The election of President Trump contained some positive signs for Private Equity (PE) fund managers. These included potential lower corporate taxes, a ten-percent tax holiday for funds parked overseas, large infrastructure projects needing investment capital, and deregulation (including the potential rollback of the unpopular Dodd-Frank law), all of which could have a profound impact on investment returns (albeit with the potential negative of an increase in the type of unregulated behavior that plagued the private funds industry before increased regulation and SEC oversight). But other potential regulatory initiatives foretold potential problems, including President Trump’s promise to restrict international investment in the United States, including through hard-nosed national security reviews by the Committee on Foreign Investment in the United States (CFIUS), withdrawing from NAFTA, and initiating an international trade war, particularly with China, just when record numbers of Chinese investors were flooding into the U.S. market.
The confluence of these promises raises numerous questions at the dawn of the new administration, such as:
- Will the Dodd-Frank Act and its compliance requirements targeting PE funds and managers be repealed?
- Will the promised trade war become a reality?
- Will NAFTA be repealed, upsetting the international supply chains of many PE fund portfolio companies?
- Will the enforcement attention on PE funds continue or completely stop?
- Does the recent imposition of a multimillion-dollar penalty on the head of a PE fund represent a new trend of personal liability for PE fund management?
- Is there anything that PE funds can do to cope with this changing regulatory landscape?
To help navigate this uncertain future, this client alert presents the “top ten” regulatory and trade questions every PE fund management team with international fund raising or portfolio companies should be considering. This client alert is part of a series of “top ten” articles on the future of key international trade and regulatory issues expected to change under the Trump administration. Previously issued client alerts discuss the future of international trade (the future of NAFTA[1], Customs and Border Protection enforcement[2], and international trade litigation[3]); international investment (the CFIUS review process[4]); and international regulation (likely developments impacting white collar enforcement[5]). Future client alerts will deal comprehensively with all international trade and regulatory areas where significant change could occur under the new administration.
II. The Top Ten PE Regulatory Questions Answered (or, Will President Trump Make PE Returns Great Again?)
1. What has President Trump promised?
During the campaign, President Trump’s populist instincts appeared to be aligned against PE fund managers. President Trump’s frequent criticisms of U.S. manufacturers moving jobs overseas implicitly targeted the decisions of PE funds, which often take a global strategy to allocating capital and sourcing manufacturing. Mr. Trump’s criticisms of PE powerhouse Goldman Sachs, in particular, were frequent and seemed to telegraph hostility towards the industry.
In this case, however, elected actions likely “trump” election rhetoric, as the Trump transition team and high-level nominations are heavily drawn from the PE world – including from his favorite campaign punching bag, Goldman Sachs. Chief strategist Stephen Bannon, Secretary of the Treasury nominee Steve Mnuchin, and National Economic Council Director Gary Cohn all previously worked at Goldman Sachs, while SEC Chair nominee Jay Clayton was a partner at Sullivan & Cromwell, where he represented Goldman Sachs. Other senior and transition advisors have ties to Goldman Sachs as well. Additional Cabinet nominees, such as Department of Commerce nominee Wilbur Ross (hailing from PE firm WL Ross & Co.) and economic advisory council member Stephen Feinberg (former CEO of Cerberus Capital Management) also have strong PE roots.
This is hardly a murderer’s row of populist advisors looking to crack down on PE funds. Indeed, in at least one way – the fate of the Dodd-Frank Act – it appears that momentum is building in the new Republican Congress to give Mr. Trump a victory in substantially curtailing or even repealing the Act, which is a course Mr. Trump recently endorsed. Since the Dodd-Frank Act subjects many PE funds to strict SEC oversight and compliance requirements, curtailing or repealing the Act would be a welcome development to many PE funds, which have chafed at the aggressive application of SEC regulatory requirements to PE funds.
Further complicating the picture, the U.S. government over the last decade has emphasized regulatory initiatives that directly and indirectly target PE fund managers and their portfolio companies. Generally these enforcement actions have involved regulations with an international hook, including:
- the Foreign Corrupt Practices Act (FCPA) (an antibribery statute barring the payment of bribes to non-U.S. government officials);
- economic sanctions administered by the Office of Foreign Assets Control (OFAC);
- export controls (with the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR) restricting the export of controlled U.S. goods, information, software, and technology);
- anti-money laundering restrictions (AML); and
- international antitrust actions, especially for collusion and price fixing.
This enforcement focus has sharply increased regulatory risks for PE funds that raise money internationally, that own portfolio companies that operate internationally, or that export or sell to foreign countries. Under the previous administration, the SEC used its powers under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) to target PE funds with vigorous enforcement attention. Yet while this regulation imposed significant compliance costs, the repeal also could have an impact if deregulation turns back the clock to the pre-Dodd-Frank Wild West with respect to general fund management oversight. Throw in costly new compliance concerns for PE fund managers that rely on foreign investment, manage portfolio companies outside the United States, or have global sales, and the end result could be sobering.
2. What is the landscape for international regulatory enforcement? Is it likely these trends will continue under the new administration?
There have been many trends related to the regulation of exports and international conduct that are of concern both for the operation of PE portfolio companies and for PE funds’ own operations. Chief among these are the following:
- Emphasis on International Regulations. The largest penalties in recent enforcement actions (outside of the crackdown on sub-prime mortgage abuses) have involved U.S. regulations governing exports and international conduct. In particular, the U.S. government has emphasized the areas of international antitrust (particularly collusion and price fixing), export controls, OFAC economic sanctions, anticorruption (FCPA), and AML for enforcement attention, imposing tens of billions of dollars of penalties for violations of these regulations. Because PE funds often invest in companies that operate in, sell into, and trade with foreign countries, this trend of increasing penalties sharply increases the risk profile of the investment portfolios of most PE funds.
- Individual Liability. The U.S. government, including through the issuance of the “Yates Memorandum” (discussed here[6]), has emphasized individual liability, believing that nothing has a greater deterrent effect than the prospect of hefty fines or jail time for senior executives.
- Increasing Use of Criminal Penalties. The U.S. Government has increasingly been willing to use either the threat, or the actual imposition, of criminal proceedings as enforcement tools. This combines with another trend discussed below, which is to use penalties – including criminal penalties against individuals – to send a compliance message. Even where civil penalties are the result, the threat of criminal penalties can be used as leverage to extract a larger civil penalty.
- Liability Based Upon Control. Many PE funds have (falsely) taken comfort in the idea that operating models emphasizing the role of the PE fund managers as allocators of capital and management expertise, while leaving the active management of the companies to senior portfolio company managers, insulate them from direct liability for portfolio company compliance lapses. SEC actions, however, have introduced the concept of liability for failure to maintain adequate internal controls and failure to notice indications of fraud or regulatory lapses. The DOJ, as well, has no problem going after owners of third-tier subsidiaries, joint ventures, and other parties that control an entity, even if they do not directly participate in the management of the company. Similar logic applies equally to PE funds. The U.S. government believes ownership confers compliance responsibilities, with failures being punishable by hefty fines. The hands-off approach to compliance that is the rule at many PE funds no longer is tenable (if it ever was).
3. Are there regulatory areas of special concern for PE funds?
In recent years, the U.S. government has sent PE funds the message that they are a focus area for compliance. These efforts include the SEC sending the largest PE funds letters of inquiry into their compliance practices, which some link to the September 2016 SEC announcement that Och-Ziff Capital Management Group would pay approximately $200 million to settle SEC charges of FCPA violations, along with a DOJ criminal penalty of $213 million (plus individual fines, including nearly $2.2 million for the CEO of Och-Ziff). Total criminal and civil penalties of $412 million underscore the importance of U.S. government compliance expectations for PE funds.
Some other areas of special concern for PE funds include the following:
- SEC Enforcement. In addition to the enforcement developments noted above, the SEC in other ways has made PE funds an enforcement focus, including through the creation of an Asset Management Unit to focus exclusively on PE funds, hedge funds, and even regulated mutual funds. Because the SEC also is in charge of enforcing the internal controls and books and records provisions of the FCPA, this SEC focus exposes PE funds to scrutiny for one of the legal regimes that consistently sees the highest level of fines.
- Dodd-Frank Effect. Traditionally, PE funds have operated largely free of regulatory oversight (with the exception of normal regulatory requirements placed on portfolio firms or on the PE fund directly, such as HR-type compliance requirements). But the Dodd-Frank Act now requires that PE funds register with the SEC unless they have under $150 million in assets under management or qualify for a venture fund or family office exemption, subjecting them to various SEC rules and oversight. These rules include the Compliance Program Rule (Rule 206(4)-7), which requires that PE funds have and maintain an effective compliance program designed to prevent violations of the Advisers Act. Required actions include the adoption and implementation of written policies and procedures reasonably designed to prevent violations of the Advisers Act, the conduct of a compliance program review at least annually, and the appointment of a chief compliance officer, along with a host of additional regulatory responsibilities that come with SEC oversight.
- Multiplying Risk Factors. The manner in which PE funds typically operate increases their risk profile in these ways:
  - PE fund managers often manage multiple funds, each of which generally invests in a portfolio of different companies. This multiplication of investment vehicles and holdings complicates compliance oversight, as regulators increasingly view the role of the PE fund manager as enforcing compliance expectations across portfolio companies through the conduct of risk assessments, implementation of compliance programs and internal controls, and oversight of the adequacy of compliance. Fragmented investments and individual implementation of compliance initiatives complicate achieving a high level of compliance across the full portfolio of investments.
  - Most legal regimes do not allow changes in corporate form to alter liability for the underlying conduct. Since most PE funds frequently are in acquisition mode to fill out their investment portfolio, onboarding transactions multiply the risk of acquiring violations.
  - PE funds frequently invest in multinational companies, which often operate in and/or sell to industries and in countries at heightened risk of enforcement activity under such high-risk legal regimes as the FCPA, OFAC sanctions, export controls, antitrust, and AML laws.
  - With many PE funds being currently regulated under the federal securities laws, they remain liable for the bookkeeping and internal control requirements of the FCPA, which require accuracy in books and records and an effective internal control environment sufficient to give the company control of the disbursement and use of assets.
  - The opening of an investigation at one portfolio company can become an investigation of a group of companies or even all portfolio investments, as regulators have the discretion to inquire broadly into potential issues across the PE fund’s investments.
4. What are the regulatory areas where PE funds should focus their attention?
The following areas merit special scrutiny by PE funds in the administration of both their portfolio investments and their fund operations:
- Antitrust. Under the Obama administration, antitrust enforcement was regarded as being more aggressive, including with regard to the willingness of regulators to challenge transactions that fell below the filing thresholds of the Hart-Scott-Rodino Antitrust Improvements Act of 1976. It is difficult to handicap whether this scrutiny will change. While Republican administrations are viewed as more relaxed in the antitrust area, this generally has meant a more lenient approach to merger activities, not a lessening of the enforcement of such antitrust issues as collusion and price fixing. Further, when campaigning, President Trump stated that if he were president he would seek to block the $85 billion AT&T/Time Warner merger, which potentially could signal a mindset of preventing concentrations of market power.
President Trump also has personal experience in antitrust cases, including as a plaintiff in a federal antitrust suit against the National Football League, as a defendant in a NJ state court suit alleging he attempted to monopolize and suppress competition in the Atlantic City casino gambling market, and his payment of a $750,000 civil penalty to resolve claims he violated the Hart-Scott-Rodino Act’s reporting and waiting period requirements when acquiring stock in two gaming companies. It is unclear how these experiences will shape President Trump’s view of antitrust law.
Because the administration’s stance could impact the acquisition and exit strategies for PE funds that own companies in concentrated industries, monitoring early antitrust activity will be important. Discerning the views of new appointees to the Federal Trade Commission and the head of the DOJ’s Antitrust Division will help divine how the administration is likely to proceed. Regardless of how the new administration treats antitrust on the monopolization side, our expectation is that antitrust enforcement will continue to be strong, especially for activities that subvert the competitive market, such as collusion and price fixing. The same is likely to be true with regard to the enforcement of fair competition laws abroad, which are in many countries enforced as rigorously as or even more so than U.S. antitrust law. As a result, ensuring antitrust and fair competition compliance at portfolio companies will continue to be an important risk-management requirement for PE fund managers.
- Cybersecurity. President Trump stated during the first presidential debate that the U.S. government needed to get “very, very tough on cyber and cyberwarfare,” and called for the creation of a joint public-private team of experts to analyze U.S. government cybersecurity protections. With the intelligence agencies agreeing that China, Russia, and North Korea have engaged in hacking designed to steal confidential data from the U.S. government and U.S. companies, and with private intrusions being even more common, it is likely that regulatory agencies such as the SEC and subject-matter agencies overseeing particular industries will be implementing regulations and other measures designed to ensure that regulated companies are putting in place measures to combat electronic intrusion into company networks and confidential data sources. Expectations will be particularly high for companies that maintain classified or controlled information, for government contractors, for firms with security clearances or that maintain classified data, or for companies that deal with export-controlled technical data. Firms that deal with highly confidential personal data, such as healthcare and financial firms, also will be under heightened scrutiny. Any firm in this category should operate under heightened compliance expectations to ensure they are not victims of hacking or cyberattacks. (Cybersecurity will be covered in a future “top ten questions” alert.) PE funds need to have a firm handle on the vulnerability of their portfolio investments to such attacks and have strong compliance measures designed to fight off such electronic intrusions.
- FCPA. FCPA risks existed long before the enforcement activity highlighted above. With many PE funds now regulated under the federal securities laws, they remain liable for the bookkeeping and internal control requirements of the FCPA, which require accuracy in books and records and an effective internal control environment sufficient to give the company control over and insight into the disbursement and use of assets. Further, the ways in which many PE funds operate increase the risk of direct application of the law to their operations. For example, many PE funds seek investments from sovereign wealth funds. Due to the operation of the FCPA’s rules, which consider all employees of sovereign wealth funds to be “government officials,” the payment of bribes to secure sovereign wealth investments is potentially a criminal act. Liability also is enhanced by the frequent use of consultants in foreign countries, including placement agents and marketing firms. FCPA liability attaches to dealings by these third parties where the PE fund either knew, or had reason to know, that the arrangement would result in the payment of a bribe.
Even if liability is attached at the portfolio company level, keeping the penalty “away” from the PE fund and its managers can be a pyrrhic victory, as the economic hit of a portfolio penalty will still be felt on the PE fund balance sheet – a key concern, given that penalties under the FCPA generally exceed $1 billion annually. For this reason, the FCPA is a priority not only in terms of compliance, but also as a due diligence item during acquisitions. Since penalties are generally a fund expense, even limited partners, who may view themselves as being outside of the realm of prosecution, can still take a hit on their investments. (The FCPA will be covered in detail in a future “top ten questions” alert.)
- Economic Sanctions/Export Controls. Over the last few years, the economic sanctions programs overseen by OFAC, alongside the coordinating export control regimes, have become a key enforcement priority of the U.S. government. Penalties in the OFAC area alone can exceed $1 billion annually. Further complicating compliance in this area is that the regulations rapidly change, reflecting the foreign policy issues that arise daily. Compliance is no longer accomplished just by screening new customers against OFAC lists of Specially Designated Nationals. A multi-faceted compliance program, based upon a current risk assessment, is an essential risk-management tool for portfolio companies operating internationally. Export controls and sanctions accordingly are an important due diligence item. (Export controls and economic sanctions will be covered in detail in a future “top ten questions” alert.)
- Privacy. During the Obama administration, the Federal Trade Commission (FTC) took the lead on bringing actions against companies that used personal data in ways that exceeded how they had agreed to use such information. Although some critics believed these actions were based on an overly broad reading of the “unfair practices” and “likelihood of consumer harm” provisions in Section 5 of the FTC Act, the protection of consumer data has become a bipartisan issue. Some business interests may press the new administration and Republican Congress to weaken privacy restrictions to allow greater data mining, including through reversal of the USA Freedom Act of 2015 (which amended the USA PATRIOT Act to create additional data privacy protections). It is likely, however, that such amendments would jeopardize the EU-U.S. Privacy Shield agreement, which allows companies to send data from the EU to the U.S. in compliance with EU law. Fears of cutting off the ability to share information with the EU likely would forestall such amendments. We accordingly do not see any scaling back of the regulatory expectation of protection of data privacy and expect that other regulatory agencies will look to enhance privacy protections. This makes privacy compliance measures important at PE portfolio firms that deal with confidential data, such as financial and healthcare firms.
- Whistleblower Issues. The Dodd-Frank Act provides that the provision of information to the SEC that results in monetary sanctions of $1 million or more for violations of the federal securities laws or regulations thereunder makes the whistleblower eligible for an award of 10-30 percent of the amount recovered. The information cannot already be known to the SEC or derived from public sources and must be based on the whistleblower’s independent knowledge or independent analysis. Although the rules also allow the whistleblower a 120-day window to provide the same information to the company, the whistleblower still has a strong incentive to report to the SEC because the SEC rules protect the whistleblower from company retaliation.
The SEC rules apply to any entity subject to federal securities laws, thus including most PE funds with more than $150 million under management. The addition of SEC coverage increases the risk of whistleblower actions because the SEC maintains a well-known whistleblower program. But regardless of whether SEC rules apply, whistleblower issues under other programs still exist, with whistleblower issues having special bite in the PE context. The reasons why include the following:
- Whistleblowers can be employees of either the PE fund or the portfolio company, thus increasing the number of persons who can report compliance lapses.
- Unlike for most private or publicly traded companies, where whistleblowers generally know only about compliance lapses in their own areas of responsibility, office, or division, PE funds often have employees who may know about issues across the full range of portfolio companies. This gives employees the potential to become whistleblowers across multiple companies at the same time.
- Since many PE funds do not directly manage their portfolio companies, they may not have sufficient insight into the effectiveness of compliance at their holdings, making it more difficult to detect compliance lapses that can lead to whistleblowing opportunities.
- PE funds often purchase companies where it is expected that better management and more efficient operations will increase profitability, making for a profitable exit strategy. To the extent that these activities lead to job losses, they create conditions that foster whistleblower activities from disgruntled or terminated employees.
While there are serious discussions in Washington regarding the potential repeal of the Dodd-Frank law, in whole or in part, we expect that the whistleblower provisions will survive, due to their demonstrated utility. This may be either through preservation of the statutory authority for the whistleblower program or through an exercise in SEC rulemaking. Regardless, even if the program were to disappear, we believe this should not impact the level of resources devoted to compliance or the type of compliance measures maintained by PE funds, including at their portfolio companies. The size of potential penalties alone dictates that companies mitigate risk through effective compliance measures.
5. What are some of the risk factors that PE funds should be looking at when acquiring portfolio companies?
Regardless of the context (export controls, OFAC sanctions, FCPA, and so forth), government regulators believe change of control does not eliminate liability for violations. As the FCPA Guide states: “[s]uccessor liability applies to all kinds of civil and criminal liabilities, and FCPA violations are no exception.”[7] Further, an acquiring entity is responsible for any ongoing or new violations, from the very first moment of ownership.
The prospect of inherited liability makes due diligence at the acquisition stage more important than ever. The speed at which deals are completed, however, as well as the difficulties in getting full information from target companies, can complicate fact finding. Time and advance thought to the due diligence strategy always are important to combat these realities. If issues are identified early in the process, protections in the form of tailored representations and warranties, escrow funds, prior disclosures to agencies, agreements that the cost of investigations will be borne by the seller, or even a diminished sales price can all be used to protect against known risks. In some cases, the problems may be large enough to merit abandoning the deal. But none of these risk-mitigating strategies can be used for risks not uncovered through appropriate due diligence.
Some of the key issues that should be evaluated in any acquisition of a multinational target include the following:
- International Regulatory Risk. As noted above, such international regulatory risks as international antitrust, export controls, OFAC sanctions, AML, and anticorruption arise where targets are multinational companies that operate, export, or sell abroad. For any acquisition with an international risk profile, careful inquiry should be made into these key areas, which are all enforcement priorities for the U.S. government.
- Operations in Countries of Concern. Due diligence should not be done in a one-size-fits-all fashion. Instead, it should be tailored to the overall risk profile and particular risks of a given transaction. One of the key determinants is the countries where the target operates and sells. Countries that rank high on the Transparency International Perceived Corruption Index also tend to have a general lack of respect for the rule of law, and to present a heightened risk profile for such things as export controls and OFAC sanctions (diversion risk), AML, and other regulatory concerns. Heightened due diligence generally is appropriate when the target has significant ties to such countries as China, India, Russia, much of Latin America, the Middle East, and Africa, as well as countries in Europe with a reputation for diminished respect for the rule of law (Italy, Greece, and so forth).
- Controlled Goods. Companies that manufacture, broker, sell, or export goods that are subject to controls under the ITAR (USML goods or goods that are specially modified to meet military specifications) or the EAR (goods with an ECCN) present special compliance concerns, as well as heightened opportunities to commit legal violations of the strict export control regulations. Inquiry should always be made as to the presence of controlled goods or technical data at the target, with a tailored follow-up inquiry should initial results be positive.
- International Trade Risk. PE funds often own portfolio companies that operate internationally. If President Trump follows through on claims that he will aggressively pursue an “America First” international trade strategy (and all indications are that he will), U.S. companies, including U.S. PE funds, may need to move their focus to U.S. investment opportunities. PE funds that possess portfolio investments abroad, or that are seeking such investments, will need to carefully factor in international trade risk, especially if they are looking at investments that draw some of their value from operations in or trade with foreign countries that are under a trade spotlight (China, Mexico, developing markets like India, the Philippines, Vietnam, and to some extent other countries where there is a trade deficit like Germany, Korea, and Japan). Relevant inquiries include whether the target imports goods that are subject to antidumping or countervailing duty orders, whether the company is heavily reliant on imports from China, Mexico, or other countries viewed as being a subject of potential trade actions, and the company’s general susceptibility to international supply chain disruptions. (These issues are covered in detail in separate Foley client alerts, available here.[8])
- Supply Chain Risk. President Trump has vigorously and often stated his view that international trade as currently constituted allows certain countries to take advantage of the liberal U.S. free trade posture. With President Trump asserting that his administration will crack down on countries that maintain a significant trade surplus with the United States – whether through the imposition of increased tariffs, review of Free Trade Agreements (including NAFTA), a border tax, safeguard actions, or antidumping and countervailing duty orders – it is appropriate for acquiring companies to closely examine whether target companies import a large amount of goods or significant components, particularly if they are goods that are commonly subject to antidumping and countervailing duty actions (steel, many chemicals, and so forth). Further, the potential amendment of or withdrawal from NAFTA could have a huge impact on companies that rely on Mexican sourcing as part of an integrated supply chain. Although not commonly a due diligence topic, acquiring PE funds should carefully determine whether the target’s input sourcing depends on the operation of free trade agreements like NAFTA and determine the susceptibility of the target to supply chain disruption if President Trump’s international trade campaign announcements are in fact implemented. (Risk scenarios regarding NAFTA are explored in detail here.[9])
- National Security Risk. As outlined in an earlier client alert regarding national security and the CFIUS review process, there are reasons to expect the new administration to emphasize national and economic security issues. Acquiring firms should carefully evaluate whether sales to foreign companies merit a CFIUS review due to the transaction potentially implicating national or economic security concerns due to the sale of sensitive technology, product lines, technical data, or other sensitive interests to a foreign company. Further information is found in Foley’s “top ten questions” CFIUS client alert.[10]
6. Sounds scary! What can I do to prevent purchasing trouble?
As noted above, liability for issues can be purchased. The FCPA Resource Guide provides the following tips to minimize risks, which are equally applicable to any high-risk legal regime:
- Conduct thorough risk-based due diligence.
- Ensure the acquiring company applies its code of conduct and compliance policies to the target as quickly as possible or otherwise ensures strong compliance is in place soon after the acquisition.
- Train the directors, officers, and employees of newly acquired businesses or merged entities regarding high-risk regulations and risks of its business model (which hopefully were identified as part of a searching due diligence inquiry prior to acquisition); consider training agents and business partners where the risk is high.
- Conduct a compliance audit of all newly acquired or merged businesses as quickly as practicable.
- Consider disclosing any issues discovered as part of the due diligence or post-acquisition compliance implementation to relevant regulatory authorities.11
As can be seen, the recommendations center on the conduct of effective due diligence and the implementation of the learnings of that due diligence after the acquisition. The role of due diligence in this process cannot be overstated, as effective due diligence actually has seven rationales: (1) to determine the risk of the acquisition; (2) to ensure proper valuation of the acquired company; (3) to determine the potential liability for FCPA violations; (4) to minimize unexpected surprises; (5) to minimize liability for past conduct; (6) to identify future compliance issues; and (7) to assist in post-acquisition planning.
To minimize the risk of unpleasant surprises, the due diligence inquiry should address:
- Evaluating the risk profile of the target including with regard to its industry, countries of sales and operation, interactions with foreign governments, use of third parties/consultants/joint ventures, and so forth.
- Evaluating the structure of the target’s operations, including its customer base, its non-U.S. operations, and the countries in which it operates, and to which it sells and exports.
- Determining how the target does business with third parties, what due diligence was performed on them, and the extent of business that relies on agents or distributors.
- Determining the rigor of the target’s recordkeeping and accounting procedures.
- Determining whether the target has appropriate compliance and training procedures.
- Determining whether the target conducts periodic reviews and certifications of its third-party intermediaries and whether the target has contractual provisions that allow termination based upon suspected legal violations.
- Determining whether the target has procedures to help identify red flags for high-risk areas (FCPA, export controls, sanctions, AML, and antitrust/fair competition, among others), with appropriate follow up.
- Determining whether the target has been the subject of investigation by any government that potentially could lead to significant risk and penalty exposure under legal regimes of concern.
- Determining whether the target’s compliance structure is appropriate, including with regard to compliance resources located outside of headquarters, and whether it is run, in an independent fashion, by a senior management-level employee who is backed with appropriate resources.
- Determining whether the target conducts periodic internal compliance assessments and compliance audits and follows up on identified compliance gaps with compliance improvements to identify known compliance issues.
Further information is provided in the Foley international compliance guide and risk-assessment toolkit, which is available by contacting the chair of the Export Controls and National Security practice at +1 202.945.6149 or ghusisian foley.com.
7. What can I do to prevent problems in my portfolio companies?
Too many companies view due diligence as a check-off item that begins and ends at discrete portions of the deal. The best practice in the area, however, is to view due diligence as an entrée not only to identification of risk, but also the first step in the administration of the to-be acquired company’s compliance implementation. To take full advantage of the efforts put into due diligence, acquiring companies should have a well-thought due diligence and compliance integration plan. Some guideposts to consider along the way include:
- Determining the Scope of Due Diligence. The degree of due diligence to be conducted, and the areas of concentration, should be based upon the size of the transaction, its risk profile, and the business profile of the target. Targets that operate in high-risk environments like China, the Middle East, Russia, Latin America, or Africa, or make significant sales into them, require more careful scrutiny. The same is true of targets that operate in the export controlled (ITAR or EAR) or classified arenas or that are government contractors.
- Keep a Fluid View of the Developing Risk Profile of the Target. Due diligence should not be a check-off item. As information is developed, an evolving view of the target’s business and risk profile should be constructed and modified, so as to determine areas of potential regulatory risks and likely compliance lapses. Well conducted due diligence also can help frame compliance integration after the acquisition.
- Conduct a Compliance Gap Analysis. The due diligence inquiry should include an inquiry into the compliance environment at the target for all high-risk areas, which often are international in scope (anti-corruption, economic sanctions, antitrust/fair competition, export controls, anti-money laundering, and so forth). The scope of the compliance measures in place, as well as related internal controls and training, should be compared to the risk profile of the target.
- Prepare an Integration Plan. Often, integration “plans” for PE firm acquisitions consist of nothing more than stating that the target will be integrated into the compliance program of the acquiring company (if an acquisition by an existing portfolio company) or using a generic compliance template that the acquiring PE fund digs up from a prior deal and indiscriminately applies. But such compliance shortcuts should not occur without first considering such issues as whether compliance omissions in the target’s compliance measures potentially created issues that require investigation, evaluating whether the prior training has gaps in coverage or personnel trained, and determining whether the target’s internal controls match up with the compliance objectives and the target’s risk profile. Integration of compliance programs should not occur without first giving thought to whether the risk profile of the combined entity changes based upon the new acquisition, thus potentially making a mismatch between the planned compliance measures and the merged entity.
- Follow up on Identified Issues. Acquiring companies should ensure there is a thorough and timely follow up on any issues identified during the course of the acquisition, especially for high-risk legal regimes. Any ongoing investigation will need to be completed in a timely fashion; issues not thoroughly investigated by the prior management may need to be fast tracked. Similarly, gaps in compliance identified through due diligence also should be evaluated to determine if they likely have led to compliance lapses that need to be addressed.
- Conduct a Compliance Audit/Risk Assessment. Acquiring companies should not assume that all compliance issues were identified during the due diligence process. A compliance audit/risk assessment, conducted within 30 to 90 days of acquisition, often is appropriate, especially for target companies that have a heightened risk profile or that represent a significant addition of business to the PE fund’s portfolio.
- Review Company Culture. Consideration should be given to whether the company's culture emphasized compliance. A company that did not set a tone at the top supporting compliance, for example, will often require significant intervention to establish the right culture of compliance. This cannot be accomplished merely by conducting a few training sessions.
- Set a Training Schedule. The post-acquisition company should establish a training schedule. This will require a review of the training performed by the target prior to the acquisition to determine whether the correct personnel were receiving tailored training in the correct areas. The goal should be to identify within 30 to 60 days any significant training omissions and to ensure these employees (and perhaps consultants and other third parties) are trained in all high-risk areas pertinent to their responsibilities.
8. Compliance at portfolio companies sounds complicated! Has anyone ever thought of putting together a twelve-step program to provide guideposts for an effective risk mitigation?
One of the authors of this client alert has an international compliance guide that includes just such a twelve-step program; a copy is available by request.12 The headlines of this twelve-step program are as follows:
- Step 1: Secure Buy-In at the Top. This includes not only taking steps to secure the appropriate “tone at the top” and support for compliance efforts, but also securing adequate resources to support compliance efforts.
- Step 2: Perform a Risk Assessment. The second step for most organizations is to perform a risk assessment (a survey of the company’s operations to determine the exposure of the organization to various forms of regulatory risk, considering both the likelihood and severity of possible violations and the current enforcement priorities of the relevant authority). Once the risk assessment is complete, the results should be carefully evaluated to determine where the areas of greatest compliance concern lie through the preparation of a company-wide risk profile, which can guide the allocation of compliance resources.
- Step 3: Survey Current Controls. Step 3 involves surveying current compliance procedures and internal controls to determine whether the compliance measures in place properly cover the circumstances that may put the organization at risk of violations.
- Step 4: Identify Available Resources. After an inventory of compliance procedures has occurred, a key next step is to ensure the organization has not fallen into the classic compliance trap of over-promising and under-delivering by imposing compliance requirements and then failing to implement them. To avoid these and other promise-resource mismatches, the company should, with a clear and open mind, compare its identified risk profile with the inventory of current policies and internal controls to determine whether there are any gaps between the two. Funding adequate to cover all necessary compliance efforts should be in place and, if not, should become a funding priority.
- Step 5: Assess Local Oversight. The state of compliance as envisioned at corporate headquarters, and the actual state of compliance as implemented in the field, far too often diverge. It accordingly is necessary, at least at larger companies, to establish a compliance infrastructure that includes compliance liaisons and various local resources that can ensure effective implementation of compliance dictates. These resources also can be invaluable in identifying compliance lapses before they grow and become a large problem.
- Step 6: Create a Written Compliance Policy. It is an unfortunate fact that Step 6—the drafting of the compliance manual—is often Step 1 for many companies. But there is considerable groundwork to cover before the organization should begin the actual drafting of the compliance manual, including the performance of a risk assessment and establishment of the culture of compliance. The written manual should accurately summarize the regulations, using plain language that employees without legal training can readily follow. The focus should be on readability and tailoring the policy to the risk and business profile of the company, not trying to cover every nuance of the legal regime at issue.
- Step 7: Establish Internal Controls. Although internal controls (called standard operating procedures at some companies) are one of the three pillars of compliance (along with the written policy and training), they often are the most neglected. But internal controls provide procedures essential to implement the dictates of the compliance program. Systematizing compliance through internal controls also gives the company the ability to audit compliance and determine how effective the procedures actually are.
- Step 8: Training, Training, Training. The basic task of training is to ensure, in conjunction with a well-written compliance program and appropriate internal controls, that employees and agents have sufficient knowledge to recognize red flags and other problematic situations, and understand what they need to do to comply. The goal is not to create legal experts all across the company; rather, it is to sensitize people to the law so they know when to seek counsel from the appropriate compliance or legal personnel. No compliance regime will be successful unless the appropriate individuals are identified and trained regarding the company’s compliance efforts and the operation of its compliance program.
- Step 9: Integrate Outsiders. Outsiders—third parties who act (or could be construed as acting) for the organization—are often a key source of risk. Companies accordingly should take steps to ensure outsiders acting on their behalf are trained in the key compliance requirements, whether through the imposition of an obligation of the outside actor to receive training or through direct integration of the outsider into the company’s compliance program.
- Step 10: Auditing and Checkups. It is difficult to have a strong compliance program unless it is regularly tested and probed, with the results analyzed to develop compliance improvement action items. As companies realize the dangers of letting their compliance program run on auto-pilot, it has become common for companies to use risk-based auditing principles to determine the countries, divisions, subsidiaries, and third parties who should be monitored through audits and compliance check-ups. Companies that do so reap considerable compliance dividends.
- Step 11: Monitor Red Flags. The identification of red flags and ensuring appropriate follow-up are the keystones to a well-functioning compliance system. One of the most important tasks when implementing international compliance is to train relevant stakeholders regarding the transactions and conduct that are suspicious given the regulatory requirements.
- Step 12: Communicate with the Board & Senior Management. In corporations that set the proper compliance tone, board-level involvement is regular and institutionalized. The key areas for board-level involvement include thorough oversight of compliance initiatives, quarterly reports of compliance activities, and special communications for potentially serious matters.
9. What compliance steps can I take to minimize the risk of whistleblowers?
The urgency of taking steps to minimize whistleblowers has never been more important for PE funds. The issue arises both at portfolio companies and at the PE fund itself, where employees may have wide-ranging access to information regarding compliance lapses across the entirety of the company’s portfolio. Even if the PE firm and its investments are exonerated, the cost of internal investigation and dealing with the regulatory agencies in the wake of a whistleblower report can be considerable. Further, studies show that most whistleblowers are motivated by reasons other than money (i.e., whistleblowing often occurs because employees are disgruntled or terminated, or because they have raised concerns about compliance lapses and believe the issue was not taken seriously). Thus, even if the Dodd-Frank whistleblower regime disappears, whistleblowing concerns will still remain.
Compliance measures to minimize external whistleblower activity include:
- Implementing internal reporting channels, adjusted for the size and nature of the business, at all portfolio companies and at the PE firm itself.
- Creating multiple ways to report potential misconduct, including through web-based reporting, dedicated compliance email addresses, and independent 24-hour telephone hotlines with multiple-language capability.
- Creating ways for external compliance stakeholders to report misconduct related to PE firm management or portfolio companies.
- Implementing procedures to evaluate the significance of claims quickly, determine the priority of investigation, and prepare appropriate follow up based on the potential seriousness of the issue.
- Maintaining procedures to document all claims received, the course of the investigation (if any), and the ultimate resolution.
- Maintaining procedures to report to whistleblowers how their claims were handled while sanitizing reports of any confidential data.
- Maintaining procedures for determining when outside investigative resources, including law firms and forensic specialists, need to be brought onto investigations.
- Implementing special procedures related to the handling of complaints related to senior management, board members, and audit and compliance committee members.
- Drafting policies to ensure confidential treatment of materials related to internal investigations, including procedures designed to preserve attorney-client communication and attorney work product privileges.
- Maintaining anti-retaliation compliance policies to ensure there is no retaliation for whistleblower activity and that whistleblowers continue to be evaluated solely based on quality of their work and not concerns related to whistleblower activities (i.e., the firm needs to avoid claims of retaliation).
- Creating procedures to ensure any compliance lapses are remedied, such that issues identified as a result of whistleblower activity (or that otherwise are discovered) are not repeated.
While implementing these compliance items is important, the PE fund should not use severance or monetary incentives to minimize the risk of whistleblowers. In several enforcement matters, the SEC has imposed significant penalties against companies that maintained provisions that restricted the ability of an employee or ex-employee to report as a whistleblower. Significantly, penalties have been imposed even absent any showing that anyone was deterred from actually reporting a compliance lapse. Instead of trying to restrict external whistleblowers, PE funds should put their efforts into ensuring that compliance lapses do not occur in the first place and encouraging internal whistleblowing.
10. How can I prevent compliance concerns from derailing my exit strategy?
Given that PE funds tend to have finite ownership timeframes, PE funds need to be equally concerned with how compliance concerns will impact their ability to sell companies. By far the most useful strategy is to maintain a strong compliance program throughout the ownership period, which not only allows the company to provide assurances to potential purchasers regarding the compliance environment but also minimizes the chances of costly compliance lapses.
But beyond this basic strategy, the following are issues to consider when the PE firm is considering exiting from a particular portfolio investment:
- CFIUS. As noted above and in a separate Foley Client Alert, it is widely anticipated that CFIUS reviews will be more rigorous under the new administration. This is a particular concern with regard to the largest source of CFIUS requests, which is for deals involving Chinese acquirers. By most measures, outbound investment from China accounted for twenty percent of global M&A activity in 2016, more than double 2015 levels. PE funds contemplating a potential sale to a Chinese company, in particular, need to consider the national and economic security implications of such transactions, with an eye towards whether a CFIUS pre-clearance should be sought. Full information regarding the most likely to raise CFIUS concerns is found here.13
- Conduct a Pre-Sale Compliance Audit. It is far better to know about compliance lapses, and to fix them before the sale, than it is to find them out during the due diligence phase and then have to scramble to fix them and to explain them to a skeptical purchaser. A pre-sale compliance audit not only allows for such corrections, it also can be used to put together due diligence responses in advance, allowing the company to develop a strategy for dealing with problem situations. The authors of this article in some cases have put together a “compliance white paper” to pre-emptively deal with known issues, thereby putting purchasers at ease regarding the scope of known compliance lapses. Such a review also can minimize the chances of there being a claim for misrepresentation after the deal has closed if the purchaser discovers issues that were not disclosed during the due diligence inquiry.
- Prepare in Advance for Heavy Due Diligence Requests. Selling companies should expect heavy due diligence requests, especially for sales of companies that operate in, or sell into or export to, countries of concern (China, India, Russia, much of Latin America and Africa, etc.). Even where there is not trade with such red flag countries, the heightened enforcement activity for the FCPA, export controls, economic sanctions, antitrust, and AML means these areas are often a focus of due diligence inquiry. Since these inquiries can be expected, it often is possible to put together commonly requested information in advance, speeding up the responses to such inquiries.
- Go Beyond Providing the Minimum. Too often, selling entities view due diligence as a win-lose scenario, in which the goal is to provide the minimum information possible, under the theory that the more potential purchasers know about the target, the more they can “create trouble” (i.e., raise questions, seek enhanced protections through onerous representation and warranty clauses, and so forth). Yet in the current enforcement environment, requests for full compliance information are appropriate and to be expected. Disarming suspicions by acquiring companies regarding the state of compliance occurs through full and thorough cooperation and the preparation of complete and accurate responses to due diligence requests, including through the provision of information that, while not perhaps being directly requested, is still relevant to a thorough assessment of the state of compliance at the target company.
For these reasons, the regulatory landscape is uncertain for PE funds. Just as is true with investing, however, uncertainty creates both risks and opportunities. PE funds that learn to navigate the regulatory expectations that govern their activities will have an opportunity to deal with these risks better than their competitors, including through avoiding costly investigations and penalties. Through careful risk identification and risk management, firms can adapt to the new and aggressive enforcement of many U.S. regulations, as well as new regulatory developments likely to occur under the new administration. Regardless of regulatory developments over the next four years, however, the days when it was appropriate for PE funds to leave such concerns entirely to the senior management of portfolio companies are now gone. Ensuring that sound risk-identification and risk-management practices are in place at every portfolio investment is the best way to cope with the new enforcement environment.
Want more help? The authors of this article are the chair of Foley’s Export Controls & National Security Practice (Mr. Husisian) and the chair of Foley’s Private Funds & Buyout Practice and vice chair of the firm’s Private Equity & Venture Capital Practice (Mr. Boudreau). If you have additional questions regarding international and regulatory matters, or would like a copy of Mr. Husisian’s risk-assessment toolkit, please contact him at +1 202.945.6149 or email@example.com. If you have additional questions about PE and investment fund work, please contact Mr. Boudreau at +1 617.342.4087 or tboudreau foley.com.
* * *
The international climate for U.S.-based multinational companies and non-U.S. based companies that sell into the United States has never been more uncertain. This client alert is the sixth of a series of Alerts being prepared to help companies navigate the uncertain international trade and regulatory environment. As noted in the introduction, existing “top ten” articles cover the future of international trade (NAFTA, International Trade (antidumping and countervailing duty) actions, Customs and Border Protection); international investment (CFIUS and this Alert); and international regulations (cybersecurity and white collar enforcement). Future client alerts will cover OFAC economic sanctions and Export Controls and the FCPA. If you would like to be added to the mailing list for these alerts, please contact the chair of the Foley & Lardner LLP Export Controls and National Security practice, at firstname.lastname@example.org or +1 202.945.6149.
1 See Gregory Husisian and Robert Huey, “NAFTA and the Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/nafta-and-the-new-trump-administration-12-01-2016/.
2 See Gregory Husisian and Robert Huey, “U.S. Customs and the Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/us-customs-and-the-new-trump-administration-your-top-ten-questions-answered-02-07-2017/.
3 See Gregory Husisian and Robert Huey, “International Trade Litigation and the Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/international-trade-litigation-and-the-new-trump-administration-your-top-ten-questions-answered-01-06-2017/.
4 See Gregory Husisian, “CFIUS Reviews and the Trump Administration, Your Top Ten Questions Answered,” https://www.foley.com/cfius-and-the-new-trump-administration-your-top-ten-questions-answered-01-25-2017/.
5 Scott Fredericksen & Gregory Husisian, “White Collar Enforcement and the New Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/white-collar-enforcement-and-the-new-trump-administration-your-top-ten-questions-answered-02-09-2017/.
6 See Scott Fredericksen & Gregory Husisian, “White Collar Enforcement and the New Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/white-collar-enforcement-and-the-new-trump-administration-your-top-ten-questions-answered-02-09-2017/.
7 U.S. Dep’t of Justice and U.S. Sec. & Exch. Comm’n, “A Resource Guide to the U.S. Foreign Corrupt Practices Act” (Nov. 14, 2012), https://www.justice.gov/criminal-fraud/fcpa-guidance.
8 See Gregory Husisian and Robert Huey, “International Trade Litigation and the Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/international-trade-litigation-and-the-new-trump-administration-your-top-ten-questions-answered-01-06-2017/.
9 See Gregory Husisian and Robert Huey, “NAFTA and the Trump Administration: Your Top Ten Questions Answered,” https://www.foley.com/nafta-and-the-new-trump-administration-12-01-2016/.
10 See Gregory Husisian, “CFIUS Reviews and the Trump Administration, Your Top Ten Questions Answered,” https://www.foley.com/cfius-and-the-new-trump-administration-your-top-ten-questions-answered-01-25-2017/.
11 FCPA Resource Guide at 29.
12 Please contact Gregory Husisian at +1 202.945.6149 or ghusisian foley.com to receive a copy.
13 See Gregory Husisian, “CFIUS Reviews and the Trump Administration, Your Top Ten Questions Answered,” https://www.foley.com/cfius-and-the-new-trump-administration-your-top-ten-questions-answered-01-25-2017/.