By Julia Gebhardt, Katharina Hefter, Astrid Latzel, Florian Meier, and Claudia Hobl-Felbermayr
Private equity (PE) firms have long been subject to strict financial industry regulations in the United States and European Union (EU). Now they are facing even greater levels of scrutiny—and a wave of new compliance challenges.
To keep up, leaders of PE firms need to proactively increase their focus on regulatory risks—in their organization, investment portfolio, and portfolio companies. Leaders also need to identify and address risks during M&A due diligence, before they make an investment.
Traditionally, regulation of the PE industry has focused on potential risks to investors and markets that can stem from conflicts of interest, a lack of transparency, and anticompetitive conduct. These focus areas have attracted more regulatory attention in recent years as PE firms have grown in influence and size. Regulators are also attuned to newer issues that are growing out of global competition in the technology and defense sectors; the adoption of net zero carbon goals; the emphasis on environmental, social, and governance (ESG) reporting; and the increase in cybersecurity risks.
The result is a growing compliance landscape that leaders of PE firms must address resolutely and as early as possible to properly manage their risks and stay competitive. (See Exhibit 1.) Compared with other financial institutions, PE firms have the additional concern of being held responsible for legacy compliance issues at the companies they acquire. Because of this, regulators require PE firms to complete a compliance risk assessment when they conduct commercial due diligence.
Governments increased their scrutiny of financial activities, including those of PE firms, after the 2008 global financial crisis. Newer regulatory tightening is occurring against a backdrop of increasing global geopolitical tension. One source of friction has been the increase in technological competition, which has already resulted in measures in the US and EU that block or regulate cross-border high-tech investments. Because of these diverse concerns, the regulatory environment is complicated, spanning many regions and topics. For example:
PE firms that fail to address regulatory compliance adequately can face significant legal, financial, and reputational risks:
What do such risks mean for leaders of PE firms? Leaders need to manage regulatory risk on three fronts: their firm, their investment portfolio, and their portfolio companies, which are subject to applicable industry regulations.
PE Firm. In the US, PE firms must adhere to the Sarbanes-Oxley Act, Investment Advisers Act, and Bank Secrecy Act. Together, these regulations require firms to have comprehensive internal controls, ethics codes, and anti-money laundering practices. PE firms must also make climate-related disclosures as mandated by the SEC.
In the EU, PE firms are subject to the AIFMD, MiFID II, GDPR, Sustainable Finance Disclosures Regulation, Corporate Sustainability Reporting Directive, and recently strengthened anti-money laundering rules. Together, these EU regulations address risk management, data protection, financial crime assessments, and sustainability reporting. (See Exhibit 2.)
Investment Portfolio. PE firm leaders must integrate the organization’s compliance framework into the overall investment strategy so that the investment portfolio adheres to regulatory requirements.
Individual Portfolio Companies. PE firms must also manage the regulatory compliance risk at the operational level of each portfolio company. Therefore, compliance standards and criteria should be built into a PE firm’s due diligence process so that it can identify compliance weaknesses or liabilities before it invests. The US DOJ’s Mergers and Acquisitions Safe Harbor Policy encourages firms to proactively identify and report any misconduct found during M&A due diligence. The agency’s aim is to help firms manage compliance effectively within the M&A context, and the DOJ’s incentives strongly favor early-stage reporting by companies. To be eligible for protection from prosecution, disclosure must be made prior to an imminent threat of a government investigation.
After making an investment, it is imperative that PE firms have compliance programs in place to avert future legal issues and augment value. Such programs involve customizing the company’s framework to address the regulatory challenges it faces.
PE firms that operate in both the US and EU or that have cross-border investments require substantial resources and expertise not only to adhere to the regulations in various jurisdictions but also to manage the differences in culture and regulatory nuances. PE firms may have to hire compliance officers, establish an internal audit program, and implement reporting systems to create a strong internal compliance function.
Despite the seemingly overwhelming complexity, PE firms can manage the compliance risk challenge with a three-part approach. A good place to begin is with an overall assessment, including a compliance health check of the PE firm and its investment portfolio, to identify areas for enhancement and lay the groundwork for a robust compliance strategy.
Adopt a compliance operating model. PE firms need to implement a compliance operating model that not only aligns with their business strategy but also suits their risk exposure as an investment portfolio manager that is subject to a broad set of regulations. The compliance operating model should define effective compliance management in four areas:
The compliance operating model should apply across the firm and serve as a blueprint for the compliance transformations of the portfolio companies.
Set compliance standards across the investment portfolio. PE firms must define compliance policies and establish standards across their investment portfolio. The policies must set the minimum requirements for managing compliance. The minimum standards should cover these areas:
Improve M&A due diligence and transform compliance in portfolio companies. Finally, appropriate measures must be taken to deal with compliance risk in a firm’s portfolio companies.
Investment due diligence should include a thorough and effective assessment of all relevant compliance topics to safeguard against successor liability and accountability for third-party actions. At the very least, M&A due diligence needs to use the compliance standards defined for the firm’s investment portfolio. Any misconduct or irregularity identified during the due diligence process must be immediately escalated to the PE firm’s senior management and disclosed to the relevant regulators. Serious compliance misconduct identified during the due diligence process should also raise concerns about the overall rationale of making the investment.
After making an investment, a PE firm should carry out a compliance transformation program in the portfolio company to implement compliance standards and rectify any shortcomings identified during the due diligence process. Compliance transformations create lasting value for investors by significantly reducing the risk of future noncompliance, including the PE firm’s liability for it.
As governments in the US and EU tighten regulations, PE firms are facing a confluence of disparate rules, many of which are actively enforced and carry heavy penalties for violations. In the face of the challenges, it’s imperative for PE firms to fortify their compliance framework and act proactively to avoid the costs of addressing problems too late in the game.