Compliance Requirements and Best Practices in M&A Transactions

Updated: Feb 19 ‘24 Published: Feb 19 ‘24 34 min read

As much as 51% of M&A advisory firms anticipate higher deal volumes in 2024. However, buyers still approach deals cautiously and carefully address M&A risks and evolving compliance requirements. Tax regulations, antitrust laws, and ESG regulations remain critical aspects of the M&A landscape. This article explores the following:

  • Seven M&A compliance risks.
  • Seven compliance requirements.
  • M&A compliance due diligence checklist.
  • Five best compliance M&A practices.
compliance and guidelines m&a

Importance of compliance in M&A transactions

Historically, 70% – 90% of deals fail for various reasons, from poor due diligence to compliance issues (Harvard Business Review). The latter has been a key concern for today’s buyers. Baker Mcrenzie’s survey has revealed that 26% of companies abandon half or more of deals due to compliance issues revealed during due diligence. The biggest compliance risk in M&A comes from the following:

  1. Antitrust laws. Around 14% of deals valued at $1+  billion get canceled annually due to antitrust concerns. It’s the second biggest deal breaker after price disagreements.
  2. Tax compliance issues. A buyer may assume hidden liabilities with multi-million settlements. Hidden compliance issues are a part of the reasons why buyers overpay. Overpaying is also among the biggest contributors to deal failures.
  3. ESG compliance risks. AON’s survey has revealed that 96% of investors expect ESG regulatory scrutiny to intensify in the next three years. Meanwhile, 24% of AON’s 2023 survey respondents said environmental litigations were among the top feared post-deal issues.
  4. Intellectual property issues. Intangible assets, such as intellectual property and goodwill, comprise over 80% of enterprise value across S&P 500 companies. At the same time, an intellectual property settlement can cost as much as $470 million.
  5. Licensing compliance issues. According to Wolters Kluwer, businesses must comply with over 300 license types across 8,300 jurisdictions and 100+ industries. Failure to comply with specific requirements may trigger substantial penalties.
  6. Data compliance issues. Dealmakers make substantial data transfers and are especially susceptible to security risks, including litigations and penalties. According to the IBM report, companies lose an average of $4.45 million on a single data breach.
  7. Cross-border compliance issues. Cross-border deals carry many more complexities than domestic ones, requiring buyers to investigate intricate foreign regulations. Thus, violating sanctions regulations may result in multi-million penalties and even 30-year sentences.

Key compliance requirements in M&A

  1. Antitrust requirements
  2. Tax requirements
  3. Environmental compliance M&A requirements
  4. Intellectual property requirements
  5. Business licensing requirements
  6. Data security requirements
  7. Cross-border requirements

Antitrust requirements

The U.S. Department of Justice and the Federal Trade Commission released the latest Merger Guidelines on December 18, 2023. This 51-page document covers antitrust M&A regulatory compliance recommendations. You can see the main provisions below.

Main provisions from Merger Guidelines Antitrust thresholds
1. Mergers shouldn’t lead to significant market concentration.

✔ The market’s Herfindahl-Hirschman Index (HHI) is over 1,800, and the HHI change is over 100
✔ The merged entity’s market share is over 30%. HHI change is over 100

2. Mergers shouldn’t threaten competition between companies.

No specific transaction regulations. However, the following aspects are analyzed for anti-competition effects:

✔ Strategic decisions
✔ Customer substitution
✔ Transaction history
✔ Impact of competitive actions on merger’s rivals

3. Mergers shouldn’t increase the risk of market coordination.

The post-merger market is susceptible to coordination if the following conditions are met:

✔ HII market concentration is over 1,000
✔ The merged entity has prior attempts to coordinate the market
✔ Disruptive firms (Maverick) are eliminated from the market

4. Mergers shouldn’t create market structures that foreclose competition.

✔ The merged entity’s foreclosure share is 50%

If the foreclosure is less than 50%, the following factors are considered:

✔ Purpose of the merger
✔ Level of market concentration
✔ Level of vertical integration
✔ Entry barrier reduction

Premerger program requirements

✔ Mergers and acquisitions valued at $119.5 million must submit a premerger notification to the Department of Justice and the FTC.

Tax requirements

There are many tax considerations as part of financial reporting compliance. Thus, with asset purchases, buyers and sellers must report to the Internal Revenue Service (IRS). Dealmakers must file Form 8594 (Asset Purchase Statement). Here are the main requirements for Form 8594.

Requirement Specification

✔ Total sale price (estimate or consideration)
✔ Asset classes I-VII
✔ Aggregated fair market value + allocation of sale price for each asset class
✔ Supplementation statement is required if there are amendments to the total sale price


The statement must be attached to the income tax return of the year M&A occurred.

Filing exceptions

Buyer/seller is not required to attach Form 8594 if the following conditions are met:

✔ If the assets are exchanged for like-kind assets under section 1031. Form 8694 is still required for assets beyond section 1031.
✔ There is a partnership interest transfer. However, if partnership interest falls under section 1060, Form 8594 is required.


Up to $3 million for not providing the asset purchase statement timely. The IRS may initiate additional audits.

Environmental compliance M&A requirements

ESG regulations require companies to disclose ESG-related data, such as greenhouse gas (GHG) emissions and ESG risks. The Securities and Exchange Commission released ESG rules in March 2022.

The final ESG disclosure rules will be available in 2024. Here are the main ESG disclosure requirements affecting all companies registered in the United States based on SEC’s 2022 rules.

ESG disclosure categories Scope of ESG disclosure
Financial statement line items

✔ The impact of severe climate events if the amount of such impact exceeds 1% of line items
✔ Climate risk mitigation expenditures
✔ Climate events impact on projections documented in financial statements

GHG emissions

✔ Direct emissions from sources controlled and owned by the company (Scope 1)
✔ Indirect emissions from purchased energy sources, such as steam, heat, and cooling (Scope 2)
✔ Upstream and downstream emissions (Scope 3)
✔ Scope 1-2 emissions must be disclosed separately and in total before any offsets
✔ Scope 3 emissions must be also reported before any offsets

ESG practices and governance

✔ Climate risk assessment records
✔ Climate compliance risk management systems, protocols, and measures, and their connection to broader risk management strategies
✔ Climate transition plans with goals and KPIs
✔ Climate-related goals with detailed plans, metrics, and annual performance reports
✔ Climate risk management practices on the board of directors

Reporting requirements

ESG disclosures must be provided in the following statements:

✔ SEC registration statements
✔ Annual reports
✔ Financial statements (for financial statement footnote disclosures)
✔ Form 10-K (for GHG and ESG governance disclosures)

Reporting frameworks

Businesses use common reporting frameworks:

Sustainability Accounting Standards Board (SASB)
Global Reporting Initiative (GRI)
International Financial Reporting Standards (IFRS)

Intellectual property requirements

Acquirers have to ensure trademarks, patents, copyrights, and trade secrets are correctly registered and legally protected during ownership transfer.

The acquirer can clarify the validity of the target’s intellectual property rights with the United States Patent and Trademark Office. Here are the main requirements this authority has for intellectual property.

IP regulation Requirements
United States Patent and Trademark Office (USPTO)

During M&A, intellectual property is automatically transferred to the acquiring party. An acquirer must ensure the target’s intellectual property rights are correctly registered and have the following properties:

✔ Trademark type
✔ Class of goods and services
✔ Filing basis and international filer
✔ Track record: country, application, registration record, maintenance fees

Business licensing requirements

An acquirer has to double-check its business licensing status and carefully investigate the target’s licensing matters.

Business licensing typeExamples
General licensesPayroll forms, employee compensation filings, and sales tax permits.
Regulatory permitsRegulatory approvals for domestic and foreign businesses in regulated industries (defense, banking, telecommunications, medical, etc.).
Occupational licensesOccupational licenses in regulated industries (agriculture, construction, financial services, gaming, insurance, healthcare, etc.).
Local licensesTaxation, occupation, and other licenses under local requirements, such as Washington, D.C.

Data security requirements

Below, you can see key regulations affecting data privacy in M&A. Please note that these regulations require companies to protect personal information using reasonable security measures. Failure to protect data (data breach) triggers litigation.

Data security regulation Businesses affected Key requirements
The California Consumer Privacy Act of 2018 (CCPA)

The following requirements:
Generate annual revenue over $25 million.
Have the personal information of 100,000 California residents.
Generate 50% of revenue from selling personal information of California residents.

✔ Inform customers which personal information you collect
✔ Allow customers to delete personal information or choose which information can be collected or shared
✔ Protect customers’ personal information
✔ Disclose privacy policies

Health Insurance Portability and Accountability Act (HIPAA)

Healthcare businesses

✔ Protect individually identifiable health information (protected health information (PHII))
✔ Maintain administrative, technical, and physical safeguards
✔ Have security officials for developing and maintaining security policies
✔ Ensure full access control to PHII

The Gramm-Leach-Bliley Act (GLBA)

Financial institutions

✔ Have privacy policies explaining the use of customers’ personal information
✔ Allow customers to choose which personal information is used
✔ Protect customers’ personal information

Cross-border requirements

Compliance requirements for cross-border transactions depend on many factors, such as the industry, jurisdiction, nature of the transaction, etc. The scope of requirements for each transaction is individual, and it’s preferable to involve compliance advisors for careful due diligence in this risky environment.

As per Deloitte’s survey, tax laws, regulatory requirements, and political instability are the primary risk factors in cross-border M&A. Companies should emphasize tax, regulatory, and sanctions compliance in cross-border deals.

top risk factors in m&a compliance
Source: Deloitte

Conducting thorough due diligence

High-quality compliance due diligence (DD) in M&A is the only way to mitigate compliance risks early. In contrast, up to 60% of executives consider inadequate due diligence the primary reason for failed deals, Bain & Company finds. 

Acquirers should initiate inspections after signing a letter of intent (LOI). It helps to buy time for unexpected issues and collaborative hiccups. Additionally, compliance due diligence should span the main business functions and transaction documents for M&A. You can create compliance checklists to navigate due diligence items more efficiently. Here is the sample M&A compliance checklist.

M&A compliance area Sample due diligence checklist

☐ Market share
☐ Competitive landscape
☐ Level of market concentration and vertical integration
☐ Potential antitrust concerns
☐ Scope of pre-transaction filings
☐ Past, current, and pending antitrust litigations of the target company
☐ Target’s transaction history


☐ Target’s tax warranties and representations
☐ Target’s quality-control procedures
☐ Tax returns for the past five years
☐ Form 8594
☐ Tax disclosures
☐ Tax liabilities
☐ Tax audits
☐ Past, current, and pending tax litigations


☐ ESG disclosure history
☐ ESG disclosure frameworks
☐ ESG policies and practices
☐ Environmental risks and liabilities
☐ Past, current, and pending environmental litigations

Intellectual property

☐ IP portfolios
☐ USPTO records
☐ IP licensing agreements and contracts
☐ Third-party IP rights
☐ IP maintenance status
☐ IP insurance coverage
☐ IP disputes and litigations

Business licensing

☐ Licenses and permits
☐ Occupational licenses
☐ Change of control provisions in licenses
☐ License applications and renewals
☐ Material license agreements
☐ Transfer of license consent
☐ Licensing audits

Data security

☐ CCPA, HIPAA, GLBA, and GDPR (EU) certificates
☐ SOC 1,2,3 audits
☐ Data inventory
☐ Data breach history
☐ Data security policies, controls, and systems
☐ Data transfer mechanisms
☐ Cybersecurity insurance
☐ Past, current, and pending data security litigations

Cross border

☐ Regulatory frameworks across buyer and seller jurisdictions
☐ Corporate governance standards
☐ Seller’s antitrust regulations
☐ Foreign investment restrictions
☐ Taxation policies
☐ Sanctions considerations
☐ Data privacy and protection legalities
☐ Foreign regulatory approvals

2 best practices in managing compliance risks

Professional compliance assistance and quality data analytics are the strongest predictors of smooth M&A besides thorough due diligence. You can drastically increase deal success chances with these two best practices.

Engage legal advisors

It might be tempting to conduct compliance due diligence with the internal team only. However, external advisors are preferable for a professional M&A process. Here are the best practices for advisory assistance in compliance management:

  • Engage compliance advisors early. Connect the advisory and DD teams at the start of due diligence and ensure consistent cross-functional collaboration.
  • Use incentives. As advisors receive compensation when deal parties sign transactions, they may pursue M&A closure regardless of the results. Acquirers can offer “performance bonuses” to consultants, ensuring the best outcomes.
  • Leverage teamwork. Define the scope and responsibilities of advisory teams from the beginning to ensure transparent workflows. It will minimize misunderstandings and decisional overlaps.
  • Limit quantitative aspects. Preferably, hire no more than one advisor. Multiple parties may produce conflicting decisions and increase data leakage risks.

Use a virtual data room

Based on our experience, a virtual data room is inseparable from a successful acquisition. It is a security-first virtual workspace designed for M&A lifecycle management. A virtual data room for M&A has the following capabilities for compliance due diligence:

  • Accelerate seller due diligence. In-built personally identifiable information (PII) redaction helps sellers prepare due diligence materials for submission directly in the data room rather than using additional software.
  • Improve buyer due diligence. Buyers can configure Q&A workflows and auto-forward seller questions to relevant DD professionals and advisors. Attachments, discussions, and configurable FAQ sections streamline compliance due diligence.
  • Simplify document management. VDRs offer powerful features for analyzing bulk documents and tracking compliance progress. Automatic data indexing, file conversions, bulk drag-and-drop actions, and full-text search reduce administrative tasks.
  • Ensure security compliance. Using a VDR is the simplest and most effective way to ensure CCPA, HIPAA, GLBA, and GDPR compliance during M&A. VDRs allow deal parties to enable role-based access to critical data with many features that prevent unsolicited file-sharing, phishing, and data hacks.

Post-merger compliance integration

Failed integration is the biggest cause of deal failures (Harvard Business Review). Compliance integration is critical, and surviving companies overlook several compliance risks during post-merger integration (PMI):

  • Statutory risks. Failure to obtain and update licenses, public records, and regulatory filings may trigger audit procedures and penalties.
  • Inability to run a business. Litigations result in the loss of good standing (and related certifications). It may prevent the company from running business leading to customer outflows and revenue losses.

Acquirers can boost post-integration risk prevention processes with robust governance, audits, and digital accelerators.

Tip: Check the best M&A risk management practices with case studies.

Create a compliance plan

Businesses often treat post-merger integration as a background process, canceling advisory assistance as soon as the transaction gets signed. A more optimal approach is to create a dedicated PMI compliance office consisting of DD professionals, cross-functional managers, and external advisors. Our observations indicate that the following practices reduce post-integration risks:

  1. Initiate compliance planning early. Determine key compliance considerations on industries, markets, and jurisdictions in advance. PwC 2023 integration survey revealed that 60% of successful companies started to develop long-term operating models as early as deal screening and LOI. 
  2. Emphasize post-integration compliance requirements. A surviving entity should focus on the following compliance requirements during integration:
    1. Update business records (business name, location, office, jurisdiction).
    2. Obtain operating licenses in new states and additional locations.
    3. Revoke foreign qualifications (when ceasing business in some states).
    4. Ensure tax compliance after M&A by registering in new tax departments (new states).
    5. Obtain (update) licenses for new products and services.

Ensure continuous auditing

Continuous audits pinpoint potential risks and develop corrective actions in the post-integration phase. Address the following questions in compliance audits:

  1. What is the audit scope?
  2. What is the current status of compliance initiatives? Licensing, data security, ESG, financial, intellectual property, etc.
  3. What is the status of supply vendor compliance?
  4. What is the status of contract compliance?
  5. What actions have been taken to satisfy compliance requirements?
  6. What KPIs have been used to measure compliance success?
  7. Are there any remaining compliance issues?
  8. Is there a compliance incident response plan?
  9. Are there continuous improvement measures?
Tip: Check the 20+ key questions to ask during a merger.

Use digital accelerators

Enable digital accelerators — data analytics and preconfigured systems like virtual data rooms during post-merger integration. PwC’s survey on integration shows that 88% and 52% of successful M&A organizations use this technology in operational and legal integrations, respectively.

usage of digital accelerators
Source: PwC 2023 integration survey

The bottom line

  • The primary M&A compliance risks come from antitrust, ESG, data security, licensing, IP, taxation, and cross-border issues. Businesses should explore and meet respective compliance requirements before, during, and after M&A.
  • The best M&A compliance practices include conducting thorough due diligence, engaging legal advisors early, and using virtual data rooms.
  • To ensure compliance during post-merger integrations, successful companies initiate compliance planning before due diligence, conduct continuous compliance audits, and use digital technology for legal and functional integrations.


M&A organizations should consider antitrust laws, financial reporting requirements, business licensing requirements, and ESG reporting standards. Businesses should also consider data security requirements, intellectual property validations, and cross-border M&A legal requirements.
The biggest compliance risks come from antitrust violations, ESG reporting litigations, tax law violations, data breach penalties, and licensing violations. These issues result in the loss of good standing and temporary inability to run a business.
Compliance risks include penalties and temporary inability to run a business, which lead to material and reputational losses. Legal risks include risks of authorities triggering legal investigations against entities that violate laws or compliance regulations. As a result, compliance risks include legal risks.


Marketing specialist at

Elisa is a marketing specialist with 15 years of experience. She worked for many VDR brands and gained insider knowledge of the industry.

At, Elisa conducts marketing research, develops content plans, supervises content teams, and develops VDR review methodology. She envisions her mission as distributing accurate knowledge of virtual data rooms.

“My mission is to deliver accurate and relevant knowledge of virtual data rooms to as many people as possible.”

To make sure you have the best possible experience on our site, we use cookies. By continuing to use this website, you consent to the use of cookies.
Learn more
To top