Tips to mitigate compliance risks in M&A transactions

Marc R Paul ( Partner, Baker McKenzie, Washington DC) and Karyn Koiffman ( Partner, Baker McKenzie, Washington DC and New York) offer their views on the latest US guidelines on compliance risk in M&A.


In February 2017, the Fraud Section of the US Department of Justice (DOJ) published its Evaluation of Corporate Compliance Programs (Evaluation Guidance). Based on the Evaluation Guidance and prior DOJ and the Securities and Exchange Commission (SEC) policies, including A Resource Guide to the US Foreign Corrupt Practices Act (FCPA Guide), US authorities are interested in assessing:

  • Due diligence: How M&A due diligence was conducted and whether misconduct or misconduct risks were adequately identified during the diligence process. According to the US authorities, effective due diligence of acquisition targets demonstrates the company’s commitment to compliance, and will be taken into account if the authorities subsequently have to evaluate any potential enforcement action against the company.
  • Effectiveness: How effectively the compliance function has been integrated into the acquisition process. The DOJ is interested in whether the company’s compliance program is working in practice.
  • Post-acquisition integration: What was the company’s process for tracking and remediating misconduct risks identified in the due diligence process. Authorities expect the acquirer to promptly incorporate the acquired company into all of its internal controls, including its compliance program.

Steps to mitigate risk

Acquirers are at risk of being held responsible for the historical criminal or civil misconduct of the target company. Due diligence alone may not provide full protection from successor liability, but it will mitigate the risk.

  • Understand the risks: An assessment of the compliance risk profile of the target company can be done reasonably quickly and will determine what level of due diligence is necessary.
  • Tone at the top: One of the most important issues to look out for is the “tone at the top” at the target company. If high-level executives are reluctant to submit to a short interview to provide information for the risk assessment, that should raise some doubts about the culture at the company.
  • Internal controls testing: Standard financial due diligence may not be sufficient to test the efficiency of internal controls. The utilization of forensic accounting professionals should be considered if the compliance risk profile of the target warrants it, and such professionals should be hired by counsel in order to protect their work product under legal privilege.
  • Globalization impact: Local anti-corruption laws have been enacted in various countries in the last few years, and government authorities across the world are cooperating with each other. The deal team should identify the countries involved, the risk environment in those countries, and what laws/regulations are applicable in those jurisdictions.
  • Supply chains: A corruption problem not directly affecting the target company but affecting a main customer or supplier of the company may affect the valuation and prospects of the target business.
  • Third-party risk: When third parties are involved, the company should review agreements with key agents going back several years, looking at commissions, payments and any irregularities.
  • Compliance integration program: Tackling due diligence efforts early on is not only important to confirm that the target company is compliant, but also an important step to allow the company to prepare a plan to roll out a compliance integration program on day one after the acquisition.

Robust compliance diligence minimizes risks

No acquirer expects to have compliance problems in its own business or in acquired businesses. We have developed a matrix system that analyzes the risk profile of the target company based on the type of business model, industry, geographic location and governmental touch points. It is fine to expect the best, but prudent to plan against risks.