Much of the recent talk amongst lawyers in the context of due diligence has been around the emergence of artificial intelligence tools, which enable lawyers to review larger numbers of contracts quicker than ever before. While this has required businesses to ensure all of its paperwork is in good order to meet an insatiable demand for more and more documents during the M&A process, another significant trend has emerged.
Substantial legislative and regulatory regime changes over recent years now mean lawyers (working alongside a buyer’s other advisors) must look beyond the content of the data room. The extent of the obligations now imposed on businesses means that a traditional “paper-based” or “desktop” legal review will no longer be sufficient to satisfy the lawyers that a business is complying with all of these requirements.
Coupled with the increased severity of consequences of failing to comply, there is now a major emphasis on buyers to properly resolve concerns during the due diligence stage, rather than relying on contractual protection in the purchase agreement. While far from a comprehensive list, this theme can be usefully illustrated in three areas that are now key focus areas during the legal due diligence review.
In one of the recent well-publicised cases on employment/worker status, the Employment Appeal Tribunal referred to documents which were “contrived by armies of lawyers” but which didn’t reflect the actual rights and obligations of the parties in practice. While not a new issue in due diligence, this highlights the problem for lawyers charged with establishing the underlying reality of a situation when simply faced with a large pile of contracts which may not give an accurate picture of that reality.
Other current areas of Employment Tribunal and HMRC activity include National Minimum Wage (NMW) compliance and the correct calculation of holiday pay. All of these issues can involve significant post-deal financial liabilities but precise quantification can be a very complicated exercise. A paper-based legal due diligence review will no longer close off the risk sufficiently for a buyer and nor will it allow them to price the risk accurately, increasing the risk of a disproportionate price-chip during negotiations.
With NMW for example, a page-turning review of the contracts isn’t as important as a more in-depth look at clocking on arrangements; salary sacrifice benefits; shift patterns; treatment of travelling and on-call time. These demand a more forensic approach to due diligence which is now focused on your underlying operational approach to these matters rather than simply focusing on the data room documents you spent so much time collating.
The recent regulatory regime changes around bribery, money laundering and facilitation of tax evasion have added additional burden and complexity. Again, a desktop review of policies and procedures is now unlikely to be sufficient for a buyer to properly assess the risk nor to enable steps to be put in place to mitigate risk (e.g. through warranties or early post-deal remediation) or to accurately price the issue.
In the guidance for corporate criminal offences, two key areas of focus are the “tone from the top” and proper implementation of policies and procedures through communication and training. Therefore, lawyers now need to test both the actual operational implementation of these policies and the overall culture of a business in relation to these risks. This means interviews with your stakeholders and employees are increasingly common and re-enforces the need for a business to “live and breathe” the rules, rather than simply having paid expensive lawyers to draft the correct paperwork. Other operational due diligence demands may also now be made of you, for example the physical testing of on-site systems and controls.
Among other necessary steps (depending on risk factors such as sectors, jurisdictions and nature of the business), the ability to demonstrate reasonable and proportionate due diligence can be a key factor in establishing an “adequate procedures” or “reasonable prevention procedures” defence. It has become increasingly important for buyers not to cut corners in this area, particularly as lenders have also increasingly focused on financial crime risks when deciding whether to fund an M&A deal. The consequences of getting this wrong can be severe and lead to regulator or prosecutor intervention, debarment from public contracts, reduced asset value, instability and, of course, reputational damage.
The EU General Data Protection Regulation (GDPR) delivers a fundamental change in how data controllers and data processors handle personal data with significant penalties for failure to comply. This means data privacy protections should now be designed into the very fabric of an organisation and your management team will need to be able to clearly evidence this.
There are currently different approaches to testing whether a business is GDPR compliant. The more legalistic approach focuses simply on the precise legislative requirements, without any weighting for risk or key business objectives. Typically, this focuses on the written policies and procedures but can often deliver the same generic solution for different businesses and present more burdensome and less practical remedial steps, which are flagged as a buy-side concern without having been appropriately tested.
By contrast, the risk-based approach to GDPR due diligence recognises the operational realities of your business and the way the law will likely be enforced in practice as this area develops. Acknowledging that businesses, litigators and regulators have to make hard choices about priorities, this approach takes a more holistic view to ensure genuine and major risk areas are identified while also taking account of key business objectives. Whichever approach the lawyers take, the risk of major concerns being identified is reduced if you can clearly and easily show the practical and operational steps taken throughout your organisation and not simply relied on the fact you have uploaded a shiny new policy to the data room.
A buyer’s reliance on warranties and indemnities in the purchase agreement is increasingly no substitute for carrying out a more operational due diligence review to uncover what is really going on day-to-day within a business. If you are not ready to clearly demonstrate full compliance (in reality as well as on paper), this will simply increase the burden on the legal due diligence process, with potential knock-on consequences for the deal timetable, deal value and the extent of purchase agreement protection demanded. Management leading by example to create and maintain the right culture across the whole business is therefore more important than it ever has been.