Regulatory Due Diligence: Definition, Use, And Best Practices

The global deal failure rate is between 70% and 90%, with regulatory hurdles, geopolitical uncertainty, and ill-advised acquisitions being the three main drivers. At the same time, regulatory due diligence is considered to be among the three key success factors.

This article explores the nature and business cases of regulatory due diligence. You will also get a regulatory diligence checklist and learn how reliable compliance technology allows you to outperform 82% of organizations (based on the numbers provided by the MetricStream 2021 survey).

What is regulatory due diligence?

Regulatory due diligence is the comprehensive evaluation of regulatory compliance and related risks associated with the business transaction.

Regulatory due diligence is part of the broader diligence process, aiming to detect, address, and prevent regulatory issues in various business activities, such as:

• Mergers and acquisitions (M&A). It helps dealmakers reduce regulatory issues within the M&A lifecycle. 
• Capital raising. It helps private equity firms follow complex regulations in fundraising deals, including but not limited to the Securities Act and Foreign Corrupt Practices Act.
• Initial public offerings (IPO). It helps private companies comply with the Securities Act and related regulations when going public.
• Compliance audits. It ensures that businesses maintain compliance in the changing regulatory landscape. 

Read more about each of these business cases a bit further.

Regulatory due diligence checklist

During an M&A transaction, IPO, capital raising, or a compliance audit, due diligence (DD) teams evaluate business processes against regulatory requirements on a federal level. They include antitrust and data privacy compliance, anti-money laundering (AML) laws, and ESG regulations.

Below, you can check the sample of the regulatory due diligence checklist that covers items under core regulatory aspects. 

• Please note: The following checklist is not exhaustive, as its potential areas may vary based on the nature of your company and a particular business base.

Regulatory due diligence area	Regulatory act	Due diligence review sample
Antitrust compliance	Sherman Antitrust Act	A company’s market share and monopolistic practice assessment Mergers and acquisitions history Antitrust risks, including collusion agreements with competitors and predatory pricing practices History of antitrust case filings
	Clayton Antitrust Act	Antitrust risks, including elusive dealing contracts and agreements, price discrimination, and corruptive practices History of mergers and acquisitions History of antitrust litigations
Anti-corruption compliance	Foreign Corrupt Practices Act (FCPA)	Existence and efficiency of anti-bribery policies Third-party due diligence procedures Record-keeping practices and bribery reporting mechanisms FCPA compliance training programs and activities Gifts, hospitality, and entertainment practices across the organization
	Bank Secrecy Act (BSA)	Existence and efficiency of anti-money laundering (AML) programs  Existence and efficiency of suspicious activity reporting (SAP) mechanisms Existence and efficiency of customer due diligence Record-keeping practices, third-party testing, and periodic auditing of the company’s BSA programs BSA compliance training and awareness programs
Employment and labor	Fair Labor Standards Act (FLSA)	Contracts and agreements of key employees Wage compliance, including minimum wage, overtime, and record-keeping Employee classification, including team members and independent contractors Employee benefit plans, health insurance, retirement plans, employee stock purchase plans (ESPP)
	Occupational Safety and Health Act (OSHA)	Workplace safety frameworks, policies, and conditions Employee health and safety training programs Workplace incident records Incident reporting frameworks, policies, and procedures
ESG (Environmental, Social, and Governance)	Clean Air Act	Compliance with emission standards Emission permits Emissions monitoring and reporting practices Emission technology, including detection, control, and minimization.
	Clean Water Act	Pollutant discharge compliance practices and permits Wastewater and spill-prevention management practices and procedures
	Sarbanes-Oxley Act	Internal controls and their efficiency C-suite financial reporting certifications Audit Committee efficiency and independence Business record retention and destruction policies and procedures
	Dodd-Frank Wall Street Reform and Consumer Protection Act	Financial disclosure and reporting practices of executives Conflict minerals identification and reporting procedures Whistleblowing practices, including whistleblower protection mechanisms
Health and safety	Consumer Product Safety Act (CPSA)	Product testing and certification frameworks and procedures Product labeling procedures Product recall procedures Compliance records, including testing documentation and product liability records Consumer Product Safety Commission (CPSC) reporting policies and procedures
	Food Safety Modernization Act (FSMA)	Food safety plans and recall procedures Food product safety procedures, including hazard identification and risk-prevention Supplier verification procedures and compliance with the foreign supplier verification program (FSVP)
Data protection and privacy	California Consumer Privacy Act (CCPA)	Data collection and data sale practices Consumer right execution policies for data collection, retention, and deletion Privacy policies Employee training policies, programs, and activities
	Health Insurance Portability and Accountability Act (HIPAA)	Protected health information (PHI) privacy policies and procedures Adherence to safeguards principles Safeguards implementation for protecting availability, integrity, and confidentiality of PHI Business Associate Agreements (BAA) with third parties, including participants in federal healthcare programs PHI-focused employee training policies, programs, and activities Security risk management plans, including data breach response measures
	Gramm-Leach-Bliley Act (GLBA)	Adherence to custom privacy notice requirements Information security programs and their efficiency Adherence to GLBA and FTC Safeguard Rule GLBA compliance training programs and activities
Consumer reporting	Fair Credit Reporting Act (FCRA)	Efficiency of adverse action procedures and notices Consumer consent policies Consumer information management and disposal security Efficiency of compliance training and employee background checks
Securities	Securities Act of 1933	Accuracy of registration statements Disclosure policies, including financial reporting, material event reporting, and shareholder communication mechanisms Accuracy of disclosure documents Efficiency of insider trading policies Quiet period compliance measures SOX compliance

Additionally, you should review the following data and documents: 

Contracts and agreements	List of contracts and agreements falling under regulatory requirements List of compliant and non-compliant contracts Contract statuses and renewal conditions List of agreement issues, including breach of warranties and contract violations
Permits and approvals	Department of Justice approvals Regulatory filings Health and safety permits Environmental approvals Land use permits Permit and approval renewal terms and conditions
Audits, litigations, and investigations	Past, ongoing, and pending internal and external audits Past, ongoing, and pending litigations Pending legal actions, such as settlement payments Compliance with court orders Potential impact of litigations

4 regulatory due diligence business cases

Below, you can read more about the most common issues regulatory due diligence tackles within the following business cases:

1. Mergers and acquisitions (M&A)
2. Capital raising
3. Initial public offering (IPO)
4. Compliance audits

1. Mergers and acquisitions (M&A)

An acquiring company conducts regulatory due diligence to gauge potential deal breakers, resolve compliance issues, meet antitrust requirements, and submit correct premerger filings. Here are the most common issues that thorough regulatory due diligence prevents when dealing with the target company: 

• Antitrust issues. This is especially true for big deals (over $111.4 million) as they are subject to antitrust regulations. While most mergers get the green light, as much as 14% of deals over $1 billion get canceled due to antitrust concerns, according to McKinsey.
• Labor-related lawsuits. Integrating human services involves many regulatory hurdles around employee classification, wage calculations, and immigration. Labor law incidents intensified in recent years, with 5,406 FCRA lawsuits filed in 2021. 
• Data security issues. Integrating data systems means ensuring 100% data security and following complex data privacy regulations, such as CCPA and HIPAA. Many companies fail data security and pay criminal penalties that sometimes surpass the $4.5 million data breach cost tenfold, such as Equifax’s $575 million data breach.

2. Capital raising

Due diligence helps investment funds avoid compliance risk in fundraising deals. Thorough investigation allows a private equity firm to prepare for governmental approvals and resolve common issues, such as: 

• Foreign investment issues. Foreign investments get scrutinized due to national security concerns, as reflected in the Committee on Foreign Investment in the United States (CFIUS) notices. In 2022, CFIUS adopted mitigation measures for 52 transactions (18% of total warning letters), the second-highest number since 2018.
• Securities law violations. Fundraising deals are subject to at least ten securities and investment acts and are regulated by the Securities and Exchange Commission. In 2022, businesses paid $6.4 billion in penalties under 760 non-compliance lawsuits.

3. Initial public offering (IPO)

The preparation period for an initial public offering can take up to two years, involving many legal and regulatory tasks besides the business risk. Regulatory due diligence ensures the entire process goes as smoothly as possible and addresses the key issues:

• Securities law compliance. IPOs must meet many regulatory obligations and often get sued for material misstatements and omissions in registration statements. The SEC filed a total of 50 IPO lawsuits in 2022. 
• Internal controls issues. Financial reporting weaknesses, ineffective disclosure controls, and disconnected financial systems make it challenging for private companies to comply with the Sarbanes-Oxley Act (SOX) of 2002. It’s a critical requirement for a proper SEC filing.

4. Compliance audits

Regulatory due diligence is the core part of internal and external compliance audits, helping businesses adapt to changing regulatory conditions and mitigate increasing regulatory scrutiny. It provides the following benefits:

• Cost-saving opportunities. The regulatory landscape changes rapidly, and many businesses may not keep up with new requirements. However, regulatory monitoring (as part of continuous due diligence) saves companies an average of $1.03 million in regulatory costs.
• Continuous improvement. A comprehensive due diligence process allows businesses to adapt and improve compliance procedures. It is a part of continuous improvement that strengthens long-term business sustainability.

2 best practices for regulatory due diligence

Regulatory due diligence has always been a core part of corporate risk management. It has always been a time-consuming process as well. An average business spends 15,000 hours on risk assessments (including due diligence) each year, while only 54% of data is reliable, and only 8% of such assessments are actionable.

Businesses also raise security concerns. As of 2021, as much as 90% of businesses worked on zero-trust security programs to improve data protection in complex activities. However, as of 2023, the average cost of data breaches increased by 15% over three years. Meanwhile, 73% of businesses admit that managing third-party permissions drains too many resources. While there are many solutions to the above issues, the following two practices can gauge most of them.

Early involvement

The overall due diligence process takes from four to 12 weeks and even longer, depending on the business type, regulatory expectations, and the deal’s nature. With deals often under time pressure, it’s critical to begin regulatory investigations at the deal planning stage for the following benefits:

• Clear understanding of the transaction. Regulatory risk assessments at early deal stages help create a coherent vision of the transaction. It helps build a deal structure and facilitates the informed decision-making process. 
• Timely compliance measures. Identifying issues early allows for a well-rounded regulatory strategy and thorough corrective actions. It buys time for updating policies, obtaining permits, and addressing compliance gaps.
• Minimized deal disruptions. Addressing regulatory challenges early reduces the chances of previously unknown issues and post-deal business risks. It also helps shorten the deal lifecycle by minimizing regulatory delays.

Reliable technology

Inadequate technology is often the answer to cumbersome audits. As much as 40% of companies still use disconnected technology such as Office programs and emails for compliance management, the MetricStream report says. Also, 44% of organizations consider the manual process the main compliance challenge.

Meanwhile, only 18% use standalone compliance technology, such as virtual data rooms (VDRs). VDRs significantly boost both productivity and security in regulatory due diligence, allowing businesses to outperform 82% of the market. A VDR is a security-first workplace with the following benefits:

• Zero-trust security. VDRs enable multifactor authentication, role-based access to encrypted data, and session timeouts. It ensures continuous user validation and helps businesses keep sensitive data safe while hiring external regulatory affairs auditors.
• Task automation. VDRs have built-in file redaction, Q&A workflows with auto-forwarding, and automatic notifications. With bulk permission and user management tools, businesses significantly optimize administrative tasks during due diligence.
• Reliable data. Bulk file management features, full audit logs, version control, and auto-generated activity reports simplify diligence analysis. These features make it easy to trace data points, which is essential for accurate investigations.

The bottom line

Let’s summarize the main points from the article:

• Regulatory due diligence is the core part of risk management and fits into a broader due diligence process. 
• Regulatory due diligence is crucial in M&A, IPO, and capital raising. It’s often a part of compliance audits.
• The regulatory due diligence checklist evaluates core business functions against compliance criteria, including antitrust, ESG, labor management, data privacy, and anti-corruption.
• Conducting regulatory due diligence early using dedicated technology allows companies to outperform 82% of the market.