A Lean Approach to Evaluating and Addressing Export Compliance Issues in M&A Transactions

Since the turn of the century, there has been an expansion of both the global economy and the legal risks associated with global trade due in part to an increase in security concerns and aggressive enforcement of the export control laws. There’s a high chance that your company will one day face the situation of either buying or being bought by a company that trades globally. Whether your company is a buyer or a seller, as in-house counsel, you need to be aware of what risks are out there and how to be prepared. We will explain the risks associated with the acquisition of an exporting company, how to prepare if you are a seller, and what to look for if you are a buyer. Throughout, we will temper our comments with the knowledge that every legal and compliance department must do more with less and do it faster.

The risks

We have all faced the situation of trying to explain to our internal business clients the need for certain compliance activities. Faced with limited time and resources, our business clients need to understand exactly why our time and resources should be allocated to export compliance. They need to know the potential costs associated with noncompliance as well as the successor liability that exists for export compliance violations.

In particular, this article focuses on concerns raised in the merger and acquisition environment by actual or potential violations of the laws and regulations administered by the Bureau of Industry and Security (BIS) of the US Department of Commerce, the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury and the Directorate of Defense Trade Controls (DDTC) of the US Department of State. Depending on the location of subsidiaries, divisions or other affiliated operations, the export control laws of other countries may also be a concern.

In recent years, trade journals and newspapers have reported on the seemingly ever-increasing dollar amounts of export violation settlements. Each year, multimillion-dollar settlements are announced with settlements periodically reaching into the tens of millions of dollars. The potential for severe penalties in this area exists due to the extremely high per-instance penalty dollar limit provided for by the relevant penalty statutes coupled with the fact that cases often involve many repeated violations because of the failure of an exporter to identify that an activity it routinely engaged in constituted a violation.

In cases of mergers or acquisitions, the agencies charged with enforcing the export control laws have successfully taken the position that the liability for penalties is transferred to the new ownership entity. This is true even in transactions structured as asset purchases. As a result, given the potentially high penalties and potential denial of export privileges, your company greatly increases its risk profile by ignoring these potential issues.

A notable example of the concept of successor liability in this context is the Sigma-Aldrich case.* Sigma-Aldrich purchased the assets of a biochemical company, which the BIS alleged made shipments of certain toxins without acquiring the licenses required for these shipments. In deciding that Sigma-Aldrich could be held liable for violations that the acquired company had committed prior to the transaction, in addition to its own continued violations after the transaction, the administrative law judge deciding the matter noted that, under the traditional rules, “asset purchasers are not liable as successors unless one of the following four exceptions applies:

1. The purchasing corporation expressly or impliedly agrees to assume the liability;
2. The transaction amounts to a de facto consolidation or merger;
3. The purchasing corporation is merely a continuation of the selling corporation; or
4. The transaction was fraudulently entered into in order to escape liability.”

* In the Matter of Sigma Aldrich Business Holdings, Inc. et al. Case Nos. 01-BXA-06, 01-BXA-07 and 01-BXA-11.

The opinion continues that when a “substantial continuity” of the operation is established, liability may transfer despite a lack of continuity of shareholders. The opinion states that among the factors to be considered in making this determination are whether the successor:

1. retains the same employees, supervisory personnel and production facilities in the same location;
2. continues production of the same products;
3. retains the same business name;
4. maintains the same assets and general business operation; and
5. holds itself out to the public as a continuation of the previous corporation.

The case was settled upon Sigma-Aldrich’s payment of a $1.76 million penalty.

In a similar vein, the DDTC pursued both Boeing and Hughes Electronics Corporation after Boeing’s purchase of the assets of a Hughes subsidiary. Boeing and Hughes paid a $32 million fine to settle the case despite the fact that violations committed by the former Hughes subsidiary had ceased years prior to Boeing’s acquisition of it.

In light of these and other cases, both buyers and sellers need to be aware of the potential risks of noncompliance. As a seller, unknown violations raised during due diligence could cause the potential buyer to walk away. As a buyer, failing to identify potential issues before closing could create significant, unplanned liabilities.

The seller’s perspective: preparing your company for sale

Your company is on the market. As in-house counsel, you will wear many hats during the sale process, including that of ensuring that a compliance issue does not stop the sales process. Now that you understand the risks, the last thing you want to do is to derail the potential deal because of export compliance issues. The existence of export violations or the lack of an effective, well-documented compliance program can dramatically affect the value of an acquisition transaction or, in some cases, prevent consummation of the deal. Ideally, your company will have a compliance program in place and will have dealt with any instances of noncompliance long before any contemplated transaction. When this is not the case, immediate action should be taken to identify problem areas and address them, if possible, prior to negotiations.

An astute buyer will include the area of export compliance in its due diligence activities. A company that wishes to be acquired should be in a position to satisfy such a foreseeable review. The first step in this direction is to conduct a review of the company’s export compliance to make the company a more attractive target.

Unless an in-house counsel is extremely well versed in the intricacies of export licensing, it is wise to have a review conducted by a knowledgeable outside law firm under attorney-client privilege. An impartial review can shorten and simplify the due diligence process. If the company is found to be in compliance, and the results of the review are shared with the prospective purchaser, the report can be a source of reassurance.

The compliance review should cover, generally speaking, the following areas:

• risks associated with your company’s business partners;
• risks associated with the types of products you export;
• risks associated with your process for classifying and licensing your products for export; and
• previous violations or compliance issues that have occurred with respect to exports.

The checklist referenced in the following section provides a good guide for an internal compliance review.

The conduct of a compliance review, however, is of even greater importance if the company does not have a strong compliance program in place. In such cases, the goal of the review will be to identify whether any possible violations exist. Identifying any potential violations during the review enables your company to raise the issue with a prospective buyer in a way that does not terminate the deal. Early detection also allows you to evaluate how to respond. One viable response is to consider the filing of voluntary self-disclosures in order to enter negotiations with a clean slate.

Both the BIS and the DDTC have provisions in their regulations for submitting voluntary self-disclosures of violations. The OFAC has no such formal provision; however, it accepts voluntary disclosures. Typically, such disclosures are made by the submission of an initial notification letter informing the agency of the nature of the violation. Such a letter must be followed by an additional communication providing the details of the specific transactions covered as well as a description of the remedial steps the company has taken to prevent future violations.

The submission of a voluntary self-disclosure does not always result in the issuance of a penalty. The submission of a disclosure, however, is not a bar to penalties but is a mitigating factor. In recent years, in fact, substantial penalties have been assessed despite the submission of a voluntary self-disclosure. Examples include Ericsson De Panama’s settlement of $1.75 million, which the BIS announced on May 25, 2012, and Esterline Technologies Corporation’s settlement of $20 million with the State Department, announced on March 7, 2014.

Further, the submission of a voluntary self-disclosure may result in continued investigation. Such further action can include interviews with employees and additional document requests. If the disclosure is significant, it will be necessary to negotiate with the agency to reach a satisfactory settlement. It is not unusual for such cases to remain open for a significant period of time.

Finally, settlement can include directed compliance assessments that require the company to review its compliance after a specified period and report the results to the agency. In some cases, the DDTC may require that the company filing the disclosure contract with a specific service provider to conduct the impartial review. Based on the type of response received during the compliance review, it will be important for counsel to work with any potential buyer to determine how such disclosure should be made and when.

The buyer’s perspective: conducting proper due diligence

Potential trade compliance violations create extensive risk. Successor liability can dump that risk on your company, so it is important to conduct proper due diligence when buying another business. At the same time, few of us have the time and resources to do it ourselves. By giving your due diligence team the proper tools, your company can identify potential export compliance issues before closing the sale.

The first step requires educating the due diligence team about the importance of finding these issues before the deal goes too far. Using the information outlined above, we suggest holding a training session in advance of any deals. Use the time to plant the idea that M&A due diligence without a compliance component is not effective due diligence. We recommend that this education focus on all areas of compliance, not just exports. For this article, however, we will focus solely on export compliance issues.

Once the due diligence team buys into the idea that potential export compliance issues must be checked, the next step is to provide it with the tools to do so. Most in-house counsel lack the staff to do the investigations themselves. Instead, you need to tell the team what to look for and then stand by to advise on what it finds.

We have found that a simple checklist effectively guides the due diligence team without being overly burdensome. The checklist should be used to gather information about whom you are potentially transacting with, whom they transact with, and what safeguards are in place to provide a reasonable assurance of compliance with trade laws.

At the onset, you need to know what the target company sells before you can adequately assess its export compliance concerns. A weapons manufacturer will have a different risk profile than a software company. You need to know that risk profile to adequately review what risks may or may not be present.

Another threshold issue to consider is whether any licenses would be required for your team to have access to the information the target company may supply in the course of due diligence. For instance, if your team includes any foreign nationals, a licensing analysis must be performed to verify that providing them with information from the target company will not constitute a deemed export violation.

As explained above, doing business with certain denied or restricted parties can create myriad problems. The first checks your team should make are whether the potential target company or any of its key shareholders, directors or officers are on a denied-party or watch list, or under any type of investigation. Then the team needs to determine whether the target company has been, or is being, investigated for export compliance violations. This review should include a request to the target company for any voluntary disclosures.

Another aspect of knowing the target company involves assessing whether it has an effective internal compliance program. We will not address all the elements of an effective compliance program here. Generally speaking, however, you should look to see if the target company has a code of ethics, provides training to its employees and has a hotline or other method available to report compliance concerns.

Once you have gathered information about the target company itself, you need to learn about its suppliers, distributors and customers. Consider the following questions:

• Does the target company have a program in place to check its suppliers, distributors and customers against the various denied-party lists?
• What denied-party lists are used for any screening that may occur?
• Does the target company have a program in place to check its sales against the various embargo lists?
• Does the target company do business with denied parties or with embargoed countries?
• Does the target company have a program in place to identify whether its products are licensable?
• Does the target company have in place a program to maintain compliance with any export licenses that have been issued to it?
• Does the target company have in place a program to properly manage licensable information or data within its control?

If the company does not check its business partners against the denied-party lists, you should require that those entities be evaluated before any deal becomes final. This will allow you to continue working on the deal while addressing the potential compliance risk. It is important to note that if the target company has a smaller distribution area than your company, you may also need to run its business partners against any additional lists you check for your company. You do not want to find out after the fact that your new division’s largest customer is a denied party in your best market. Similarly, if the company has not adequately analyzed whether its products are subject to license requirements, the process should be undertaken immediately. A worst-case scenario is to discover after closing that one of a target company’s products is subject to licensing requirements that the company was not aware of and did not comply with.

After evaluating with whom the target company does business, the final step is to evaluate how the target company manages its exports. Consider the following questions:

• Is there a separate group that manages export compliance?
• What procedures are in place?
• Is training provided?
• Does the target company audit its program?
• Are any third-party service providers used?
• How are the necessary documents generated, managed and retained?

Once you obtain the core information, your company’s export compliance experts should assist with this stage of the process. Companies operate differently, so it is important that someone with operational experience evaluates the target company’s procedures and operations. Only then will you be able to determine whether the target company’s program will be compatible with yours.

Of course, the elephant in the room still remains: What do you do if a potential export compliance issue exists?

The easiest answer is to scuttle the deal. However, the job of in-house counsel is not to say no whenever risks present themselves. Our job is to provide options to meet our company’s goals without violating the law. If the risk is high — say, the target company sells weapons to Iran — saying no may be your only option. In most cases, however, options do exist.

First, you need to evaluate the risk. At this point, we recommend retaining outside counsel. Even though you may be more than capable of evaluating the risk, regulatory authorities typically give greater credence to independent third parties than to in-house counsel. If the risk is misinterpreted, you do not want to be left standing alone.

If the potential compliance issue becomes an actual compliance violation, your next option may be to disclose the issue. As indicated in the previous section, a question arises whether the target company should disclose it before the sale or whether you should disclose it as part of the purchase. Again, we recommend that outside counsel be involved in this decision as the relevant factors exceed the scope of this article. That being said, congratulations are due. By following the steps outlined here, you helped your company identify a significant risk in time to make an intelligent decision. Without your leadership, the issue would have likely appeared after the deal closed. The costs of addressing that issue after the fact would greatly exceed the additional costs associated with proper due diligence.

Notifications and posttransaction steps

Depending on which agency or agencies’ jurisdiction the acquired company’s operations fall under, the actual transference of compliance responsibilities can be quite complicated. Early in the contemplated transaction, it is necessary to consider notifications that will need to be submitted, especially if the one of the parties is a registered defense manufacturer or exporter. Notice must be filed with the DDTC 60 days in advance of closing if the transaction will result in a foreign person owning or controlling a DDTC-registered party “or any entity thereof.” In addition, the parties will need to consider whether the proposed transaction would raise concerns with the Committee on Foreign Investment in the United States (CFIUS) (see sidebar).

Both the buyer and the seller (if registered with the DDTC) must provide the DDTC a final notification, required in all cases of DDTC-registered parties, within five days of the closing of the transaction. Among the information required is a list of all licenses, agreements or approvals that will be assumed or relinquished. As part of the five-day notifications that are filed, the statement of registration must be updated to reflect the new name and locations of the company together with any other relevant changes. The acquiring company will also need to file license-amendment forms. It is wise to do this promptly as outstanding licenses may not be used until the DDTC approves the license amendment. Finally, all technical assistance agreements and manufacturing license agreements must be amended within 60 days of the post-transaction five-day notification.

To transfer BIS licenses, the license holder must submit a letter providing facts regarding the transaction, identifying all outstanding licenses and requesting that the licenses and the responsibilities attendant to those licenses be transferred. The party receiving the transferred licenses must provide a letter to the license holder affirming its eligibility to receive the license and its acceptance of the responsibilities of maintaining compliance with the requirements of the license. The letter must also contain certifications that the party receiving the transferred licenses accepts such responsibilities, certifies compliance with the EAR, and agrees to make records available to the BIS on request.

In addition to filing the required notifications and license amendments, any outstanding voluntary self-disclosures (VSDs) will need to be perfected. Exporters are limited to 180 days from the filing of the initial notification letter to perfect VSDs filed with the BIS. VSDs filed with the DDTC must be completed within 60 days, but this time limit is subject to extension upon written request. Assuming that the acquiring company submits the letter completing the VSD, the submission of this letter provides the acquiring company the opportunity to explain the incorporation of the acquired company into its compliance program and to explain how its program will suffice to prevent similar errors from occurring in the future.

Aside from filing the required notifications and amendments and completing VSDs, a prime post-transaction activity should be incorporating the newly acquired entity into the compliance acquirer’s compliance program. The M&A transaction provides something of an opportunity for a fresh compliance start for the company being acquired. This is the time for training and compliance activities to be stepped up significantly. Any weaknesses or problem areas should be addressed as soon as possible so that violations do not continue to occur after the transfer of ownership.

Conclusion

Ensuring that export compliance issues do not affect potential mergers or acquisitions allows you another opportunity to demonstrate the value that in-house counsel provides to the business. By explaining the risks and then outlining the steps to alleviate those risks, you will enable your business clients to do their jobs without creating additional risk for the company. That is a win-win for everyone.