Once thought adequately addressed by a simple representation of compliance with the appropriate law, sanctions risk in corporate transactions has increased steadily as sanctions have become more complex and more intertwined with other areas of regulatory compliance. To further complicate the diligence required in these transactions, the footprints of transacting parties have expanded around the globe, and expectations of various stakeholders (such as investors, lenders, insurers and regulators) have heightened. Today, whether the transaction involves an acquisition, establishment of a joint venture, appointment of an agent, onboarding a customer or even a divestiture, a full understanding and review of all applicable sanctions, anti-boycott and export control requirements is necessary if enforcement risks are to be minimised.
While this chapter attempts to present diligence principles and methodologies that can be applied irrespective of the jurisdictions of the parties and businesses involved, it will not escape the reader’s notice that principles of US law are featured prominently. Examination of potential US law exposure is a necessary element of almost all transaction diligence owing to the broad extraterritorial reach of US primary sanctions and related laws and regulations affecting international business, the robust enforcement of such laws, and the wide-ranging deployment of secondary sanctions designed to advance US national security and foreign policy goals. Of course, diligence must cover all potentially applicable laws and regulations. A comprehensive multi-jurisdictional review is beyond the scope of this chapter, but examples of commonly encountered issues posed by EU and national laws are addressed.
Scope of sanctions diligence
The establishment of new business relationships poses a myriad of risks when it comes to compliance with sanctions. This is especially so given the substantial overlap of sanctions regulation and enforcement with other regulatory areas, such as anti-boycott and export control laws and regulations. In the United States, both the Office of Foreign Assets Control (OFAC) and the export control agencies have jurisdiction over trade in goods subject to comprehensive embargoes. In addition, some sanctions programmes – notably, the Ukraine/Russia-related US sanctions – were implemented simultaneously with export control measures targeting many of the same actors. There is often a high correlation between sanctions evasion, diversion of export-controlled items and corruption. Anti-boycott regulations are viewed in some jurisdictions as sanctions subject to blocking laws. In the financial sector, sanctions compliance measures often double as a means of detecting money laundering and other financial crimes, and vice versa. The result is that sanctions diligence cannot be effective if approached in isolation – rather, prospective parties to transactions should deploy a holistic methodology to ensure that all relevant aspects of transactions are reviewed. Happily, such an approach also is less time-consuming and more cost-effective for parties to transactions.
Why diligence is important
Global businesses must comply with sanctions and other legal requirements in all jurisdictions in which they do business. Often, requirements of one jurisdiction will conflict with those of another (as, for example, when efforts to impose compliance with US primary sanctions run up against EU or national blocking statutes) or will apply alongside those of another (such as when US export control rules applicable to items manufactured outside the United States apply in addition to the export control rules of the country of manufacture). In addition, the increasing application of US secondary sanctions creates sanctions risks for companies even if they are in compliance with applicable local laws and not subject to US primary sanctions.
Another source of risk is the expansion ‘by operation of law’ of the list-based sanctions of several jurisdictions to entities owned or controlled by listed parties, which requires not only name screening of potential business partners but also an examination of their ownership and control.
Moreover, owing to the ‘long-arm’ reach of US export control regulations outside the United States to encompass re-exports (from one country to another) and transfers (within another country), non-US companies have not been immune from enforcement action for violations of US export controls and related sanctions. Recent examples include imposition of fines against a Lebanese company for re-exporting engines of US origin to Syria and OFAC’s action against a dental supply company for exporting dental products of US origin to third-country distributors with knowledge that the exports were destined for Iran.
In the merger and acquisition (M&A) context, due diligence is a must if the risk of successor liability for sanctions and export control violations and other offences is to be assessed. Transactions structured as mergers generally pass liability for the pre-transaction activities of the acquired entity to the buyer by operation of law, but successor liability can also arise from stock purchases, as well as transactions structured as asset purchases. Of course, stock purchases that maintain the separate status of the target entity do not create successor liability for the buyer in the strictest sense of the term, but enforcement costs incurred by the target entity in connection with pre-completion violations, with the associated reputational costs, will diminish the value of the buyer’s investment in the target entity. Even in jurisdictions without successor liability, difficulties may arise when company assets may include the proceeds of previous sanctions and export control violations.
As for asset purchases, in a string of US cases, beginning with Sigma-Aldrich in 2002, the Bureau of Industry and Security of the US Department of Commerce (BIS) has interpreted the International Emergency Economic Powers Act (IEEPA) and the Export Administration Regulations to impose successor liability for export violations on purchasers of assets when ‘substantial continuity’ of the business results from the transaction. Notably, IEEPA also is the statutory underpinning for all US sanctions programmes save the Cuban embargo. The Trading with the Enemy Act, which authorises the Cuban embargo, contains provisions similar to the IEEPA provisions interpreted in Sigma-Aldrich and goes a step further by purporting to impose obligations on non-US entities owned or controlled by US persons. Sigma-Aldrich thus laid the groundwork for both BIS and OFAC to impose successor liability on purchasers of assets when the purchased assets constitute a business that continues under the new owner. As enumerated in Sigma-Aldrich, a finding of ‘substantial continuity’ will be supported when:
the successor: (1) retains the same employees, supervisory personnel and the same production facilities in the same location; (2) continues production of the same products; (3) retains the same business name; (4) maintains the same assets and general business operations; and (5) holds itself out to the public as a continuation of the previous corporation.
The decision in Sigma-Aldrich was not appealed and the parties entered into a settlement agreement, following which the BIS position on successor liability was applied in subsequent settlement agreements with both BIS and OFAC.
The Directorate of Defense Trade Controls (DDTC) , which administers the International Traffic in Arms Regulations pursuant to the Arms Export Control Act, likewise has a long history of imposing successor liability dating back to 2003, when the DDTC entered into a consent agreement with Hughes Electronics Corporation and Boeing Satellite Systems, Inc (formerly Hughes Space and Communications). The consent agreement imposed penalties for violations that occurred several years prior to Boeing’s acquisition of the Hughes space and communications division in 2000. The DDTC’s position on successor liability is bolstered by its policy of requiring registered defence companies to agree in writing to assume responsibility for pre-acquisition export licences issued to the acquired business.
Although the US position on successor liability has been criticised by legal scholars, as a practical matter, given OFAC’s sweeping discretionary powers and the ability of US export agencies to deny export privileges, parties have tended to settle enforcement actions rather than embark on time-consuming and expensive challenges to agency authority. As a result, the risk of enforcement actions based on the successor liability concept remains an important focus of sanctions and export control diligence.
In addition to its role in detecting potential successor liability, diligence in M&A transactions is essential if patterns of violative behaviour that may continue post-closing are to be discovered. OFAC has shown little patience for companies that have allowed violations to continue post-closing, imposing penalties in a series of recent cases notwithstanding voluntary disclosures filed by the acquirors. Root causes of violations emphasised by OFAC included being ‘slow to integrate the subsidiary into the . . . corporate family, including with respect to compliance with U.S. sanctions’ (Expedia); failure to ‘implement procedures to monitor or audit [the subsidiary’s] operations to ensure that its Iran-related sales did not recur post-acquisition’ (Stanley Black & Decker); and not undertaking ‘a fuller internal investigation’ upon receipt of helpline reports of continued sales to Cuba (AppliChem). In Kollmorgen, a penalty was imposed notwithstanding ‘egregious conduct’ on the part of the newly acquired subsidiary, whose management actively attempted to thwart the buyer’s compliance efforts by obfuscating continued sales to Iran from the buyer’s ‘extensive efforts’ to ensure the newly acquired subsidiary was complying with US sanctions. Similarly, in Keysight, a penalty was imposed despite the buyer’s directive to its newly acquired subsidiary that continued sales to Iran should cease and the newly acquired subsidiary’s assurance that they had – though, as in Kollmorgen, the newly acquired company continued sales that were actively concealed from the buyer. However, OFAC and other agencies have made it clear that uncovering potential violations during the diligence process is not enough. OFAC’s compliance framework, issued in 2019, notes that mergers and acquisitions ‘appear to have presented numerous challenges with respect to OFAC sanctions’ but that OFAC nevertheless expects that compliance functions ‘be integrated into the merger, acquisition, and integration process’ and that ‘[w]hether in an advisory capacity or as a participant, the [buyer] engages in appropriate due diligence to ensure that sanctions-related issues are identified, escalated to the relevant senior levels, addressed prior to the conclusion of any transaction, and incorporated into the organization’s risk assessment process.’ The recent SAP case serves as a stark reminder of the consequences of failure to address compliance gaps identified during M&A diligence and post-acquisition audits. In late April 2021, OFAC, BIS and the US Department of Justice announced settlements with the German company related to, among other things, violations of the EAR and the Iranian Transactions and Sanctions Regulations (ITSR), resulting from failure to integrate various US cloud services providers acquired in transactions dating back to 2011 into its export controls and sanctions compliance programme.
Transactional due diligence will focus on many of the same compliance issues that should be reviewed in the context of M&A activity, but for different reasons. When vetting potential agents, distributors, joint venture partners or customers, a history of non-compliance with sanctions or export control laws can foreshadow a risk of becoming embroiled in violations and enforcement actions in the future. Companies contemplating entering into a transaction with a third party with a less than stellar compliance record should take a hard look at whether the risk that the party will commit violations in the future can be adequately addressed in the agreement governing the transaction. If the contemplated transaction is a long-term arrangement, such as a joint venture, care should be taken to ensure that the governing agreement provides a clear exit strategy if violations occur, or if changes in the law render continuation of the relationship unlawful.
What your diligence review should include
Diligence in corporate transactions has both business and legal elements, and both come into play in the context of sanctions, anti-boycott and export control due diligence.
From a legal perspective, verifying compliance with legal requirements is a standard starting point. However, establishing that a target company or potential business partner is in compliance with all applicable legal requirements prior to entering into a transaction will not suffice, as new requirements and risks may take effect when the transaction is consummated, with both business and legal implications.
For example, non-US businesses that come under the ownership or control of US persons will become subject to US anti-boycott rules and certain US primary sanctions requirements upon completion of the transaction. In the anti-boycott context, the rules apply to ‘US persons’, which is defined to include ‘controlled in fact’ foreign subsidiaries, affiliates, or other permanent foreign establishments of US business entities, which are termed ‘domestic concerns’ in the rules. ‘Control in fact’ is defined to consist of ‘the authority or ability of a domestic concern to establish the general policies or to control day-to-day operations of its foreign subsidiary, partnership, affiliate, branch, office, or other permanent foreign establishment’.
In the sanctions context, both the Iran and Cuba sanctions extend to non-US entities ‘owned or controlled by’ US persons. The ITSR provide that:
an entity is ‘owned or controlled’ by a United States person if the United States person:
(i) Holds a 50 percent or greater equity interest by vote or value in the entity;
(ii) Holds a majority of seats on the board of directors of the entity; or
(iii) Otherwise controls the actions, policies, or personnel decisions of the entity.
Although what constitutes ownership or control is undefined in the regulations governing the Cuba sanctions programme, the definition applicable to Iran reflects OFAC’s long-standing interpretation of the reach of the Cuba sanctions as well.
Diligence should be designed both to ferret out historical compliance lapses and identify activities that will not be permitted post-completion, as well as the effects of implementing any such prohibitions on the business outlook. Cessation of activities that will be unlawful under US ownership or control may have a material adverse effect on the financial outlook of the acquired business, while compliance failures post-completion will give rise to enforcement risk. Nevertheless, the parties may decide to proceed with the transaction, notwithstanding any detrimental effect on the business that would result from the need to cease certain operations post-completion. In such cases, further diligence should be conducted regarding the legal risks associated with cessation so that advice can be taken on how best to navigate any potential roadblocks, such as those posed by so-called ‘blocking’ statutes. Several jurisdictions, as well as the European Union, have adopted blocking measures to counteract extraterritorial application of US sanctions against Cuba and Iran, while Canada has restricted its blocking measures to the Cuba embargo, and German law targets foreign boycotts. Thus, advice should be taken before completion so that an appropriate plan of action can be formulated, bearing in mind recent enforcement actions against US companies who failed to prevent their recently acquired non-US subsidiaries from continuing business with Cuba and Iran. Litigation risk arising from breach of contract claims from parties to discontinued relationships may also be a factor.
Transactional diligence, like compliance programmes, should also be customised to fit the risks presented and the risk appetites of the parties. Some companies subject all potential agents or distributors to background checks; others apply such requirements only to relationships with third parties located in countries or regions considered high risk from a sanctions, corruption or export diversion perspective. In the absence of red flags, third-party certifications of matters such as ownership and control, as well as compliance, can be considered in place of more extensive diligence.
Diligence checklists must be the subject of continuous improvement. Laws and regulations in the sanctions and export control area change frequently, and these changes usually spawn new diligence requirements, as do new enforcement actions and agency guidance.
In each transaction, care should be taken to ensure that compliance with all applicable sanctions and export controls is reviewed, based on the jurisdiction of formation and places of business as well as products and services of the target company.
When considering doing business with or acquiring a company with operations outside the United States, possible secondary sanctions risk based on the nature of the target’s business also must be considered. US secondary sanctions target those doing business with numerous sectors of the Iranian economy, as well as Russia, Venezuela and North Korea, among other countries.
Relationships with customers, agents or distributors in countries or regions characterised by high risk for diversion or corruption also should be scrutinised carefully – several countries in Asia and the Middle East come to mind in this regard, although, perhaps surprisingly to some, US law enforcement officials also view Canada as a country of diversion risk.
Other often overlooked but important areas of potential liability when conducting due diligence on non-US companies include application of US sanctions and export control de minimis rules and compliance with US export controls applicable to foreign-produced items. Many non-US companies are unaware of the extent to which their products might be subject to US export controls and sanctions as a result of incorporating components of US origin or that have been manufactured using US technology or plant and equipment.
Though traditionally an exercise conducted primarily by the buyer, the increasing convergence of sanctions and export controls with other areas of law and regulation, including national security, anti-money laundering (AML) and anti-corruption, has given rise to diligence obligations for all parties to the transaction. In transactions that may be reviewed by the Committee on Foreign Investment in the United States, both parties will need to assess the export controls applicable to the target US business to assess whether mandatory filing requirements apply, and sellers will want to assess the sanctions and export control compliance history of potential non-US buyers, given new rules that ban companies with a history of violations of US sanctions and export controls from enjoying certain exceptions to the mandatory filing requirements. Investors and bankers providing financing for a transaction will want to ensure sanctions and anti-financial crime compliance by all parties, as well as compliance with export controls and sanctions by the acquired company. Representation and warranty insurers likewise will be alert for compliance lapses so that material violations can be excluded from coverage.
As much as possible, diligence should be streamlined to avoid having to go over the same ground multiple times. Particularly in the context of M&A activity, the target company’s appetite and capacity for responding to diligence requests can wane in the face of competing queries from a myriad of business and legal teams.
Efficiencies can be achieved in the M&A context by minimising the number of requests for the same information. For example, questions relating to sanctions risk assessment, internal controls, testing and auditing, compliance training and management’s demonstrated commitment to comply with applicable sanctions and export control law can be grouped with similar questions about other relevant compliance matters. Further efficiencies can be achieved if the various subject matter experts reviewing the responses to diligence queries coordinate their efforts to avoid having multiple reviewers pore over the same document.
When onboarding business partners, deployment of multiple work streams should be avoided. Questions relating to sanctions, anti-corruption, AML and export compliance should be consolidated into one online or paper form rather than sprinkled throughout a variety of documents and certifications. OFAC recently has signalled approval of this holistic approach. In a release regarding its the 2019 enforcement action against Apollo Aviation Group, LLC (Apollo), OFAC emphasised the importance of know-your-customer (KYC) diligence – traditionally the purview of export and AML compliance guidelines – in the context of sanctions compliance, noting ‘the importance of companies operating internationally to implement Know You [sic] Customer screening procedures and implement compliance measures that extend beyond the point-of-sale and function throughout the entire business or lease period’.
What to do if historical breaches are uncovered
If the diligence process uncovers historical breaches, the parties must decide how to proceed.
If compliance issues are discovered while conducting a background check of a potential customer or distributor, the way forward will depend on whether a relationship is off-limits as a result of the discovery (for example, if the party is on an asset freezing or other applicable sanctions list) or whether a trustworthy relationship can nevertheless be achieved in spite of historical issues (perhaps by imposing and monitoring adherence to various compliance terms and conditions).
In the M&A context, in most cases, the seller will learn of the historical breaches first while preparing responses to the buyer’s diligence queries. At this point, it will be important to consider whether a disclosure should or must be filed. In the United States, most disclosure processes are voluntary rather than mandatory. However, given the substantial reduction in potential fines for sanctions and export control violations that are voluntarily disclosed, many companies will decide to make a disclosure so as to reduce potential exposure. In some instances, the violation may be deemed not to warrant disclosure (such as a minor record-keeping violation), in which case the seller may elect to implement corrective action and disclose the matter to the buyer but not to the relevant agency.
A decision whether to disclose potential criminal conduct is not to be taken lightly in any context, but the SAP case, described by the Department of Justice as the ‘first-ever resolution pursuant to the Department’s Export Control and Sanctions Enforcement Policy for Business Organizations’, does illustrate the benefits of disclosure in appropriate circumstances, in the form of substantially reduced penalties.
However, there are circumstances in which disclosure is mandatory, for example, the requirement under the International Traffic in Arms Regulations to disclose violations involving arms embargoed countries, such as China. In addition, in some jurisdictions there may be mandatory obligations to report known or suspected breaches of AML laws or terrorist financing prohibitions, as well as specific obligations to report known or suspected breaches of sanctions. Moreover, EU regulations giving effect to sanctions laws are accompanied by general obligations to report information that would facilitate compliance.
If the filing of a disclosure is determined to be warranted or required, or if an enforcement action is commenced during the period of diligence, the buyer and its counsel may wish to have input into the disclosure or response to the enforcement action. In these circumstances, a joint defence agreement may be considered as a means of protecting privilege. Absent a joint defence agreement, sellers should keep in mind that legal privilege does not attach to responses to the buyer’s diligence queries. Furthermore, depending upon the jurisdiction, disclosures to one’s own in-house counsel likewise may not be protected, in which case it may be prudent to channel compliance diligence regarding potentially sensitive matters through external counsel.
Both parties can and should take steps to remediate compliance breaches and enforcement risks identified during diligence.
In the lead-up to a merger or acquisition, a seller who discovers historical breaches bears primary responsibility for stopping the unlawful conduct and beginning to implement corrective actions. However, while some remediation steps (such as disciplining employees involved in the misconduct) can be taken fairly quickly, other more systemic responses (such as overhauling compliance programmes and procedures) may be best left to the buyer, particularly if the buyer has a robust compliance programme that it intends to roll out to the newly acquired business. In such instances, the seller may choose to implement only those short-term remediation measures required to ensure that no further breaches occur prior to the closing.
The buyer, however, is responsible for lapses that continue or occur on its watch, and several recent OFAC enforcement actions discussed in this chapter (Keysight, Expedia, Stanley Black & Decker, AppliChem and Kollmorgen) illustrate the importance of regular compliance monitoring in the context of integrating newly acquired businesses. Thus, it is not enough merely to have compliance policies and procedures and provide training; companies must also monitor compliance with their policies and procedures if they wish to avoid enforcement action.
This can be of particular concern for newly acquired non-US companies. For instance, as the Keysight and Kollmorgen cases highlight, parent companies should be particularly careful when acquiring non-US companies that have pre-existing relationships with sanctioned persons and jurisdictions that may continue despite directives from the parent company to the non-US subsidiary that these relationships be terminated. As in both Keysight and Kollmorgen, the non-US subsidiary may even undertake efforts to conceal continued business with sanctioned parties from the parent company by falsifying corporate records. Because of the risk that non-US subsidiaries may continue to do business with sanctioned parties, it becomes particularly important for companies acquiring non-US companies not simply to rely on certifications from non-US subsidiaries that they have ceased such business, but also to take pro-active steps to ensure that such business has actually ceased by insisting on parent company visibility into the newly acquired non-US subsidiary’s corporate records. Although in both Keysight and Kollmorgen, the buyer did not have knowledge of its newly acquired subsidiary’s continued sales to Iran, in Kollmorgen OFAC detailed the buyer’s ‘extensive efforts’ to ensure post-acquisition compliance and determined the violations to be non-egregious (imposing a base penalty of only US$7,434 rather than the US$750,000 that would have been imposed if OFAC had found the violations egregious). In finding the violations non-egregious, OFAC credited the buyer’s ‘extensive and preventative remedial conduct’. However, in Keysight, in which OFAC did not make such a finding as to buyer’s post-acquisition compliance efforts, OFAC found the violations egregious and imposed a base penalty of US$1,051,460 (half the statutory maximum) – the lesson being that the more post-acquisition diligence and remedial measures, the more likely the buyer is to receive leniency from OFAC should violations continue to occur post-closing. The SAP case also illustrates the benefits of remediation. As noted by the Department of Justice, ‘SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated.’ The disclosure, cooperation and remediation culminated in a non-prosecution agreement with the Department of Justice and administrative agreements with OFAC and BIS.
In the context of agreements with customers and other third parties, the parties must decide to what extent a breach of compliance obligations triggers termination rights. The agreement also should clearly address the role that each party will play in remediation, in the absence of a triggering breach.
Supplementing diligence with compliance representations and covenants
Agreements recording corporate transactions, whether with business partners or buyers or sellers of businesses, contain numerous clauses designed to allocate risks associated with past or future violations.
All agreements should contain basic representations and warranties about the identity and ownership of the parties. To the extent that an agreement is intended to govern a relationship between the parties going forward, it should include covenants of both parties to advise the other if its circumstances change (e.g., if it or any of its owners is added to a sanctions list), as well as covenants to comply with applicable sanctions and export controls, related information exchange and termination rights, and, if applicable, rights and obligations of the parties in connection with any required remedial action.
The recent OFAC enforcement action against Apollo illustrates the importance OFAC assigns to regular compliance monitoring in the context of customer relationships. Although the party to whom Apollo leased aircraft engines failed to comply with lease provisions that prohibited the transfer of the engines to a country subject to US sanctions, and the violations were disclosed voluntarily, OFAC nevertheless penalised Apollo, noting that:
Notwithstanding the inclusion of this clause, Apollo did not ensure the aircraft engines were utilized in a manner that complied with OFAC’s regulations. For example, at the time, Apollo did not obtain U.S. law export compliance certificates from lessees and sublessees. Additionally, Apollo did not periodically monitor or otherwise verify its lessee’s and sublessee’s adherence to the lease provision requiring compliance with U.S. sanctions during the life of the lease.
Caution should be exercised, however, as including unmanageable audit requirements in agreements with customers and other third parties can come back to haunt companies who do not avail themselves of their audit rights. This is another area in which collaboration between various compliance functions within a company can add value. For example, personnel who conduct periodic audits for other purposes, such as financial or quality control, can be trained to incorporate checks for sanctions and export compliance into their audit process.
In the M&A context, representations and warranties regarding past compliance are critical, but there is a tension between the objectives of the buyer and seller in negotiating these clauses. Sellers often will prefer to couch these representations and warranties with varying degrees of materiality and knowledge qualifiers, while buyers may prefer more robust disclosures.
Purchase agreements typically also contain various provisions under which a buyer may seek indemnification from a seller for breaches of representations and warranties. These clauses impose monetary limitations on recovery, require claims to be made within a certain time, and exclude claims for known exceptions disclosed to the buyer. Occasionally, however, the parties may agree to include special indemnity provisions relating to potentially significant issues. However, it is important to understand that the indemnification clauses, with the representations and warranties, will define the limits of the seller’s responsibility to reimburse the buyer for costs associated with pre-completion compliance lapses. As a result, buyers must satisfy themselves during the diligence process that they are willing to bear any enforcement risk not covered by the negotiated indemnity or representation and warranty insurance, which typically excludes coverage of damages arising from known material violations.
Ongoing diligence expectations
In the end, irrespective of the scope of the representations and warranties that may be negotiated, or how ‘clean’ the results of a diligence review may be, the enforcement agencies have made clear their expectation that acquirors should conduct further diligence post-completion and that parties to commercial agreements should monitor compliance for the life of the relationship. Among other things, OFAC clearly expects buyers to conduct heightened diligence of parties known to do business with countries or entities subject to OFAC sanctions, appoint management personnel who are committed to compliance, conduct regular audits and risk assessments, provide ongoing training, and respond to red flags promptly. In the context of commercial relationships, OFAC expects risk assessments, exercise of caution when doing business with entities with known contacts with OFAC-sanctioned entities and jurisdictions, compliance monitoring throughout the life of the relationship, training, KYC screening procedures and, when applicable, the obtaining of compliance certifications.
In light of these ongoing diligence and compliance expectations, buyers evaluating potential mergers or acquisitions and parties contemplating commercial transactions should ensure that their pre-completion due diligence includes not only an assessment of the legal and business risks discussed in this chapter, but also an evaluation of their capacity to meet the expectations of regulators for ongoing diligence and compliance, as well as the enforcement risks they will face if these expectations are not met.