due diligence requires verification:

  • Verify certification claims. Every certification claim — ISO 27001, ISO 14001, SMETA, BSCI, FSC, GOTS, SQF, BRC — should be checked against the certifying body's public database. An ISO certificate number should be verifiable on the accreditation body's directory. A SMETA audit report should be verifiable on the Sedex platform.
  • Verify test reports. A test report should be traceable to the accredited laboratory that performed the testing. The laboratory's accreditation status, the standard tested against, the test date, and the result should all be verifiable.
  • Verify corporate identity. A supplier's legal name, registration number, and ownership structure should be verifiable against the relevant national company registry.
  • Verify on-site where the risk justifies it. For high-risk suppliers — those in high-risk geographies, those handling high-risk commodities, those with gaps in their questionnaire responses — an on-site audit by an independent third party is the appropriate level of due diligence.

The cost of verification is a fraction of the cost of non-compliance. A Supplier that provides a falsified audit report creates liability for the buyer that purchased in reliance on the report. The buyer's defense — "we asked, they answered, we accepted" — is precisely the defense that CSDDD, LkSG, and the UFLPA were designed to defeat.

How Sustalium Simplifies Supplier Compliance

Supplier compliance is a data management problem at scale. A company with 100 suppliers, each providing 5 products, across 3 markets, is managing 1,500 combinations of supplier, product, and market — each with its own set of compliance documents, each with its own expiration date, each subject to verification.

Sustalium's supplier compliance platform addresses this:

  • Structured supplier profiles — Every supplier's compliance documentation is organized in a structured profile: corporate identity, social audit reports, environmental permits, product certificates, test reports, and supply chain traceability data
  • Verification-ready documentation — Certificates and test reports are linked to their certifying bodies and accredited laboratories, making verification a one-click check rather than a manual research project
  • Automated expiry and renewal tracking — Certificates, audits, and permits have expiration dates. Sustalium tracks them and alerts you before they lapse
  • Public compliance pages for buyers and regulators — When a buyer requests your supplier compliance documentation, or a regulator opens an investigation, produce the evidence as a URL, not a folder of PDFs
  • Supplier portal for data collection — Your suppliers can upload their compliance documentation directly into structured profiles, replacing email-based document collection that produces inconsistent, non-comparable results

Ask the Right Questions Before You Place the Order

The cheapest time to discover that a supplier cannot produce compliance documentation is before the purchase order. The most expensive time is after the goods have been seized, the fine has been issued, and your buyer has found an alternative supplier.

With Sustalium, build your supplier compliance due diligence for just €10 per document.

Start Your Supplier Due Diligence Now →



Last updated: July 3, 2026