Wednesday, April 1, 2026

Compliance in M&A: not just value protection, but part of value itself

Written by Iratxe Gurpegui

You’re in the investment committee. Someone asks the question everyone wants to rush through: “Any compliance issues?”

If you answer with “they have a code of conduct and annual training,” you’re not protecting the deal. You’re guessing.

I’ve sat in enough diligence calls to know how this goes. Bankers treat compliance as downside protection. Lawyers treat it as reps and warranties. Compliance teams get asked for documents, fast. And then we all pretend we’ve priced the risk.

Here’s my point: in M&A, compliance is not only about protecting value. It is part of what you are buying.

Because the buyer is not buying last year’s revenue. The buyer is buying whether that revenue survives contact with reality.

What you’re actually underwriting when you buy a company

Every serious deal is an uncertainty trade.

You are underwriting:

  • whether key contracts are stable (and won’t be terminated after a sanctions hit, a corruption allegation, a competition complaint)
  • whether licenses and permits were obtained cleanly
  • whether distributors, agents, and “consultants” are real business partners or future liabilities
  • whether the finance function can prove what happened, when, and who approved it
  • whether you can integrate the target without breaking operations or inheriting a mess you cannot unwind

A “paper” compliance program makes all of that harder to trust.

A living compliance system, one that influences decisions and leaves evidence, makes the asset more reliable.

And reliability is economic.

The French anti-corruption agency explicitly frames anti-corruption due diligence as a way to value the target properly, measure transaction risk, and prepare integration. It even states that findings can affect the transaction price. That is not a philosophical statement, it is a regulatory one. (If the PDF link moves, search the A.F.A. publications for the guide titled “l’évaluation de l’intégrité dans le cadre des opérations de fusions-acquisitions”.) AFA publications

Why “do they have a program?” is the wrong diligence question

The old diligence checklist is built around existence:

  • do they have policies?
  • do they train?
  • do they have a hotline?

That’s basic hygiene. It is not a proxy for control.

What sophisticated buyers need is decision reliability: can the company show that it detects issues early, escalates them, and fixes root causes without drama?

The U.S. DOJ’s framework for assessing compliance programs is blunt about the test: is the program well designed, is it applied in good faith, and does it work in practice. That lens is exactly what M&A teams should use. DOJ evaluation of corporate compliance programs

The practical question in diligence becomes: what is the evidence that compliance changes outcomes?

Here’s a simple way to translate that into diligence requests that actually matter.

| What you ask in diligence | What a real program can show | Why it moves valuation |
| --- | --- | --- |
| How are third parties approved in high-risk countries? | risk tiering, approvals, red-flag notes, remediation actions, rejection rates | reduces successor liability and “unknown unknowns” in the revenue engine |
| What happens when accounting sees unusual payments? | escalation logs, exception handling, documentation of challenges, outcomes | tells you if books and records are governable post-close |
| How are allegations investigated? | triage criteria, investigation files, timing, findings, disciplinary actions | predicts disruption risk and regulatory exposure |
| How fast do they remediate control failures? | open actions register, owners, deadlines, closure evidence | shows whether integration will be a cleanup project or a platform |
| Can you map key risks to controls and tests? | traceable risk-control-evidence links, testing cadence | reduces the need for heavy price protection mechanisms |

Notice what is missing: “send me your code of conduct.”

The deal mechanics: where compliance becomes money

When compliance is weak, uncertainty spreads. And uncertainty has very specific deal expressions.

You see it in:

  • heavier indemnities and escrows
  • broader bring-down conditions
  • aggressive material adverse change debates
  • price chips late in the process when someone finally reads the audit trail
  • slower integration because every process needs to be recontrolled before it can be trusted

When compliance is operational, you often get the opposite:

  • cleaner diligence
  • fewer bespoke protections
  • faster post-close integration because you can plug the target into an existing control system
  • fewer surprises that force you to restate, self-report, terminate third parties, or fire executives in month two

And yes, sometimes it hits the headline price. The A.F.A. basically says so.

The DOJ and SEC’s own guidance on F.C.P.A. diligence and successor liability makes the same point from another angle: pre-acquisition diligence and rapid post-acquisition integration into the acquirer’s compliance framework are part of the enforcement calculus. Your ability to absorb and remediate is part of the transaction risk profile. DOJ and SEC FCPA resource guide

A scenario I’ve seen too many times

A mid-size company buys a fast-growing distributor network.

Topline is great. The diligence binder is thick.

Six months after close, a key public-sector customer freezes contracts pending an internal review. Why? An anonymous report alleges a local agent paid “facilitation fees.”

The buyer asks the target for the agent’s onboarding file.

There is no file. There is a signed policy. There is a spreadsheet with names. There is no risk assessment, no approval record, no documented rationale for commission rates, no monitoring.

Now the buyer is doing emergency remediation under the worst conditions: live business, nervous employees, and counterparties watching.

In that moment, everyone understands the truth: you didn’t buy revenue. You bought a control environment.

Where Naltilia fits (quietly)

I’m building Naltilia because this is the gap I kept seeing as a compliance lawyer.

Teams are asked to prove that compliance is real, but they’re operating with scattered folders, inbox approvals, and one-off questionnaires.

A platform helps when it makes the program executable: risk assessment tied to remediation actions, evidence collection that does not rely on heroics, workflows that produce traceable decisions.

That is what narrows uncertainty in a deal. Not prettier PDFs.

If you want the deeper version of this argument, I wrote separately about why paper compliance collapses under scrutiny. Why paper compliance does not work

The takeaway I want you to hold

Stop treating compliance diligence as a box that gets ticked before the real negotiations.

Treat it as part of the asset.

If the target cannot show how decisions are governed, you are not looking at a “compliance risk.” You are looking at a valuation problem.

And if your own team cannot integrate, test, and remediate fast, that is also a valuation problem. Yours.

Frequently asked questions

Does strong compliance really affect the purchase price in M&A? Yes. Directly when findings trigger price adjustments or earn-outs, and indirectly when uncertainty drives escrows, indemnities, and integration cost assumptions.

What is the fastest way to spot paper compliance during due diligence? Ask for decision evidence, not documents: third-party approvals with rationale, exception handling, investigation files, remediation registers, and control testing outputs.

How much compliance diligence is enough for a mid-size acquisition? Enough to price uncertainty. That means focusing on the revenue engine (sales intermediaries, key licenses, public-sector exposure, pricing practices) and on whether controls actually run.

What should happen in the first 100 days post-close? Integrate the target into the buyer’s compliance framework, close critical control gaps, and set a remediation register with owners and deadlines you can report on.

If you want compliance to add value, not just audit comfort

I’m happy to talk if you’re in an acquisition cycle and you want to make compliance diligence decision-grade, or if you need the post-close integration plan to be more than a slide.

Naltilia is built for that kind of work: turning obligations into workflows, evidence, and remediation you can defend.


About the Author

Iratxe Gurpegui


I've spent 20 years as a compliance and competition lawyer across Europe and Latin America, and throughout my career, I've seen firsthand how complex and costly regulations can hold companies back. But I've also learned that compliance doesn't have to be a burden, it can be a strategic advantage. My mission is to help companies harness the power of AI, transforming compliance into something faster, simpler, and most importantly, a real driver of growth for businesses.