UK sentencing guidelines – are regulatory breaches discovered during deal due diligence now ‘more material’?
December 2016 | SPOTLIGHT | MERGERS & ACQUISITIONS
Financier Worldwide Magazine
Headline grabbing fines for corporate offences have historically been the preserve of major financial, anticorruption or antitrust investigations. While companies are yet to be fined hundreds of millions of pounds for environmental, health and safety and food offences, recent sentencing guidelines now categorise penalties more transparently but also carry much higher tariffs, albeit maximum fines remain ‘unlimited’.
Seven figure fines for safety offences have been handed down by Courts on numerous occasions; since the guidelines came into play on 1 February 2016, sentencing judges have indicated that these amounts are now the rule, rather than the exception. The record breaking £5m fine for a non-fatal accident handed to the owners of Alton Towers recently has made it clear that the courts are starting to use the guidelines to demonstrate the old adage, ‘the bigger they are, the harder they fall’.
Add in a less tolerant attitude by society to corporate wrongdoing and the associated brand damage that can occur in the aftermath of a regulatory breach, or even following the launch of a defective product, as Samsung has found recently, then the reputational and financial materiality of breaches that are detected in corporate due diligence looks set to change dramatically.
What changes can you make to your deal due diligence?
It is the stuff of dealmaking nightmares to find out during due diligence or, worse still, after completion of a deal, that an offence has occurred and a criminal investigation and prosecution have been commenced. So, how can you manage and mitigate risk in an area where it is notoriously difficult to spot hidden or fraudulent behaviour?
First and foremost, be clear (and flexible) on what is material. The changes you make should already vary by parameters such as the target, its tangible and intangible value, its business area and associated risk profile, together with the purchaser’s familiarity with the risks associated with that industry, to name but a few. However, there are some issues that we see in many transactions of all shapes and sizes that should be brought to the fore now that the risk profile of getting it wrong has increased dramatically. Irrespective of the transaction, materiality should always be kept under continuous review as issues crop up in data room reviews.
It could be an item by item ‘de minimis’ amount set at the outset of a transaction, or a cumulative amount by risk issue. It could be a clearly defined carve out, such as all risks to brand or reputation, or a combination of the two. Ultimately, it is for the purchaser to decide exactly what is material to them, but it would be wise not to take a one size fits all approach to defining scope and setting thresholds, especially for regulatory breaches which could result in prosecution.
A savvy purchaser who knows the sector well and is acquiring a rival or a series of smaller competitors may have a very different attitude to risk on a specific issue or range of issues than the new market entrant. In the latter case, you may even look to invest in sector specific due diligence to flag all the issues that might affect a heavily regulated business sector, such as care homes, possibly before you have even scoped materiality.
Companies must also be aware of potential regulatory bear traps. The tail cannot wag the dog and we are by no means suggesting that regulatory issues are the only concern within a transaction, but regulatory risks are wide ranging and the purpose of this article is to flag that getting it wrong can be an increasingly costly mistake.
Companies must also be wary of hidden or fraudulent behaviour. Behaviour that has gone unnoticed for many years, despite internal and external auditing is, by its very nature, hard to detect. It may be that there are lots of small compliance breaches which would not flag a concern individually, but which combined should point to a poorly managed business whose risk profile is poorer than you might expect.
Business attitudes to risk must also be a consideration. Increasingly, regulators and responsible businesses are focusing on a business’ attitude to risk and the implementation of a culture of compliance to establish evidence of wrongdoing, so acquiring purchasers should do the same. Some tell-tale signs that may prompt closer scrutiny are a lack of available documents, very new documents, documents that are hard to get hold of, no one with responsibility for compliance, blank looks when basic questions are asked, or high numbers of insurance, litigation or employment claims.
In fast growth companies, regulatory breaches could be accidental – a failure to appreciate that a business has grown so big that it has triggered new regulatory reporting obligations could still be a criminal offence, but specialist advice should be taken with regard to how likely a prosecution is, mitigating risk and what any penalty might be.
In addition, companies must consider the wider implications of a regulatory breach being uncovered post-completion. The cost of a regulatory investigation and payment upon conviction is obvious for most businesses, but there can be an attitude of “it will never happen to us”, or just a hope and a prayer that this will be the case.
Certain aspects may be recoverable under warranties or indemnities in the acquisition documents, or the costs may be covered by insurance, but increasingly regulatory breaches are criminal offences, which purchasers should remember, cannot be indemnified as a basic point of English law and some of the implications do not have an immediate financial cost.
Distraction from the business. For any business that has not been involved in any form of regulatory investigation, it can take a lot of manpower to deal with investigations, document requests, PACE interviews and ultimately time preparing for and in Court. Most business plans for acquisitions will not allow for large numbers of staff and management being drawn into a regulatory investigation.
Distrust between old and new. Morale is likely to take a big hit. People can quickly resort to covering themselves and blaming others. If you have retained key staff and directors, do you really want to be suing them under an SPA while asking them to help run your business?
Key personnel. With regulators increasingly looking to prosecute key individuals at management and board level, it may be the case that senior people are under suspicion and ultimately prosecuted. Can the business operate to its full potential with ‘key personnel’ in prison or disqualified as directors?
Insurance. Deliberate wrongdoing or failure to report issues could result in insurers declining cover. At the very least, policies will be much more expensive to purchase in the aftermath of a serious regulatory breach.
Loss of confidence. This may be market confidence in a publicly listed deal, or commercial confidence from customers and suppliers, resulting in withdrawal of supply or loss of business.
Breach of covenants. Companies may quickly find that a regulatory breach puts them in breach of the funding arrangements put in place at the outset.
Corporate memory loss. If a team of directors is removed during an acquisition, what provision is there to obtain assistance on historic offending in the event of a breach being investigated, especially if they are going to protect their own interests?
All of the above will have a significant effect on value and earnings multiples, which could quickly exceed the liability caps in the agreements.
When considering the deal due diligence of corporate acquisitions, the regulatory compliance of a seller is frequently not considered as one of the issues at the top of the priority list for buyers and their legal teams.
Areas to focus upon
As criminal liabilities are taken on as part of any company purchase and no indemnity can be made against a criminal fine, buyers are exposed to a significant risk if there are any compliance issues which are not tackled pre-acquisition.
There is no silver bullet, but you should look for a number of areas in order to get a better understanding of compliance in the target company.
First, it all starts with scope. The bigger the brand being acquired, the more limited the experience in the sector or the higher risk the sector is in terms of likely breaches, then the higher risk the acquisition and the greater the need for an understanding of compliance issues in that sector or a need to carve out compliance issues from the generic scope.
Second, top down commitment and a culture of compliance. A deeper look into the culture of the business is needed to ascertain how the policies are implemented and what the culture of compliance is within the business. This can often be hard to determine. As such, there will inevitably be an element of risk attached. One way to alleviate this risk would be to instruct an independent health and safety audit or gap analysis to conduct a review upon purchase. You would never buy a house without having a structural survey completed, so why buy a business without surveying its compliance?
Third, questioning key personnel is vital. This helps to establish their competence, especially in any compliance functions. Is the compliance function a fig leaf to demonstrate compliance on a cursory glance? Challenge replies to enquiries, documents in the data room and disclosures in conversations, where possible.
Fourth, timing is key. If a business is highly regulated, compliance documents should be forthcoming and complete at the very outset. So often, a data room is quickly populated with corporate information, property and personnel files but there is little or nothing relating to compliance. Even if a business is not highly regulated, it should give you a pretty strong impression of priorities if all the sales records are available from the off, but they cannot quickly provide basic documents such as licences, permits, risk assessments and compliance policies.
Fifth, efforts should be made to ascertain the company’s key assets and whether they are likely to be compliant. If there is a breach affecting these assets, it could have a major impact on the brand and the value of the target, especially if large amounts of the deal value are attributable to a piece of polluted land, the contract that was procured with a bribe, or that dangerous piece of equipment which is key to manufacture.
Sixth, if the business is highly regulated, what formal training and qualifications have compliance officers and key personnel had to be deemed competent?
Seventh, documents are a key starting point, but the existence of a policy or risk assessment alone does not demonstrate compliance. There is no tick box approach that can be taken.
Eighth, if a company has previous convictions (or enforcement notices served against it), a further look at the compliance issues behind this could be the difference between the same offences being committed in the future and findings being applied to avoid future issues. The previous convictions of a company would pass in the sale, and would be considered an aggravating feature to any future prosecutions, regardless of who was in control at the time of the offences.
Finally, has the company learned from its past mistakes and implemented policies to ensure they will not happen again?
These sorts of assessments will provide a more detailed view as to how the business is approaching compliance, including such things as how the policies are being implemented and how staff are being trained, and what the review process is for policies and audits. These details are crucial to be able to assess any potential liabilities in relation to compliance.
At the outset of any deal, due diligence processes and regulatory compliance should be addressed in detail to prevent any future impact upon the target which could be very costly and damaging to the business’ reputation and to that of the acquirer. Compliance issues should not be relegated to being a ‘necessary evil’ which is dealt with towards the end of the due diligence process.
Those purchasers and targets considering a sale need to review their positions to push regulatory issues up the agenda and be wary of any business that cannot lay its hands on compliance documentation, or whose key personnel seem unaware of, or unfamiliar with, key areas of compliance for that business. Current deals should be reviewed to ensure regulatory issues are being addressed.
Regulatory breaches have not suddenly become important, but the sentencing guidelines and changing attitudes to risk and compliance should make businesses looking to acquire targets look much harder at their materiality scope, outputs from due diligence, as well as challenging targets on the provision of basic business compliance information from the outset.
Philip Ryan and Hayley Saunders are partners at Shoosmiths. Mr Ryan can be contacted on +44 (0)3700 86 8915 or by email: email@example.com. Ms Saunders can be contacted on +44 (0)3700 86 4217 or by email: firstname.lastname@example.org.
© Financier Worldwide
Philip Ryan and Hayley Saunders