February 6, 2023

Volume XIII, Number 37


February 06, 2023

Subscribe to Latest Legal News and Analysis

Managing Compliance Risks in M&A Transactions

Buyers can acquire unintended and potentially very damaging liabilities together with target business or assets.  Analyzing the financial situation of a target company, understanding its business model and assessing if the target is the right fit for acquisition demands experienced advisers.  Unforeseen liabilities, if not properly mitigated, can undermine the commercial rationale underpinning the deal.  Lawyers advising on the transaction have clear targets:  minimize risks, allocate risks and maximize shareholder value.

Mergers and acquisitions (M&A) transactions are challenging in a lot of ways.  Compliance issues are just one of many challenges in a transaction.  The valuation of the target has to reflect reputational risks, as well as successor liability.  Additionally, the deal structure and wording of the transaction document must reflect the compliance risks associated with the target’s business.  During due diligence, a lot of attention goes to financial and operational analysis, as well as legal aspects, of the target company.  But compliance risk management now plays an increasingly important role in M&A transactions.

Compliance Due Diligence

The objective of compliance due diligence is to define the target company’s compliance risk profile and uncover any red flags, including any past or ongoing violations of anti-bribery laws, antitrust regulations, data protection rules, trade regulations or worker safety requirements, naming some typical risk areas.

A first step in due diligence is to draw a compliance risk map for the target company in order to understand the concrete risk exposure. This diligence includes the analysis of sectorial risks, jurisdictional risks and counterparty risks. The compliance due diligence reviews compliance reports, incidents and the incident-handling procedure, evaluates existing compliance management programs and reviews the compliance culture at the target company.

Avoiding Successor Liability Under FCPA

The number of investigations under the U.S. Foreign Corrupt Practices Act (FCPA), together with the number of prosecutions by the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC), has significantly increased during the last years. 
In the United States, the DOJ has high compliance due diligence expectations, and the successor in a stock transfer or merger is generally held liable for past violations of the target company. If a robust pre-acquisition compliance due diligence cannot be performed—for example, due to insufficient time in bidding procedures—the DOJ sees an obligation to implement a post-closing review plan for non-compliance and respective disclosure, upon detection.

In Europe, the successor liability can be limited if the infringement took place before the acquisition.  However, the buyer must make sure that immediately after the acquisition an effective compliance program is enrolled in the acquired company.  If non-compliance continues under the new shareholder, the shareholder will be held liable for not managing the compliance risk.

In some circumstances, successor liability may even attach in an asset purchase, for example when the purchasing company is merely a continuation of the selling corporation.

An entire transaction can fall apart if the involvement in corrupt business practices is not discovered.  Appropriate due diligence will help to establish the true value of the target company and determine whether bringing the post-merger company into compliance could jeopardize the acquirer’s profitability or result in criminal liabilities for past violations.

Managing the Compliance Risks

Usually, buyers seek to avoid acquiring liability for non-compliance. Appropriate representations in the share or asset transfer agreement can ensure that the seller covers the costs of violations.  Sellers may also need to conduct a compliance due diligence to ensure that their disclosures and representations are not misleading.

Also, either the buyer or seller should perform in assessment of the FCPA Compliance program and the target’s compliance management system to determine whether the sale price could be challenged due to non-disclosed or non-discovered FCPA or other compliance issues.

M&A Transactions Increase Compliance Risks

The acquisition of a company often means a big organizational change, with many others likely to follow post-closing. 

Empirical studies show that the more employees feel change, the bigger the compliance risk.  Organizational changes in a company during post-merger integration can exacerbate compliance risks because they distract employees, create new control gaps and affect the company’s culture.  This, in turn, affects worker behaviors and decisions.

Therefore, a successful post-merger integration will include compliance initiatives.  Practice shows that multichannel compliance communication, as soon as practical before the change via direct managers and with a strong emphasis on integrity, reduces the observation rate of misconduct significantly (by up to 73 percent) and improves the perception of a culture of integrity (by up to 40 percent).

Post-merger Compliance Integration

The post-transaction period provides a unique opportunity to renew focus on compliance and implement a range of compliance improvements.  While there are many demands on the new owner in transitioning and integrating the new business and its operations, the new owner should not overlook the opportunity during the post-transaction transition to improve compliance.  The post-acquisition transition period opens the door to implement compliance efforts identified during due diligence or during the post-transaction period, improving the target business’ operational compliance going forward.    

The compliance program of the acquirer should be rolled out to the acquired business directly after closing.  Basic documents like the code of conduct, policies on gifts and hospitality, etc. should be communicated and trained to the relevant employees, even if certain reporting tools (for example, hospitality registers) can be implemented only at a later stage.

As contact person, a compliance manager can be very helpful to employees in the acquired business during this phase.


The early involvement of compliance expertise in an M&A project is one key factor to a successful acquisition.  Compliance risks have to be identified during the pre-acquisition due diligence, which are then reflected in the acquisition documents, and then the business needs active management in the post-closing integration process.

© 2023 McDermott Will & EmeryNational Law Review, Volume IV, Number 288

About this Author

McDermott’s Antitrust & Competition Practice Group has broad experience in all aspects of antitrust and competition law, and it is recognized as one of the leading antitrust/competition practices in the world.  The Group’s 65+ lawyers have a sophisticated practice that encompasses U.S. antitrust law, EC competition law and the competition laws of other countries throughout the world. The Group is centered in Washington, D.C. and has lawyers with significant antitrust/competition experience in its Chicago, Houston, Los Angeles, New York, Silicon Valley, Brussels, Paris, Rome and Milan...

202 756 8061