Investing in a startup offers many benefits for a corporate investor, but it can also lead to buying into compliance risks. Compliance due diligence can greatly mitigate this risk if a few key points are considered.
When an established company takes a stake in a start-up, worlds collide in many respects. Not only in terms of corporate culture, hierarchies and creativity – the two partners also tend to differ fundamentally when it comes to compliance. The risk appetite typical of start-ups and their rapid growth mean that resources are primarily invested in technical and commercial development. Internal control systems as well as legal and tax advice are usually only pushed as far as absolutely necessary. In addition, compliance is often more difficult to implement in startups than in other companies, because startups operate in a more decentralized manner than other companies. The buzzword is enterprise agility. From an entrepreneurial point of view, this is understandable, but for the corporate investor it carries a risk, because compliance violations can have a Group-wide impact and damage the image.
A corporate investor should therefore ask himself two questions before investing in a start-up or even acquiring it completely: Am I buying into compliance risks and/or violations with my investment? And how can I ensure compliance in the target company for the future? Here, technology-based start-ups will regularly be particularly concerned with the areas of data protection and intellectual property.
Compliance due diligence and contractual risk allocation
Compliance due diligence often covers topics such as anti-corruption, antitrust and money laundering. Depending on the target company’s business model, other areas may be added, such as foreign trade law, product safety, data protection and industrial property rights. In addition, so-called risk-increasing environmental factors should also be surveyed and taken into account, such as the geographical classification of the business activity in comparison with the corruption perception index, the degree of regulation of the business model, the share of public contracts in the total business volume or the existence of cash transactions.
The results of the due diligence must be incorporated into the contracts governing the investment or acquisition. In particular, guarantees from the founders or sellers that protect the investor from unidentified risks, as well as indemnifications that relieve the investor from already known risks, come into question. Conduct obligations ensure that no changes detrimental to the investor are initiated between the signing of the agreement and its execution. And finally, execution conditions obligate the parties to bring about a predefined state and in this way make the company capable of being taken over or invested in.
Compliance management in start-ups
The implementation of a compliance system in a start-up follows different rules than in traditional companies. Under the rules of enterprise agility, startups typically organize themselves through value chains. The compliance organization must also understand these characteristics if it is not to paralyze the company. The necessary compliance structure is best described as “compliance agility.” There are three main issues at stake here:
The company needs a compliance culture, because compliance is first and foremost an attitude, especially in decentralized structures where little central control is exercised and documented. In addition, there is a governance and organizational structure that follows the principle of subsidiarity and clearly and unambiguously regulates horizontal and vertical delegation. Finally, decentralized compliance should be supported by legal tech applications, such as IT-based contract management. Here, outsourcing certain compliance tasks can also relieve the burden and provide additional legal certainty, for example a whistleblower system or business partner audits as managed services.
For a start-up seeking investment by a corporate investor, this results in the need to align its compliance organization to withstand compliance due diligence. In addition, both investor and start-up should align their compliance in such a flexible way that a later integration does not endanger the agility and innovative strength of the start-up.
For many startups in the digital economy, handling personal data is part of the core area of their business model, so they have to take into account the GDPR that came into force in 2018. Art. 6 par. 1 GDPR establishes the principle of prohibition with reservation of permission – therefore, a corresponding legal basis must exist for any processing of personal data. In addition, there are further principles of data processing as well as documentation and accountability obligations. In digital business models, almost every step from the selection of business partners to market cultivation and customer contact must be thought through in advance in terms of data protection. In individual cases, a full data protection impact assessment may be required.
The requirements for organization and documentation run rather counter to the decentralized structure of a start-up. So if you don’t want to set up a central office that checks all data processing operations and decides whether to approve them, the answer can only be delegation of tasks – with compliance being performed and the responsibility borne by different people. The basis for this must be the transfer of know-how through training and documentation and the use of IT tools or external service providers.
Intellectual property rights
In many start-ups, intellectual property plays a key role, i.e. technical property rights, trademarks, designs, copyrights or trade secrets. They often make up the majority of business assets. From a compliance perspective, two issues can come into play here. On the one hand, the start-up may infringe the rights of third parties. This risk exists in particular for technology-based companies, which is why a higher standard of due diligence must be applied here. Here, too, internal training should raise the necessary awareness of the problem and, if possible, rule out rights infringements in advance. A review by external service providers can then provide further legal certainty.
On the other hand, start-ups and/or their investors would also have to keep in mind the protection of the company’s own rights. Frequently, such rights represent the actual motive for the planned takeover/investment, so that investors become alert when problems arise in this regard. If a corporate investor wants to use such rights, it must be ensured that the rights belong to the start-up and not, for example, to its founders/owners, employees, freelancers or other third parties. The prerequisites for the acquisition of rights by the start-up – such as the existence of an employment relationship, the development as part of the work task or the claiming of an invention in accordance with the provisions of the Employee Invention Act – must be fully documented.
Stuttgart Site Manager
Head of Compliance & Corporate Criminal Law
tel: 0711 781923418
© 2023 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.
KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.