By Samantha Sheen – Founder and Director of Ex Ante Advisory Services Limited
Many years ago, I worked for a large law firm. One of the firm’s areas of expertise was corporate mergers and acquisitions. As a junior solicitor, I spent many hours toiling away in due diligence data rooms, reviewing documentation to identify whether a company that a client was targeting for acquisition (target company) had areas of possible regulatory risk.
The types of regulatory risk I reviewed ranged from health and safety, environment and other regulatory requirements, for which a licence or other authorisation was needed. In those days, regulations relating to financial crime were not as developed as they are today and were not seen as being as big a regulatory risk.
The findings from these reviews were assessed by partners overseeing the acquisition and were then incorporated. The findings were then incorporated into reports provided to the client and advice given where areas of elevated regulatory risk were identified. The types of risks included were instances where the target company was conducting unauthorised regulated commercial activity, was the subject of a regulatory investigation, or had been fined by a regulator.
At that time, my knowledge about the relevance of these findings was limited to what impact they had upon the negotiated purchase price and the conditions and warranties attached to the transaction. Often, those warranties included the seller ‘promising’ that it had disclosed all actual fines and censures imposed on it by a regulator and any pending regulatory investigations that could give rise to future financial liabilities post-acquisition.
Fast forward to 2019. These days, due diligence undertaken on target companies is both more sophisticated and complicated. Regulatory obligations related to detecting and preventing financial crime are a significant consideration. The existence of an appropriate and effective compliance programme to mitigate financial crime risks – an anti-financial crime (AFC) compliance programme – is a crucial part of the due diligence process, along with whether a target company’ activities would violate any AFC regulations the acquiring company’s was required to comply with.
Regulatory compliance basics
It’s fair to say that most businesses are aware of their obligation to comply with financial crime regulations. They range from regulations on anti-money laundering, terrorist financing, bribery and corruption, tax evasion and sanctions. Responsibility for complying with regulatory requirements runs across the ‘three lines of defence’ – the front office, the compliance department and the internal/external audit function. Sitting atop the three lines is the board or an equivalent body that is responsible for overseeing the implementation of the AFC compliance programme and reviewing material findings of non-compliance with its requirements.
Now this, in theory, is relatively straightforward. In practice however, particularly for a business with a global reach, this is an ongoing challenge for which considerable resources in the form of time, people and finances are involved. This can be further complicated when a global business chooses to expand its operational reach by acquiring a business outside of its parent company’s jurisdiction.
One of the areas that companies who grow in this way still struggle with is the alignment of compliance cultures between the parent company and the entities they acquire. This, as I have observed, can have a material impact on the effective integration of the parent company’s AFC compliance programme into the existing activities of a target company. More importantly, however, a misalignment of compliance cultures can expose both the parent company and the target company to even greater risks of violating AFC regulations.
Acquisitions and the importance of compliance culture
I conducted a search on the internet and discovered a veritable ocean of articles on how acquisitions should be managed.
There is no shortage of advice on how to deal with the logistics, the regulatory transition of licences and authorisations and even the transitioning of staff and technology. But the one area I did not see a great deal of information or advice on was how to successfully transition compliance culture.
And yet, when it comes to compliance culture, there is no shortage of cases describing how a poor compliance culture can leave a business vulnerable to financial crime risks from customers and third parties, misconduct by employees and decline in staff morale. I previously wrote an article for this periodical where I touched on this topic.
To quickly reiterate, corporate culture – and, in turn, compliance culture – is important because human behaviour is always co-determined by the set of social norms that prevail in a company. It is in a company’s interest to shape these norms through a cooperative culture that mobilises employees’ voluntary cooperation in the pursuit of its overall goals.
But what should be done when a target company has a VERY different culture, to achieve this sort of cooperation?
Compliance culture – trust us, we know better
In my career, I have worked with two companies who were subsequently acquired by another business, with little previous knowledge about the regulatory requirements our business had to comply with. I also worked with a business where its growth was acquisition-based, having acquired several companies in different jurisdictions. In relation to all three of these experiences, I’ve subsequently identified a common problem that I will to refer to in this article as the ‘trust us, we know better’ or the TUWKB problem.
The TUWKB problem happens like this: post-acquisition, the parent company assumes that the target company needs ‘fixing’ in order to be integrated into its group of companies. It assumes, in relation to compliance, that its own AFC compliance programme is effective and appropriate to mitigate the AFC risks of the target company. It also emphasises that its regulator expects it to impose its AFC compliance programme on the target company. The company assumes that employees of the target company will be cooperative and apply the new requirements, regardless of any additional work needed to incorporate them into the daily activities of the business.
“When it comes to compliance culture, there is no shortage of cases describing how a poor compliance culture can leave a business vulnerable to financial crime risks from customers and third parties, misconduct by employees and decline in staff morale”
And lots of representatives from the parent company visit the target company – managers who will now oversee the business, heads of HR, finance, technology and even external consultants hired to advise on post-acquisition transition activities. All make very nice presentations on how things are going to change for the better, emphasise the company’s commitment to the continued success of the target company and undertake ‘listening’ exercises with the target company’s staff about challenges identified by them about the integration. This is then interpreted by the parent company to be a collaborative approach and it then expects the target company’s staff to be fully cooperative and participative in the process.
A litany of emails, conference calls and briefing are subsequently undertaken, informing the target company of all the new policies and procedures that must be followed by the target business. This includes the parent company’s AFC compliance programme. Deadlines are imposed on the target company for their implementation and regular reports are issued to the company’s board, advising them about the progress. The TUWKB approach leads the parent company to believe that cultural concerns have been addressed and that compliance with new requirements will be willingly adopted by the target company staff.
The problem? Each time I have watched or taken part in this process, the target company’s staff view this as something happening to them. Compliance staff often complain that their warnings about conflicts with their local AFC regulations and the parent company’s AFC compliance programme are ignored. Other business lines note that products and services rated as high risk under the parent company’s AFC compliance programme are not similarly rated by the target company. Despite attempting to explain the operational impact and additional resources needed as a result of that rating change, no meaningful consideration appears to be given to this impact by the parent company.
Most significantly, no consideration appears to be given to whether those changes were suitable for the target business or their potential impact upon that business. The process did little to communicate a compliance culture that would encourage target company staff to cooperate with the implementation of the parent company’s AFC compliance programme’s requirements. And ultimately, there was little buy-in by target company staff for the measures required under the parent company’s AFC compliance programme.
Recent cases and the TUWKB problem
Some recent cases illustrate how the TUWKB problem might contribute towards elevating the risk of AFC regulatory non-compliance by a target company.
Earlier in 2019, the USA Office of Foreign Asset Controls (OFAC) and Kollmorgen Corporation – a company based in Radford, Virginia, agreed to pay $13,381, on behalf
of its Turkish affiliate, Elsim Elektroteknic Sistemler Sanayi ve Ticaret Anonim Sirketi for apparent violations of the US Iran sanction restrictions.
In early 2013, Kollmorgen identified Elsim as possible acquisition target and undertook due diligence before it acquired the business. The due diligence disclosed that Elsim was making sales to, and had customers in, Iran. At that time, Elsim was not subject to the Iran OFAC restrictions and so it did not have an AFC compliance programme in place that restricted undertaking business with Iran. But post-acquisition, Elsim would need to introduce the controls used by Kollmorgen to mitigate the risk of violating these restrictions. This also included ceasing to do business in Iran. Kollmorgen determined the target company would also need to be educated on “the applicability of US sanctions”.
Kollmorgen subsequently implemented a wide range of pre- and post-acquisition measures to make sure that Elsim complied with its AFC compliance programme requirements that restricted business with Iran. These measures included:
1. Applying controls to block Elsim’s Iran-related customers from making future orders
2. Circulating a memo to Elsim employees, telling them not to sell products or services to Iran
3. Conducting in-person training for Elsim’s employees about its AFC compliance programme policies, specifically including Iran
4. Requiring Elsim’s senior management to certify, on a quarterly basis, that no Elsim products or services were being sent or provided to Iran
5. Ordering Elsim’s senior management to immediately cease transactions with Iran
6. Implementing an ethics hotline for reporting violations of law
Post-acquisition, and in spite of the measures taken by Kollmorgen, Elsim dispatched employees to Iran to fulfil service agreements and engaged in other transactions related to Iran. Elsim serviced machines containing Elsim products located in Iran and provided products, parts, or services valued at $14,867 with knowledge they were destined for Iranian end-users
Elsim management threatened to fire employees if they refused to travel to Iran. Upon returning from the service trips in Iran, Elsim employees were directed by Elsim management to falsify corporate records by listing the travel as vacation rather than business related. Over the two years the transactions took place, Elsim management regularly and fraudulently certified to Kollmorgen that no Elsim products or services were being sent to Iran.
It was only after an Elsim employee filed an internal complaint with Kollmorgen via the company’s ethics hotline in late October 2015 that the conduct came to light. After these events were uncovered, Kollmorgen took a series of remedial actions designed to rectify the situation, which included:
1. Terminating the employment of Elsim managers responsible for the violations
2. Implementing new procedures to educate Elsim employees on compliance with US sanctions
3. Requiring Elsim to seek pre-approval from an officer based outside of Turkey for all foreign after-sales service trips
4. Requiring Elsim to inform its major Turkish customers that Elsim cannot provide goods or services to Iran 
A similar set of facts was also identified in the recent 2019 case of Stanley Black & Decker, Inc. (SB&D) and its Chinese subsidiary Jiangsu Guoqiang Tools Co (GQ), for an amount of roughly $1.9million for apparent violations, again, of US sanctions against Iran.
In 2011, SB&D planned to acquire a controlling interest in the shares of GQ and undertook pre-acquisition due diligence. SB&D discovered that GQ was exporting goods to Iran. SB&D took steps to stop GQ’s sales to Iran prior to the acquisition so that post-acquisition, its activities would be in compliance with SB&D’s AFC compliance programme and, in particular, its prohibition on undertaking business with Iran. For example, GQ senior management was required to sign agreements stating that they would not engage in further transactions with Iran.
Following its acquisition of GQ, SB&D conducted sanctions and export compliance training with GQ. The extent of that training included, in early August 2013, arranging for an SB&D China employee to review SB&D’s sanction compliance policies and procedures with GQ’s manager by telephone. After this one training session, the GQ manager was expected to provide the same training to her team within GQ. However, SB&D did not implement procedures to monitor or audit GQ’s operations to ensure that the sales to Iran had in fact stopped.
Between June 2013 and December 2014, GQ exported or attempted to export 23 shipments of power tools and spare parts to Iran with a total value of more than $3.2million. After learning about the continuing violations, SB&D conducted an internal investigation and discovered that GQ employees had sought to hide its continuing export activity to Iran by using six trading companies (four United Arab Emirates companies and two Chinese companies) and fake bills of lading with incorrect ports of discharge and places of delivery, to conceal its activities.
In addition to the fine, SB&D and GQ agreed to implement a series of compliance procedures to reduce the risk of reoccurrence of similar violations and promote a ‘culture of compliance’.
Clash of compliance cultures and the TUWKB problem
According to a management survey undertaken by the British Institute of Management, one of the most important reasons for acquisition failures is ‘the underestimation of difficulties of merging two cultures’ while a study undertaken by Coopers & Lybrand indicates that 85 per cent of the executives from 100 companies with failed or troubled mergers, said that the major problem was management style and practices or, to put it more broadly, clashes of corporate culture.
The two cases I have noted above illustrate the impact that failed integration efforts around compliance programmes can have when undertaken with a one-sided approach. The TUWKB problem can create unintended consequences, which can have the effect of actually increasing regulatory risk, rather than mitigating it. Most articles I reviewed for this piece on acquisitions describe measures that should be taken to the target business or imposed enhanced monitoring on that business. Checklists and change management processes around regulatory compliance read as if the goal is to bend the target company to accede to the will of the acquiring business. Again, shades of the TUWKB problem.
My sense in the two cases I have summarised was that the TUWKB problem arose there as well. Even the remedial measures undertaken and later agreed with OFAC are one sided, save for the one measure noted in the SB&D case where the culture was identified as a responsibility of both the parent company and GQ.
“Business growth by way of acquisition will continue to take place on a global scale. So too will the AFC regulatory landscape and the scope of controls and restrictions imposed by them”
Promoting a collaborative approach to identifying AFC compliance programme challenges involved in integrating a parent company’s policies and procedures might go a long way towards cultivating cooperation and engagement by a target company. A study by behavioural economist Ernst Fehr found that the average willingness to cooperate and the awareness of the positive side effects of a large group-wide project can help to change the culture for the better. Fehr also found that if the average willingness to cooperate is low and employees have little awareness of the gains from cooperation, a more thorough set of measures that combine communication campaigns with changes in normative prescriptions and financial incentives for cooperation was necessary to achieve the desired change.
In this study, Fehr looked at a large organisation in Germany that had acquired a number of smaller businesses. The smaller businesses were able to pursue their own local business strategies. Fehr looked at what happened when the parent company wanted the local businesses to cooperate on a project that would increase revenues for the parent company, but drive business away from the local business in doing so. Fehr found that the acquired local businesses identified ways to formally implement the parent company’s project, and thus appear to be compliant, but did not really embrace those changes as part of their activities so as to actually be compliant and meet the parent company’s desired objective. What was needed was the voluntary, proactive, cooperation of the local businesses but, instead, the way in which their cooperation was sought was only perfunctory. The need to ensure that an initiative is both clearly communicated, but also is genuinely collaborative and shared as an objective, is the key to success.
The sanctions cases I mention above were used by the regulator to reinforce the importance of post-acquisition monitoring to ensure that they are applying compliance controls as required. But I think that we are missing a trick here if we fail to acknowledge that the TUWKB problem has also played a role in, at times, distracting acquiring firms from understanding the significance of compliance culture and investing the resources necessary to mitigate the potential risks post-acquisition.
Fehr’s observations around cooperation and the ingredients for a conducive corporate culture apply equally to compliance. In both the cases above, it was clear that while the significance of the sanctions’ restrictions were emphasised, the willingness to cooperate with the restrictions imposed was very low. When I read these cases I wondered: how were the acquired businesses expected to make up or replace the revenues they once generated from their business in Iran? How much time were they given to secure business in order to replace that revenue? What support was offered by the acquiring business to achieve this?
I also wondered whether the nature of the training offered played a factor. Given the global scale of the sanctions that have been imposed on Iran, the problem was likely not the level of knowledge in both of these target companies. Both of these cases identified orchestrated efforts to circumvent sanction restrictions and conceal those activities. What sort of training, if any, would have achieved the desired outcome in these cases – i.e. achieving buy-in that the loss of business with Iran was far outweighed by applying the acquiring business’ compliance controls prohibiting it? How seriously were target company employees going to take SB&D AML compliance training or buy-in to cooperating in observing these restrictions, when it was undertaken with one employee over the telephone?
This article is intended to provide some food for thought and ask the reader to consider whether they have experienced the TUWKB problem. Fehr provides some helpful advice, which I have paraphrased here, that I think might help to solve this problem:
1. Make target company managers aware of the benefits to applying the AML compliance programme controls and to show them the mutual gains from cooperation
2. The parent company and the target company management should work collaboratively to formulate a joint agreement where they define a new set of very specific appropriate behaviours to solve the cooperation problem, and each manager individually signs this agreement
3. Include in any agreement how the managers will communicate with one another about the progress of integrating the parent company’s AFC compliance programmes, and the challenges experienced, as an ongoing process
4. All managers agree to enforce the restrictions under the AFC compliance programmes at their respective companies i.e. ‘We will give direct feedback to those employees who do not comply’
5. Undertake an information campaign informing all employees of the new compliance requirements, at both the parent and target company. This should be undertaken by management at both companies and not solely the parent company
6. Change financial incentives to ensure that all areas of the business comply with the AFC compliance programmes. Tie remuneration to the overall performance of the company group, instead of tying it to local operations, which may be significantly impeded by the new restrictions imposed by the parent company’s AFC compliance programmes
7. Challenge confidence levels – this is my own addition. The board is key to challenging the confidence that an acquisition team has in the changes they propose to integrate an AFC compliance programme into a target company. In the cases noted above, why were the team confident to proceed with the deals knowing that the risk of violating the Iran sanctions existed? Why were the teams confident that the controls proposed (e.g. having managers sign agreements to comply with the new controls and not undertake business with Iran) would, at a practical level, work to mitigate this risk?
Business growth by way of acquisition will continue to take place on a global scale. So too will the AFC regulatory landscape and the scope of controls and restrictions imposed by them. The integration of an AFC compliance programme may involve many different policies and procedures, and cause pain and disruption to a target company’s operations. But unless that integration strategy starts with a campaign to ensure that the right compliance culture is introduced and avoids the TUWKB problem, real and worthwhile cooperation with and implementation of the AFC compliance programme may prove elusive and, in some cases, costly.
About the Author:
Samantha Sheen is currently the founder and Director of Ex Ante Advisory Services Limited, an advisory services firm providing assistance to regulators and financial institutions in a variety of areas related to the prevention of financial crime in Europe. Samantha is a financial crime prevention professional with over 15 years of practical experience in compliance. Sam holds a number of qualifications and is recognised as a subject matter expert in the field of financial crime. Sam’s previous work experience includes working as MLRO, Data Protection Officer and CCO and Group Head of AML for various financial institutions, both offshore and in Europe.
Samantha also worked offshore for several years and acted as the first legal counsel to the financial regulator in Guernsey, setting up its financial crime division and coordinating its evaluation by MONEYVAL. She continues to maintain ongoing engagement with other regulators on financial crime matters. Samantha has extensive training experience in the field of financial crime prevention and corporate governance matters. Originally from Montreal, Quebec Canada, Samantha holds a Bachelors of Public Administration, LLB, qualifying as a barrister and solicitor and holds her Masters in Business, specialising in risk management.
1. Fehr, E. “Behavoral Foundations of Corporate Culture” 12 March 2019 https://corpgov.law.harvard.edu/2019/03/12/behavioral-foundations-of-corporate-culture/ [online] Accessed 19 April 2019.
4. Prior to the acquisition it is possible that Elsim’s business activities did not create a “US Nexus” necessary for its activities to be covered under the US Iran sanctions.
7. https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20190327_decker.pdf [Accessed 19 April 2019]
8. Prior to the acquisition it is possible that GQ’s business activities did not create a “US Nexus” necessary for its activities to be covered under the US Iran sanctions.
9. Mengus, D.B. “Due Diligence Process in Mergers & Acquisitions and Integration Problems” LLM International Business Law 2015-2016 at p.33 [online] Available at: http://arno.uvt.nl/show.cgi?fid=142476 [Accessed 15 April 2019]
10. E. Feher. Note 1.
12. Fehr,E. “Behavorial Foundations of Corporate Culture” in UBS International Center of Economics in Society, No.7 (November 2018) [online] Available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3309697 [Accessed 19 April 2019]
13. Supra. In the case study Kehr described, the statement agreed by managers included the statement, “Knowledge sharing between the profit centers was one of the desirable behaviors listed in the agreement: “We share our know-how between the profit centers. We appreciate that we can ask other profit center leaders for their expertise. We approach other profit center leaders if we believe that our knowledge and expertise adds value to them.”