Earlier this year, the cable news network CNBC dubbed 2014 “the year of the mega-merger,” a prediction that has proven more than accurate.  Worldwide, mergers and acquisitions activity has already hit the $2 trillion mark this year, 75 percent higher than all of 2013, according to research by Thomson Reuters.

While big deals continue to surface—Reynolds American wants to buy rival Lorillard for $27 billion, Rupert Murdoch’s News Corp. covets Time Warner, Facebook shelled out $19 billion for the messaging service WhatsApp—much smaller deals, frequently multi-national ones, are increasingly routine.

Regulatory troubles lurk behind any deal, but compliance personnel are not always at the table from the start and are sometimes brought in late stage, if at all. That may be short-sighted, experts say, with the Foreign Corrupt Practices Act and cyber-security posing threats both pre- and post-merger.

“There are lots of companies that are still not focusing on compliance in the M&A context and haven’t built that piece as fully into their due diligence approach as others, says Jay Holtmeier, a partner at the law firm WilmerHale who specializes in the FCPA and anti-corruption matters. “The compliance folks sometimes aren’t really involved until the deal is done and then their job is to go in and integrate the target company into the buyer.”

 “It makes sense that the compliance officer of the acquiring company is part of the acquisition team,” says Robert Gavigan, a partner at the law firm Cohen & Gresser whose practice focuses on M&A transactions. “The compliance officer, knowing what the issues are within the company and what his own procedures are, is able to guide business people in a direction that makes sense from an efficiency standpoint and focus on important matters.”

While a good company with high standards taking over a company with an under-developed compliance program may be viewed as a positive by regulators, the buyer faces heightened risks that could break a deal or come back to haunt it post-closure if it cannot bring the target company’s operations within its own compliance standards, Gavigan adds.

“It is an easier situation when there is a well-developed compliance program at the seller,” Sam Cooper, a partner at the law firm Paul Hastings says. “It gives you some comfort, as the buyer, that the seller has been trying to do the right thing. It also gives you a framework for your diligence. That doesn’t mean you don’t do diligence because the seller has a program, but it gives you a framework to latch onto. There will be gaps and issues, but it gives you a place to start.”

When big companies with primarily domestic operations merge, there are typically, as expected, far fewer regulatory concerns than with smaller acquisitions, acquisitions with large overseas activities or overseas purchases. Also, bigger targets, in many cases, will have more sophisticated compliance programs. The paradox is that smaller companies, lacking these programs, often require more due diligence efforts.

Where the Risks Are

Third-party risk is another big compliance area that can bog down due diligence. In his experience, advising companies through their M&A process, Cooper has seen acquisition targets that couldn’t even produce a list of business agents and joint venture partners, or a code of business ethics that covers bribery.

There are lots of companies that are still not focusing on compliance in the M&A context and haven’t built that piece as fully into their due diligence approach as others.
Jay Holtmeier, Partner, WilmerHale

“Sometimes you're starting from scratch, having to dig into this company and on the fly to try to understand what they are doing, where they are doing it, and who they are doing it with” he says of those latter scenarios. “My ability to drill down is going to be impaired because I don’t know the company and I don’t have a compliance officer who knows the company and has gathered the kind of materials that are usually the starting point for diligence.”

“You need to try to do the level of due diligence that is appropriate,” Cooper says. “DOJ and SEC say they understand due diligence to be proportional to the deal. They don’t expect you to do $20 million of diligence for a $20 million deal. But you do sometimes end up in a situation where the deals that have the most diligence complexity around them are the smaller ones.”

Before digging in, companies need to assess the due diligence job at hand. “You have to first of all assess the risk profile of the target to figure out what the cost-effective way to do due diligence is,” Gavigan says. “You have to figure out where the operations of the company are, to what extent they are in countries that have a high risk profile. Then, look at the nature of the business and what degree the customers are dealing with foreign officials or entities.”

When compliance is brought to the table early on, its expertise can help answer that always-present question of how much due diligence is required to satisfy regulators and ensure stakeholders that the purchase was worth pursuing. “When you buy [well-known, established] companies you may not have to worry that you have thousands of employees who don’t know anything about compliance,” Holtmeier says. “Whereas, if you are buying a privately held company in China, there is probably a pretty decent chance that people haven’t been trained.”

Practical Tips to Reduce FCPA Risk in Mergers and Acquisitions

The following is from a resource guide for Foreign Corrupt Practices Act compliance published by the U.S. Department of Justice and the Securities and Exchange Commission.
Companies pursuing mergers or acquisitions can take certain steps to identify and potentially reduce FCPA risks:
M&A Opinion Procedure Release Requests: One option is to seek an opinion from DOJ in anticipation of a potential acquisition, such as occurred with Opinion Release 08-02 That case involved special circumstances, namely, severely limited pre-acquisition due diligence available to the potential acquiring company, and, because it was an opinion release (i e , providing certain assurances by DOJ concerning prospective conduct), it necessarily imposed demanding standards and prescriptive timeframes in return for specific assurances from DOJ, which SEC, as a matter of discretion, also honors Thus, obtaining an opinion from DOJ can be a good way to address specific due diligence challenges, but, because of the nature of such an opinion, it will likely contain more stringent requirements than may be necessary in all circumstances.
M&A Risk-Based FCPA Due Diligence and Disclosure: As a practical matter, most acquisitions will typically not require the type of prospective assurances contained in an opinion from DOJ DOJ and SEC encourage companies engaging in mergers and acquisitions to:
 (1) conduct thorough risk-based FCPA and anti-corruption due diligence on potential new business acquisitions;
(2) ensure that the acquiring company’s code of conduct and compliance policies and procedures regarding the FCPA and other anti-corruption laws apply as quickly as is practicable to newly acquired businesses or merged entities;
(3) train the directors, officers, and employees of newly acquired businesses or merged entities, and when appropriate, train agents and business partners, on the FCPA and other relevant anti-corruption laws and the company’s code of conduct and compliance policies and procedures;
(4) conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable; and (5) disclose any corrupt payments discovered as part of its due diligence of newly acquired entities or merged entities DOJ and SEC will give meaningful credit to companies who undertake these actions, and, in appropriate circumstances, DOJ and SEC may consequently decline to bring enforcement actions.
Source: Justice Department.

These compliance program assessments are crucial because the Securities and Exchange Commission and Department of Justice rely on successor liability for FCPA enforcement. When one company buys another, it is on the hook for any violations prior to, as well as after, the purchase.

“You buy this little Chinese company that is not subject to the FCPA, but now you own them and whatever happens after day one of closing is on your watch,” Holtmeier says. “There is potential exposure there, so the compliance folks have got to get in and make sure key integration steps are taken, looking at the risk profile of the new company, how much training they have had, and what their policies look like from an anti-corruption perspective. Do they have a huge stable of third parties they are dealing with, and do you need to go out and renegotiate agreements with those folks?”

Seller Beware

The company behind the purchase isn’t the only party that faces heightened compliance concerns. Seller can also face unwanted regulatory scrutiny.  “Although it hasn’t happened yet, is the SEC has said that if you make a representation in your purchase agreement saying that there are no FCPA violations and that purchase agreement gets incorporated into your public filings, you have now not only made a representation to the buyer but to the investing public,” Holtmeier says.  “You could have not only a breach of contract claim, but a securities law violation for an inaccurate or fraudulent disclosure.”

His advice to sellers is that they do their own in-house due diligence to make sure everyone is comfortable with all representations being made. “If not, you may have to carve out something or have a disclosure addendum to your purchase agreement,” he says.

While FCPA concerns permeate M&A deals, another risk, one well-familiar to compliance officers, is often overlooked: cyber-security. Cyber-risk needs to be evaluated like any other red flag impacting the value of a target, Chris Forsyth, co-leader of the law firm Freshfields Bruckhaus Deringer’s cyber-security practice, says.

 A recent survey, conducted globally by his firm, reveals “a worrying level of complacency toward the assessment of cyber-risks during M&A deals, despite increasing awareness of the cyber-security risks facing businesses.” Ninety percent of deal makers responding to the survey believe cyber-breaches would result in a reduction in deal value, and 83 percent believe a deal could be abandoned if cyber-security breaches are identified during deal due diligence or mid-transaction. However, 78 percent say cyber-security is not a risk that is currently analyzed in-depth or dealt with in deal due diligence.

“The value of data is forming a bigger part of the value promise of the target company than it has before,” Forsyth says. “It is the moving of Big Data into the market. Growth promise is increasingly based on an entity’s ability to leverage its data.”

“We are at a tipping point where everyone is getting how important this is and the risks associated, but no one has actually worked out what that involves,” he adds. “We all see how cyber-security might affect an M&A process, either by shifting the value of the target or by breaching the confidentiality of the process. Those are two ways an M&A process could be derailed, but nobody has quite worked out what the best practices should look like in managing that exposure.”