The global deal failure rate is between 70% and 90%, with regulatory hurdles, geopolitical uncertainty, and ill-advised acquisitions being the three main drivers. At the same time, regulatory due diligence is considered to be among the three key success factors.
This article explores the nature and business cases of regulatory due diligence. You will also get a regulatory diligence checklist and learn how reliable compliance technology allows you to outperform 82% of organizations (based on the numbers provided by the MetricStream 2021 survey).
What is regulatory due diligence?
Regulatory due diligence is the comprehensive evaluation of regulatory compliance and related risks associated with the business transaction.
Regulatory due diligence is part of the broader diligence process, aiming to detect, address, and prevent regulatory issues in various business activities, such as:
- Mergers and acquisitions (M&A). It helps dealmakers reduce regulatory issues within the M&A lifecycle.
- Capital raising. It helps private equity firms follow complex regulations in fundraising deals, including but not limited to the Securities Act and Foreign Corrupt Practices Act.
- Initial public offerings (IPO). It helps private companies comply with the Securities Act and related regulations when going public.
- Compliance audits. It ensures that businesses maintain compliance in the changing regulatory landscape.
Read more about each of these business cases a bit further.
Regulatory due diligence checklist
During an M&A transaction, IPO, capital raising, or a compliance audit, due diligence (DD) teams evaluate business processes against regulatory requirements on a federal level. They include antitrust and data privacy compliance, anti-money laundering (AML) laws, and ESG regulations.
Below, you can check the sample of the regulatory due diligence checklist that covers items under core regulatory aspects.
- Please note: The following checklist is not exhaustive, as its potential areas may vary based on the nature of your company and a particular business base.
|Regulatory due diligence area||Regulatory act||Due diligence review sample|
|Antitrust compliance||Sherman Antitrust Act||A company’s market share and monopolistic practice assessment|
Mergers and acquisitions history
Antitrust risks, including collusion agreements with competitors and predatory pricing practices
History of antitrust case filings
|Clayton Antitrust Act||Antitrust risks, including elusive dealing contracts and agreements, price discrimination, and corruptive practices|
History of mergers and acquisitions
History of antitrust litigations
|Anti-corruption compliance||Foreign Corrupt Practices Act (FCPA)||Existence and efficiency of anti-bribery policies|
Third-party due diligence procedures
Record-keeping practices and bribery reporting mechanisms
FCPA compliance training programs and activities
Gifts, hospitality, and entertainment practices across the organization
|Bank Secrecy Act (BSA)||Existence and efficiency of anti-money laundering (AML) programs |
Existence and efficiency of suspicious activity reporting (SAP) mechanisms
Existence and efficiency of customer due diligence
Record-keeping practices, third-party testing, and periodic auditing of the company’s BSA programs
BSA compliance training and awareness programs
|Employment and labor||Fair Labor Standards Act (FLSA)||Contracts and agreements of key employees|
Wage compliance, including minimum wage, overtime, and record-keeping
Employee classification, including team members and independent contractors
Employee benefit plans, health insurance, retirement plans, employee stock purchase plans (ESPP)
|Occupational Safety and Health Act (OSHA)||Workplace safety frameworks, policies, and conditions|
Employee health and safety training programs
Workplace incident records
Incident reporting frameworks, policies, and procedures
|ESG (Environmental, Social, and Governance)||Clean Air Act||Compliance with emission standards|
Emissions monitoring and reporting practices
Emission technology, including detection, control, and minimization.
|Clean Water Act||Pollutant discharge compliance practices and permits|
Wastewater and spill-prevention management practices and procedures
|Sarbanes-Oxley Act||Internal controls and their efficiency|
C-suite financial reporting certifications
Audit Committee efficiency and independence
Business record retention and destruction policies and procedures
|Dodd-Frank Wall Street Reform and Consumer Protection Act||Financial disclosure and reporting practices of executives|
Conflict minerals identification and reporting procedures
Whistleblowing practices, including whistleblower protection mechanisms
|Health and safety||Consumer Product Safety Act (CPSA)||Product testing and certification frameworks and procedures|
Product labeling procedures
Product recall procedures
Compliance records, including testing documentation and product liability records
Consumer Product Safety Commission (CPSC) reporting policies and procedures
|Food Safety Modernization Act (FSMA)||Food safety plans and recall procedures|
Food product safety procedures, including hazard identification and risk-prevention
Supplier verification procedures and compliance with the foreign supplier verification program (FSVP)
|Data protection and privacy||California Consumer Privacy Act (CCPA)||Data collection and data sale practices|
Consumer right execution policies for data collection, retention, and deletion
Employee training policies, programs, and activities
|Health Insurance Portability and Accountability Act (HIPAA)||Protected health information (PHI) privacy policies and procedures|
Adherence to safeguards principles
Safeguards implementation for protecting availability, integrity, and confidentiality of PHI
Business Associate Agreements (BAA) with third parties, including participants in federal healthcare programs
PHI-focused employee training policies, programs, and activities
Security risk management plans, including data breach response measures
|Gramm-Leach-Bliley Act (GLBA)||Adherence to custom privacy notice requirements|
Information security programs and their efficiency
Adherence to GLBA and FTC Safeguard Rule
GLBA compliance training programs and activities
|Consumer reporting||Fair Credit Reporting Act (FCRA)||Efficiency of adverse action procedures and notices|
Consumer consent policies
Consumer information management and disposal security
Efficiency of compliance training and employee background checks
|Securities||Securities Act of 1933||Accuracy of registration statements|
Disclosure policies, including financial reporting, material event reporting, and shareholder communication mechanisms
Accuracy of disclosure documents
Efficiency of insider trading policies
Quiet period compliance measures
Additionally, you should review the following data and documents:
|Contracts and agreements||List of contracts and agreements falling under regulatory requirements|
List of compliant and non-compliant contracts
Contract statuses and renewal conditions
List of agreement issues, including breach of warranties and contract violations
|Permits and approvals||Department of Justice approvals|
Health and safety permits
Land use permits
Permit and approval renewal terms and conditions
|Audits, litigations, and investigations||Past, ongoing, and pending internal and external audits|
Past, ongoing, and pending litigations
Pending legal actions, such as settlement payments
Compliance with court orders
Potential impact of litigations
4 regulatory due diligence business cases
Below, you can read more about the most common issues regulatory due diligence tackles within the following business cases:
- Mergers and acquisitions (M&A)
- Capital raising
- Initial public offering (IPO)
- Compliance audits
1. Mergers and acquisitions (M&A)
An acquiring company conducts regulatory due diligence to gauge potential deal breakers, resolve compliance issues, meet antitrust requirements, and submit correct premerger filings. Here are the most common issues that thorough regulatory due diligence prevents when dealing with the target company:
- Antitrust issues. This is especially true for big deals (over $111.4 million) as they are subject to antitrust regulations. While most mergers get the green light, as much as 14% of deals over $1 billion get canceled due to antitrust concerns, according to McKinsey.
- Labor-related lawsuits. Integrating human services involves many regulatory hurdles around employee classification, wage calculations, and immigration. Labor law incidents intensified in recent years, with 5,406 FCRA lawsuits filed in 2021.
- Data security issues. Integrating data systems means ensuring 100% data security and following complex data privacy regulations, such as CCPA and HIPAA. Many companies fail data security and pay criminal penalties that sometimes surpass the $4.5 million data breach cost tenfold, such as Equifax’s $575 million data breach.
2. Capital raising
Due diligence helps investment funds avoid compliance risk in fundraising deals. Thorough investigation allows a private equity firm to prepare for governmental approvals and resolve common issues, such as:
- Foreign investment issues. Foreign investments get scrutinized due to national security concerns, as reflected in the Committee on Foreign Investment in the United States (CFIUS) notices. In 2022, CFIUS adopted mitigation measures for 52 transactions (18% of total warning letters), the second-highest number since 2018.
- Securities law violations. Fundraising deals are subject to at least ten securities and investment acts and are regulated by the Securities and Exchange Commission. In 2022, businesses paid $6.4 billion in penalties under 760 non-compliance lawsuits.
3. Initial public offering (IPO)
The preparation period for an initial public offering can take up to two years, involving many legal and regulatory tasks besides the business risk. Regulatory due diligence ensures the entire process goes as smoothly as possible and addresses the key issues:
- Securities law compliance. IPOs must meet many regulatory obligations and often get sued for material misstatements and omissions in registration statements. The SEC filed a total of 50 IPO lawsuits in 2022.
- Internal controls issues. Financial reporting weaknesses, ineffective disclosure controls, and disconnected financial systems make it challenging for private companies to comply with the Sarbanes-Oxley Act (SOX) of 2002. It’s a critical requirement for a proper SEC filing.
4. Compliance audits
Regulatory due diligence is the core part of internal and external compliance audits, helping businesses adapt to changing regulatory conditions and mitigate increasing regulatory scrutiny. It provides the following benefits:
- Cost-saving opportunities. The regulatory landscape changes rapidly, and many businesses may not keep up with new requirements. However, regulatory monitoring (as part of continuous due diligence) saves companies an average of $1.03 million in regulatory costs.
- Continuous improvement. A comprehensive due diligence process allows businesses to adapt and improve compliance procedures. It is a part of continuous improvement that strengthens long-term business sustainability.
2 best practices for regulatory due diligence
Regulatory due diligence has always been a core part of corporate risk management. It has always been a time-consuming process as well. An average business spends 15,000 hours on risk assessments (including due diligence) each year, while only 54% of data is reliable, and only 8% of such assessments are actionable.
Businesses also raise security concerns. As of 2021, as much as 90% of businesses worked on zero-trust security programs to improve data protection in complex activities. However, as of 2023, the average cost of data breaches increased by 15% over three years. Meanwhile, 73% of businesses admit that managing third-party permissions drains too many resources. While there are many solutions to the above issues, the following two practices can gauge most of them.
The overall due diligence process takes from four to 12 weeks and even longer, depending on the business type, regulatory expectations, and the deal’s nature. With deals often under time pressure, it’s critical to begin regulatory investigations at the deal planning stage for the following benefits:
- Clear understanding of the transaction. Regulatory risk assessments at early deal stages help create a coherent vision of the transaction. It helps build a deal structure and facilitates the informed decision-making process.
- Timely compliance measures. Identifying issues early allows for a well-rounded regulatory strategy and thorough corrective actions. It buys time for updating policies, obtaining permits, and addressing compliance gaps.
- Minimized deal disruptions. Addressing regulatory challenges early reduces the chances of previously unknown issues and post-deal business risks. It also helps shorten the deal lifecycle by minimizing regulatory delays.
Inadequate technology is often the answer to cumbersome audits. As much as 40% of companies still use disconnected technology such as Office programs and emails for compliance management, the MetricStream report says. Also, 44% of organizations consider the manual process the main compliance challenge.
Meanwhile, only 18% use standalone compliance technology, such as virtual data rooms (VDRs). VDRs significantly boost both productivity and security in regulatory due diligence, allowing businesses to outperform 82% of the market. A VDR is a security-first workplace with the following benefits:
- Zero-trust security. VDRs enable multifactor authentication, role-based access to encrypted data, and session timeouts. It ensures continuous user validation and helps businesses keep sensitive data safe while hiring external regulatory affairs auditors.
- Task automation. VDRs have built-in file redaction, Q&A workflows with auto-forwarding, and automatic notifications. With bulk permission and user management tools, businesses significantly optimize administrative tasks during due diligence.
- Reliable data. Bulk file management features, full audit logs, version control, and auto-generated activity reports simplify diligence analysis. These features make it easy to trace data points, which is essential for accurate investigations.
The bottom line
Let’s summarize the main points from the article:
- Regulatory due diligence is the core part of risk management and fits into a broader due diligence process.
- Regulatory due diligence is crucial in M&A, IPO, and capital raising. It’s often a part of compliance audits.
- The regulatory due diligence checklist evaluates core business functions against compliance criteria, including antitrust, ESG, labor management, data privacy, and anti-corruption.
- Conducting regulatory due diligence early using dedicated technology allows companies to outperform 82% of the market.