Compliance due diligence from a company perspective - An interview with Roland Kemper, DEKRA SE

Roland Kemper, 40, is a senior counsel in DEKRA SE’s Legal & Compliance department. DEKRA is an international provider of testing, inspection, and certification services. Roland focuses on the legal side of M&A projects and on corporate governance matters. In addition, he is a non-executive member of DEKRA’s management holdings in the UK, the US, and Denmark. Roland is a law graduate (University of Bonn, The George Washington University Law School, King’s College London) and a management graduate (FU Hagen, LSE). He is admitted to the New York State Bar and to the German Bar.

Compliance has received ever more attention in the last few years. This is particularly so when it comes to acquiring a company in relation to which a compliance due diligence has evolved significantly. How is this handled at DEKRA?

DEKRA carries out a compliance due diligence in every acquisition process, with varying intensity of course. In the last ten years, acquisitions have played a major role in accelerating DEKRA’s growth in the testing, inspection, and certification business (“TIC”). Generally, these acquisitions have targeted companies outside of DEKRA’s German home market. In recent years, DEKRA acquired, for instance, the AT4 Wireless, a group headquartered in Spain and with subsidiaries in Taiwan, Chile, and in the US, and QuieTek Corporation in Taiwan, and the Scottish company Optimus Seventh Generation, a provider of safety consultancy services to oil platforms. Again in Taiwan, DEKRA formed a joint venture company in 2015 for “electromagnetic compatibility testing” together with the iST Group. Transactions hence often involve jurisdictional and cultural contexts that may not be well-known to the in-house legal counsel. And for this reason, it is even more important to engage in due diligence that covers compliance aspects as well.

What does a standard compliance due diligence at DEKRA look like?

As a matter of principle, in-house legal counsel at DEKRA must involve themselves heavily in the legal due diligence process on the basis of the experience they gain in advising the operative business. Further, each DEKRA in-house legal counsel is called upon to integrate the compliance perspective into every step of the advisory process, be it in an operations or transactional context. If they lack the required knowledge or experience to deal with a certain compliance issue, or if a conflict of interest arises, we expect them to take the initiative and involve the Group’s Compliance Office and, if needed, outside counsel.

As to the depth of, and the aspects covered by, the standard compliance due diligence process, it is necessary to remember that DEKRA’s core expertise consists in delivering TIC services. TIC services mean that DEKRA assesses whether products, appliances, and processes comply with certain standards. These standards regularly relate to features that express the technical safety or the quality of the product, appliance or process at issue. In fact, DEKRA’s historical core business is ensuring the road safety of trucks and cars. More generally, these standards may be regulatory standards imposed by governmental agencies or they may be standards that are related to certain industries. Often, the authority assessing compliance with such standards depends on the respective DEKRA company being specifically accredited. For instance, DEKRA’s Product Certification service unit is specifically accredited under the “European Electromagnetic Compatibility Directive 2014/30EU (EMC)” to assess whether devices that contain an electrical energy source interfere with the operation of other products or are affected by themselves by the operation of other products. Another example is the periodic safety testing of trucks and cars in France, Germany and Sweden. In these countries, the state has delegated DEKRA the authority to assess whether trucks and cars comply with certain road safety standards. It is paramount for DEKRA to ensure compliance with all aspects of the law. Governmental and non-governmental accreditation bodies are key stakeholders for DEKRA. Consequently, our compliance due diligence always covers all areas that may be deemed as compliance relevant.

In your practice, which are the areas that are generally compliance relevant and hence a main part in your compliance due diligence?

Depending on the nature, size, and location of the business conducted by the target company, we investigate certain areas more intensely. For instance, if the target conducts its business in regions with a low ranking on Transparency International’s Corruption Perception Index and works with freelance sales agents in order to enlarge its customer base, we will heavily emphasise anti-bribery aspects. Here, we take into account specific compliance requirements set out in laws such as the US Foreign Corrupt Practices Act and the UK Bribery Act. On the other hand, the structure, home jurisdiction and place of business of our target companies’ shareholders, as well as the target companies’ financing and payment arrangements, are usually very straightforward. Hence, we would not initially focus on anti-money laundering as much as you would do in settings that are more susceptible or in the financial services industry. DEKRA’s target companies are mostly in the small to mid-size range and privately held. As a result of this, tax compliance is an important topic, and DEKRA’s in-house legal counsel will closely cooperate with the tax department and external tax specialists to minimize DEKRA’s exposure to legal and reputational risks stemming from tax law violations.

Does DEKRA’s compliance due diligence also comprise a review of compliance with industry specific standards which go beyond the legal requirements?

Yes, it does, and that is a consequence of how DEKRA positions itself in the market. Being a “neutral third-party” provider of TIC services lies at the heart of DEKRA’s identity. Integrity is one of DEKRA’s five core “people values”. In addition, DEKRA’s “Vision 2025” is to “be the global partner for a safe world”. Part of this positioning is that most of DEKRA’s TIC services actually contribute to reducing the risk of accidents at work, in traffic and at home as well as to change conditions that lead to health impairments. In line with this positioning, our compliance due diligence always assesses whether the target company has had employment, safety or environmental issues. You asked about industry specific standards: DEKRA indeed is a member of TIC specific trade associations and, in particular, the International Federation of Inspection Agencies (“IFIA”). The IFIA has a set of compliance principles that binds its members which are broader than what is required by law. In addition to reviewing whether a target company has complied with certain standards in the past, however, we use the compliance due diligence process to really understand whether the target company’s organizational culture supports a mindset that tries to minimize issues like employment safety incidents. We invest a lot of effort in understanding the target company’s attitude to safety.

What time period do you generally cover in your compliance due diligence?

While the statute of limitations provided in applicable laws tends to frame our scope of attention, we try to fully exhaust the information available publicly, in the data room and delivered in management meetings. This is not only a question of diligence or thoroughness. DEKRA’s business is not heavy in physical assets. Quite to the contrary, the success of DEKRA’s business largely hinges on DEKRA’s reputation as an independent and neutral third-party provider of TIC services. This reputation materializes in the daily behaviour of DEKRA’s employees and in how the market participants perceive DEKRA’s brand. Consequently, it is very important for DEKRA to ascertain that the target company’s organizational culture and the behaviour of its leadership is such that the target aligns with DEKRA’s reputational demands. Because of this need for alignment, we look at any available piece of information, irrespective of its age, that may cast a doubt on this potential alignment.

How and with what kind of focus do you review the target’s existing compliance management system?

In order to understand whether a target company has implemented and oversees an adequate compliance management system, we try to understand how the target company’s leadership defines what the risks to the company are and how the target company’s leadership describes the management systems put in place to tackle such risks. That said, it is DEKRA’s stance that a well-designed compliance management system must be the result of an integrated concept of risk management and internal controls. At the end of the day, compliance risks have the potential to become business risks. Thus, the scope of attention to the compliance management system naturally overlaps with and is part and parcel of a company’s risk management and controls system. In addition, all owners of potential compliance risks, in particular the leaders of the operational units, must be involved in such an integrated risk and compliance management system. In order to test such involvement, and depending on the size of the target company, we look at whether the company has appointed compliance officers across service units and functional units who report compliance matters to a top compliance officer. We also try to understand whether such formal organisation is brought to life by specific measures- e.g. regular interviews between the compliance officers, regular training, regular town hall meetings, annual “compliance leadership dialogues”, ad-hoc compliance audits, and an appropriate level of documentation. Certainly, we try to understand whether the top compliance officer has been formally designated to receive whistleblower messages or whether there is a hotline or external ombudsman. As already said, we find it very important to understand whether the target company has an organisational culture that fosters compliance with the law, integrity and respect for the rule of law and, thus, buttresses the rather formal compliance measures mentioned previously.

What is DEKRA’s general approach in a compliance due diligence? Do you proceed in a step-by-step approach and if yes, what are the respective steps?

In terms of our practical approach to compliance due diligence, we certainly recognise that we have to follow the customary systematic approach whereby the level of intensity of compliance due diligence increases as the transaction proceeds to completion. Within the initial stage of the transaction process, which may start even before the conclusion of a non-disclosure agreement, we try to categorise certain compliance risks, e.g. corruption, based on indicators that may have become apparent or are public anyway. E.g.- do the company’s shareholders have links to public officials? Is the target company located or doing business in a jurisdiction with significant institutional voids? What is the target company’s record in online and other publicly available media? That said, we make a preliminary assessment of compliance risks and try to identify potential red flags even before we initiate more formal due diligence investigations. The heavy lifting of compliance due diligence then takes place before we sign a definitive agreement, which implies the use of outside counsel and other external specialists. Such heavy lifting regularly involves active communication to the target company’s leadership. Here, in-house legal counsel jointly with outside counsel and relevant operational leadership at DEKRA interview the target company’s leadership as well as certain members of middle management in face-to-face interviews that take place as part of the “management meetings”. In exceptional circumstances, DEKRA might insist at this stage that the target company’s leadership discloses certain internal communications that surround incidents that DEKRA perceives as potential compliance risks. Depending on the weight and type of the compliance risks identified, DEKRA may also decide prior to completion that it will engage in certain post-completion compliance investigations spearheaded by the Legal & Compliance department. Irrespective of whether we have been able to identify certain compliance risks prior to completion and in line with DEKRA’s insistence on integrated risk and compliance management systems, DEKRA’s audit department regularly runs audits on all subsidiaries and, hence, the newly acquired business.  

How are the findings of your compliance due diligence generally taken into account in the negotiations and the transaction documentation?

DEKRA’s business model largely hinges, as already outlined, on the integrity of DEKRA’s employees, the perception of DEKRA’s brand by market participants and on DEKRA’s reputation as a neutral, independent third party provider of TIC services. DEKRA’s approach to compliance risks is that it avoids acquiring target companies with a compliance history that have the potential to infect DEKRA’s reputation. Having said this, inserting compliance related representations, warranties, and specific indemnities into the definitive agreement is only a minimum requirement. Generally, DEKRA will acquire a company only if DEKRA’s compliance experts have strong reason to believe that compliance risks will not materialise at all or beyond of what is already known. Sometimes a carve-out can help, especially if the target company has various service lines that conflict with the TIC idea. If, in exceptional cases, the “heavy lifting” of the compliance due diligence mentioned above could not sufficiently ascertain a potential compliance risk or the extent of a risk partly materialised, we may either abstain from the transaction or insist on having the right to rescind the transaction or reduce the purchase price ex-post. Reducing the purchase price may already be part of the purchase price mechanism in “staggered acquisitions” where DEKRA has partly bought out the management/owners. Here, the right to purchase further shares later on will include a pricing model that reflects an impact of compliance risks should these materialise.

How do you make use of the findings of the compliance due diligence when integrating the target company into the DEKRA group?

Any results of compliance due diligence that indicate a relevant level of risk will be used to inform risk mitigation measures. The clear message to any target company’s leadership is that DEKRA will make no concessions when it comes to its five core people values. As indicated earlier, integrity is one of these principles. Even if compliance due diligence does not uncover distinct compliance risks, it will help DEKRA to assess the costs, time, and effort related to the integration of the target company into the Group’s compliance management and into the Group’s compliance culture.