Compliance Due Diligence

Compliance due diligence is the structured process of investigating and evaluating an organization's adherence to applicable laws, regulations, and internal standards before a transaction, partnership, or significant business decision. It operates as a formal risk identification mechanism, surfacing regulatory liabilities that might otherwise transfer undetected through mergers, acquisitions, vendor contracts, or new market entry. Agencies including the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have explicitly incorporated the quality of due diligence into enforcement discretion decisions, making it a material factor in legal exposure — not merely an administrative formality.

Definition and scope

Compliance due diligence refers to the systematic inquiry into whether an entity — a target company, a business partner, a vendor, or an acquired asset — meets its regulatory obligations across applicable jurisdictions. Its scope is defined by the transaction type, the industries involved, and the regulatory frameworks that govern each.

The DOJ's Evaluation of Corporate Compliance Programs (updated June 2020) distinguishes between pre-acquisition due diligence and post-acquisition integration, treating each as a discrete phase with measurable expectations. The Foreign Corrupt Practices Act (FCPA) Resource Guide, published jointly by the DOJ and SEC, identifies third-party due diligence as a core element of an effective compliance program — specifically because FCPA liability can attach to conduct by agents and intermediaries acting on a company's behalf.

Scope boundaries in compliance due diligence are established along three axes:

  1. Jurisdictional scope — which national, state, or local regulatory regimes apply to the target entity's operations
  2. Subject-matter scope — which compliance domains are relevant (e.g., financial compliance, environmental, employment, export controls)
  3. Temporal scope — how far back the review extends, typically tied to applicable statutes of limitations or contractual representation periods

A due diligence review that omits any of these dimensions leaves a gap in the record. A regulator may later cite that gap as a deficiency in the program (the DOJ's effectiveness criteria ask whether the scope of diligence was proportionate to the risk), and a counterparty may use it to argue that the acquirer accepted the omitted risk with open eyes, weakening later indemnification or price-adjustment claims.

How it works

Compliance due diligence follows a phased framework that mirrors the lifecycle of the underlying transaction or decision.

Phase 1 — Scoping and risk mapping. The inquiry begins with identifying the regulatory landscape. A compliance risk assessment produces the initial risk map, determining which frameworks apply and which present elevated exposure. This phase draws on public regulatory filings (for example, filings in the SEC's EDGAR system), agency enforcement databases and press releases, and government sanction lists including the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) List. The target entity, its principals, and its known intermediaries are screened against these sources before any documents are requested, so that the document request itself is shaped by the risks already visible from the outside.

Phase 2 — Document review and verification. The entity under review is asked to produce licenses, permits, audit reports, enforcement correspondence, and internal compliance records. Reviewers cross-reference these against compliance documentation requirements for each applicable framework. Gaps in recordkeeping are themselves compliance indicators.

Phase 3 — Interview and process testing. Key personnel are interviewed to assess whether documented policies reflect actual operating practice. The gap between written policy and operational reality is a primary indicator of systemic compliance failure, as noted in the DOJ's 2020 guidance on compliance program effectiveness.

Phase 4 — Finding classification and remediation planning. Findings are classified by severity — typically as critical, significant, or informational — and mapped to specific regulatory provisions. Each critical or significant finding generates a remediation path with ownership assignments and timelines, consistent with compliance violation remediation standards.

Phase 5 — Integration into transaction terms. In M&A contexts, due diligence findings feed directly into representations, warranties, indemnification caps, and purchase price adjustments. A material compliance finding may trigger a renegotiation condition or a deal suspension.

Common scenarios

Compliance due diligence applies across distinct transactional and operational contexts:

Mergers and acquisitions. The acquiring party inherits the compliance posture of the target entity, including any ongoing regulatory investigations. The DOJ and SEC have credited pre-acquisition due diligence programs in enforcement decisions involving FCPA violations discovered post-closing.

Third-party and vendor relationships. The Federal Acquisition Regulation (FAR) and agency-specific procurement rules require contractors doing business with the federal government to check proposed subcontractors against the exclusion records in the System for Award Management (SAM) and to flow down specified compliance clauses to them. Third-party compliance management protocols extend this logic to private-sector supplier chains, where the screening is driven by anti-corruption, sanctions, and data-protection exposure rather than by procurement regulation.

Licensing and market entry. Entities entering regulated industries — banking, healthcare, pharmaceuticals, telecommunications — must demonstrate compliance with sector-specific requirements before licenses are granted. The Office of the Comptroller of the Currency (OCC) does this through the bank charter application process, and the Centers for Medicare & Medicaid Services (CMS) through provider and supplier enrollment screening; each applies its own pre-entry review to its regulated population.

Cross-border transactions. Export control compliance under the Export Administration Regulations (EAR), administered by the Bureau of Industry and Security (BIS), and OFAC sanctions screening are mandatory elements of any due diligence involving foreign counterparties.

Decision boundaries

Compliance due diligence differs from a compliance audit in both trigger and authority. An audit is a periodic or event-driven internal or external review of an ongoing compliance program (see compliance audit procedures). Due diligence is transactionally triggered and externally focused: its primary output informs a business decision, and any remediation it identifies is typically folded into the transaction as a closing condition or integration obligation rather than run as the reviewer's own remediation cycle.

Due diligence also differs from legal due diligence in scope. Legal due diligence catalogues contractual obligations, litigation history, and intellectual property rights. Compliance due diligence specifically evaluates regulatory adherence and the operational infrastructure supporting it — a distinction that becomes significant when the acquiring party faces successor liability under statutes such as the Clean Air Act (42 U.S.C. § 7401 et seq.) or the False Claims Act (31 U.S.C. §§ 3729–3733).

The appropriate depth of due diligence is proportional to risk: a higher-risk target in a heavily regulated industry warrants more intensive review than a lower-risk asset in a minimally regulated sector. This proportionality principle is embedded in the DOJ's program effectiveness criteria and in ISO 37301:2021, the international standard for compliance management systems published by the International Organization for Standardization (ISO).

Monitored by ANA Regulatory Watch.