When evaluating external growth opportunities, compliance due diligence is quickly becoming an integral part of the workstream process required, when considering minority holdings or corporate acquisition integrations. Compliance due diligence (or compliance audits) allow the acquirer to properly understand and identify the compliance risks related to the target, whether that involves corruption or related areas like data privacy.
This comprehensive review provides potential buyers with the ability to identify risks linked to failings in the target company’s compliance program. This could include risks in internal processes, leading to significant areas of non-compliance, and potentially, to past breaches of relevant regulations for which the acquirer could likely end up paying the cost.
Compliance due diligence can allow the acquirer to judge what remedial action and improvements could be implemented to the compliance framework post-acquisition: to estimate their cost and to assess less quantifiable risks such as reputational issues.
Growing Pressure From the Regulatory Environment
Recently, the international regulatory environment has become increasingly onerous for companies, resulting in an increase in compliance-related assessment on a global basis. Following an acquisition, the buyer will potentially take on legal responsibility and criminal liability for any non-compliance, such as acts of corruption within the target company, which took place either prior to acquisition or at the point of execution.
When reviewing the issue of anti-corruption, global regulators are increasingly interested in acquisitions and takeovers. For example, in January 2020, the French Anti-Corruption Agency (AFA) published a practical guide on anti-corruption checks to be conducted in the context of M&A activity following a public consultation.
In the area of data protection, all entities located within the EU are subject to the General Data Protection Regulation 2016/679 (GDPR). Therefore, identifying risks linked to non-compliance in this area becomes increasingly important when looking at a target for acquisition. The consequences of non-compliance with the GDPR are significant, with fines potentially reaching up to €20 million, or 4% of the consolidated turnover of the company, whichever is higher.
A Risk-Based Approach to Compliance Due Diligence
Compliance due diligence reviews are quickly becoming essential tools to assess external growth opportunities. When evaluating the need for this type of audit, it is essential to take a risk-based approach to assess the nature and scope of the verifications required.
In the case of a review of an anti-corruption program in France, the first step would be to assess the acquirer’s own risk profile. If the company is not already subject to Article 17 of the Sapin II law requiring the implementation of an anti-corruption framework by virtue of the number of employees or level of turnover (500 employees and €100 million in turnover), would those thresholds be exceeded once the target company is acquired? What is the nature of the acquirer’s business activities and where are those activities located? In short, what aspects of the acquiring firm would increase its risk profile and, therefore, the likelihood of regulatory scrutiny?
The second step of the analysis would be to look at the target company’s risk profile. Is the firm already subject to the Sapin II anti-corruption framework? Does the firm already have an anti-corruption framework in place? What activities is the firm engaged in and where are those activities located?
Even if companies are not subject to Sapin II, certain industries or countries may be exposed to greater risks of corruption. A pre-acquisition compliance review could be necessary in this context. Although an anti-corruption framework does not eliminate the risks of corruption, it does likely minimize those risks and demonstrates a clear message from executive management to fight against corruption.
When evaluating what analysis or review to conduct on the issues of data privacy and protection of personal data, we must consider how pertinent this topic is for the target company and to assess the level of operational risk for the acquiring company.
By way of illustration, a manufacturing company based in France with retail clients is, under the GDPR, subject to the same level of fines as a company like Google. The likelihood, however, of the manufacturing company seeing fines close to the maximum is low, as the company processes little customer personal data.
Aside from the issue of potential fines, risks around non-compliance with GDPR can also be assessed by attempting to bill any remedial work required to address failings in the compliance framework. A data protection compliance program for a manufacturing company will be proportionately simpler and lighter than that required for a digital marketing company.
Another factor to consider is the seriousness of any failings identified. In assessing the extent of any failings, existing previous cases of enforcement action and soft law are often helpful in assessing the risks inherent and provide a benchmark for fines bases on past similar situations.
Assessing the Risk of Enforcement Action
Once the requirement for compliance due diligence has been established, it is crucial to set out a practical and operational methodology to properly assess the cost of any non-compliance that may be identified.
One approach could be to assess the amount of any likely financial penalty. The immediate challenge is that it is not always easy to estimate the likelihood of a regulatory inspection or attempt to foresee a regulator’s position. Any attempt to add a probability weighting to a potential fine in order to estimate the likely amount would be little more than guesswork. An alternative approach could be to use the maximum fine possible to the regulator in the context of identified shortcomings in the compliance framework during the due diligence exercise, where national legal frameworks allow for this type of approach. When no maximum fine is stipulated under the national law, as is the case for the UK Bribery Act, estimating the likely fine may involve reviewing legal precedent and similar cases to arrive at an estimated amount.
Fines or other agreements with regulatory authorities (Convention judiciaire d’intérêt public (CJIP) in France, or deferred prosecution agreements (DPA) in the U.S. or the UK), may also present potential acquisition costs that may result from the transaction. Once the acquirer has access to all documents and systems on the target company and conducts detailed transaction reviews, identifying these transactions or situations with authorities can only be achieved by conducting further due diligence.
Consequently, evaluating sanctions or transactions with the regulators should be taken as part of a broader reputational risk analysis given the uncertainty surrounding how an individual regulatory inspection may be conducted, and therefore, the likely amount of any fine which could result from enforcement action.
Estimating the Cost of Remedial Action of the Target
Aside from the increased interest that regulators have expressed in acquisitions and the resulting pressure to complete compliance due diligence reviews, the exercise is also essential for any acquirer looking to properly understand the costs involved in integrating the target company. These costs must be considered in the total cost of the acquisition, particularly, since implementing a compliance framework can be expensive.
An initial estimate of the cost of remedial action can be evaluated by looking at the costs that the acquirer would incur in bringing the compliance framework up to standard. Several factors specific to the target company need to be considered when making this estimate, such as the regulatory environment, the maturity of the compliance framework, the size of the business and any specific risks. Historic costs of integration of prior acquisitions can also be a reference point to gauge cost.
Any red flags identified during the pre-acquisition process may also be helpful in assessing the nature and extent of the post-acquisition due diligence exercise, which will also need to be considered when assessing costs of integration. Past experience would indicate that following an acquisition, where these types of checks are conducted quickly and in good faith, and with the wish to provide full disclosure to regulatory authorities, it can significantly reduce the level of a potential fine or financial penalty arising from a negotiated settlement with a regulatory authority.
Consideration of the Due Diligence Review Results in Assessing the Total Cost of an Acquisition
Once the pre-acquisition compliance audit has been completed, the question remains—how to incorporate the results and conclusions into the analysis of the opportunity that the acquisition presents.
The most extreme case would be where the financial or reputational risks identified are considered sufficiently serious, and the only possible decision would be, to not pursue the transaction. In this case, the compliance due diligence would have protected the buyer from negative financial or reputational consequences.
Where the acquisition still seems feasible, the question then raised is how the findings of the compliance due diligence review should be reflected, either in the price the acquirer is willing to pay, or in the total cost of the transaction and included in the projected return on investment (ROI).
If the review has uncovered risks resulting from previous practices, it may be possible to identify and carve out these risks in legal documentation. This will provide the buyer with protection from the unknown and potentially significant consequences of poor or non-compliant practices identified during the review.
Where the review identifies risks that could lead to enforcement action or financial penalties, a significant remediation plan would need to be instated. Negotiation or reduction in the final purchase price based on the estimated future cost of the mediation would likely result in a lower internal rate of return on the transaction than that initially anticipated.
If the transaction involves a minority stake in the company, or where the previous management team remains in place after the acquisition, it may be possible to structure the transaction with earn-out clauses based on achieving specific objectives or targets in the compliance framework. This would trigger payment out of further tranches of the acquisition price, held in escrow until the remedial work was completed.
Finally, negotiating and obtaining a guarantee covering specific risks identified could be another way of protecting the acquiring company.
The options above need to be taken in the general context of the transaction process, where the principal difficulty lies in finding the right balance between an attractive offer for the seller and one which best protects the interests of the buyer.
A structured approach allows the results of pre-acquisition compliance due diligence based on the following points:
- Inherent compliance risks specific to:
- The acquirer
- The target company
It is important to note that reputational risk should be accounted for in the risk assessment process and in the nature and scope of the pre- and post-acquisition compliance due diligence.
- An assessment of the failings and the compliance framework for the target company resulting in:
- An estimate of the cost of compliance
- An estimate of the financial penalties or fines with the regulatory authority, compared to companies operating in the same industry with similar activities, if relevant
This approach is not scientific but does allow for a practical and operational estimate of the cost of integrating the target company into the broader compliance framework. As more accurate and complete information comes to light during the acquisition process, the estimate of costs should become more accurate.
Assessing the compliance framework of the target company during an acquisition gives the acquirer increased visibility of the costs involved and allows them to maximize the ROI with a clearer view of the risks involved in integrating the target.
It is advisable to conduct compliance due diligence ahead of any transaction to properly understand the risks of non-compliance, and to be able to make an accurate estimation of the cost of the transaction. This prevents incurring unexpected remediation expenses and runs the risk of a regulatory authority inspection uncovering issues for the target company, which could incur fines that significantly impact the ROI.
We should be mindful that when compliance risks and failings in compliance frameworks have not been adequately addressed, significant cost and effort is required to repair reputations and regain the confidence of different stakeholders (investors, clients, employees, etc.).