Maximize Compliance ROI: the Tailored Compliance Check-Up
Sensible strategies and practical plans to advance regulatory compliance are not just for the biggest companies. Mid-sized and even smaller companies have rules to follow and regulators to persuade; employees and customers to reassure; lenders, insurers and investors to satisfy. No company can afford to come up short.
Addressing these imperatives need not be expensive or intrusive to succeed. Instead, a tailored “compliance check-up” will:
Create a company-specific compliance risk profile – based on the company’s business model, markets, geography, customers, regulators and other factors. This risk profile will reflect industry-specific requirements, as well as the most relevant regulations of more general application, such as employment rules.
Assist management in identifying any gaps in managing the highest-priority compliance issues and risks within that risk profile;
Evaluate how the company’s existing processes, resources and data can better contribute to managing these issues/risks – every organization has elements of an effective compliance program, and an experienced eye can provide advice as to how these elements can work together in an efficient whole;
Develop the right plan, in collaboration with business leadership, to close the gaps and strengthen the company’s regulatory compliance; and
Provide on-going support as needed – for as long or as little as required.
Why should I expend resources on compliance?
The answer to this business owner’s dilemma can be found by examining the obligations, risks and business imperatives that can make an investment in compliance well worthwhile.
Did you know?
Companies of all shapes and sizes, regardless of industry, face external pressures to raise their game when it comes to compliance. Here are just some of those pressures:
Companies can be legally responsible for the misconduct of employees, even if employees act without the participation, support or knowledge of management. A compliance program can prevent or mitigate this liability.
Directors – whether of public or private companies – have a duty to ensure that their companies manage compliance risks, just as they manage financial and operational risks. As explained by the Delaware Chancery Court in the seminal Caremark case in 1991, directors have a fiduciary duty (sometimes referred to as a duty of oversight) to ensure that their companies have systems that provide “timely, accurate information sufficient to allow informed judgements concerning the corporation’s compliance with the law.” This duty has recently been applied to directors of a privately-held company and to the board of an early-stage biopharmaceutical company.
Regulators across industries expect companies to actively promote compliance and discipline employees who do not comply. Whether your firm is subject to the SEC, OCC, FINRA, EPA, OSHA, CMS, CFTC, DOJ, FAR, CFPB, CPSC, FTC; State insurance, health or banking regulators; State EPAs; Attorneys General; other regulators or law enforcers, or some combination of the above – you will be expected to promote ethics and compliance, be rewarded if you do, and risk punishment if you don’t.
Lawsuits by “whistleblowers” are more likely – and more often successful – against companies with no organized program to encourage internal reporting and provide protection to those who do come forward.
Companies preparing to go public have additional reasons to be “compliance ready” as the listing standards for each stock exchange mandate that companies have compliance programs, in addition to the required internal controls over financial reporting.
These obligations and risks will not go away. Neither courts nor regulators nor plaintiffs’ attorneys nor whistleblowers limit their compliance-related activities to large-cap companies.
Compliance Readiness for Due Diligence
Adding to these constant external pressures are business imperatives that can make the compliance check-up even more timely and valuable.
One of the most significant imperatives for many small and medium-sized businesses is the due diligence that accompanies acquisitions, investments, exits, going public, raising capital (whether privately or publicly) or bank borrowings. These all come with legal and compliance reviews during diligence, regulations to manage, increased reputational exposure and risk, and an elevated compliance risk profile as a result. In any of these situations, a company’s lack of compliance with applicable laws and regulations can have disastrous business consequences, ranging from lost opportunities to downward price adjustments to contingent liabilities.
Potential partners, investors and acquirers are diving deeper during diligence into legal and regulatory compliance. As noted by the 2018 report of the National Association of Corporate Directors (NACD) Blue Ribbon Commission, investors “keep raising the bar for boards on the oversight of everything from cybersecurity to culture.” Likewise, the Association of Healthcare Internal Auditors has urged companies in that industry to conduct comprehensive compliance due diligence, in language that rings true for companies in any industry:
“Every seller should consider performing defensive due diligence well in advance of a potential transaction. A comprehensive compliance review prior to a buyer’s due diligence provides the seller the opportunity to reconcile any issues discovered early in the process. The seller will seem more trustworthy and the buyer will be more amenable to paying the agreed price.”
Moreover, both sides to a deal face growing regulatory risk from inadequate compliance due diligence. On July 13, 2021, the SEC announced charges against both a special purpose acquisition corporation (SPAC) and the SPAC’s proposed merger target. According to the SEC, while the target company repeatedly told investors that it had “successfully tested” its space technology, the company’s only in-space test had failed to achieve its primary objectives. As emphasized by SEC Chair Gary Gensler, “the fact that the [target company] lied to [the SPAC] did not absolve [the SPAC] of its failure to undertake adequate due diligence to protect investors.” According to the settlement order, the due diligence “was conducted in a compressed time frame and unreasonably failed to probe the basis of the target’s claims” and to “follow-up on red flags.”
Two recent cases brought under the federal False Claims Act further illustrate the benefits of proactive compliance and the costs of failing to address compliance problems found in due diligence. In one, a regional health system paid a $21.5 million fine for ignoring internal complaints, while its acquiror paid nothing, because the acquiror found the violations during diligence, fixed the problems and disclosed the violations to the government. In the other, both a health-testing company and its private equity investor paid multi-million-dollar fines in settlement. The investor, according to prosecutors, learned about the misconduct and failed to stop it. As noted one year earlier by a high-ranking official in the U.S. Justice Department, when “a private equity firm invests in a company in a highly-regulated space like health care or life sciences, the firm should be aware of the laws and regulations designed to prevent fraud.” The same official noted that similar risks apply to any firms receiving Covid relief and other federal funds.
What does this mean for your company?
The costs of inadequate compliance are becoming too great for either sellers or buyers to bear. In this environment, securing the next business partner may require compliance representations that must be supported with real – not just paper – compliance programs. Investors, acquirors and lenders will demand confirmation of compliance with laws and regulations, and may even conduct their own compliance reviews, or they will walk away from the deal. Some will insist on strengthened compliance efforts to follow and protect their investment. A $148 million logistics company recently reported adding “a COO, CFO and chief compliance officer” after a private equity investment. Facing these issues before closing can ease the way to a faster, better deal.
Insurers likewise will expect compliance confirmations, without which they may refuse to provide needed coverages such as directors and officers liability insurance or representation and warranty insurance. Carriers are interested in how companies generally address regulatory compliance, and also how they tackle specific issues of particular relevance and concern, such as data privacy. These insurers may not hold companies to the compliance standards of the largest and most sophisticated organizations, but they will expect an understanding of – and reasonable attention to – the most critical legal and regulatory obligations. In a sale transaction involving representation and warranty insurance, failure to do so can result in carve-outs from the representation and warranty insurance, thereby raising the company’s risk, or even seller indemnities or unfavorable price adjustments.
Data privacy compliance illustrates the depth, breadth and intensity of the due diligence examination. Companies now can expect deeper interest in privacy compliance from customers, partners, lenders, investors and potential acquirors. As one expert noted in Privacy & Data Security Law, “The combination of privacy laws and the expanded data-driven nature of deals has caused companies to look at data privacy and security in M&A as not just another legal compliance area but something that is essential to business.” The same expert noted that even smaller and newer companies must be prepared to describe how personal data is collected, used, shared, protected and disclosed and, in the process, “make it clear that they are willing to step up to the plate for compliance down the road.”
A timely compliance check-up before diligence can strengthen compliance readiness by quickly identifying and assessing mission critical rules, uncovering overlooked risk areas, protecting against downside risk, improving compliance standing and, in the process, enhancing the company’s attractiveness and value. The return on this investment will extend well beyond closing of the deal, better positioning the company to compete while in compliance going forward, which can be especially important and potentially rewarding in transactions involving “earn-outs.”
Other Business Reasons to Assess Compliance
Due diligence is not the only circumstance when a practical compliance check-up can pay off. Companies often face other business conditions that warrant a closer look at their state of compliance. These range from the regulatory to the strategic.
Myriad tactical and strategic moves can raise the compliance risk profile. New products, lines-of-business and markets can each carry different or increased compliance responsibilities, as well as risks that must be identified, understood and managed. Insurance, banking, health-care and real estate all come with extensive regulations, for just a few examples. Seeking customers, vendors and products overseas can bring trade sanctions and anti-corruption compliance into play.
Doing business with government agencies requires compliance with government contracting rules. U.S. regulations require that contractors have “a written code of conduct…an employee business conduct and compliance training program and an internal control system.”
Sometimes, simply getting bigger and better in the marketplace can bring increased legal or regulatory attention and risk. A growing on-line lender recently agreed to pay $18 million in a settlement with the FTC for deceiving loan applicants about hidden fees, after failing to quickly and adequately address internal concerns about the problem.
Other times, senior business leaders or board members just want assurance that their promises – to customers, employees, and communities among others – of ethics, integrity and following the rules are being kept across the organization. As explained by the Small-Cap Institute, the job of a small-company director, “among other things, is to develop and oversee a corporate ecosystem together with management that discourages and finds any indiscretions as quickly as possible.” Otherwise, how do leaders know that the company means what it says?
Policies alone are not good enough, without assurance of company-wide adherence to these rules. The Small-Cap Institute has summarized the likely regrets of board members at companies that got into trouble: “If I had to do it all over again, I would have been far less trusting, and I would have been much more methodical in my diligence.”
Even a company that is comfortable staying in its industry can confront changes to its compliance risk profile from new or modified rules. Here again, data privacy is a helpful example, as laws and regulations across the states and throughout the world are changing fast, imposing greater obligations and tougher penalties on any company that handles personal information. Companies often are surprised at the extent of their exposure to these rules, including B2B firms which may collect personal information for payments and other purposes. A compliance check-up can help companies understand the requirements, risks and best practices to manage them.
Compliance or ethics failures put the reputation and value of any company (large or small), and of its leaders and directors, at great risk. In 2021, NAVEX Global surveyed more than 1,000 legal and compliance professionals from companies of varying sizes and industries. One-third reported experiencing a data privacy/cybersecurity breach in the last three years, and more than one-fifth faced a legal/regulatory action in that time. Effective compliance can make these problems less likely to happen, and minimize the damage if they do occur.
In fact, every company faces one or more of these external pressures, business imperatives or compliance risks. Whatever the unique circumstances, each compliance check-up strives to answer these questions:
What are the principal laws and regulations that apply to this company – because of industry, structure, regulators, markets, products, customers, geography?
What is the company’s distinctive compliance risk profile, based on these rules and the particular internal/external drivers of potentially-increased risk?
What is the company doing to recognize, evaluate and comply with its “mission critical” regulatory obligations and manage its compliance risk profile?
How does the company know if its compliance risk management is working?
How do company leaders communicate and reinforce their commitment to doing business the right way, encourage and protect internal reporting of issues, and find and address instances of non-compliance?
What mix of compliance data, processes, tools and knowledge – existing and new – will create the most value for this company?
John L. Sikora and Jay Cohen also contributed to this article.