Compliance risks in M&A

February 2024  |  FEATURE | MERGERS & ACQUISITIONS

Financier Worldwide Magazine

February 2024 Issue

Compliance risks cover a wide range of issues and can potentially expose organisations to enforcement action, monetary penalties, reputation damage and material loss. For companies engaging in a merger or acquisition, it is imperative that they call on experienced compliance professionals to assess these risks. Compliance teams must have a seat at the M&A table early in the process, to assist with due diligence.

Compliance teams can help to establish the types and levels of risk an acquisition poses, and to contextualise it for the acquirer’s business. Due diligence can shed light on whether the target has any past or current compliance issues that may affect the transaction, such as issues relating to bribery, corruption, fraud, money laundering or sanctions, or whether the transaction triggers obligations to notify or obtain approval from government authorities, such as under a foreign investment control regime, or in connection with handling classified or ‘top secret’ contracts, or based on registration as an arms manufacturer or exporter under the International Traffic in Arms Regulations (ITAR) or similar, for example. Acquirers can then evaluate the target company’s suitability and value.

According to Globalscape, the cost of regulatory compliance has increased in recent years, to an average of around $5.47m. Large companies have reported that the average cost of maintaining compliance can run up to $10,000 per employee, as noted by the Competitive Enterprise Institute. Yet despite the rising cost, it can be much more expensive to fail to meet compliance requirements. Globalscape found that the average cost of non-compliance is $14.82m – an increase of more than 45 percent in 10 years. The true cost to organisations due to a single non-compliance event is an average of $4m in revenue.

A tightening regulatory landscape around the globe has forced companies to adapt to changing realities. From evolving data regulations such as the European Union’s (EU’s) General Data Protection Regulation (GDPR) to the implementation of sanctions against states such as Russia and North Korea, to expanded foreign investment controls in numerous jurisdictions, multinational companies operating today must be cognisant of the compliance challenges they face when doing business.

While some businesses may believe they lack the resources to deploy the necessary tools and procedures for compliance, the alternative could be more costly. As Paul McNutty, former assistant US attorney general, summed it up: “If you think compliance is expensive, try non-compliance.”

In the US, the Department of Justice (DOJ) recently updated its guidance on the evaluation of corporate compliance programmes, stating that “a well-designed compliance program should include comprehensive due diligence of acquisition targets, and should include a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls”.

Role of the board and compliance team

Compliance considerations should permeate all departments, but they begin with the board of directors. The board is crucial to the corporate governance process, overseeing the operations of a company. Ultimately, the board is responsible for ensuring that the company complies with all relevant laws and regulations, that its reports are accurate and that it adheres to all applicable compliance standards.

For directors and officers (D&Os), increased scrutiny has resulted in stricter compliance requirements, in some cases making board members personally liable for compliance breaches within their organisations. Decisions made in association with an M&A transaction could expose D&Os to allegations of mismanagement or misconduct, breach of fiduciary duty, or other legal issues.

Legacy liability issues can impact the value of the target and threaten the viability of the planned transaction.

In M&A, appointing compliance experts is a key step. A compliance team can properly frame potential risks to the business arising from a transaction. “The compliance team is critical to avoiding unwittingly buying significant compliance liability, complying with foreign investment controls, and planning for compliant future interaction between the target and the new parent,” notes Tahlia Townsend, a partner at Wiggin and Dana LLP. “However, compliance is too often engaged as an afterthought, late in the diligence process. Senior management should ensure that compliance is consulted early in the deal process and should carefully evaluate any compliance risks identified during diligence.”

Successor liability

With regard to compliance risks, perhaps the most significant aspect relates to successor liability. In certain jurisdictions, such as the US, when a company acquires or merges with another company, the purchasing entity generally assumes all the liabilities of the target.

Legacy liability issues can impact the value of the target and threaten the viability of the planned transaction. As a result, acquirers need compliance due diligence to analyse matters that may lead to legacy liability – especially if the target is active in a highly regulated sector. Such matters might be linked to bribery and corruption, fraud and money laundering, export controls, government contracts and sanctions, among others.

“Enforcement actions based on successor liability are quite common,” points out Ms Townsend. “Therefore, thorough compliance diligence is critical for avoiding successor liability that may significantly reduce the value of the deal and expose the new parent to financial and reputational harm.”

The successor liability landscape continues to evolve. In October 2023, Lisa Monaco, US deputy attorney general, announced a new DOJ Mergers & Acquisitions Safe Harbor policy that encourages companies to self-disclose criminal misconduct discovered by an acquiring company during the acquisition of a target. Under the policy, the acquiring party will receive a presumption of criminal declination if it promptly and voluntarily discloses criminal misconduct, cooperates with any ensuing investigation, and engages in appropriate remediation, restitution and disgorgement.

Under the DOJ guidelines, an acquiring company has one year from the closing date of the transaction to fully remediate the misconduct (though deadlines are subject to reasonableness and may be extended by prosecutors due to deal complexity and other factors). Notably, misconduct that threatens national security or involves ongoing imminent harm must be immediately disclosed.

The DOJ guidelines relate to potential criminal liability; they do not apply to civil or administrative liability for past infractions. “Many regulations, including export controls and sanctions, impose successor civil liability on acquirers, often on a strict liability basis – where intent is irrelevant – and an increasing number of jurisdictions have also adopted stringent foreign investment controls that must be addressed before closing an acquisition,” explains Ms Townsend. “To avoid buying liability for a target’s past violations, or failing to satisfy foreign investment control requirements, it is essential to engage internal or external compliance professionals early in the diligence process.”

Assessing compliance risks in the pre-close phase

Assessing and mitigating compliance risks is a challenging but vital part of the M&A process. Acquirers need to uncover any liabilities they would inherit from the target company, so they can make an informed decision on how – or whether – to proceed.

Bribery and corruption are significant issues as, depending on the jurisdiction and the underlying facts, they may constitute a criminal offence that can attract financial penalties and potentially imprisonment for D&Os. Purchasers may also incur civil liability in respect of historical or ongoing bribery and corruption that can lead to administrative enforcement action.

In the event a bribery or corruption issue is identified during the course of due diligence, the acquirer must undertake a deeper review to establish its extent. This includes identifying the persons involved, and whether the behaviour can be attributed to rogue actors or whether individuals were operating with the support or approval of management. It should also determine the amounts of any bribes paid, the frequency of illegitimate payments and the existence of any associated records. Once the extent of the activity has been confirmed, available options need to be considered, including whether to move ahead with the deal. Similar cautions and considerations apply in areas such as export controls, sanctions and government contracts.

It can be challenging for acquirers to uncover potential non-compliance issues within a target company, but there are several approaches which may be adopted. “The compliance team should assess the specific risks presented by the target’s lines of business and markets, issue a targeted compliance questionnaire, analyse the target’s responses, and review a risk-based sample of key documents,” suggests Ms Townsend. “If the review identifies potential areas of non-compliance, acquirers should evaluate the pros and cons of requiring the target to conduct an investigation and, if appropriate, make a voluntary disclosure before acquisition, versus disclosing after acquisition or simply remediating without disclosure.”

According to Ms Townsend, additional hurdles often arise in the cross-border context. “Compliance diligence in cross-border M&A must be conducted with sensitivity to conflicts of law between the relevant jurisdictions, such as EU blocking regulations implemented in opposition to the US’ unilateral embargoes on Cuba and Iran,” she notes. “Such conflicts of law may complicate remediation of non-compliance and post-acquisition implementation of parent policies and procedures, and may require collaboration between compliance counsel in multiple jurisdictions.”

Should an acquirer identify any actual or potential compliance failures during due diligence, it can attempt to transfer some or all of the associated financial responsibility back to the seller by adjusting the price or negotiating an indemnity. In parallel, representations and warranties (R&W) insurance may be available to provide coverage under an M&A purchase agreement. The policy protects an insured against financial loss – including defence costs – resulting from breaches of R&Ws. This type of insurance can be used by public and private organisations in both traditional change of control transactions and non-control, minority investments. Acquirers may also require the target to make voluntary disclosure to government authorities of any identified instances of non-compliance, in order to ‘clean house’ before closing and mitigate penalties.

Post-close analysis and remediation

As soon as the deal has closed, the acquiring company should begin post-transaction due diligence. The buyer will now have full access to the target company’s inner workings, allowing for a more thorough examination of risks associated with the acquisition. A key objective is to mitigate any newly identified risks and remediate any misconduct identified.

The compliance team has a critical function to play post-close. In this period, once the acquirer has complete access to the target company’s systems and documents, it may conduct more detailed transaction reviews.

“At a minimum, it will be essential to work with the target to promptly implement effective remedial measures for any prior violations, and to robustly integrate the target into the acquirer’s compliance programme after acquisition,” suggests Ms Townsend. “Once acquisition is complete, trust but verify should be the mantra: there have been multiple enforcement actions involving targets that continued non-compliant activity after acquisition because the new parent did not audit.”

If potential liabilities are uncovered, the acquirer may need to consider self-reporting to the relevant regulatory bodies. Pros and cons are attached to making voluntary disclosures, which must be carefully considered. Certain jurisdictions offer incentives through self-disclosure policies, for example. But collateral consequences may include civil penalties, civil litigation, parallel investigations by enforcement authorities in foreign jurisdictions, regulatory action and reputational harm from public announcement of enforcement activity.

Persistent enforcement risk

With optimism growing that 2024 will see a marked increase in deal activity, acquirers need to make themselves aware of compliance risks when executing a deal. Key steps should be completed prior to agreeing a transaction and in the post-close integration phase. Conducting compliance due diligence will allow acquirers to properly understand the risks and accurately evaluate the upsides and potential liabilities of a deal.

M&A, though an attractive means of generating value, is fraught with risk. “We would expect continued high risk around M&A transactions,” warns Ms Townsend. “The regulatory landscape is becoming more and more complex, and regulators have shown enduring interest in bringing enforcement actions based on successor liability.”

Buyers face myriad challenges when conducting transactions, particularly for deals in unfamiliar jurisdictions. Failure to fully account for compliance risks can have significant financial, reputational and legal consequences for an acquirer. Conducting thorough due diligence with appropriate expert assistance can help alleviate some of that risk. As with any transaction, it is incumbent on buyers to beware.

© Financier Worldwide

BY

Richard Summerfield

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.