Private equity: legal, regulatory and compliance risks
September 2019 | SPECIAL REPORT: PRIVATE EQUITY
Financier Worldwide Magazine
September 2019 Issue
Separate legal personality and limited liability are both fundamental principles of English corporate law and the foundation of the modern market economy. For these reasons English courts are reluctant to ignore a company’s separate legal personality, ‘pierce the corporate veil’ and find a company’s shareholders responsible for the company’s liabilities. Historically, therefore, a manager of a private equity fund has been able to acquire and manage its subsidiary portfolio companies in the knowledge that any liabilities in the portfolio companies would, in most circumstances, be contained with no risk passing to the manager or its fund.
Of course, it has always been possible for a parent company to assume liability for its subsidiary without piercing the corporate veil. This could result from guaranteeing the subsidiary’s obligations, acting jointly with the subsidiary or acting as its agent, or becoming liable in negligence by creating a separate and independent duty of care to that of the subsidiary. Private equity (PE) fund managers have, however, always been disciplined in not providing guarantees or mixing up their fund management activities with the operations of their portfolio companies. The risk for a PE fund manager of incurring liability for its portfolio company’s debts or liabilities was therefore historically seen as fairly remote, but more recently this position has been changing. As the demands for greater corporate social responsibility have grown, so too have the circumstances in which regulators and courts have intervened to make parent companies liable for the actions of their subsidiaries. PE fund managers are therefore facing heightened risks of incurring parent company liability.
Examples of UK legislative intervention encroaching on the protection provided by separate legal personalities can be found in a number of areas, including anti-bribery and corruption, sanctions and other areas of economic crime.
Section 7 of the UK Bribery Act 2010 provides that a company carrying on a business in the UK will be liable if it ‘fails to prevent’ bribery committed by ‘associated persons’. The definition of associated persons is limited to entities ‘performing a service’ to the company which has failed to prevent the bribery and can include an agent, employee or subsidiary. Although it may seem unlikely that a portfolio company will be performing services for its controlling PE fund manager, it is possible that the UK courts will interpret the phrase ‘performing a service’ widely, so as to encompass wholly owned or controlled portfolio companies in some circumstances.
The same strict liability model of ‘failing to prevent’ used in the Bribery Act has been adopted by the draftsmen in The Criminal Finances Act 2017 in creating offences relating to the failure of a relevant body to prevent an ‘associated person’ from facilitating tax evasion.
Further legislative expansion of ‘failing to prevent’ offences is likely in relation to economic crime. The Ministry of Justice’s 2017 call for evidence on ‘corporate liability for economic crime’ floated a wider application of the failing to prevent model in the context of economic crime. More recently, in its evidence to the Treasury Committee in connection with that committee’s March 2019 report ‘Economic Crime – anti-money laundering supervision and sanctions implementation’, the Serious Fraud Office (SFO) highlighted the difficulties of prosecuting economic crime in the UK and outlined as one of its solutions to this problem, the introduction of an offence of failing to prevent economic crime.
In certain cases, sanctions legislation implemented in the UK provides that a PE fund manager will be liable if it deals with a sanctions target ‘directly or indirectly’, which is generally not defined in the sanctions legislation, but the applicable guidance from the UK sanctions regulator states that it will apply the everyday usage of the words (the words will be interpreted widely, for example). A PE fund manager could therefore find itself liable for sanctions breaches by a portfolio company on a strict liability basis. In other circumstances, UK implemented sanctions offences can provide for liability where a person ‘knows’ or has ‘reasonable cause to suspect’ that a violation took place, which could lead to a PE fund manager becoming liable for portfolio company breaches.
Examples of the English courts extending the potential scope of parent company liability can be found in relation to the law of negligence. The courts have held that parent companies may owe a duty of care in negligence to the employees of their subsidiaries in relation to health and safety matters. A UK parent company can also be found liable for negligence in the English courts for breaches of local laws by its foreign subsidiaries. In the case of Vedanta Resources Plc and Konkola Copper Mines Plc v. Lungowe and others the Supreme Court held that there was no special doctrine of parent company liability in English negligence law and that it was therefore arguable that Vedanta had created a duty of care to the local Zambian residents who had been impacted by alleged breaches of Zambian environmental laws by Vedanta’s Zambian subsidiary.
The Supreme Court in Vedanta also noted that circumstances which may result in a parent company’s duty of care arising for its subsidiary’s actions include: where, in published materials, a parent holds itself out as exercising a degree of supervision and control of its subsidiaries, even if it does not in fact do so; and, where a parent company takes active steps, by training, supervision and enforcement, to see that a group policy is implemented by subsidiaries.
Parent company liability is also contemplated by EU law. It is now well established that PE fund managers can be liable for breaches of EU competition law in circumstances where they are deemed to have control or ‘decisive influence’ over their portfolio companies and therefore form part of an ‘undertaking’ with those portfolio companies.
Some commentators have suggested that the use of the concept of the ‘undertaking’ in the European Union’s (EU’s) General Data Protection Regulation (GDPR) may mean that PE fund managers could find themselves liable for breach by their portfolio companies of the GDPR, thus exposing themselves to fines of up to 4 percent of worldwide turnover. The GDPR is a relatively new law and it is still unclear whether parent companies will be treated in the same way as under EU competition law. Differences between the GDPR and EU competition law would suggest that they will not, but there is sufficient ambiguity to mean that this risk cannot be ruled out.
So what are PE fund managers doing about these potential risks bubbling up from their portfolio companies? They are addressing the risks on a number of levels, usually within the framework of their wider environmental, social and governance (ESG) programmes, which are an increasing focus of their limited partner (LP) investors.
The first line of defence is at the point of acquisition. More time is being spent in due diligence on the legal, regulatory and compliance risks faced by portfolio companies. Where a target company has an increased risk profile, for example because of its industry or the geography of its operations or supply chain, warranties will be enhanced. Weaknesses in an acquired company’s policies and procedures identified in the process of the acquisition are being addressed by post-acquisition ‘compliance uplift programmes’.
Having adequate procedures in place can reduce the incidence of breaches by portfolio companies, but can also provide a defence to the ‘failing to prevent’ offences of bribery and the facilitation of tax avoidance. The presence and exercise of appropriate policies and procedures can also mitigate the levels of fines for other offences, for example sanctions breaches. PE firms are accordingly investing heavily in policies and procedures to be adopted by their portfolio companies as part of their broader ESG programmes. This investment includes building dedicated compliance teams to develop policies and procedures and deal with implementation, monitoring and training.
PE fund managers have, therefore, recognised the need for policies and procedures to reduce legal, regulatory and compliance risks in portfolio companies and limit or mitigate responsibility for those risks. As shown by the Vedanta case, however, there is a tension between the adoption and promulgation to portfolio companies of policies and procedures and the risk of assuming liability where the policies and procedures, or their application, are found wanting. The more that PE fund managers are seen to be dictating policies and procedures to their portfolio companies and getting involved in their operational implementation, the greater the risk of claims of direct responsibility to third parties, on the basis of control of their portfolio companies, or the creation of an independent duty of care.
Despite the tension between the development of programmes to reduce portfolio company risk on the one hand, and assuming liability by virtue of that intervention on the other, there is no avoiding the increasing demands on private equity fund managers and their portfolio companies for greater corporate social responsibility and with it increasing legal, regulatory and compliance obligations. Mitigating the risks arising from these obligations has therefore become a permanent and increasingly important fixture on the PE fund manager’s to-do list.
Graham Nicholson is a counsel knowledge lawyer and Ed Harris is a partner at Hogan Lovells International LLP. Mr Nicholson can be contacted on +44 (0)207 296 5923 or by email: firstname.lastname@example.org. Mr Harris can be contacted on +44 (0)207 296 2809 or by email: email@example.com.
© Financier Worldwide
Graham Nicholson and Ed Harris
Hogan Lovells International LLP