Due diligence for processors

Processors are required to have a written due diligence system before they process raw logs (s 17A of the Act, s 10 of the Rules).

Your due diligence system must include:

1. your details, including: business name (where applicable); street and postal address; contact number; and email address.
2. your ABN/ACN, and a description of your main business activity (if you process logs through a business).
3. the name of the person in charge of the due diligence system, and their contact details.
4. the process you will take to meet the due diligence requirements for processing raw logs.

Your due diligence system should be easy to understand and follow. It will help you make decisions about what to do each time you process a log. If you change your due diligence process, you should also update your due diligence system.

In certain circumstances, we may request information or documents, or require an assessment or audit to be carried out. If you are audited or issued a Requirement to Give Information and Produce Documents notice, you may be asked to provide a copy of your due diligence system to us for review, which will be assessed for compliance against the requirements in the Act and the Rules.

Processors must conduct due diligence before processing domestically grown raw logs.

However, you should first check to see if your raw log/s are exempt from due diligence requirements.

Neither the prohibition on processing illegally logged raw logs (s 15 of the Act) or the requirement to conduct due diligence before processing raw logs (s 17 of the Act) apply where the raw logs have been imported into Australia.

Processors are also exempt from the due diligence requirements in circumstances where the processor was also the harvester of the raw logs (s 9 of the Rules).

While these products are exempt from the due diligence requirements, if you are issued a Requirement to Give Information and Produce Documents notice, you will be expected to provide information or documents that are relevant to:

• your due diligence system in place at the time the raw log was processed
• your compliance with the due diligence requirements for processing the raw log.

This could include information that demonstrates you determined the product was exempt before it was processed.

Before you process Australian grown raw logs, you need to gather specific information about the raw logs.

You must obtain as much of the following information as it is reasonably practicable, before each occasion you process an Australian-grown raw log (Rules s 11(2)):

• A description of the logs, including the common and scientific name of the tree it came from.
• The State/Territory and the area in the State/ Territory where the logs were harvested.
• The quantity of raw logs to be processed (expressed in volume, weight or number).
• Details of your supplier, including name, address, trading name, and ABN/ACN.
• The sales or delivery documents in relation to the purchase of the logs by the processor.

Many of these details about your raw logs may be found in existing commercial documents, contracts or invoices. However, you may need to work with your supplier to gather more information, documents, or evidence.

How you gather the prescribed information is up to you. This could include phone calls, emails, online research, questionnaires sent to suppliers or site visits, among other approaches.

The law requires you to gather as much of the above-listed information about the product as it is ‘reasonably practicable’ to obtain. In determining what is reasonable, you should consider: what information is possible to obtain and what information is reasonably able to be gathered given the specific circumstances for the raw log being processed.

As the processor, the onus is on you to prove that it was not reasonably practicable to obtain the information, under your specific circumstances.

Visit our FAQs page for more information on what is meant by ‘reasonably practicable.’

You must keep a record of your information gathering efforts, and any information obtained for the purposes of s 11(2) of the Rules you find, for at least five years beginning on the day the raw log is processed. Your records should allow you to demonstrate compliance with the information gathering requirements.

Once you have completed Step 1, you need to use the information you have gathered to identify and assess the risk. If you have processed the same kind of raw logs via the same supply chain within 12 months and previously completed this step, you may be able to apply an exception to this step. Information about the exception is outlined in detail later on this page. If this exception does not apply you must identify and assess the risk of your raw logs being illegally logged.

The illegal logging laws provide two pathways to do this:

• certified raw logs pathway
• non-certified raw logs pathway.

You need to use one of these pathways to carry out your risk assessment. Further information on each of these is provided on this page.

The pathway that you use will depend on whether your raw logs are certified. The certified raw logs pathway can only be used where your raw logs are certified under Forest Stewardship Council (FSC) or Programme for the Endorsement of Forest Certification (PEFC).

You need to consider all the information you have which may indicate that the raw logs were illegally logged.

Your risk assessment must include assessing all information gathered in Step 1. As you gather information for your due diligence requirements, ask yourself the following questions:

• Have you been able to obtain sufficient information to inform your risk assessment?
• Do the classification of species, quantities and qualities match across the documentation?
• Can the claims made in the information gathered be verified with evidence?

If you have been unable to obtain information about the species of timber and where it has come from, it will be difficult to conclude that the log is low risk.

Your identification and assessment of risk must be to a reasonable standard and supported by the information that you have gathered. This reasonable standard applies to all the facts and considerations in the risk assessment process, including the requirement to consider the source, reliability and validity of documents used in the process. Visit our FAQs page for more information on what is meant by a 'reasonable standard'.

You must also make a written record of the assessment and risk identification process. If you are assessed, audited or issued a Requirement to Give Information and Produce Documents notice, you may be asked to provide information on what you considered during the risk assessment, and how you reached the risk conclusion for the raw logs.

If, after completing the risk assessment, you conclude that your raw logs are low risk, then you can move on to the record keeping step (Step 4) and finalise your due diligence requirements before processing. However, if you have assessed the risk as greater than low, you will need to undertake risk mitigation as set out in Step 3.

This risk assessment pathway applies to the raw logs/s certified under the:

• Forest Stewardship Council (FSC)
• Programme for the Endorsement of Forest Certification (PEFC)

Forest certification schemes are defined in s 4 of the Rules to include country or jurisdiction-specific schemes which are recognised or accredited against the FSC and PEFC international standards.

This pathway recognises that the FSC and PEFC certification schemes work to reduce the risk that forest products have been illegally harvested. However, the pathway also acknowledges that certification does not provide a guarantee of the legality of the timber. As such, the simplified risk assessment process in this pathway does not rely on certification as the sole indicator of risk associated with a raw log and does not provide a blanket exemption from due diligence requirements. If eligible to use the certified raw log pathway, you will still need to provide all the information required to conduct the risk identification and assessment process. However, your risk assessment step will be simplified as compared to the risk assessment process required in the pathway for non-certified raw logs.

A common mistake is assuming that your raw log is certified because your supplier is certified. It is important to understand that a certified business can still deal in non-certified raw logs. There is also a risk that your supplier may be falsely claiming their log is certified. As such, it is important to follow both steps in the certification products pathway:

1. Confirm that your raw log is a certified raw log (s 11(3) of the Rules)
2. Conduct a risk assessment (s 11(4) of the Rules).

Step one: Confirm that your raw log is certified

The Rules set out a definition for a ‘certified raw log (s 11(3)). To verify that your raw log is certified, you must:

• obtain a copy of the relevant certification record from either the FSC or PEFC database;
• confirm that the raw log falls within the scope of the certification, where the scope includes the species and output category (where applicable);
• verify that all the supplier’s details – and all other details – are correct and align with the information gathered under s 11(2); and
• verify that the sales or delivery documentation for the raw log obtained from the supplier contains a certification claim that is consistent with the certification record from the relevant database and the FSC or PEFC certification standard.

If you find that your raw log is not certified, you must conduct your risk assessment using the non-certified raw logs pathway (Pathway 2B).

Step two: Conduct a risk assessment

Before processing the raw log, you must identify and assess the risk that the raw log is illegally logged.

As part of the risk assessment, you must consider:

• all the information gathered in Step 1
• the extent of illegal logging involving known entities in the supply chain
• any other information you know which may indicate that the raw logs are illegally logged
• the source, validity and reliability of all matters considered in the risk assessment.

You must also make a written record of the risk identification and assessment that you have made.

Further information on completing a risk assessment under Pathway 2A is provided in the FAQ page.

If your raw logs are not certified, you must identify and conduct your risk assessment using the non-certified raw logs pathway (s 11(5) of the Rules).

The non-certified raw logs pathway includes a list of specific risk factors that you must consider when identifying and assessing the risk that the raw logs were illegally logged.

As part of the risk assessment, you must consider:

• all the information gathered in Step 1
• any State Specific Guidelines that related to the raw logs
• the extent of illegal logging involving known entities in the supply chain
• the extent of illegal logging of the species or genus from which the timber was derived;
• the conservation status and/or CITES listing of the species or genus
• the extent of illegal logging in general in the area of harvest
• any other information you know which may indicate that the raw logs were illegally logged
• the source, validity and reliability of all matters considered above in the risk assessment.

You must also make a written record of the risk identification and assessment that you have made.

State Specific Guidelines (SSGs) are documents that have been developed and co-endorsed by the Australian Government and the governments of States and Territories. They help you understand:

• the legal frameworks that regulate timber harvesting in these States/ Territories
• relevant documents (certificates, licences, etc.) that demonstrate harvest legality

The SSGs may also provide helpful information on timber transportation processes.

We have compiled a list of third-party resources which may be useful when conducting your risk assessment.

Further information on completing a risk assessment under Pathway 2B is provided in the FAQ page.

If you are not able to conclude that the raw log is low risk after assessing the risk of the raw log being illegally logged, you need to take reasonable steps to mitigate the risk before you process the raw logs.

How you mitigate the risk is up to you. It will depend on your individual circumstances.

You may need to do more research, such as:

• ask for more evidence or information from your supplier
• ask your supplier for a certified alternative
• visit your supplier to learn more about their supply chains
• use scientific timber identification methods to verify the species of the raw logs before processing.

In some cases, you may need to consider sourcing lower risk raw logs, or even changing suppliers. If you are unable to mitigate the risk by taking other measures, your risk mitigation may involve not processing the raw logs.

Your risk mitigation efforts need to be reasonable and proportionate to the identified risk.

Once you have put your risk mitigation measures in place, you will need to reassess the risk to be satisfied that the measures you have taken have had the desired effect of reducing the risk level to low, or if further risk mitigation measures are necessary.

You must keep records of your risk mitigation process, including the mitigation steps you have taken, the risk conclusion, and any other information you obtained as part of the process.

You may commit an offence and face serious penalties if:

• you process any raw logs that are later found to be illegally logged; or
• you process Australian grown raw logs without conducting due diligence prior to processing.

The Rules set out an exception where processors who are processing the same kind of raw logs via the same supply chain multiple times within a 12-month period are not required to conduct another risk assessment or risk mitigation (s 11(9) of the Rules) within that 12-month period.

This is not an exception to the information gathering requirements set out in step 1, so processors must gather the prescribed information before processing each consignment. It is also not an exception to determine that the logs are certified logs.

If your earlier raw log was certified, and you conducted your risk assessment using the certified raw logs pathway (set out in Pathway 2A), you must confirm that your current raw log is certified, as per the definition set out in the Rules (s 11(3)) (see Pathway 2A for further details).

Before relying on an earlier risk assessment, you must:

• confirm that you have processed the same raw logs within the last 12 months;
• where applicable, confirm that the certification status of the earlier raw log and the current raw log are the same;
• confirm that certain information gathered for the current raw log is the same as the information for the earlier raw log, namely:
  • the description of the raw logs, including the common name and scientific name of the tree from which the raw logs were derived;
  • the State/Territory and area of harvest;
  • the supplier’s details, including the name, address, trading name and business registration number (if any)
• have completed a risk assessment and risk mitigation (if applicable) process on the earlier raw log within the last 12 months;
• consider whether, since the risk assessment was conducted, there have been any significant changes which would increase the risk that the current logs are illegally logged and determine that there have been no such change.
  • What is significant will depend on the circumstances surrounding your regulated timber product. Examples of such significant changes are:
    • the relevant certification for timber harvested in certain areas is suspended or revoked;
    • a significant increase in the reports of illegal logging in a particular area;
    • the conservation status of the relevant species of tree has changed

You must make a written record of your information gathering and the steps you took to determine that the exception was applicable. If you are assessed, audited or issued a Requirement to Give Information and Produce Documents notice, you may also be required to provide a copy of the earlier risk assessment and risk mitigation process (if applicable) that you relied upon.

You must keep records covering certain steps you took in the due diligence process (s 11(10) of the Rules). This includes records of all information and evidence obtained as part of the information gathering requirement.

Your records must be able to demonstrate that you undertook your due diligence obligations before processing the raw logs. Records can be kept digitally or on paper. Your records must be maintained for at least five years after processing.

If you are assessed, audited or issued a Requirement to Give Information and Produce Documents notice, you may be required to provide information and produce documents relevant to:

• your due diligence system in place at the time of processing; and
• your compliance with all the due diligence requirements for processing domestically grown raw logs.

Failure to provide required information or produce documents is an offence under the Act and the person may be liable for a civil penalty.

You may commit an offence or be liable to a civil penalty if you provide false or misleading information or documents to the department.

Visit the Compliance and enforcement webpage to find out more.