The role of compliance in acquisitions - from diligence to integration
Mergers and acquisitions transactions present compliance departments many challenges, many unique to the particular deal and companies involved. In the financial services sector, however, there are some common tasks compliance officers should keep in mind, including reviewing the risk profile of the newly formed company, synchronizing compliance policies and procedures, securing customer data, training employees on new systems, and addressing potential successor liability.
Such responsibilities make it essential that compliance officers have a seat at the table during the transactions to better prepare the new entity for inheriting the compliance risks.
This article details some issues to consider in a relatively simple, non-hostile acquisition, where the target has complementary products and services and the buying company is doing the bulk of the due diligence. Things get more complicated in transactions where, for example, the transaction consideration includes a significant amount of the buyer’s stock, leading the target company to want to engage in its own due diligence, which can be nearly as broad in scope as the primary diligence conducted by the buyer.
Seat at the table
A first step in this process is for compliance to be centrally involved during acquisition discussions and in the preparation for transition to a new business entity.
It may be particularly useful to have a point person from the acquiring firm serving in a lead compliance role, and helping to establish responsibilities and accountability for certain action items.
Compliance personnel must make sure their roles are spelled out during the acquisition process and outline how others can best communicate with them. It should be clear that you are not an inherent threat to ruin a deal, but that you need department managers to appreciate that a deal could fall through if you’re not allowed to seek flaws in the acquired company’s program need fixing or investigate potential risks confronting the new firm.
M&A due diligence
A variety of resources are needed to perform M&A due diligence effectively. Subject-matter expertise is needed from a variety of departments, including legal, accounting, finance, human resources, tax, supply chain, operations, information technology, to conduct it well. Consultants can be used to fill resource and subject-matter voids, where necessary.
The objective of M&A compliance due diligence is to define the target company's compliance risk profile and uncover any red flags, including any problematic contractual arrangements, past or continuing violations of fraud and anti-bribery laws, antitrust regulation violations, data protection lapses, or conflict-of-interest problems, just to name some typical risk areas.
The need for compliance attention is particularly acute in private company acquisitions, where the target company has not been subject to as much public scrutiny, and where the buyer has little less opportunity to obtain important information from public sources.
The due diligence team must highlight problems it discovers either within the target organization itself or that may be faced during the integration process, and the issues must be presented to the executive management team and the firm’s board of directors.
Risk map
A first step in due diligence is drawing a compliance risk map for the target company in order to better appreciate the sectoral risks, jurisdictional risks and counterparty risks to which it is exposed.
Understanding these risks will enable the acquiring firms to get a sense of the new policies and procedures it will need to create, and the training that employees of the new firm will need to prevent violations, identify red flags and promptly report and remediate issues.
It may be that at least some of the acquired company’s compliance program can remain in place. If so, attention needs to turn to what can continue and how it will need to be integrated into the acquiring firm’s program.
The due diligence stage is where problems get fixed before the newly formed company inherits them, so particularly from the buyer side, it is important to leverage the available expertise, resources and tools that the soon-to-be acquired company can offer. The process can also help identify and retain key employees whose expertise is needed in the followup to an acquisition.
It is also important not to lose track of the day-to-day tasks. Having critical personnel sidetracked by all of the pre-acquisition tasks can leave gaping holes in the everyday monitoring and reporting, and put the firm at risk of regulatory lapses at a time when it can least afford the distraction and scrutiny.
Information security
Information security is an important element during the entire M&A process. Both buyer and seller need to secure their business documents that hold sensitive, proprietary or copyrighted information.
Some information must be made available to all bidding parties, but other documents containing proprietary information need to be reserved for more serious contenders and the final buyer.
When a firm emerges as the final buyer, information can be more fully disclosed, but sensitive client data must still be protected, with evidence of this security provided to regulators and the clients themselves.
In this important arena, the key areas that need to be accounted for are:
In the examining financial details, topics of inquiry or concern for the buyer will include:
Successor liability
The U.S. Department of Justice (DOJ) has clarified its stance on successor liability under the Foreign Corrupt Practices Act (FCPA) in a 2014 FCPA Opinion. In FCPA Opinion Release 14‑02, DOJnoted that the Department does not view itself as having retroactive, post-acquisition jurisdiction over would-be FCPA violations committed by companies who were not then subject to the FCPA.
In that opinion release, the purchasing company was deemed not be liable for the acquired company’s pre-acquisition conduct under the FCPA, but it should be noted that it was thanks to the purchasing company’s effective due diligence that it identified the red flags of the possibility of such a charge.
Thus, it is a reminder of the importance of early and effective due diligence in an M&A transaction acquisition that then leads to a thorough FCPA audit of the target company’s books and records and all of its third-party vendors.
Issues of integration
The acquiring firm should be concerned not only with the future performance of the target company as a stand-alone business; it should try to understand the extent to which the company will fit within the larger organization after acquisition.
Some considerations include whether the acquired company will provide key people to the management team, what is the likelihood of their retention following the closing, and how do they fit into the corporate culture of the parent firm?
Anyone who has gone through a merger or acquisition knows how unsettling it can be for individual employees. Many people will be fearful of losing their jobs or having their career trajectory change.
This is not just a human resources issue, as such fears can lead to critical personnel leaving of their own accord right when you need them most or work against your integration efforts. As much information as the compliance and HR teams can provide employees, via memos and conference calls, will go a long way at keeping them feeling more engaged in the new business.
The integration period is actually a good time to remind everyone in the business about the role of compliance and ways of interacting with compliance staff, from procedure manuals to open-door policies to whistleblower portals.
It is also an appropriate time to implement a range of compliance improvements. Everything from the code of conduct, policies on gifts and hospitality, reporting possible conflicts of interest and handling material nonpublic information should be communicated and trained to the relevant employees, including managers.
By properly anticipating the related issues that may arise after the closing, the newly formed company will be better prepared to begin its main job functions, with an energized compliance team continuing to remove barriers to this central goal.
Such responsibilities make it essential that compliance officers have a seat at the table during the transactions to better prepare the new entity for inheriting the compliance risks.
This article details some issues to consider in a relatively simple, non-hostile acquisition, where the target has complementary products and services and the buying company is doing the bulk of the due diligence. Things get more complicated in transactions where, for example, the transaction consideration includes a significant amount of the buyer’s stock, leading the target company to want to engage in its own due diligence, which can be nearly as broad in scope as the primary diligence conducted by the buyer.
Seat at the table
A first step in this process is for compliance to be centrally involved during acquisition discussions and in the preparation for transition to a new business entity.
It may be particularly useful to have a point person from the acquiring firm serving in a lead compliance role, and helping to establish responsibilities and accountability for certain action items.
Compliance personnel must make sure their roles are spelled out during the acquisition process and outline how others can best communicate with them. It should be clear that you are not an inherent threat to ruin a deal, but that you need department managers to appreciate that a deal could fall through if you’re not allowed to seek flaws in the acquired company’s program need fixing or investigate potential risks confronting the new firm.
M&A due diligence
A variety of resources are needed to perform M&A due diligence effectively. Subject-matter expertise is needed from a variety of departments, including legal, accounting, finance, human resources, tax, supply chain, operations, information technology, to conduct it well. Consultants can be used to fill resource and subject-matter voids, where necessary.
The objective of M&A compliance due diligence is to define the target company's compliance risk profile and uncover any red flags, including any problematic contractual arrangements, past or continuing violations of fraud and anti-bribery laws, antitrust regulation violations, data protection lapses, or conflict-of-interest problems, just to name some typical risk areas.
The need for compliance attention is particularly acute in private company acquisitions, where the target company has not been subject to as much public scrutiny, and where the buyer has little less opportunity to obtain important information from public sources.
The due diligence team must highlight problems it discovers either within the target organization itself or that may be faced during the integration process, and the issues must be presented to the executive management team and the firm’s board of directors.
Risk map
A first step in due diligence is drawing a compliance risk map for the target company in order to better appreciate the sectoral risks, jurisdictional risks and counterparty risks to which it is exposed.
Understanding these risks will enable the acquiring firms to get a sense of the new policies and procedures it will need to create, and the training that employees of the new firm will need to prevent violations, identify red flags and promptly report and remediate issues.
It may be that at least some of the acquired company’s compliance program can remain in place. If so, attention needs to turn to what can continue and how it will need to be integrated into the acquiring firm’s program.
The due diligence stage is where problems get fixed before the newly formed company inherits them, so particularly from the buyer side, it is important to leverage the available expertise, resources and tools that the soon-to-be acquired company can offer. The process can also help identify and retain key employees whose expertise is needed in the followup to an acquisition.
It is also important not to lose track of the day-to-day tasks. Having critical personnel sidetracked by all of the pre-acquisition tasks can leave gaping holes in the everyday monitoring and reporting, and put the firm at risk of regulatory lapses at a time when it can least afford the distraction and scrutiny.
Information security
Information security is an important element during the entire M&A process. Both buyer and seller need to secure their business documents that hold sensitive, proprietary or copyrighted information.
Some information must be made available to all bidding parties, but other documents containing proprietary information need to be reserved for more serious contenders and the final buyer.
When a firm emerges as the final buyer, information can be more fully disclosed, but sensitive client data must still be protected, with evidence of this security provided to regulators and the clients themselves.
In this important arena, the key areas that need to be accounted for are:
- Who has access to the data and how will the data be stored?
- How can the firms synchronize their information security policies to best protect this data?
- What are the monitoring and testing procedures that the combined entity will be prepared to use from day one?
- Are there enough safeguards in place -- from encryption to firewalls to malware protection -- to meets the needs of the integrated firm?
In the examining financial details, topics of inquiry or concern for the buyer will include:
- What do the company’s annual and quarterly financial statements for the last five years reveal about its financial performance and condition?
- Have the company’s financial statements been audited, and by which firm?
- Do the financial statements and related notes set forth all liabilities of the company, both current and contingent?
- Are the target company’s financial projections for the future reasonable and believable?
- What is the condition of assets and what are the company’s liens on those assets?
- What does the firm's working capital show in terms of its ability to grow the way the company had been planning and its ability to weather a significant enforcement penalty or other damages assessed against it?
Successor liability
The U.S. Department of Justice (DOJ) has clarified its stance on successor liability under the Foreign Corrupt Practices Act (FCPA) in a 2014 FCPA Opinion. In FCPA Opinion Release 14‑02, DOJnoted that the Department does not view itself as having retroactive, post-acquisition jurisdiction over would-be FCPA violations committed by companies who were not then subject to the FCPA.
In that opinion release, the purchasing company was deemed not be liable for the acquired company’s pre-acquisition conduct under the FCPA, but it should be noted that it was thanks to the purchasing company’s effective due diligence that it identified the red flags of the possibility of such a charge.
Thus, it is a reminder of the importance of early and effective due diligence in an M&A transaction acquisition that then leads to a thorough FCPA audit of the target company’s books and records and all of its third-party vendors.
Issues of integration
The acquiring firm should be concerned not only with the future performance of the target company as a stand-alone business; it should try to understand the extent to which the company will fit within the larger organization after acquisition.
Some considerations include whether the acquired company will provide key people to the management team, what is the likelihood of their retention following the closing, and how do they fit into the corporate culture of the parent firm?
Anyone who has gone through a merger or acquisition knows how unsettling it can be for individual employees. Many people will be fearful of losing their jobs or having their career trajectory change.
This is not just a human resources issue, as such fears can lead to critical personnel leaving of their own accord right when you need them most or work against your integration efforts. As much information as the compliance and HR teams can provide employees, via memos and conference calls, will go a long way at keeping them feeling more engaged in the new business.
The integration period is actually a good time to remind everyone in the business about the role of compliance and ways of interacting with compliance staff, from procedure manuals to open-door policies to whistleblower portals.
It is also an appropriate time to implement a range of compliance improvements. Everything from the code of conduct, policies on gifts and hospitality, reporting possible conflicts of interest and handling material nonpublic information should be communicated and trained to the relevant employees, including managers.
By properly anticipating the related issues that may arise after the closing, the newly formed company will be better prepared to begin its main job functions, with an energized compliance team continuing to remove barriers to this central goal.