Due Diligence Regulatory Affairs: How to Assess Compliance Risk

Regulatory due diligence is the systematic transaction compliance review of a target's regulatory status across all applicable agencies and jurisdictions. Regulatory affairs consulting specialists map the target's license portfolio, compliance program, and enforcement history to produce a regulatory risk report. The report's findings directly inform the transaction structure, purchase price, and post-closing remediation obligations.

Legal due diligence counsel structures the regulatory due diligence workstream, designs the document request list specific to the target's industry and jurisdictions, and advises on the regulatory risk report findings and their implications for transaction structure and post-closing remediation.

Regulatory risk assessment requires mapping every applicable regulatory regime against the target's actual compliance status. Three categories of regulatory risk emerge. These are latent risks in current operations, transactional risks from the change of control, and post-closing risks. The regulatory risk assessment is the foundation for the transaction risk assessment and the principal basis for indemnification provisions in the purchase agreement.

Regulatory risk management counsel conducts the regulatory risk assessment, maps the target's regulatory exposure across all applicable agencies, and advises on the indemnification provisions and escrow arrangements that reflect the regulatory risk profile.

The licensing review examines every license, permit, registration, and certification, evaluating license transferability, renewal history, and authorization conditions. OSHA, environmental, FDA, and HIPAA due diligence evaluate open citations, CERCLA liabilities, and Clean Air Act and RCRA permit status. A license at risk of non-renewal due to compliance deficiencies is a material transaction risk that must be identified before closing.

HSR filing counsel advises on the Hart-Scott-Rodino pre-merger notification requirements, analyzes the licensing transferability issues arising from the change of control, and advises on the pre-closing regulatory approval timeline.

Compliance due diligence covers the target's historical and current compliance with all applicable regulatory obligations. The False Claims Act creates successor liability in healthcare acquisitions if the target submitted false claims to federal programs. CERCLA environmental contamination liability follows the target regardless of change of control, and HIPAA regulatory violations create post-closing exposure in health data transactions.

Merger clearance counsel advises on the antitrust merger clearance process and regulatory approval timeline, advises on the competitive overlap analysis required by the FTC and DOJ, and advises on the conditions and divestitures antitrust agencies may require.

Regulatory due diligence findings directly affect the purchase agreement's representations, warranties, and indemnification provisions. ESG due diligence findings identify climate and environmental risk addressed in the purchase price adjustment, escrow, or pre-closing remediation. An indemnification cap may be inadequate if the regulatory liability is potentially uncapped, as under CERCLA.

ESG compliance review counsel evaluates the target's ESG regulatory compliance status, identifies material ESG disclosure obligations and climate-related risks, and advises on the ESG representations, warranties, and indemnification provisions in the purchase agreement.

A transaction involving a foreign acquirer faces CFIUS review under the Foreign Investment Risk Review Modernization Act, known as FIRRMA. Critical infrastructure, critical technology, sensitive personal data, and real estate near sensitive government facilities are the primary CFIUS filing triggers. A mandatory CFIUS filing must be made before closing, and failure to file carries civil penalties up to $250,000 or the full transaction value per violation.

CFIUS and foreign direct investment counsel advises on the mandatory and voluntary CFIUS filing obligations, prepares the CFIUS mitigation agreement and national security agreement, and advises on structuring cross-border acquisitions to minimize CFIUS risk.

A consent decree resolves a government enforcement action by requiring compliance remediation, ongoing monitoring, and civil penalty payments. A target subject to a consent decree presents non-negotiable obligations the buyer must fulfill after closing. A change of control does not automatically terminate a consent decree, and the regulatory agency must approve any transfer of the underlying compliance obligations.

Consent decree counsel advises on the consent decree analysis in regulatory due diligence, advises on notifying the regulatory agency of the change of control and assuming the decree's obligations, and advises on the compliance remediation strategy required.

Data privacy due diligence is required in any transaction involving a business that collects, processes, or transfers personal data. The General Data Protection Regulation applies to any business processing personal data of EU residents, regardless of the business's location. CCPA compliance review is required for businesses that collect personal data of California residents above defined thresholds. A target's privacy compliance status determines whether its data collection is legally defensible, its privacy policy is accurate, and its data subject rights procedures are implemented.

Global data compliance counsel advises on the data privacy due diligence required for transactions with EU, California, or other jurisdictional privacy obligations, advises on the GDPR and CCPA compliance assessment, and advises on the data transfer restrictions applicable to cross-border acquisitions.