INTRODUCTION

The election of President Trump contained more than a few positive signs for Private Equity (PE) firms. Promises of a lower corporate tax environment, a ten-percent tax holiday for funds parked overseas, large infrastructure investments, and deregulation could portend increasing portfolio returns. Yet on the other side of the scale are troubling regulatory concerns, what with President Trump also promising restrictions on international investment in the United States (which could complicate investment and exit strategies, including through hard-nosed national security reviews by the Committee on Foreign Investment in the United States (CFIUS)), withdrawing from NAFTA (thereby disrupting the trade relationship with one of the three largest U.S. trading partners), and maybe even welcoming an international trade war, particularly with China (which could complicate cross-border supply chains and raise input costs).

Further complicating the picture, the U.S. government over the last decade has emphasized regulatory initiatives that directly and indirectly target PE firms and their portfolio companies. Generally these enforcement actions have involved regulations with an international hook, including: (1) the Foreign Corrupt Practices Act (an antibribery statute barring the payment of bribes to non-U.S. government officials); (2) economic sanctions administered by the Office of Foreign Assets Control (OFAC) (which restrict dealings with targeted foreign countries, governments, and persons who have taken actions against U.S. national and foreign policy interests); (3) export controls (with the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR) restricting the export of controlled U.S. goods, information, software, and technology); (4) anti-money laundering (AML) restrictions; and (5) international antitrust actions, especially for collusion and price fixing.

In each of these areas, civil and criminal penalties, both at the corporate and individual level, have been used as a massive deterrence club. This enforcement focus has sharply increased regulatory risks for PE firms that raise money internationally or that own portfolio companies that operate internationally or that export or sell to foreign countries. With the SEC using its Dodd-Frank powers to target PE firms with enforcement attention, and the U.S. government recently assessing the fourth-largest FCPA penalty of all time ($412 million) against PE firm Och-Ziff, PE firms have never faced a riskier regulatory environment.

The confluence of the campaign rhetoric, the uncertain enforcement environment, and the international flavor of many PE firms' fundraising, investments, and operations raises numerous regulatory questions at the dawn of the new administration.

  • Will the Dodd-Frank Act and its compliance requirements targeting PE firms be repealed?
  • Will the potential trade war being telegraphed by the administration become a reality?
  • Will NAFTA be repealed, upsetting the international supply chains of many PE portfolio companies?
  • Will the enforcement attention on PE firms continue? Does the Och-Ziff FCPA action, which included a multi-million penalty on the head of the PE firm, represent a new trend of personal liability for PE firm senior management?
  • And is there anything that PE firms can do to cope with this perilous regulatory environment?

To help navigate this uncertain future, this client alert presents the "top ten" regulatory and trade questions every PE firm with international interests or that raises investment funds internationally should be considering. This client alert is part of a series of "top ten" articles on the future of key international trade and regulatory issues expected to change under the Trump administration. Previously issued client alerts discuss the future of NAFTA,1 Customs and Border Protection,2 and international trade litigation under the Trump Administration (including antidumping and countervailing duty actions),3 the future of the CFIUS review process,4 and likely developments impacting white collar enforcement.5 Future client alerts will deal comprehensively with all international trade and regulatory areas where significant change could occur under the new administration.

THE TOP TEN PE REGULATORY QUESTIONS ANSWERED (OR, WILL PRESIDENT TRUMP MAKE PE RETURNS GREAT AGAIN?)

1. "What has President Trump promised?"

During the campaign, President Trump's populist instincts appeared to be aligned against PE firms. President Trump's frequent criticisms of U.S. manufacturers moving jobs overseas implicitly targeted the decisions of PE firms, which often take a global strategy to allocating capital and sourcing manufacturing to maximize investor returns. Mr. Trump's criticisms of PE powerhouse Goldman Sachs, in particular, were frequent and seemed to telegraph hostility towards the industry.

In this case, however, elected actions likely trump election rhetoric, as the Trump transition team and high-level nominations are heavily drawn from the PE world – including from Goldman Sachs. Chief strategist Stephen Bannon, Secretary of the Treasury nominee Steve Mnuchin, and National Economic Council Director Gary Cohn all previously worked at Goldman Sachs, while SEC Chair nominee Jay Clayton was a partner at Sullivan & Cromwell, where he represented Goldman Sachs. Other senior and transition advisors have ties to Goldman Sachs as well. Additional Cabinet nominees, such as Department of Commerce nominee Wilbur Ross (hailing from PE firm WL Ross & Co.) and economic advisory council member Stephen Feinberg (former CEO of Cerberus Capital Management) also have strong PE roots.

This is hardly a murderers' row of populist advisors looking to crack down on PE firms. Indeed, in at least one way – the fate of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act) – it appears that momentum is building in the new Republican Congress to give Mr. Trump a victory in substantially curtailing or even repealing the Act, which is a course Mr. Trump recently endorsed. Since the Dodd-Frank Act subjects many PE firms to strict SEC oversight and compliance requirements, curtailing or repealing the Act would be a welcome development to many PE firms, which have chafed at the aggressive application of SEC regulatory requirements.

2. "What is the landscape for international regulatory enforcement? Is it likely these trends will continue under the new administration?"

There have been many trends related to the regulation of exports and international conduct that are of concern with regard to both the operation of PE portfolio companies and PE firms' own operations. Chief among these are the following:

  • Emphasis on International Regulations. The largest penalties in recent enforcement actions (outside of the crackdown on sub-prime mortgage abuses) have involved U.S. regulations governing exports and international conduct. In particular, the U.S. government has emphasized the areas of international antitrust (particularly collusion and price fixing), export controls, OFAC economic sanctions, anticorruption (FCPA), and AML for enforcement attention, imposing tens of billions of dollars of penalties under these regulatory regimes. Because PE firms often invest in companies that operate in, sell into, and trade with foreign countries, this trend of increasing penalties sharply increases the risk profile of the investment portfolios of most PE firms.
  • Individual Liability. The U.S. government, including through the issuance of the "Yates Memorandum" (discussed here6), has emphasized individual liability, believing that nothing has a greater deterrent effect than the prospect of hefty fines or jail time for senior executives. The imposition of a multi-million dollar fine and other sanctions directly on senior managers at PE firm Och-Ziff, including the head of the company, illustrates that the U.S. government easily can apply this focus to PE firms.
  • Increasing Use of Criminal Penalties. The U.S. Government has increasingly been willing to use either the threat, or the actual imposition, of criminal proceedings as enforcement tools. This combines with another trend discussed below, which is to use penalties – including criminal penalties against individuals – to send a compliance message. Even where civil penalties are the result, the threat of criminal penalties can be used as leverage to extract a larger civil penalty.
  • Liability Based Upon Control. Many PE firms have (falsely) taken comfort in the idea that operating models emphasizing the role of the PE firm as an allocator of capital and management expertise, while leaving the active management of the companies to senior portfolio company managers, insulates them from direct liability for compliance lapses at portfolio companies. SEC actions, however, have introduced the concept of liability for failure to maintain adequate internal controls and failure to notice indications of fraud or regulatory lapses. The DOJ, as well, has no problem going after owners of third-tier subsidiaries, joint ventures, and other parties that control an entity, even if they do not directly participate in the management of the company. Similar logic applies equally to PE firms. The U.S. government believes ownership confers compliance responsibilities, with failures being punishable by hefty fines. The hands-off approach to compliance that is the rule at many PE firms no longer is tenable (if it ever was).

3. "Are there regulatory areas of special concern for PE firms?"

The U.S. government has made PE firms an enforcement and compliance target in recent years. These efforts include the SEC sending the largest PE firms letters of inquiry into their compliance practices, which some link to the September 2016 SEC announcement that Och-Ziff Capital Management Group would pay approximately $200 million to settle SEC charges of FCPA violations, along with a DOJ criminal penalty of $213 million (plus individual fines, including a settlement of FCPA violations with the CEO of Och-Ziff having to pay nearly $2.2 million in individual fines). Total criminal and civil penalties of $412 million underscore the importance of U.S. government compliance expectations for PE firms.

Some other areas of special concern for PE firms include the following:

  • SEC Enforcement. In addition to the Och-Ziff developments noted above, the SEC in other ways has made PE firms a focus, including through the creation of an Asset Management Unit to focus exclusively on PE firms, hedge funds, and mutual funds. Because the SEC also is in charge of enforcing the internal controls and books and records provisions of the FCPA, this SEC focus exposes PE firms to scrutiny for one of the legal regimes that consistently sees the highest level of fines.
  • Dodd-Frank Effect. Traditionally, PE firms have operated largely free of regulatory oversight (with the exception of normal regulatory requirements placed on portfolio firms or on the PE firm directly, such as EEOC compliance requirements). But the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) required that PE firms with more than $150 million in assets under management register with the SEC, subjecting them to various SEC rules. These rules include the Compliance Program Rule (Rule 206(4)-7), which requires that PE firms have and maintain an effective compliance program designed to prevent violations of the Advisers Act. Required actions include the adoption and implementation of written policies and procedures reasonably designed to prevent violations of the Advisers Act, the conduct of a compliance program review at least annually, and the appointment of a chief compliance officer.
  • Multiplying Risk Factors. The manner in which PE firms typically operate increases their risk profile in myriad ways:

    • PE firms often manage multiple funds, investing in a portfolio of companies. This multiplication of investment vehicles and holdings complicates compliance oversight, as regulators increasingly view the role of the PE firm as enforcing compliance expectations across portfolio companies through the conduct of risk assessments, implementation of compliance programs and internal controls, and oversight of the adequacy of compliance. Fragmented investments and individual implementation of compliance initiatives complicate achieving a high level of compliance across the full portfolio of investments.
    • Most legal regimes do not allow changes in corporate form to alter liability for the underlying conduct. Since most PE firms frequently are in acquisition mode to fill out their investment portfolio, onboarding transactions multiply the risk of acquiring violations.
    • PE firms frequently invest in multinational companies, which often operate in industries and in countries at heightened risk of enforcement activity under such high-risk legal regimes as the FCPA, OFAC sanctions, export controls, antitrust, and AML laws.
    • With many PE firms being currently regulated under the federal securities laws, they remain liable for the bookkeeping and internal control requirements of the FCPA, which require accuracy in books and records and an effective internal control environment sufficient to give the company control of the disbursement and use of assets.
    • The opening of an investigation at one portfolio company can quickly become an investigation of a group of companies or even all portfolio investments, as regulators have the discretion to inquire broadly into potential issues across the PE firm's investments.

4. "What regulatory areas are of most concern for PE firms?"

The following areas merit special scrutiny by PE firms in the administration of both their portfolio investments and their own operations:

  • Antitrust. Under the Obama administration, antitrust enforcement was regarded as being more aggressive, including the willingness of regulators to challenge transactions that fell below the filing thresholds of the Hart-Scott-Rodino Antitrust Improvements Act of 1976. It is difficult to handicap whether this scrutiny will change. While Republican administrations are viewed as more relaxed in the antitrust area, this generally has meant a more lenient approach to merger activities, not a lessening of the enforcement of such antitrust issues as collusion and price fixing. When campaigning, President Trump stated that if he were president he would seek to block the $85 billion AT&T/Time Warner merger, which potentially could signal a mindset of preventing concentrations of market power. President Trump also has personal experience in antitrust cases, including as a plaintiff in a federal antitrust suit against the National Football League, as a defendant in a NJ state court suit alleging he attempted to monopolize and suppress competition in the Atlantic City casino gambling market, and through his payment of a $750,000 civil penalty to resolve claims he violated the Hart-Scott-Rodino Act's reporting and waiting period requirements when acquiring stock in two gaming companies. It is unclear how these experiences will shape President Trump's view of antitrust law.

    Because the administration's stance could impact the acquisition and exit strategies for PE companies that own companies in concentrated industries, monitoring early antitrust activity will be important. Discerning the views of new appointees to the Federal Trade Commission and the head of the DOJ's Antitrust Division will be important to divining how the administration is likely to proceed. Regardless of how the new administration treats antitrust on the monopolization side, it is likely that antitrust enforcement will continue to be strong, especially for activities that subvert the competitive market, such as collusion and price fixing. The same is likely to be true with regard to the enforcement of fair competition laws abroad, which are in many countries enforced as rigorously as or even more so than U.S. antitrust law. As a result, ensuring antitrust and fair competition compliance at portfolio companies will continue to be an important risk-management requirement.

  • Cybersecurity. President Trump stated during the first presidential debate that the U.S. government needed to get "very, very tough on cyber and cyberwarfare," and called for the creation of a joint public-private team of experts to analyze U.S. government cybersecurity protections. With the intelligence agencies agreeing that China, Russia, and North Korea have engaged in hacking designed to steal confidential data from the U.S. government and U.S. companies, and with private intrusions being even more common, it is highly likely that regulatory agencies such as the SEC and subject-matter agencies overseeing particular industries will be implementing regulations and other measures designed to ensure that regulated companies are putting in place measures to combat electronic intrusion into company networks and confidential data sources. Expectations will be particularly high for companies that maintain classified or controlled information, for government contractors, for firms with security clearances or that maintain classified data, or for companies that deal with export-controlled technical data. Firms that deal with highly confidential personal data, such as healthcare and financial firms, also will be under heightened scrutiny. Any firm in this category should operate under heightened compliance expectations to ensure they are not victims of hacking or cyberattacks. (The subject of cybersecurity will be covered in a future "top ten questions" alert.) PE firms need to have a firm handle on the vulnerability of their firms to such attacks and have strong compliance measures designed to fight off such electronic intrusions.
  • FCPA. FCPA risks existed long before the Och-Ziff enforcement action highlighted above. With many PE firms now regulated under the federal securities laws, they remain liable for the bookkeeping and internal control requirements of the FCPA, which require accuracy in books and records and an effective internal control environment sufficient to give the company control over and insight into the disbursement and use of assets. Further, the ways in which many PE firms operate increase the risk of direct application of the law to their operations. For example, many PE firms seek investments from sovereign wealth funds. Due to the operation of the FCPA's rules, which consider all employees of sovereign wealth funds to be "government officials," the payment of bribes to secure sovereign wealth fund investments is potentially a criminal act. Liability also is enhanced by the frequent use by PE firms of consultants in foreign countries, including investment placement agents and marketers. FCPA liability attaches to dealings by these third parties where the PE fund either knew, or had reason to know, that the arrangement would result in the payment of a bribe. Even where such knowledge cannot be shown, the U.S. government

    Even if liability is attached at the portfolio company level, keeping the penalty "away" from the PE firm itself can be a pyrrhic victory, as the economic hit of a portfolio penalty will still be felt on the PE firm balance sheet – a key concern, given that penalties under the FCPA generally exceed $1 billion annually. For this reason, the FCPA is a priority not only in terms of compliance, but also as a due diligence item during acquisitions. (The FCPA will be covered in detail in a future "top ten questions" alert.)

  • Economic Sanctions/Export Controls. Over the last few years, the economic sanctions programs overseen by OFAC, alongside the coordinating export control regimes, have become a key enforcement priority of the U.S. government. Penalties in the OFAC area can exceed $1 billion annually. Further complicating compliance in this area is that the regulations rapidly change, reflecting the foreign policy issues that arise daily. Compliance is no longer accomplished just by screening new customers against OFAC lists of Specially Designated Nationals. A multi-faceted compliance program, based upon a current risk assessment, is an essential risk-management tool for portfolio companies operating internationally, with export controls and sanctions also being an important due diligence item. (Export controls and economic sanctions will be covered in detail in a future "top ten questions" alert.)
  • Privacy. During the Obama administration, the Federal Trade Commission (FTC) took the lead on bringing actions against companies that used personal data in ways that exceeded how they had agreed to use such information. Although some critics believed these actions were based on an overly broad reading of the "unfair practices" and "likelihood of consumer harm" provisions in Section 5 of the FTC Act, the protection of consumer data has become a bipartisan issue. Some business interests may press the new administration and Republican Congress to weaken privacy restrictions to allow greater data mining, including through reversal of the USA Freedom Act of 2015 (which amended the USA PATRIOT Act to create additional data privacy protections). It is likely, however, that such amendments would raise concerns about jeopardizing the EU-U.S. Privacy Shield agreement, which allows companies to send data from the EU to the U.S. in compliance with EU law. Fears of cutting off the ability to share information with the EU likely would forestall such action.

    It therefore is unlikely that there will be any scaling back of the regulatory expectations of protection of confidential data. Indeed, it is more likely that other regulatory agencies will look to enhance privacy protections. This makes privacy compliance measures important at PE portfolio firms that deal with confidential data, such as at financial and healthcare firms.

  • Whistleblower Issues. The Dodd-Frank Act provides that the provision of information to the SEC that results in monetary sanctions of $1 million or more for violations of the federal securities laws or regulations thereunder makes the whistleblower eligible for an award of 10-30 percent of the amount recovered. The information cannot already be known to the SEC or derived from public sources and must be based on the whistleblower's independent knowledge or independent analysis. Although the rules also allow the whistleblower a 120-day window to provide the same information to the company, the whistleblower still has a strong incentive to report to the SEC because the SEC rules protect the whistleblower from company retaliation.

    The SEC rules apply to any entity subject to federal securities laws, thus including PE firms with more than $150 million under management. Whistleblower issues (including at companies not covered by the SEC rules) are especially onerous for PE firms for the following reasons:

    • Where SEC requirements apply, the whistleblower laws apply to any violation of the federal securities laws, allowing for reporting of issues at both the PE firm and any of the PE firm's portfolio companies.
    • Whistleblowers can be employees of either the PE firm or the portfolio company, thus increasing the number of persons who can report compliance lapses.
    • Unlike for most private or publicly traded companies, where whistleblowers generally know only about compliance lapses in their own areas of responsibility, office, or division, PE firms often have employees who may know about issues across the full range of portfolio companies. This gives employees the potential to become whistleblowers across multiple companies at the same time.
    • Since many PE firms do not directly manage their portfolio companies, they may not have sufficient insight into the effectiveness of compliance at their holdings, making it more difficult to detect compliance lapses that can lead to whistleblowing opportunities.
    • PE firms often purchase companies where it is expected that better management and more efficient operations will increase profitability, making for a profitable exit strategy. To the extent that these activities lead to job losses, they create conditions that foster whistleblower activities from disgruntled or terminated employees.

While there are serious discussions in Washington regarding the potential repeal of the Dodd-Frank law, in whole or in part, we expect that the whistleblower provisions will survive, due to their demonstrated utility. This may be either through preservation of the statutory authority for the whistleblower program or through an exercise in SEC rulemaking. Regardless, even if the program were to disappear, we believe this should not impact the level of resources devoted to compliance or the type of compliance measures maintained by PE firms, including at their portfolio companies. The size of potential penalties alone dictates that companies mitigate risk through effective compliance measures.

5. "What are some of the risk factors that PE firms should be looking at when acquiring portfolio companies?"

Regardless of the context (export controls, OFAC sanctions, FCPA, and so forth), government regulators believe change of control does not eliminate liability for violations. As the FCPA Guide states: "[s]uccessor liability applies to all kinds of civil and criminal liabilities, and FCPA violations are no exception."7 Further, an acquiring entity is responsible for any ongoing or new violations, from the very first moment of ownership.

The prospect of inherited liability makes due diligence at the acquisition stage more important than ever. The speed at which deals are completed, however, as well as the difficulties in getting full information from target companies, can complicate fact finding. Allowing time for, and giving advance thought to, the due diligence strategy always is important to combat these realities. If issues are identified early in the process, protections in the form of tailored representations and warranties, escrow funds, prior disclosures to agencies, agreements that the cost of investigations will be borne by the seller, or even a diminished sales price can all be used to protect against known risks. In some cases, the problems may be large enough to merit abandoning the deal. But none of these risk-mitigating strategies can be used for risks not uncovered through appropriate due diligence.

Some of the key issues that should be evaluated in any acquisition include the following:

  • International Regulatory Risk. As noted above, such international regulatory risks as international antitrust, export controls, OFAC sanctions, AML, and anticorruption concerns arise where targets are multinational companies that operate, export, or sell abroad. For any acquisition with an international risk profile, careful inquiry should be made into these key areas, which are all enforcement priorities for the U.S. government.
  • Operations in Countries of Concern. Due diligence should not be done in a one-size-fits-all fashion. Instead, it should be tailored to the overall risk profile and particular risks of a given transaction. One of the key determinants is the countries where the target operates and sells. Countries that rank high on the Transparency International Perceived Corruption Index also tend to have a general lack of respect for the rule of law, and to present a heightened risk profile for such things as export controls and OFAC sanctions (diversion risk), AML, and other regulatory concerns. Heightened due diligence generally is appropriate when the target has significant ties to such countries as China, India, Russia, much of Latin America, the Middle East, and Africa, as well as countries in Europe with a reputation for diminished respect for the rule of law (Italy, Greece, and so forth).
  • Controlled Goods. Companies that manufacture, broker, sell, or export goods that are subject to controls under the ITAR (USML goods or goods that are specially modified to meet military specifications) or the EAR (goods with an ECCN) present special compliance concerns, as well as heightened opportunities to commit legal violations of the strict export control regulations. Inquiry should always be made as to the presence of controlled goods or technical data at the target, with a tailored follow-up inquiry should initial results be positive.
  • International Trade Risk. PE firms often own portfolio companies that operate internationally. If President Trump follows through on his claims that he will aggressively pursue an "America First" trade strategy, U.S. companies, including U.S. PE funds, may need to move their focus to U.S. investment opportunities. PE funds that possess portfolio investments abroad, or that are seeking such investments, will need to carefully factor in international trade risk, especially if they are looking at investments that draw some of their value from operations in or trade with foreign countries that are under a trade spotlight (China, Mexico, developing markets like India, the Philippines, Vietnam, and to some extent other countries where there is a trade deficit like Germany, Korea, and Japan). Relevant inquiries include whether the target imports goods that are subject to antidumping or countervailing duty orders, whether the company is heavily reliant on imports from China, Mexico, or other countries viewed as being a subject of potential trade actions, and the company's general susceptibility to international supply chain disruptions. (These issues are covered in detail in separate Foley client alerts, available here.8)
  • Supply Chain Risk. President Trump has vigorously and often stated his view that international trade as currently constituted allows certain countries to take excessive advantage of the liberal U.S. free trade posture. With President Trump asserting that his administration will crack down on countries that maintain a significant trade surplus with the United States – whether through the imposition of increased tariffs, a border tax, safeguard actions, or antidumping and countervailing duty orders – it is appropriate for acquiring companies to closely examine whether target companies import a large amount of goods or significant components, particularly if they are goods that are commonly subject to antidumping and countervailing duty actions (steel, many chemicals, and so forth). Further, the potential amendment of or withdrawal from NAFTA could have a huge impact on companies that rely on Mexican sourcing as part of an integrated supply chain. Although not commonly a due diligence topic, acquiring PE firms should carefully determine whether sourcing depends on the operation of free trade agreements like NAFTA and determine the susceptibility of the target to supply chain disruption if President Trump's international trade campaign announcements are in fact implemented. (Risk scenarios regarding NAFTA are explored in detail here.9)
  • National Security Risk. As outlined in an earlier client alert regarding national security reviews and the CFIUS review process, there are reasons to expect that the new administration will emphasize national and economic security issues. Acquiring firms should carefully evaluate whether sales to foreign companies merit a CFIUS review due to the sale of sensitive technology, product lines, technical data, or other sensitive interests to a foreign company. Further information is found in Foley's "top ten questions" CFIUS client alert.10

6. "Sounds scary! What can I do to prevent purchasing trouble?"

As noted above, liability for issues can be purchased. The U.S. Government, however, has some sympathy for the lack of transparency enjoyed in many deals and does allow for the need to get the acquired company's compliance house in order – provided it is done the right way. The FCPA Resource Guide provides the following tips to minimize risks, which are equally applicable to any high-risk legal regime:

  • Conduct thorough risk-based due diligence.
  • Ensure the acquiring company applies its code of conduct and compliance policies to the target as quickly as possible or otherwise ensures strong compliance is in place soon after the acquisition.
  • Train the directors, officers, and employees of newly acquired businesses or merged entities regarding high-risk regulations and risks of its business model (which hopefully were identified as part of a searching due diligence inquiry prior to acquisition); consider training agents and business partners where the risk is high.
  • Conduct a compliance audit of all newly acquired or merged businesses as quickly as practicable.
  • Consider disclosing any issues discovered as part of the due diligence or post-acquisition compliance implementation to relevant regulatory authorities.11

As can be seen, the recommendations center on the conduct of effective due diligence and the implementation of the learnings of that due diligence after the acquisition. The role of due diligence in this process cannot be overstated, as effective due diligence actually has seven rationales: (1) to determine the risk of the acquisition; (2) to ensure proper valuation of the acquired company; (3) to determine the potential liability for violations; (4) to minimize unexpected surprises; (5) to minimize liability for past conduct; (6) to identify future compliance issues; and (7) to assist in post-acquisition planning.

To avoid unpleasant surprises, the following are the general topics the due diligence inquiry should address:

  • Evaluating the risk profile of the target including with regard to its industry, countries of sales and operation, use of third parties/consultants/joint ventures, and so forth.
  • Evaluating the structure of the target's operations, including its customer base, its non-U.S. operations and the countries in which it operates, sells, and to which it exports.
  • Determining how the target does business with third parties, what due diligence was performed on them, and the extent of business that relies on agents or distributors.
  • Determining the rigor of the target's recordkeeping and accounting procedures.
  • Determining whether the target has appropriate compliance and training procedures.
  • Determining whether the target conducts periodic reviews and certifications of its third-party intermediaries and whether the target has contractual provisions that allow termination based upon suspected legal violations.
  • Determining whether the target has procedures to help identify red flags for high-risk areas (FCPA, export controls, sanctions, AML, and antitrust/fair competition, among others) with appropriate follow up.
  • Determining whether the target has been the subject of any investigation by any government that potentially could lead to significant risk and penalty exposure under legal regimes of concern.
  • Determining whether the target's compliance structure is appropriate, including with regard to compliance resources located outside of headquarters, and whether it is run, in an independent fashion, by a senior management-level employee who is backed with appropriate resources.
  • Determining whether the target conducts periodic internal compliance assessments and compliance audits and follows up on identified compliance gaps with compliance improvements to identify known compliance issues.

7. "What can I do to prevent problems in my portfolio companies?"

Too many companies view due diligence as a check-off item that begins and ends at discrete portions of the deal. The best practice in the area, however, is to view due diligence as an entrée not only to identification of risk, but also the first step in the administration of the to-be acquired company's compliance efforts. To take full advantage of the efforts put into due diligence, acquiring companies should have a well-thought-out due diligence and compliance integration plan. Some guideposts to consider along the way include:

  • Determine the Scope of Due Diligence. The degree of due diligence to be conducted, and the areas of concentration, should be based upon the size of the transaction, its risk profile, and the business profile of the target. Targets that operate in high-risk environments like China, the Middle East, Russia, Latin America, or Africa, or make significant sales into them, require more careful scrutiny. The same is true of targets that operate in the export controlled (ITAR or EAR) or classified arenas or that are government contractors.
  • Keep a Fluid View of the Developing Risk Profile of the Target. Due diligence should not be a check-off item. As information is developed, an evolving view of the target's business and risk profile should be constructed and modified, so as to determine areas of potential regulatory risks and likely compliance lapses.
  • Conduct a Compliance Gap Analysis. The due diligence inquiry should include an inquiry into the compliance environment at the target for all high-risk areas, which often are international in scope (anti-corruption, economic sanctions, antitrust/fair competition, export controls, AML, and so forth). The scope of the compliance measures in place, as well as related internal controls and training, should be compared to the risk profile of the target.
  • Prepare an Integration Plan. Often, integration "plans" for PE firm acquisitions consist of nothing more than stating that the target will be integrated into the compliance program of the acquiring company (if an acquisition by an existing portfolio company) or using a generic compliance template that the acquiring PE firm digs up from a prior deal and indiscriminately applies. But integration into a purchasing entity or the implementation of a new compliance plan should not occur without first considering such issues as whether the compliance omissions in the target's compliance measures potentially created issues that require investigation, evaluating whether the prior training had gaps in coverage or personnel trained, and whether the internal controls matched up with the compliance objectives and the target's risk profile. Even absent such compliance lapses, integration of compliance programs should not occur without first giving thought to whether the risk profile of the combined entity changes based upon the new acquisition, thus potentially making a mismatch between the acquiring company's compliance measures and the merged entity.
  • Follow up on Identified Issues. Make certain there is a thorough and timely follow up on any issues identified during the course of the acquisition, especially for high-risk legal regimes. Any ongoing investigation will need to be completed in a timely fashion; issues not thoroughly investigated by the prior management may need to be fast tracked. Similarly, gaps in compliance identified through due diligence also should be evaluated to determine if they likely have led to compliance lapses that need to be addressed.
  • Conduct a Compliance Audit/Risk Assessment. Acquiring companies should not assume that all issues were identified during the due diligence process. A compliance audit/risk assessment, conducted within 30 to 90 days of acquisition, often is appropriate, especially for target companies that have a heightened risk profile or that represent a significant addition of business to the PE firm's portfolio.
  • Review Company Culture. Consideration also should be given to whether the company's culture was one of compliance. A company that did not set a tone at the top supporting compliance, for example, will often require significant intervention to establish the right culture of compliance. This cannot be accomplished merely by conducting a few training sessions.
  • Set a Training Schedule. The company should establish a training schedule. This will require a review of the training performed by the target prior to the acquisition to determine whether the correct personnel were receiving tailored training in the correct areas. The goal should be to identify within 30-60 days any significant training omissions and to ensure these employees (and perhaps consultants and other third parties) are trained in all high-risk areas pertinent to their responsibilities.

8. "Compliance at portfolio companies sounds complicated! Has anyone ever thought of putting together a twelve-step program to provide guideposts for an effective risk mitigation?"

The author of this client alert has an international compliance guide that includes just such a twelve-step program; a copy is available by request.12 The headlines of this twelve-step program are as follows:

  • Step 1: Secure Buy-In at the Top. This includes not only taking steps to secure the appropriate "tone at the top" and support for compliance efforts, but also securing adequate resources to support compliance efforts.
  • Step 2: Perform a Risk Assessment. The second step for most organizations is to perform a risk assessment (a survey of the company's operations to determine the exposure of the organization to various forms of regulatory risk, considering both the likelihood and severity of possible violations and the current enforcement priorities of the relevant authority). Once the risk assessment is complete, the results should be carefully evaluated to determine where the areas of greatest compliance concern lie through the preparation of a company-wide risk profile, which can guide the allocation of compliance resources.
  • Step 3: Survey Current Controls. Step 3 involves surveying current compliance procedures and internal controls to determine whether the compliance measures in place properly cover the circumstances that may put the organization at risk of violations.
  • Step 4: Identify Available Resources. After an inventory of compliance procedures in place has occurred, a key next step is to ensure the organization has not fallen into the classic compliance trap of over-promising and under-delivering by imposing compliance requirements and then failing to implement them. To avoid these and other promise-resource mismatches, the company should, with a clear and open mind, compare its identified risk profile with the inventory of current policies and internal controls to determine whether there are any gaps between the two. Funding adequate to cover all necessary compliance efforts should be in place and, if not, should become a funding priority.
  • Step 5: Assess Local Oversight. The state of compliance as envisioned at corporate headquarters, and the actual state of compliance as implemented in the field, far too often diverge. It accordingly is often necessary, at least at larger companies, to set up a compliance infrastructure that includes compliance liaisons and various local resources that can ensure effective implementation of compliance dictates. These resources also can be invaluable in identifying compliance lapses before they grow and become a large problem.
  • Step 6: Create a Written Compliance Policy. It is an unfortunate fact that Step 6—the drafting of the compliance manual—is often Step 1 for many companies. But there is considerable groundwork to cover before the organization should begin the actual drafting of the compliance manual, including the performance of a risk assessment and establishment of the culture of compliance. The written manual should accurately summarize the regulations, using plain language that employees without legal training can readily follow. The focus should be on readability and tailoring the policy to the risk and business profile of the company, not trying to cover every nuance of the legal regime at issue.
  • Step 7: Establish Internal Controls. Although internal controls (called standard operating procedures at some companies) are one of the three pillars of compliance (along with the written policy and training), they often are the most neglected. But internal controls provide procedures that are essential to implement the dictates of the compliance program. Systematizing compliance through internal controls also gives the company the ability to audit compliance and determine how effective the procedures actually are.
  • Step 8: Training, Training, Training. The basic task of training is to ensure, in conjunction with a well-written compliance program and appropriate internal controls, that employees and agents have sufficient knowledge to recognize red flags and other problematic situations, and understand what they need to do to comply with regulations and company policy. The goal is not to create legal experts all across the company; rather, it is to sensitize people to the law so they know when to seek counsel from the appropriate compliance or legal personnel. No compliance regime will be successful unless the appropriate individuals are identified and trained regarding the company's compliance efforts and the operation of its compliance program.
  • Step 9: Integrate Outsiders. Outsiders—third parties who act (or could be construed as acting) for the organization—are often a key source of risk. Companies accordingly should take steps to ensure that outsiders acting on their behalf are trained in the key compliance requirements, whether through the imposition of an obligation of the outside actor to receive training or through direct integration of the outsider into the company's compliance program.
  • Step 10: Auditing and Checkups. It is difficult to have a strong compliance program unless it is regularly tested and probed, with the results analyzed to come up with compliance improvement action items. As companies realize the dangers of letting their compliance program run on auto-pilot, it has become common for companies to use risk-based auditing principles to determine the countries, divisions, subsidiaries, and third parties who should be monitored through audits and compliance check-ups. Companies that do so reap considerable compliance dividends.
  • Step 11: Monitor Red Flags. The identification of red flags and ensuring appropriate follow-up are the keystones to a well-functioning compliance system. One of the most important tasks when implementing international compliance accordingly is to train relevant stakeholders regarding the transactions and conduct that are suspicious given the regulatory requirements.
  • Step 12: Communicate with Board & Senior Management. In corporations that set the proper compliance tone, board-level involvement is regular and institutionalized. The key areas for board-level involvement include thorough oversight of compliance initiatives, quarterly reports of compliance activities, and special communications for potentially serious matters. Compliance conversations with senior management should be routine and compliance counsel consistently heeded.

9. "What compliance steps can be taken to minimize the risk of whistleblowers?"

Taking steps to minimize whistleblowers has never been more urgent for PE firms. The issue arises at both portfolio companies and at the PE fund itself, where employees may have wide-ranging access to information regarding compliance lapses across the entirety of the company's portfolio. Even if the PE firm and its investments are exonerated, the cost of internal investigation and dealing with the regulatory agencies in the wake of a whistleblower report can be considerable. Further, studies show that most whistleblowers are motivated by reasons other than money (i.e., whistleblowing often occurs because employees are disgruntled or terminated, or because they have raised concerns about compliance lapses and believe the issue was not taken seriously). Thus, even if the Dodd-Frank whistleblower regime disappears or no longer is applicable to PE firms under the new administration, whistleblowing concerns will still remain.

Compliance measures PE firms should consider to minimize external whistleblower activity include the following:

  • Implementing internal reporting channels, adjusted for the size and nature of the business, at all portfolio companies and at the PE firm itself.
  • Creating multiple ways to report potential misconduct, including through web-based reporting, dedicated compliance email addresses, and independent 24-hour telephone hotlines with multiple-language capability.
  • Creating ways for external compliance stakeholders to report misconduct related to PE firm management or portfolio companies.
  • Implementing procedures to quickly evaluate the significance of claims, determine the priority of investigation, and prepare appropriate follow up based on the potential seriousness of the issue.
  • Maintaining procedures to document all claims received, how they were handled, and their ultimate resolution.
  • Maintaining procedures to report to whistleblowers how their claims were handled while sanitizing reports of any confidential data.
  • Maintaining procedures for determining when outside investigative resources, including law firms and forensic specialists, need to be brought onto investigations.
  • Implementing special procedures related to the handling of complaints related to senior management, board of directors, audit committee members, and compliance committee members.
  • Drafting policies to ensure confidential treatment of materials related to internal investigations, including procedures designed to preserve attorney-client communication and attorney work product privileges.
  • Maintaining anti-retaliation compliance policies to ensure that there is no retaliation for whistleblower activity and that whistleblowers continue to be evaluated solely based on the quality of their work and not concerns related to whistleblower activities (i.e., the firm needs to avoid claims of retaliation).
  • Creating procedures to ensure that any compliance lapses are remedied, such that issues identified as a result of whistleblower activity (or that are otherwise discovered) are not repeated.

While implementing these compliance items is important, the PE firm should not use severance or monetary incentives to minimize the risk of whistleblowers. In several enforcement matters, the SEC has imposed significant penalties against companies that maintained provisions that restricted the ability of an employee or ex-employee to report as a whistleblower. Significantly, in some of these cases the penalties were imposed even absent any showing that anyone was deterred from actually reporting a compliance lapse. Instead of trying to restrict external whistleblowers, PE firms instead should put their efforts into ensuring that compliance lapses do not occur in the first place and into ways to encourage internal whistleblowing.

10. "How can I prevent compliance concerns from derailing my exit strategy?"

Given that PE firms tend to have finite ownership timeframes, PE firms need to be equally concerned with how compliance concerns will impact their ability to sell. By far the most useful strategy is to maintain a strong compliance program throughout the ownership period, which not only allows the company to provide assurances to potential purchasers regarding the compliance environment but also minimizes the chances of costly compliance lapses.

But beyond this basic strategy, the following are issues to consider when the PE firm is considering exiting from a particular portfolio investment:

  • CFIUS. As noted above and in a separate CFIUS Client Alert,13 it is widely anticipated that CFIUS reviews will be more rigorous under the new administration. This is a particular concern with regard to the largest source of CFIUS requests, which is for deals involving Chinese acquirers. By most measures, outbound investment from China accounted for twenty percent of global M&A activity in 2016, more than double 2015 levels. PE firms contemplating a potential sale to a Chinese company, in particular, need to carefully consider the national and economic security implications of such transactions, with an eye towards whether a CFIUS pre-clearance should be sought. Full information regarding the types of transactions that are most likely to raise CFIUS concerns is found here.14
  • Conduct a Pre-Sale Compliance Audit. It is far better to know about compliance lapses – and to address them before the sale – than it is to find them out during due diligence and then have to scramble to fix them. A pre-sale compliance audit not only allows for such corrections, it also can be used to put together prepared due diligence responses in advance, allow the company a strategy for dealing with problem situations, and even put together a strategy for dealing with situations where purchasers might demand a prior disclosure as a condition of purchase. The author of this Client Alert has in some cases put together a "compliance white paper" to pre-emptively deal with known issues, thereby putting purchasers at ease regarding the scope of known compliance lapses. Such a review also can minimize the chances of there being a claim for misrepresentation after the deal has closed if the purchaser discovers issues that were not disclosed during the due diligence inquiry.
  • Prepare in Advance for Heavy Due Diligence Requests. Selling companies should expect heavy due diligence requests, especially for sales of companies that operate in, or sell into or export to, countries of concern (China, India, Russia, much of Latin America and Africa, etc.). Even where there is not trade with such red flag countries, the heightened enforcement activity for the FCPA, export controls, economic sanctions, antitrust, and AML means these areas are often a focus of due diligence inquiry. Since these inquiries can be expected, it often is possible to put together commonly requested information in advance, speeding up the response to such inquiries.
  • Go Beyond Providing the Minimum. Too often, selling entities view due diligence as a win-lose scenario, in which the goal is to provide the minimum information possible, under the theory that the more potential purchasers know about the company, the more they can "create trouble" (i.e., raise questions, seek enhanced protections through onerous representation and warranty clauses, and so forth). Yet in the current enforcement environment, requests for full compliance information are appropriate and to be expected. Disarming suspicions by acquiring companies regarding the state of compliance occurs through full and thorough cooperation and the preparation of complete and accurate responses to due diligence requests, including through the provision of information that, while not perhaps being directly requested, is still relevant to a thorough assessment of the state of compliance at the target company.

Conclusion

For these reasons, the regulatory landscape is uncertain for PE firms. Just as is true with investing, however, uncertainty creates both risks and opportunities. PE firms that learn to navigate the regulatory expectations that govern their activities will have an opportunity to deal with these risks better than their competitors, including through avoiding costly investigations and penalties. Through careful risk identification and risk management, firms can adapt to the new and aggressive enforcement of many U.S. regulations, as well as any new regulatory developments that are likely to occur under the new administration. Regardless of the course that is plotted by the new administration, however, the days when it was appropriate for PE firms to leave such concerns entirely to the senior management of portfolio companies are now gone, and are unlikely ever to return. Ensuring that sound risk-identification and risk-management practices are in place at every portfolio investment is the best way to cope with the new enforcement environment.

The international climate for U.S.-based multinational companies and non-U.S. based companies that sell into the United States has never been more uncertain. This client alert is the sixth of a series of Alerts being prepared to help companies navigate the uncertain international trade and regulatory environment. As noted in the introduction, existing "top ten" articles cover the future of NAFTA, International Trade (antidumping and countervailing duty) actions, Customs and Border Protection, the future of white collar enforcement, and likely changes in how the Committee on Foreign Investment in the United States (CFIUS) evaluates investment in the United States. Future client alerts will cover the Office of Foreign Assets Control (OFAC economic sanctions) and Export Controls, the Foreign Corrupt Practices Act, anti-money laundering, and cyber-security.

Footnotes

1 See Gregory Husisian and Robert Huey, "NAFTA and the Trump Administration: Your Top Ten Questions Answered," https://www.foley.com/nafta-and-the-new-trump-administration-12-01-2016/.

2 See Gregory Husisian and Robert Huey, "U.S. Customs and the Trump Administration: Your Top Ten Questions Answered," https://www.foley.com/us-customs-and-the-new-trump-administration-your-top-ten-questions-answered-02-07-2017/.

3 See Gregory Husisian and Robert Huey, "International Trade Litigation and the Trump Administration: Your Top Ten Questions Answered," https://www.foley.com/international-trade-litigation-and-the-new-trump-administration-your-top-ten-questions-answered-01-06-2017/.

4 See Gregory Husisian, "CFIUS Reviews and the Trump Administration, Your Top Ten Questions Answered," https://www.foley.com/cfius-and-the-new-trump-administration-your-top-ten-questions-answered-01-25-2017/.

5 Scott Fredericksen & Gregory Husisian, "White Collar Enforcement and the New Trump Administration: Your Top Ten Questions Answered," https://www.foley.com/white-collar-enforcement-and-the-new-trump-administration-your-top-ten-questions-answered-02-09-2017/.

6 See Scott Fredericksen & Gregory Husisian, "White Collar Enforcement and the New Trump Administration: Your Top Ten Questions Answered," https://www.foley.com/white-collar-enforcement-and-the-new-trump-administration-your-top-ten-questions-answered-02-09-2017/.

7 U.S. Dep't of Justice and U.S. Sec. & Exch. Comm'n, "A Resource Guide to the U.S. Foreign Corrupt Practices Act" (Nov. 14, 2012), https://www.justice.gov/criminal-fraud/fcpa-guidance.

8 See Gregory Husisian and Robert Huey, "International Trade Litigation and the Trump Administration: Your Top Ten Questions Answered," https://www.foley.com/international-trade-litigation-and-the-new-trump-administration-your-top-ten-questions-answered-01-06-2017/.

9 See Gregory Husisian and Robert Huey, "NAFTA and the Trump Administration: Your Top Ten Questions Answered," https://www.foley.com/nafta-and-the-new-trump-administration-12-01-2016/.

10 See Gregory Husisian, "CFIUS Reviews and the Trump Administration, Your Top Ten Questions Answered," https://www.foley.com/cfius-and-the-new-trump-administration-your-top-ten-questions-answered-01-25-2017/.

11 FCPA Resource Guide at 29.

12 Please contact Gregory Husisian at +1 202.945.6149 or ghusisian foley.com to receive a copy.

13 See Gregory Husisian, "CFIUS Reviews and the Trump Administration, Your Top Ten Questions Answered," https://www.foley.com/cfius-and-the-new-trump-administration-your-top-ten-questions-answered-01-25-2017/.

14 See Gregory Husisian, "CFIUS Reviews and the Trump Administration, Your Top Ten Questions Answered," https://www.foley.com/cfius-and-the-new-trump-administration-your-top-ten-questions-answered-01-25-2017/.
