The result is a growing compliance landscape that leaders of PE firms must address resolutely and as early as possible to properly manage their risks and stay competitive. (See Exhibit 1.) Compared with other financial institutions, PE firms have the additional concern of being held responsible for legacy compliance issues at the companies they acquire. Because of this, regulators require PE firms to complete a compliance risk assessment when they conduct commercial due diligence.

Governments increased their scrutiny of financial activities, including those of PE firms, after the 2008 global financial crisis. Newer regulatory tightening is occurring against a backdrop of increasing global geopolitical tension. One source of friction has been the increase in technological competition, which has already resulted in measures in the US and EU that block or regulate cross-border high-tech investments. Because of these diverse concerns, the regulatory environment is complicated, spanning many regions and topics. For example:

• The US Department of Justice (DOJ) is stepping up its corporate enforcement efforts and adding corporate crime prosecutors to enforcement divisions to prevent M&A transactions from compromising national security.
• Regulators in the US and EU have increased their scrutiny of deals involving PE firms that could potentially harm competition.
• The US Securities and Exchange Commission (SEC) has brought enforcement actions in cases where PE firms allegedly misallocated expenses or failed to adequately disclose fees to investors.
• In the EU, measures such as the Alternative Investment Fund Managers Directive (AIFMD) and the Markets in Financial Instruments Directive II (MiFID II) require PE firms to meet certain reporting, transparency, and investor-protection standards.
• The European Commission’s Directorate-General for Competition has broadened whistleblower rules that were previously aimed at gathering information on illegal cartel practices, so citizens can now report merger-related, anticompetitive infringements.
• The EU has been leading efforts to promote ESG regulations, such as the Corporate Sustainability Reporting Directive, that increase disclosure requirements for PE firms operating in the EU or dealing with EU-based investors, with implications for the firms’ investment strategies and reporting practices.
• PE firms, which handle sensitive information during the due diligence process and in their portfolio management operations, must comply with data privacy regulations such as the EU’s General Data Protection Regulation (GDPR), as well as similar state laws in the US and regulations in countries worldwide.

The Cost of Noncompliance

PE firms that fail to address regulatory compliance adequately can face significant legal, financial, and reputational risks:

• Legal Penalties. PE firms may face penalties, including fines or legal sanctions, for securities violations and money laundering. The repercussions can be substantial and can harm a firm’s reputation and financial position.
• Civil Lawsuits. Investors and other stakeholders can bring lawsuits against firms that breach their fiduciary duty or commit other violations.
• Loss of Investor Confidence. Regulatory enforcement actions and legal troubles can harm a firm’s reputation, and negative publicity can damage relationships with investors and business partners.
• Operational Disruption. The need to address regulatory compliance failures can divert management’s attention from core business activities, disrupting operations and creating inefficiencies.
• Barriers to Markets. Penalties that restrict or place conditions on a firm’s operations could limit the firm’s ability to pursue opportunities or operate in certain jurisdictions.

What do such risks mean for leaders of PE firms? Leaders need to manage regulatory risk on three fronts: their firm, their investment portfolio, and their portfolio companies, which are subject to applicable industry regulations.

PE Firm. In the US, PE firms must adhere to the Sarbanes-Oxley Act, Investment Advisers Act, and Bank Secrecy Act. Together, these regulations require firms to have comprehensive internal controls, ethics codes, and anti-money laundering practices. PE firms must also make climate-related disclosures as mandated by the SEC.

In the EU, PE firms are subject to the AIFMD, MiFID II, GDPR, Sustainable Finance Disclosures Regulation, Corporate Sustainability Reporting Directive, and recently strengthened anti-money laundering rules. Together, these EU regulations address risk management, data protection, financial crime assessments, and sustainability reporting. (See Exhibit 2.)

Investment Portfolio. PE firm leaders must integrate the organization’s compliance framework into the overall investment strategy so that the investment portfolio adheres to regulatory requirements.

Individual Portfolio Companies. PE firms must also manage the regulatory compliance risk at the operational level of each portfolio company. Therefore, compliance standards and criteria should be built into a PE firm’s due diligence process so that it can identify compliance weaknesses or liabilities before it invests. The US DOJ’s Mergers and Acquisitions Safe Harbor Policy encourages firms to proactively identify and report any misconduct found during M&A due diligence. The agency’s aim is to help firms manage compliance effectively within the M&A context, and the DOJ’s incentives strongly favor early-stage reporting by companies. To be eligible for protection from prosecution, disclosure must be made prior to an imminent threat of a government investigation.

After making an investment, it is imperative that PE firms have compliance programs in place to avert future legal issues and augment value. Such programs involve customizing the company’s framework to address the regulatory challenges it faces.

A Multipronged Compliance Framework

PE firms that operate in both the US and EU or that have cross-border investments require substantial resources and expertise not only to adhere to the regulations in various jurisdictions but also to manage the differences in culture and regulatory nuances. PE firms may have to hire compliance officers, establish an internal audit program, and implement reporting systems to create a strong internal compliance function.

Despite the seemingly overwhelming complexity, PE firms can manage the compliance risk challenge with a three-part approach. A good place to begin is with an overall assessment, including a compliance health check of the PE firm and its investment portfolio, to identify areas for enhancement and lay the groundwork for a robust compliance strategy.

Adopt a compliance operating model. PE firms need to implement a compliance operating model that not only aligns with their business strategy but also suits their risk exposure as an investment portfolio manager that is subject to a broad set of regulations. The compliance operating model should define effective compliance management in four areas:

• Compliance strategy, governance, and oversight
• Compliance risk management
• Compliance data architecture and analytics
• Firm culture

The compliance operating model should apply across the firm and serve as a blueprint for the compliance transformations of the portfolio companies.

Set compliance standards across the investment portfolio. PE firms must define compliance policies and establish standards across their investment portfolio. The policies must set the minimum requirements for managing compliance. The minimum standards should cover these areas:

• ESG reporting
• International trade law compliance
• Anti-money laundering and financial crime prevention
• Responsible handling of artificial intelligence
• Cybersecurity risk management

Improve M&A due diligence and transform compliance in portfolio companies. Finally, appropriate measures must be taken to deal with compliance risk in a firm’s portfolio companies.

Investment due diligence should include a thorough and effective assessment of all relevant compliance topics to safeguard against successor liability and accountability for third-party actions. At the very least, M&A due diligence needs to use the compliance standards defined for the firm’s investment portfolio. Any misconduct or irregularity identified during the due diligence process must be immediately escalated to the PE firm’s senior management and disclosed to the relevant regulators. Serious compliance misconduct identified during the due diligence process should also raise concerns about the overall rationale of making the investment.

After making an investment, a PE firm should carry out a compliance transformation program in the portfolio company to implement compliance standards and rectify any shortcomings identified during the due diligence process. Compliance transformations create lasting value for investors by significantly reducing the risk, including the PE firm’s liability, of future noncompliance.

As governments in the US and EU tighten regulations, PE firms are facing a confluence of disparate rules, many of which are actively enforced and carry heavy penalties for violations. In the face of the challenges, it’s imperative for PE firms to fortify their compliance framework and act proactively to avoid the costs of addressing problems too late in the game.