Taking Center Stage
A report discussing the demand for M&A compliance due diligence.
The Rise and Rise of
M&A Compliance Due Diligence
Pre-transactional or pre-acquisition compliance due diligence is an essential component of any major transaction.
Pre-transactional or pre-acquisition compliance due diligence (CDD) is an essential component of any major transaction and demanded by investors and buyers, especially for cross-border mergers and acquisitions (M&A) and joint ventures (JVs). Indeed, weak CDD leaves parties exposed to unnecessary and avoidable risks that could negatively impact pricing, profitability and even call into question the fundamental rationale of the deal. It also creates possible post-acquisition civil and criminal liability that could threaten the very viability of the newly acquired asset or newly formed venture, not to mention the burden and cost of a potential investigation and monetary penalties.
Increasingly, dealmakers recognize that US Foreign Corrupt Practices Act (FCPA) enforcement, the UK Bribery Act and various local anti-corruption efforts – in markets including China, the US, Germany and Brazil – mean that consideration of compliance risks before the deal is done, as well as post-acquisition compliance assessment and remediation, is a must.
But first, what is the accepted definition of CDD? Fundamentally, it is the examination of both the regulatory obligations and risks facing an organization and how this organization manages them. For most companies, this is likely to be a combination of antitrust, data privacy, cybersecurity, bribery and corruption, money laundering, sanctions and environmental compliance.
In addition, the integrity of the supply chain is increasing in importance with growing legal and reputational risk if, for example, there are human rights abuses.
Therefore, along with commercial, financial and tax and traditional legal due diligence, CDD should be – and increasingly is – one of the key pillars of any deal process. However, as the findings of this study show, good intentions and best practice can still be quite a wide distance apart, and many multinational businesses are still accepting unnecessarily high levels of risk through inadequate or sometimes even non-existent pre-acquisition CDD. In this report, we explore both these current “blind spots” and examine global CDD trends and emerging risks.
For this study, we interviewed more than 300 corporate leaders and legal advisers throughout the world who are involved in transactions to assess the challenges and risks that regional and global multinational organizations face in relation to CDD across both M&A and JVs.
Their insights have allowed us to draw out pivotal implications and transactional best practices to dealmaking in today’s ever-changing, highly competitive and often volatile business climate.
We’re in a new age of enforcement, as evidenced by the ever-increasing fines and other enforcement actions taken by regulators. As such, CDD has become a critical step in the transaction cycle, and when not done correctly, it can erode the rationale for doing a deal a long time after it has closed.
Global Head of M&A
M&A: Compliance Due Diligence in the Spotlight
In terms of protecting value, avoiding liability and getting deal pricing right, CDD has now moved squarely into the spotlight in the transactional space. Smart buyers today know that compliance risks can and should be priced into transactions, and the true value of an acquisition target can be ascertained only when compliance risks are assessed. Increasingly for buyers, proper CDD has exposed risk that simply makes deals untenable. In fact, 26% of respondents say that more than half of their recent deals have failed or been abandoned due to discovery of compliance issues or risks over the past three years. An additional 41% say that more than a quarter of their deals faced similar fates. Without investing in CDD, many of these companies may have ended up in transactions that could have left them vulnerable, possibly destroying value in both the acquirer and acquired organizations.
Figure 1. Can you estimate how many transactions as a % of mergers and acquisitions/JVs that you have pursued have failed or been abandoned as a result of compliance issues over the past three years?
Figure 2. During the mergers and acquisitions process, which task is given the most time and resources and which is most challenging?
Many of those that walked away say their CDD discoveries acted as a key stop-loss mechanism. For these reasons and others, due diligence is today given considerably more time and resources, by a large margin, than other tasks in the M&A process.
Equally large is the percentage of respondents who say due diligence is the most challenging part of the M&A process. This exceeds post-merger integration, which is often considered a hugely challenging and time/resource-intensive task. It seems the understanding around the importance of due diligence is well ingrained, but there is still a gap between people's expectations of the challenge and how much time and resources are dedicated to it. And often it has been CDD rather than, for example, financial due diligence that has missed out in terms of this gap.
Fundamentally, most businesses are clear that due diligence in all its forms cannot be treated as a mere check-the-box exercise covering a bare minimum, although intention and reality still remain some way apart for many M&A teams.
The compliance due diligence process forms the basis of our overall [M&A] strategy and we understand the need to conduct a strong…process. We do not mind delays in this process as long as it provides us with the information crucial to us for decision-making.
However, it is clear that there is a significant shift in the priority given to CDD, especially to get ahead of the regulatory curve. Additional feedback shows that CDD is being acknowledged as a “make or break” measure to ensuring a positive deal outcome: 55% of the M&A executives/professionals surveyed say that conducting proper CDD increases the chances of success of completion and value creation in an M&A or JV transaction.
Conversely, this does, however, mean that almost half of those surveyed don’t see or don’t know if CDD feeds into deal success. This is somewhat alarming.
Figure 3. In hindsight, would you say that conducting proper compliance due diligence increases the chances of success in mergers and acquisitions and JVs?
Despite recognition of the need for prioritizing compliance, only 51% have a set of standard protocols or procedures specifically to address compliance issues in M&A or JVs. A further 56% wish they had dedicated more time to conducting compliance due diligence.
Are international dealmakers taking their CDD programs seriously enough? From this research, the answer to that question is a clear and concerning “not yet.”
An M&A deal has different dimensions of risk involved. Non-identification and neglect of these risks can detrimentally affect a deal and cause disturbances post-acquisition or in post-merger integration. Compliance checks can identify these risks, which can then be strategized to mitigate negative impacts.
Figure 4. Does your organization have a set of standard protocols or procedures specifically to address compliance issues in mergers and acquisitions or JV transactions? In hindsight, have you ever closed a mergers and acquisitions or JV transaction for which you now wish you had devoted more time?
Compliance due diligence considerations
As management teams consider whether they need to strengthen their compliance due diligence programs, Andrew Martin, Head of M&A, Baker McKenzie Wong & Leow in Singapore, recommends asking the following questions:
- Does your business have an established process to consider compliance risk in the same way they do other forms of due diligence, or is it seen as optional?
- Are there persons in your organization charged with considering this both on a pre-acquisition and post-acquisition basis (i.e., as part of a post-merger integration process), and how integrated are they with the deal team?
- Are you genuinely prepared to walk away based on CDD findings if needs be, or is this just an aid to negotiate the price down?
- How well placed are you to deal with the skeletons when they emerge from the closet after the deal has closed?
- What are the chances of bringing a successful claim against the seller, and will financial compensation really be enough?
Key Transaction Compliance Risks
Why businesses need to have a clear view of the issues that pose a risk in the transaction process.
For corporations to design appropriate CDD and post-transaction risk mitigation strategies, management and compliance teams need a clear view of issues that pose a risk to their business as soon as possible in the transaction process.
The key areas that CDD normally covers include anti-money laundering, bribery and corruption, antitrust regulations, trade and export controls, environmental, employment and human rights laws, and cybersecurity and data protection.
While clearly some businesses will have more inherent risks in specific areas, a holistic solution that assesses each area is, of course, optimum, as any one of these or other compliance risks categories could cause untold damage to a company's reputation and/or bottom line if not properly addressed.
This is particularly true as we move into an era of much greater global and local regulatory enforcement.
Figure 5. Which of the following were the most challenging compliance issues/risks you faced in recent mergers and acquisitions/JVs and which received the most time/resources?
Figure 6. What do you expect to happen to the following challenges over the course of the next 12-18 months?
Antitrust, Export Controls and Trade Sanctions
In a climate of geopolitical and regulatory uncertainty, keeping pace with changing antitrust laws is a priority and one that will preoccupy corporations in the year ahead. Antitrust risk was the most challenging compliance issue 66% of respondents faced in their recent M&A or JV transactions. It was also an area where respondents dedicated the most time and resources. Antitrust risk has increased over the past year, and 75% of respondents expect it to increase further in the next 12-18 months.
Conducting a thorough review of the target's antitrust risk exposure early on is essential. Failure to identify and deal with anti-competitive conduct pre-acquisition could leave the buyer exposed to lengthy antitrust investigations and penalties. Cross-border deals will often be scrutinized by regulators, who are increasingly demanding to see large volumes of internal documents and using sophisticated IT forensic tools for their review.
Samantha Mobley, Partner, EU, Competition & Trade Practice
Amidst the growing trade war between the US and China and the use of sanctions against Russian business interests, amongst others, export controls and customs and trade sanctions have moved up the ranks on respondents’ risk radars. While lower on the list of current challenges, both are expected to dramatically increase in the year ahead, with 78% anticipating a surge in export control and customs challenges and 77% expecting the same for trade sanctions as a more bumpy period of globalization unfolds.
Navigating sanctions and export control rules is becoming increasingly challenging, with many extra-territorial and often conflicting laws being enacted. These rules are being more aggressively enforced, in particular, by the US (where we have seen penalties hitting billions of dollars), but also by other countries in Europe and more recently Asia. We have also seen significant fallout for business from trade wars engulfing the US, the EU and China.
Trade compliance due diligence is key today. It is key to understanding that the target is not exposed to potentially crippling penalties from historic export control and sanctions violations. It is also key to getting comfortable that the target can continue taking advantage of beneficial arrangements under free trade agreements.
Sunny Mann, Co-Head,
Compliance & Investigations, London
The inherent unpredictability of 'people' issues makes it unsurprising that more than half of respondents ranked labor and employment issues as the second most challenging in their recent M&A or JV transactions. With labor and employment regulation and sanctions intensifying on a global scale, 75% of respondents are expecting labor and employment risk to increase over the next 12-18 months.
CDD teams need to understand the changing employment landscape to plan ahead and successfully manoeuvre through the transaction lifecycle. The increasing global scrutiny and regulation of issues such as misclassification of workers and gender pay and pay equity requires significant diligence, in terms of evaluating and mitigating litigation risk.
Working time obligations are increasing across Europe and parts of Asia Pacific, requiring further compliance in terms of measuring and recording employees' working time, and businesses will be paying more attention to such areas of compliance to avoid risks in acquiring a workforce. The relevance of labor and human rights issues particularly, in conjunction with transactions, cannot be understated and companies must ensure thorough scrutiny of supply chains in order to avoid unpleasant surprises.
Meanwhile factors that have the potential to cause significant delay such as consultation with unions and works councils, and transfer or replication of benefit plans must be accounted for at the outset. To avoid significant delays, employment counsel should be brought in the loop at an early stage to align the deal's timetable with employee consultation requirements. Complications as a result of underfunded pension plans are also not uncommon, and change of control provisions, potential taxation issues and compliance with regulatory filings must also be early considerations in any deal.
Immigration issues pose their own problems. Minimizing liability and avoiding an interruption of work are key priorities, and undertaking an employee census and compliance audits at an early stage are critical to ensuring work permits and visas are renewed, transferred or terminated as necessary. With protectionism and increasing immigration limitations changing the global mobility landscape at pace, and companies wishing to retain and attract diverse international talent pools, early understanding of immigration risks is crucial.
Despite employment related liability having a material impact on transactions, HR is often denied a seat at the table, with 64% of respondents admitting that HR should be more involved in CDD during the M&A process. The expertise offered by HR and employment counsel at an early stage is essential to minimising potential exposure for all involved in the transaction, and to ensuring the right strategy can be adopted to bring the workforce seamlessly through the M&A process.
While people simply are not predictable in the way corporate structures and tax solutions can be, there are tried and true methods for recognizing key issues early in the due diligence process, and limiting their potential to become HR nightmares.
Susan Eandi, Partner, Employment & Compensation
Data Protection and Cybersecurity
Despite several high-profile data breaches in recent years, data protection, privacy and information governance ranked surprisingly low among the risks respondents faced in recent M&A or JVs, with only 43% finding it the most challenging alongside 35% who had similar opinions of cybersecurity. However, this may be set to change as new, more stringent regulation is being implemented globally to safeguard personal data. As such, 78% of respondents expect data risks to be a challenge in the next 12-18 months, with 73% feeling the same toward cybersecurity.
Exemplifying this, the European Union’s General Data Protection Regulation (GDPR) affects organizations that handle the personal data of EU citizens. Non-compliance could lead to heavy fines of up to 4% of a corporation’s global annual revenue. Equally, cybersecurity concerns have become more rampant, demonstrated by headline-dominating malicious cyberattacks, including major data breaches at major airlines, hotels and via big tech. According to respondents, anticipating and defusing cyber risks calls for cybersecurity due diligence that incorporates a comprehensive systems and information security audit. An increasing trend across many countries for mandatory reporting of data breaches means that more buyers and investors will be looking at this when acquiring personal data-rich companies.
What is often overlooked in the context of an acquisition is how important the target’s compliance with data privacy and cybersecurity laws and guidelines is. With regard to data privacy compliance, special consideration should be given to whether the target has a sufficient privacy framework in place, handles its customer and/or vendor relationships in compliance with privacy laws (as renegotiating proper solutions can be quite burdensome as well as time- and cost-intensive) and whether the target has a “history of confrontation” with data protection authorities (which provides an indication as regards the likelihood of subsequent audits and ultimately fines).
With regard to cybersecurity, it is essential to ensure that the target has a sufficient and robust cybersecurity framework in place (ideally backed by third-party certifications, where available, and considering the legal framework such as Art. 32 of the EU General Data Protection Regulation) and to identify whether security incidents occurred in the recent past.
Prof. Dr. Michael Schmidl LL.M.,
Partner, Information Technology Law
Our expertise is not in cybersecurity, but we depend on it, so we use external advisers for this segment of the deal. It’s necessary and cannot be ignored as recent history suggests the consequences of a lack of cybersecurity.
Bribery, Corruption and Anti-Money Laundering
In total, 56% of respondents rank money laundering as the most challenging compliance issue they faced in recent M&A or JVs, while 55% found bribery and corruption to be a top challenge. The bribery and corruption figure was lower than expected, as anti-corruption efforts are often the cornerstone of a corporate compliance program and have long been the focus of regulators and compliance officers alike. The 55% may demonstrate a level of success and comfort in anti-corruption compliance efforts.
The question remains, however, as to whether these areas are receiving enough time and attention, given that corruption issues can be quite broad and where there is corruption, there is typically also money laundering risk. Over the next 12-18 months, three quarters of respondents expect the issue of money laundering to become more challenging, while 69% expect the same for bribery and corruption. Given the potential for principal liability under the US FCPA, the UK Bribery Act and other similar legislation for third-party conduct, monitoring third-party risks not unexpectedly will be a priority for respondents in the next 12 months. Respondents are looking to keep watch on the conduct of vendors, suppliers and distributors to avoid being blindsided by the misconduct of a third party.
As such, third-party risks rank as one of the leading factors for escalating beyond a standard compliance diligence questionnaire, according to 68% of respondents. Conducting additional third-party due diligence is also a top post-closing compliance-related measure implemented as part of recent transactions, according to 54% of respondents.
In the past, anti-corruption enforcement was largely the realm of the United States. Now, even as US enforcement may be waning somewhat, other nations are picking up the pace, both with new corporate criminal liability legislation and increased enforcement. Further, US law enforcement is increasingly working with their foreign counterparts in several areas, including anti-corruption. This combines to significantly enhance the risk profile for corporates.
We are also seeing greater regulatory and criminal money laundering enforcement both related and unrelated to bribery. This has particularly impacted banks and other financial service providers as regulators and law enforcement are more than willing to look back at seemingly legitimate transactions with 20/20 hindsight.
You can buy these problems. As such, anti-corruption and money laundering trends (not to mention increased enforcement in many other areas) only serve to underscore the importance of vigilant pre-transactional compliance due diligence and post-acquisition integration.
William Devaney, Co-Chair, Global Compliance & Investigations
Figure 7. If you escalate from a questionnaire, what results or factors cause you to do so?
Figure 8. Post-close, which of the following compliance-related measures have you implemented in recent transactions?
Teaming with External Counsel and Advisers
It's interesting to see how corporations use in-house counsel and other internal departments, versus their outside counsel and additional external advisers. In the case of compliance due diligence, this third-party advice may often include specialist auditors or consultants, such as environmental risk or data security specialists, in addition to significant use of external counsel.
While the overall response shows good in-house/outside teamwork, external advisers including outside counsel actually took the lead on most issues, particularly in the bribery/corruption, antitrust and trade spheres. Data protection, privacy and information governance was the only area typically handled more by in-house counsel and departments such as IT.
Figure 9. In which of the following areas would you handle internally and/or engage external advisers to assist with compliance due diligence?
Functions and Departments Involved
Looking at the various departments, two-thirds of respondents (64%) say HR teams should be more involved in the M&A process, as should IT teams (48%). The HR finding is stark, and shows that people issues are very much underestimated, although the strength of most businesses is down to the strength of the people. Also, HR can assist in identifying any issues with the employee pool such as immigration, prior misconduct and other related matters. HR also plays a vital function in integrating the acquired company into the acquirer's compliance programs through training, policy and controls enhancement and other employee outreach.
Meanwhile, the role of IT has shifted from a supporting role to a pivotal one, as a lack of IT readiness can expose transacting parties to serious cyber threats and huge obstacles to operational integration. As technology continues to change the manner of modern dealmaking, IT departments can also facilitate the uptake and application of the latest technology that improves both the speed and accuracy of the M&A process.
Figure 10. Which of the following functions/departments within your organization are, during the mergers and acquisitions process, generally involved in conducting due diligence on compliance-related issues or addressing other compliance matters, and which should be more involved?
Additional Blind Spots: JV and Post-Transaction CDD
Joint ventures seem to be another area where considerably more time and attention could be given to CDD to reduce risk exposure; 13% of respondents say they never conduct pre-signing or pre-closing CDD when establishing JVs, even in relatively high-risk emerging markets. In total, 62% of respondents only take such action in half or less of all JV transactions. Similar sentiments (63%) hold true for M&A where a business or asset is being purchased. Further to that, 64% do not use specific clauses in their SPA or JV contracts to identify and allocate compliance risk.
Moreover, 58% of respondents conduct post-transaction CDD in conjunction with post-merger integration only 50% of the time or less. This is despite the fact that respondents ranked the integration phase as the second-most challenging task in M&A and are aware that neglecting post-merger integration could be extremely damaging to the acquirer.
Figure 11. How often do you conduct a pre-signing or pre-closing compliance due diligence exercise when (i) buying a company/business or assets or (ii) setting up a JV?
Figure 12. Did you use a specific set of clauses in the sales and purchase agreement (SPA) or JV contract to identify and allocate compliance risk?
Foreign investors often place a lot of reliance on the local JV partner to assist with matters such as securing necessary rights to land or operating licenses, as well as managing the relationships with the local government and regulators. Conducting due diligence on the JV partner and examining the manner in which they secure the necessary rights, licenses and manage the relationships with government agencies will help mitigate the risk of the JV being held hostage in case there has been non-compliance and a challenge is made by the government. CDD will also help identify the gaps, if any, in compliance and help the parties to formulate appropriate compliance policies and code of conduct that should be adopted and implemented from day one after the JV is formed.
Tracy Wut, Head of M&A, Hong Kong / China
Figure 13. How often do you conduct post-transaction compliance due diligence exercise in conjunction with post-merger integration?
Enforcement Trends and Actions
As corporate bribery and corruption take on an increasingly supra-jurisdictional character, to avoid being blindsided, businesses must keep a close watch on enforcement trends and regulatory and policy changes not only in their home jurisdictions, but across the globe.
FCPA and Global Enforcement
Interagency cooperation among the U.S. Department of Justice (DOJ), the Securities and Exchange Commission and foreign anticorruption agencies has globalized anticorruption enforcement. Additionally, DOJ not long ago modified the FCPA Corporate Enforcement Policy (the “Policy”) in relation to M&A Due Diligence and Remediation stating that where a company undertakes a merger or acquisition, uncovers misconduct through timely due diligence or, in appropriate instances, through post-acquisition audits or compliance integration efforts, and investigates, remediates and voluntarily self-discloses the misconduct and otherwise takes action consistent with this Policy (including, among other requirements, the timely implementation of an effective compliance program at the merged or acquired entity and integration into the
parent's compliance program), there will be a presumption of a declination of prosecution, subject to certain other requirements of the Policy.
Singapore & Malaysia
Fourth in Transparency International’s “Corruption Perceptions Index 2018,” Singapore serves as a hub for the Asia Pacific operations of many multinational corporations. Local enforcement authorities are often aggressive in pursuing corruption and other misconduct, making an example of cases as a form of deterrence. In terms of corporations, Singapore recently introduced the concept of deferred prosecution agreements, following the lead of other countries such as the US and the UK, as an additional tool to deal with companies engaged in misconduct. Across the border in Malaysia, the change in government in May 2018 coincided with the introduction of a new corporate liability provision very much in line with the equivalent provisions in the UK Bribery Act, which is expected to come into force in 2020.
Since the inception of Brazil’s Operation Car Wash in 2014, Brazil and Latin America as a whole have witnessed maturing corruption enforcement expertise as governments have upgraded their legislative frameworks and enforcement measures. In July 2018, Peru became the seventh Latin American country to commit to the OECD Anti-Bribery Convention.
Regional Risk Spotlight
Companies from high enforcement jurisdictions acquiring companies in, or operating in, high-risk jurisdictions are likely to face a host of compliance challenges.
There is significant variance in terms of corporate misconduct, bribery and corruption risk around the world. Often the regions with greater risk tend to offer the highest upsides for investment and growth. As such, companies from high enforcement jurisdictions are likely to face a host of compliance challenges when acquiring companies that are located or are operating in high-risk jurisdictions.
In our survey, respondents rank Greater China and the African continent as the top two most challenging regions from a compliance standpoint. From the respondent commentary, China and many countries in Africa have more opaque legislative and regulatory frameworks, less predictable legal processes, and less consistent enforcement.
Meanwhile, respondents are most interested in growing in South Asia and Greater China via M&A. This is bringing to the fore the question of how dealmakers can leverage CDD to bring greater risk mitigation and regulatory certainty to transactions in higher risk jurisdictions.
Figure 14. In which geographies/jurisdictions are you looking to grow in via mergers and acquisitions and which are most challenging from a compliance standpoint?
South Asia (in effect, the Indian subcontinent) is the highest-ranked region in terms of growth prospects, with 47% of respondents looking to grow there via M&A, in spite of 43% of respondents finding it the most challenging from a compliance standpoint. At 78th place on Transparency International’s “Corruption Perceptions Index 2018," India, the high-growth region’s dominant market, has a challenging regulatory environment, and India-related businesses are witnessing an uptick in FCPA enforcement. Making improvements to the legislative framework in July 2018, the Indian Parliament passed the Prevention of Corruption (Amendment) Bill, imposing liability on bribe-givers as opposed to only bribe recipients. While India seems to be on track toward creating a climate of greater regulatory stability in South Asia, dealmakers and investors continue to be wary of sudden policy shifts, which could upend the best laid plans in compliance programs.
The South Asian market is not very stable, and significant changes can often unfold with little warning. The recent cancellation of banknotes in India is one example, as is the change to how bills of lading are processed. The latter shows how regulators can try to improve a process, but because of a lack of consultation, the first iteration of the change actually causes additional problems.
Navigating compliance and regulatory challenges in India is complex, and while local enforcement of anti-bribery and antitrust laws has recently picked up, the risks remain high. In our experience, the key to identifying risk in a potential Indian target is to ask the hard questions of the personnel on the ground in order to assess how compliance is operationalized within the business model. An entrenched hierarchical culture is prevalent in India and much of Asia, so leadership plays a significant role in the value of strong ethics and risk management. Addressing issues such as short cuts taken to avoid regulatory enforcement and reviewing how third-party relationships are managed are excellent first steps.
With the introduction of the new Indian Insolvency and Bankruptcy Code, there are some potentially lucrative targets to be considered for acquisition. If the distressed company is in an IBC court process, you buy the company as is, risks and all. In that situation, the key is to introduce strong post-closing risk management measures to avoid successor liability and remediate the high-risk business practices. Increasingly, there is also a body of pre-IBC opportunities, where funds are looking to invest by way of bailout / one-time settlement, to prevent an IBC process from commencing. In those scenarios a well scoped compliance diligence could reap significant pricing benefits.
Mini vandePol, Partner
Compliance & Investigations, Asia Pacific
Greater China (China, Hong Kong and Taiwan) is the most challenging region from a compliance standpoint, according to 60% of respondents. Nonetheless, 39% of respondents are seeking to grow there, with huge opportunities for those brands that can tap into the growing aspirations of China's middle class.
Over the past five years, China has seen a significant uptick in local enforcement, driven by President Xi Jinping’s aggressive anti-graft campaign. For example, in July 2018, Chinese prosecutors charged Lu Wei, former head of the Cyberspace Administration of China (CAC), for taking bribes. Earlier in the year, revisions to China’s Anti-Unfair Competition Law came into effect, hiking up penalties and casting a broader net for commercial bribery to include entities with influence over a transaction. As China battles for global digital primacy, its Cybersecurity Law, introduced in June 2017, signals recognition of the urgency of cyber governance. However, the law seemingly frustrates the cloud-enabled free flow and transmission of data across borders in the interests of Chinese national security through its data localization requirements, leading to a rise in compliance costs and a sense of uncertainty for foreign investors.
We will be focusing on growing and expanding via M&A in the Chinese market, even though we are aware of the problems that exist, from changing laws to high and unclear taxes, as well as rules related to a few important capital structures which create a lot of challenges.
Global CDD Divergence
Large gaps exist between Western respondents and those from emerging markets when it comes to buyer sentiment.
Based on buyer sentiments, large gaps exist between Western (those based in North America and Europe) respondents and those from emerging markets (Asia Pacific excluding Japan, as well as Africa and the Middle East).
An example of these differences is that 50% of Middle Eastern respondents estimate more than half of the M&A and JV transactions that they have been involved in have failed or been abandoned due to compliance issues over the past three years, a stark contrast to the 10% of North American respondents saying the same.
Figure 15. Can you estimate how many transactions as a percentage of mergers and acquisitions/JVs have failed or been abandoned as a result of compliance issues in the last three years? (percentage reflects respondent domicile region)
North American executives are on the whole more experienced in working through compliance M&A issues, which may explain the lower percentage of deals they are involved with that fail due to compliance concerns. Moreover, European and North American respondents say fewer deals failed or were abandoned as a result of strong deal teams and due diligence programs – and deals were generally only abandoned if compliance issues could not be remediated.
Meanwhile, Japanese respondents also tend to walk away from deals. As cross-border dealmaking continues to trend up, respondent sentiment shows a high level of risk aversion among Japanese executives. Possibly this is the result of numerous high profile cases, several involving the US FCPA, which have made the Japanese business community much more aware of the seriousness of compliance issues. Generally, respondents from emerging markets see deals falling apart in greater numbers than their peers in more developed markets. While there does appear to be a level of comfort with risk in a buyer's own markets that translates to markets with similar risk profiles, the steady increase in global enforcement around regulatory compliance means that tolerance for compliance risk appears to be reducing.
Supporting this position, North American and European respondents were much more positive about the effectiveness of their compliance programs. Almost all (94%) North American and three quarters (77%) of European respondents said they had very or moderately effective programs, while just 42% of Asia Pacific (excluding Japan) and 37% of Japanese companies said theirs were very or moderately effective. Africa and the Middle East took the bottom places in terms of perceived compliance effectiveness, at 36% and 25%, respectively.
Figure 16. Rate the effectiveness of your current compliance due diligence program in relation to mergers and acquisitions and JVs compared to the program you had in place two years ago.
During the M&A process, North American and European respondents devoted relatively even proportions of time and resources to due diligence and other tasks in the process. By comparison, the Japanese were spending more time on due diligence (47% of respondents) and less on post-merger integration (13% of respondents) than their Western counterparts, while other Asia-based buyers were more in line with Western organizations. Interestingly, there is a clear correlation between those who found post-acquisition integration the most difficult and those who spent the least time on it.
For example, only 7% of respondents in Africa are spending the most time or resources on post-merger integration, but 50% are finding it the most challenging.
Other key differences between North American and European respondents and those from other regions include higher percentages of the latter not conducting any due diligence when engaging in JVs, fewer having SPA or JV compliance contract clauses, and fewer completing an additional round of due diligence on compliance-related issues, as well as third-party due diligence.
Figure 17. During the mergers and acquisitions process, which task is given the most time/resources?
With some exceptions, notably the more seasoned Japanese buyers and government-linked companies in Singapore, many Asian companies are either in the early stages of their compliance programs or are prepared to deal with the risk if and when it arises. In part, this comes from the absence of extra-territorial laws of the like of the US FCPA and UKBA in their home jurisdictions, and in part because of the lack of enforcement of compliance rules both at home and in other Asian jurisdictions where the bulk of their deals are done.
While there is increased awareness of the mind-boggling settlements in monetary terms with US and European authorities for incidences of ABC infringement, antitrust and now data breaches, this is still seen as a problem for companies from the west — but this is changing. We are increasingly approached by Asian clients to help with compliance programs and issues.
Andrew Martin, Head of M&A, Singapore
Figure 18. During the mergers and acquisitions process, which task is most challenging?
Traditionally, ABC compliance focus has been on mature market legislation, and rightly so based on relative risk. In the Latin America region, we are seeing a fast-moving trend to change local legislation to broaden the definition of corruption and make it easier to prosecute. This means that many businesses that have thrived for years in more permissive times may be untenable. Even tax evasion, long considered by many local business owners to be as unlikely to be prosecuted as jay-walking, is now being pursued in some jurisdictions in such a way that the existence of many businesses is threatened.
Some wily business owners have identified this issue, and rather than make fundamental changes to the way they do business, they seek to cash out while they can still show impressive business numbers. Make sure you have knowledgeable, business-savvy counsel look at the structure of the business and do a quick reality check. In addition, consider CDD completion as a condition to closing. For JVs, be aware that passivity while the partner engages in improper conduct is a recipe for disaster. Make sure you have audit rights and exercise them frequently and actively.
Jonathan Adams, Latin America Lead, Compliance & Investigations Group
Sophisticated Japanese buyers are becoming increasingly sensitive to compliance risks of target businesses, particularly in terms of bribery and tax. They do conduct CDD if the target businesses are located or operate in riskier jurisdictions. Compliance risks in the target businesses are considered to have a direct impact on their reputation.
Accordingly, CDD often leads to abortion of deals. Challenges that Japanese buyers often face are the facts that a large part of CDD is diligence on process, which usually requires intensive interviews with the target management, and that CDD comes at a relatively late stage after other (more traditional) due diligence has more or less completed and substantial time, efforts and fees have already been incurred.
Post-merger CDD is often not conducted or, if it is, tends to be light. Japanese buyers should be aware of the importance of post-merger CDD in mitigating compliance risks.
Hideo Norikoshi, Head of M&A, Asia Pacific
Compliance Risk Maintenance
Organizations that actively manage their compliance programs thoroughly are better placed when entering into future M&A or JV transactions.
Most respondents agree that improvements are being made to CDD within their organizations — but this journey is far from complete. While 60% say their CDD programs are more effective today than two years ago, more than a third of businesses (35%) believe these programs do not yet reach effective standards.
From the findings and interviews, it is also clear that those organizations that actively manage these programs thoroughly are better placed when entering into future transactions, whether M&A or JV. One obvious but clearly beneficial method has been improving the depth and breadth of compliance teams, as well as a greater use of external advisers in conducting CDD. Respondents have also widened their focus on the range of risks covered.
Figure 19. Effectiveness of compliance due diligence programs (at present)
Making Compliance a Priority
Respondents recognize that enhancing CDD, while necessary, can be difficult. This has been due in large part to a rapidly changing regulatory environment that imposes shifting rules.
By industries, respondents operating in energy, mining and industrials (EMI) (72%) and technology, media and telecommunications (TMT) (62%) believe they have the most effective CDD programs. Meanwhile, those from financial institutions (50%) and consumer goods and retail (55%) replied as having the most challenges.
Dealmakers appear to be becoming more sophisticated, with 74% citing the need to keep pace with changing laws and regulations as the top area of focus in their primary industries.
In an illustration of this awareness, enhancing compliance programs via increased funding (66%) and modernization or digitalization efforts (69%) will be some of the key focus areas in the next 12 months. This will inevitably enhance CDD efforts.
Additionally, the 66% anticipating increased funding/investment in compliance programs in their main industry also recognize the need for compliance to be treated as a primary business concern and not an afterthought.
Figure 20. Effectiveness of compliance due diligence programs (at present)
Figure 21. Which of the following are currently the top areas of focus from a broader compliance perspective in your primary industry, and which do you anticipate to be the top compliance areas for you over the next 12 months?
In another point, 59% of respondents say modernizing the compliance process through IT/tech and/or data and analytics will be their focus. Rethinking the compliance processes and procedures and implementing technology to assist the compliance team is on the agenda of many multinational enterprises.
One key area where compliance teams can become more effective and efficient is to upgrade their CDD efforts through digitalization and the use of better data. The aggregation and visualization of data and information allows dealmakers to make more informed decisions and to lower the risk exposure of their companies.
Technology has significantly changed the way internal investigations are being conducted. Emerging innovative concepts and technologies have started to improve the way companies manage their compliance risks and compliance programs, including CDDs.
Of course, bringing technology to bear on compliance and CDD costs money. From an industry-specific perspective, increased funding in compliance programs is most likely to occur for TMT (76%) and financial institutions (74%). Healthcare and financial institution (68% each) respondents say modernizing compliance will be of top priority, as they update out-of-date legacy systems and automate lower level processes.
Technology and processes are being used to master and monitor compliance and we are using such tools to keep abreast of compliance requirements. Things have changed drastically from what they were two years ago and today seems to be a different ball game altogether, with regulators and compliance bodies getting more serious about adherence.
Figure 22. Top three current focus areas by primary industry
We are willing to invest in technology to sharpen our focus on digitizing our compliance policies. This would reduce inaccuracies and the turnaround time of compliance procedures.
Innovative concepts and technologies can provide compliance teams with unique insights into the risk exposure and the maturity and effectiveness of the compliance management system. Leveraging these insights will help the compliance teams to become more impactful and to better allocate their scarce resources.
Dr. Nicolai Behr, Co-Head, Compliance, Germany
As this survey indicates, CDD is critical to pricing a transaction, completing a transaction and ensuring its long-term success. While corporates' efforts and expenditures continue to increase in these areas, the figures suggest more work can, and will, be done.
Helping clients overcome the challenges of competing in the global economy
Global Compliance & Investigations
EU, Competition & Trade
Global Compliance & Investigations
Head of M&A
Compliance & Investigations, London
Head of M&A
Hong Kong / China
Head of M&A
Latin America Lead
Global Compliance & Investigations Group
Compliance & Investigations, Asia Pacific
Prof. Dr. Michael Schmidl
Information Technology Law
Dr. Nicolai Behr