Introduction to the Mergers & Acquisitions Due Diligence process:
Due diligence (“DD”) is an integral part of Mergers and Acquisitions (“M&A”). It is a process in which a target entity's financial, operational, and legal aspects are presented in an objective manner. When conducting the DD process, an acquirer enjoys the opportunity to verify the accuracy of the information provided by the seller, examine the target entity's legacy and corporate structure, and evaluate its businesses, capabilities, assets, and financial performance as a whole. This constitutes an important step in determining transaction value. Financers often undertake financial and accounting analyses, and lawyers are engaged in legal DD. During legal DD, lawyers pay attention to the assessment of corporate and commercial agreements, insurance agreements, employment contracts, and loan agreements. With DD, an acquiring entity protects itself from potential financial, commercial, and legal problems before finalizing a deal. A DD report puts an acquiring company in a position to accurately assess the advantageousness of its investment decision. In this regard, a DD report contributes to the negotiations on the determination of transaction value and the necessary representations and warranties that should be obtained from the seller.
What is M&A Compliance? Why Organizations Should Not Overlook M&A Compliance
M&A transactions bring along a wide range of risks from a predecessor company’s business and assets. Because a successor company acquires all of a predecessor company’s liabilities, any unforeseen liabilities not only have the potential to result in an unprofitable deal, they could also expose a purchaser to administrative, criminal, and reputational damage. Therefore, M&A transactions require proper DD including risk and compliance matters, both prior to and following a transaction. The results of DD may create the need for the re-evaluation of a target’s value, taking more protective measures and ensuring post-closing liabilities are provided to mitigate identified risks, or even the re-consideration of the transaction itself, depending on the risk level.
M&A compliance enables an acquiring entity to identify, analyze and assess a target company’s compliance risk profile to reveal red-flags that may give rise to successor liability. Among other legal compliance liabilities detected under legal DD, the main areas of M&A compliance cover:
- anticorruption and anti-bribery,
- money laundering,
- conflicts of interest,
- government relationships,
- export controls and trade sanctions,
- labor and employment,
- data protection, privacy, and cyber security,
- workplace health and safety,
- human rights,
and other binding regulations and high-risk areas associated with a target company according to its industry and geography. Potential purchasers must be aware of the fact that the accurate value of a target can only be determined when compliance risks are considered and priced into the deal.
Contrary to what is often believed, M&A compliance does not only consist of legal DD. In fact, beyond identifying the regulatory obligations, liabilities, and risks of a targeted company, M&A compliance also examines whether, and to what extent a company complies with and manages such risks. Unlike legal DD, M&A compliance is an ongoing process that continues post-transaction. The Evaluation of Compliance Programs guidance for M&A compliance, advises that even though the comprehensiveness of the steps may differ depending on the industries and the size of the companies involved in a transaction, involving compliance in transactions is highly recommended to all companies to ensure that they identify and mitigate their transactional risks and prevent unforeseen successor liabilities:
Conducting Pre-M&A DD
Compliance DD, among other regulatory compliance reviews, must examine the matters below to draw a compliance risk map of a target company:
- the ownership/representation structure of a target company, whether government officials are involved, or any individuals have been placed on international blacklists or have been previously convicted of misconduct, the reputational background of these individuals and potential conflicts of interest,
- the target company, and its subsidiaries’ operational and contractual relationships with local and foreign government officials and organizations,
- any kind of third-party relationships, including agents, distributors, consultants, etc.
- the target company’s financial records, statements, and accounting books, including any government and third-party payments,
- the existence and implementation of a compliance program, codes of conduct, internal policies and procedures, training programs and internal controls, and the monitoring and audit mechanisms of a target company, or the lack of thereof
- clarification of the red flags identified by operational, financial, and legal DD; the target company’s demonstration of compliance through necessary permits, certifications and audits, and reasonable explanations for identified non-compliance,
- assessment of investigations, lawsuits, and enforcements initiated against the target company and previous convictions, history of corruption, and exposure to administrative fines, if any,
- geopolitical specific risks, and the cultural business environment and their reflection on business operations,
- examination of compliance with the previously mentioned areas such as export controls, sanctions, antitrust, data protection, etc.
A transaction must be evaluated, valued, and structured according to the results of the pre- M&A DD process. The transactional risks must be represented in the deal documents, such as in the terms and conditions of the contract, the design of representations and warranties, and the allocation of liabilities.
Circumstances may dictate that comprehensive DD cannot be conducted prior to a transaction, or there may be obstacles limiting access to information and the scope of the DD process. Therefore, the risk assessment process may have to be left until after a transaction is completed. In these circumstances, an acquiring entity is advised to guarantee the necessary protections through post-transaction clauses and to conduct immediate post-transaction DD. The DOJ and SEC also recognize a timely and thoroughly conducted post-transaction DD as an effort by acquiring companies to integrate compliance.
Acquiring companies must monitor and remediate the risks identified during the DD process. New legal requirements and risks associated with new third-party relationships, and activities involving potential violations must be duly reflected in a successor company’s compliance policies, procedures, and internal control mechanisms. The DOJ looks for an acquiring company to conduct post-transaction audits to track and remediate the misconduct or misconduct risks identified in the DD process, and to implement their compliance policies responding to these risks. An example of the effects of a failure to address this liability occurred in 2015 when Goodyear agreed to pay more than $16 million to settle FCPA charges brought due to alleged bribes paid by its African subsidiaries to government and private-sector workers in exchange for sales. According to the SEC, "Goodyear did not prevent or detect improper payments because it failed to implement adequate FCPA compliance controls at its subsidiaries" and "failed to conduct adequate DD prior to its acquisition”.
The DoJ and SEC expect acquiring companies to integrate compliance functions both during and after the transaction. Immediate integration of compliance and control mechanisms for identified risks must not be overlooked due to the fact that a transaction period creates control gaps during the integration of different businesses, operations, and company cultures that may be exploited by employees. The post-transaction period is also an opportunity to assess and improve the existing compliance programs. Companies should not insist on keeping their existing compliance program or policies and procedures, instead, they should decide on what best suits the successor company’s needs:
- maintaining separate compliance programs tailored to particular needs, especially in transactions where only the shareholding structure is changed but businesses and operations remain separate,
- merging two compliance programs and tailoring the new program according to the successor company’s structure, compliance requirements, and potential risks,
- keeping the acquiring company’s compliance program and improving it according to the new compliance requirements and potential risks of the successor company.
Integrating compliance and procuring acceptance for new policies, procedures and a new company culture is likely to face resistance. By considering possible resistance against change and the potential risks that may arise during this process, companies must act promptly while updating policies, procedures, and internal control mechanisms.
What Extra-Territorial Anti-Corruption Laws Seek From M&A Compliance
Due diligence specific to the Foreign Corrupt Practices Act (“FCPA”) is deemed necessary when a target company has previously been subject to the FCPA, and also in situations when, following a transaction, the target becomes subject to the FCPA for the first time. The DOJ and the SEC do not find FCPA compliance efforts honest and adequate in the cases where compliance concerns have only been reflected in contract drafts that allocate risks through representations and warranties. The FCPA Resource Guide,  recommends that companies in M&A transactions:
1. conduct thorough risk-based FCPA DD,
2. ensure the compliance environment regarding the FCPA applies as quickly as is practicable to the successor company,
3. give FCPA and other required compliance training to the new directors, officers, and employees, and when necessary, agents, subcontractors, business partners,
4. conduct an FCPA-specific audit as quickly as practicable,
5. disclose any corrupt payments discovered as part of its DD of newly acquired entities or merged entities. 
Depending on their efforts to integrate compliance and to identify and prevent violations, as well as prompt action to disclose misconduct, and efforts for remediation and cooperation, the DOJ and SEC may decline to initiate prosecution against a successor company, and instead, take enforcement action against its predecessor. In one such case, a U.S.-based multinational conglomerate General Electric acquired a power business from a French power and transportation company, Alstom S.A., including its subsidiaries in more than 20 countries, who were found to have paid bribes to obtain contracts prior to the acquisition. Alstom S.A. signed a guilty plea and deferred prosecution agreements, and successor liability has not been sought against General Electric.
The UK Bribery Act also mentions M&A compliance in its guidance under the principle of “DD”, similarly, Brazil’s Clean Company Act addresses successor liability in the event of transformation, merger, acquisition, or the spin-off of companies.
Conclusion: Do Not Purchase Trouble and Consider M&A Compliance from the First Step
Acquiring companies must take M&A compliance as seriously as financial and operational DD. Regardless of the scope of an M&A transaction, unforeseen compliance risks may give rise to criminal and civil successor liability and may not only turn the whole deal into a gross fault but may also result in a considerable loss for the acquiring company; both financial and reputational. The parties to a potential transaction must invoke the compliance expertise of either in-house counsel or law firms from the first step. Early involvement of compliance and pre-M&A compliance DD enable companies to accurately value a target company, identify their new compliance risks, prevent potential violations, and detect non-compliance in a timely manner. Involvement of compliance functions in the pre and post-transaction process is required to reflect the compliance risks to both transaction documents and the successor company’s compliance environment. M&A risks may vary depending on the scope, structure, and industries of the companies involved; hence, the main focus points of M&A compliance may change according to compliance requirements. While the compliance itself cannot remove all risks, the parties can manage these risks and mitigate the negative results and heavy successor liabilities as long as compliance expertise is involved.
U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (Updated June 2020) https://www.justice.gov/criminal-fraud/page/file/937501/download
 A Resource Guide to the U.S. Foreign Corrupt Practices Act Second Edition https://www.justice.gov/criminal-fraud/file/1292051/download
 Page 30-31
Kemal Altuğ Özgün