Tackling compliance issues in the M&A due diligence process

Segev Shani

Segev Shani

Segev Shani (segevshani@neopharmgroup.com) is Chief Compliance & Regulatory Officer at Neopharm Ltd., Petach Tikva, and Senior Lecturer at the Department of Health Systems Policy & Management & School of Pharmacy at Ben-Gurion University in Beer Sheva, Israel.
7 minute read

By Segev Shani

The assessment of compliance risks in connection with legal due diligence during the acquisition of a company has become a market standard for organizations of all types and sizes. One of the reasons for this trend is that, in accordance with many territories’ local rules and regulations, the acquirer’s management is obliged to evaluate all available information and use sources of information in all important managerial decisions within reasonable limits. Regulatory due diligence is a vital part of risk management in mergers and acquisitions (M&A). Regulatory issues can significantly constrain company resources when they arise unexpectedly. In an increasingly zero-tolerance regulatory landscape, identifying compliance risks within a target company is critical. It’s especially important in certain high-risk or highly regulated industries. The acquiring company must thoroughly understand the target’s regulatory obligations, risks, and issues.

As M&As are critical to the future of any organization, so is the due diligence process, which identifies risks and issues in the target company. To fulfill its role in the process, compliance should be an integral part of the due diligence team from its inception and should understand the M&A objective and deal structure. 

The target company’s preparedness for the due diligence process is paramount. It is highly recommended that the company being acquired perform internal due diligence on their own company first, as a large portion of deals fail due to issues surfacing later in the due diligence process. If the seller (target company) enters the deal unprepared, the process can be extremely time-consuming and frustrating for the acquirer. Therefore, the most successful deals are made between businesses in a state of readiness.

This article aims to describe the crucial role of the compliance function in the due diligence process conducted during M&A and how to assess the information in a practical way to ensure an effective assessment.

Compliance due diligence

Compliance due diligence is defined as the process of conducting a thorough investigation, audit, or analysis of a company’s compliance with governmental and nongovernmental regulatory bodies. It seeks to establish whether a company is following the rules as it should be, to find areas of noncompliance, and identify past breaches. It also allows the acquirer to judge what remedial actions and improvements should be implemented to the compliance framework post-acquisition, estimate costs, and assess less quantifiable risks such as reputational issues.

The expectations of the U.S. Department of Justice and Securities and Exchange Commission regarding Foreign Corrupt Practices Act enforcement in the context of M&A include:

  • Conduct good faith due diligence to uncover potential corruption and bribery pre-acquisition.

  • Ensure a well-documented due diligence.

  • Create a plan to address deficiencies or compliance gaps after the completion of the transaction.

  • Implement a remediation plan.

  • Report violations to demonstrate the company’s efforts to implement remedial measures.[1]

However, there are challenges when performing compliance due diligence. Usually there are limited compliance resources, and due diligence is usually an additional task on top of all other routine compliance activities. In some cases, the acquisition involves organizations operating in high-risk jurisdictions; some organizations have an inadequate compliance program—or none at all. Furthermore, one of the most significant barriers is the different cultural and social norms between the two organizations.

Compliance risk assessment

Although an anti-corruption framework does not eliminate the risks of corruption, it does reduce those risks and demonstrates a clear message from executive management about fighting against corruption. Therefore, the potential acquirer should take a risk-based approach to compliance due diligence. The evaluation will begin with a general external screening of the target company from publicly available resources; it will then dive into an internally focused evaluation based on the initially identified specific risk areas.

A general and quick risk assessment should be performed based on external and environment analyses:

  • The structure of the deal and size of the transaction

  • The target’s location and territories in which it operates (based on Transparency International’s Corruption Perceptions Index)[2]

  • The target’s industry and sector

  • The target’s public adverse media risk profile and compliance program

  • Reputational issues (e.g., history of previous compliance issues, its anti-corruption and compliance systems)

The next step of the risk assessment should be based on internal information from the target company:

  • Corporate, civil, and criminal documents; investigations; litigation; administrative proceedings; court filings; government authority decisions or orders

  • Company structure, ownership (particularly ultimate beneficial owners), directors, management, and key persons

  • Involvement of politically exposed persons, related political/governmental third parties

  • Legislative compliance (e.g., anti-trust and competition law, General Data Protection Regulation)

  • Robustness and effectiveness of the target company’s compliance program, including internal audit processes, policies, employee training, monitoring, controls, and disciplinary actions

  • Third parties, contracts, and controls

The aim of this investigation is to reveal previously unknown issues or red flags, mitigate regulatory risk, understand regulatory obligations, confirm that business partners are legitimate, and evaluate potential business impact. Based on the results, the acquirer may need to adjust the risk approach or terminate the initiation of the deal. The outcome of the risk assessment is the first go/no-go decision. If considerable issues have been identified, the team can recommend terminating negotiations. However, in most cases, although numerous risks might be identified, they do not justify terminating the potential deal. The due diligence team should identify the high-risk topics or processes, begin an enhanced investigation, and set out a practical and operational methodology to properly assess the cost of any noncompliance.

Variance and trust

As mentioned above, in case of potential risks (yellow/red flags), companies should conduct in-depth compliance due diligence, including screening documents and informal discussions with the target company’s employees to provide requested information and explanations. Such discussions are crucial for understanding the target company’s compliance framework and commitment to solving variance issues.

Variance in compliance programs can be attributed to geographic origins, corporate culture, organizational structure, industry sector, etc. Therefore, although “compliance” and “compliance program” are widely used as generic terms, there is a vast difference in how compliance programs and their restrictions are defined and implemented in different organizations. Comprehensive compliance due diligence should assure alignment on territory legal requirements and compliance terms while openly discussing differences in definitions, standards, etc.

Variance in compliance originates from the fact that although the principles are identical, different interpretations lead to different compliance programs. Variance may be caused by different industries and regulations, different geographical regions and territories, suppliers and service providers, and cultures.

A few examples to explain variance:

  • Cultural/religious gifts of minimal value to customers or even government officials are allowed in some territories, while in some other countries, they are regarded as a bribe and are prohibited.

  • Comparing codes of conduct of different industry organizations reveals vast variance in the dos and don’ts defined by each industry sector.

  • Fair market value considerations for payments differ between industry sectors in the same territory and between territories due to the strength of each economy.

Many gaps that can be regarded as risks or discrepancies may be the consequence of variance in the interpretation of compliance. Only open discussions between the due diligence team and the compliance function in the target company can solve these issues, assuming the target company can provide a defensible, consistent approach based on reliable market-specific information. Furthermore, these discussions can promote trust between the parties, making integration smoother once the deal is completed.

Deal closing

Another important responsibility of the due diligence team is to estimate the cost of remedial actions. As in most deals, some gaps or discrepancies will be found. These should not be disregarded, but they are not always deal-breakers. Estimating the cost of remedial action is essential for the acquirer looking to properly understand the costs involved in integrating the target company. These costs must be considered as part of the total cost of the acquisition, particularly since implementing a compliance framework can be expensive. The total cost of bringing the compliance framework up to standard can be evaluated by assessment of:

  • The target’s regulatory environment

  • The maturity of the target’s compliance framework

  • The size of the business

  • Any specific risk

  • The financial penalties or fines with the regulatory authority

Therefore, standard compliance representations and warranties of the target company should be included in the agreement:

  • Material compliance with all applicable rules and regulations

  • Not convicted nor pleaded guilty in any legal or regulatory proceedings

  • Not aware of any ongoing investigation or enforcement action

  • Not excluded or debarred or had any license or approval revoked

  • Had not received a notice of violation of any rules or regulations

  • Has timely submitted to the applicable authorities all mandatory required reports, data, or information

Identified compliance risks can impact the deal structure. Risks may need to be cured as a closing condition, or the cost of remediation may need to be deducted from the cost of the deal.

Lastly, after all risks have been identified during the due diligence process and the deal is signed, an action plan should be prepared to integrate the acquired company’s compliance program with the acquirer’s compliance program (the “day after” integration phase).

Conclusion

Due diligence is a crucial part of the M&A process. Involving the compliance team from the beginning of the due diligence assures that they conduct a full risk-based assessment ahead of any transaction to properly understand the current risks, noncompliance, and cost of the transaction. Taking into consideration the built-in variance in compliance is essential to ensure the assessment does not provide false results, as many red flags can be mitigated once explained. Open discussions between the due diligence team and the target company will streamline solving these issues. This approach prevents incurring unexpected remediation expenses post-acquisition; it reduces the risk of a regulatory authority uncovering issues for the target company, which could incur fines that significantly impact the return on investment. Furthermore, when compliance risks and discrepancies have not been adequately addressed, significant cost and effort are required to repair the company’s reputation and regain the confidence of the different stakeholders of the company, such as investors, clients, employees, regulatory authorities, etc.

The opinions expressed in this article are the author’s personal views and do not necessarily represent his employer.

Takeaways

  • Compliance’s role in the mergers and acquisitions due diligence process is crucial for the business in uncovering discrepancies, risks, and deal-breakers.

  • Although “compliance” and “compliance program” are widely used generic terms, there is a vast difference in how compliance programs and their restrictions are defined and implemented.

  • Most compliance issues and risks can be overcome, but corrective actions and remediation costs must be assessed.

  • Compliance due diligence cannot be performed successfully without open discussions and cooperation between the compliance teams of both parties.

  • Assessing the compliance framework of the target company gives the acquirer increased visibility into the costs involved and allows them to maximize the return on investment with a clearer view of the risks.

 
1 U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, updated March 2023, https://www.justice.gov/criminal-fraud/page/file/937501/download.
2 “Corruption Percentage Index,” Transparency International, 2022, https://www.transparency.org/en/cpi/2022.
This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

What to read next...

Impact of compliance on Pakistan and AJK

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings