Assessing the risk: compliance due diligence


Financier Worldwide Magazine

June 2017 Issue

The acquisition of a company without conducting a due diligence investigation is barely conceivable, not least because the creditors financing the purchase price usually ask for a due diligence report. Due diligence contains different workstreams that usually include assessing the legal, tax and financial risks of the target. Not only in the acquisition of large or listed companies, but also in mid and small-cap transactions, purchasers have recently been seeking to extend due diligence procedures to include compliance issues, particularly as they could become deal breakers. This is reason enough to take a closer look at compliance due diligence.

The risk-based approach

Generally, the scope of potential compliance risks can be broad, and includes different legal topics, such as anti-corruption regulations, bribery, procurement law or European and national data protection regulation. Due to large fines (and, with regard to recent developments, damages claims), antitrust and competition law may be a key issue during a compliance due diligence investigation.

Not all of the aforementioned compliance risks are relevant in every transaction. Furthermore, an in-depth analysis of compliance risks can be a demanding and cost-intensive process. Presumably this is why, at least in Germany, common market practices for compliance due diligence have not yet been established. However, the practical tendency within the pre-signing phase is a risk-based approach. This means that compliance due diligence does not cover the entire scope of potential compliance risks, but rather is limited to certain issues, depending on the situation and the framework of the target. If further clarification of potential compliance risks identified in the pre-signing phase is necessary, the purchaser might conduct a further assessment after the signing or closing of the transaction.

The general structure of compliance due diligence

The risk-based approach requires, more so than any other due diligence process, precise planning and preparation. In practice, it is often appropriate to structure the compliance due diligence in three steps, as outlined below.

The first step requires a preliminary assessment, in order to determine whether the target bears any compliance risks. This assessment is based on publicly accessible information, such as print and online media, as well as the blacklist of the World Bank, and it must take into consideration specific business activities, the structure of the relevant markets and the company’s location. For instance, international distribution companies usually face a bigger compliance risk than a national manufacturer. An in-depth corruption assessment is advisable if the target is seated in a country listed on the Corruption Perception Index (CPI). Apart from that, hidden risks might exist for joint ventures, because, based on the UK Bribery Act, compliance infringements of a joint venture partner can be attributed mutually. Depending on the particular business of the target company, foreign trade law and commercial relations of the target with states in breach of economic sanctions may be relevant.

The next step deals with risk analysis. Based on the results of the first step, the purchaser has to assess the potential compliance risks and decide in which areas compliance due diligence should be conducted. A risk matrix, or a coloured overview quantifying the potential risk of a compliance violation for each relevant case (for example, red if there is a high risk of corruption or antitrust law infringement, and green for low risks), can be helpful. On the basis of the identified risks, it is possible to precisely define the scope of the required due diligence investigation.

In the case of potential risks (red or yellow ‘flags’, for example), companies would be advised to conduct in-depth compliance due diligence procedures which include, for example, the screening of documents in a virtual data room, as well as a management session, together with the chief compliance officer or any other employees of the target who are responsible for compliance issues. In general, the purpose is to find out, on the one hand, whether the target has a history of non-compliance incidents and, on the other hand, whether, and to what extent, the target has implemented a working compliance management system. Should the compliance due diligence process uncover serious compliance risks, this could be a deal breaker, or will at least affect the purchase price. Hence, the potential purchaser will have to evaluate the overall risks and rewards of the transaction.

Therefore, those advising the potential purchaser have to unveil potential compliance violations of the target, its management or employees in order to calculate the risk (and maybe a discount on the purchase price). For example, the potential buyer should find out if the target concluded illegal agreements with competitors (about pricing, for example), because after the acquisition the acquirer bears the economic effects of any fine imposed on the target. Additionally, the buyer should consider the risk of damage to the company’s reputation. Apart from that, the potential buyer should check whether, and to what extent, the target has implemented internal compliance guidelines. In this context, the target’s compliance management system and documentation, such as the code of conduct and policies, as well as reporting lines and whistleblowing mechanisms, should be checked.

Further handling of compliance risks

Insofar as compliance due diligence procedures may reveal serious compliance risks, the potential purchaser has to find appropriate solutions. If these risks do not constitute a deal breaker that terminates the transaction, the potential purchaser might argue that the purchase price should be reduced or – in consideration of the probable economic effects of the compliance risks – recalculated. Regardless, it is generally advisable to address such risks in the share purchase agreement (SPA). In this regard, one has to distinguish between indemnifications and guarantees. An indemnification clause between seller and purchaser is agreed with regard to known risks. Guarantees relate to risks that remain unforeseeable after compliance due diligence has been conducted. Basically, a purchasing party that has duly examined the risks of the transaction and is fully aware of any compliance risks has a strong negotiating position. This is due to the fact that the seller is much more willing to accept an indemnification clause if the specific risks have been clearly identified during the compliance due diligence. If the compliance due diligence revealed a possible, but not precisely known, risk, the purchaser will seek to include a compliance guarantee. However, the advantage of an indemnity for the purchaser is that it is usually not subject to the restrictive limitations of a guarantee.

In the case of a breach of a guarantee or indemnification, the purchaser bears the risk that the seller might be unable to settle the claims. This is called insolvency risk. These risks can be covered by a warranty and indemnity insurance policy, which also covers compliance guarantees, for instance, in connection with corruption and bribery.

On a separate note, in connection with guarantee or indemnification clauses, since legal disputes often arise about the scope of both an indemnification and a guarantee, it is advisable to include an arbitration clause in any SPA to accelerate resolution.


With regard to the far-reaching risks of compliance violations, engaging in pre-signing compliance due diligence procedures is to be recommended, not only in larger M&A transactions, but also in mid and small-sized deals. A potential buyer would be well-advised to engage an experienced team of qualified business lawyers for this kind of work. The practice usually prefers a risk-based approach, which means that compliance due diligence is limited to certain issues of high relevance for the target. This enables the purchaser to indicate potential deal breakers, or offer arguments for reducing the purchase price. In any case, compliance risks should be mirrored in the SPA, via appropriate guarantees and indemnifications.


Professor Dr Jochem Reichert is partner and Dr Matthias Heusel and Dr Maximilian Goette are associates at Schilling, Zutt & Anschütz Rechtsanwalts AG. Professor Reichert can be contacted on +49 621 4257 229 or by email: Dr Heusel can be contacted on +49 621 4257 256 or by email: Dr Goette can be contacted on +49 621 4257 331 or by email:
