The Compliance and Regulatory Due Diligence Process for Pharma M&A Transactions

10 Min Read By: Darshan Kulkarni

A much-publicized 2003 KPMG survey concluded that nearly 70 percent of mergers and acquisitions (“M&A”) (in various verticals) did not achieve the acquiring companies’ management goals.[1] The key to success in this regard is due diligence. Appropriately conducted due diligence serves a variety of functions, including (1) identifying issues that may reduce the price of the target company;[2] (2) identifying the value and sustainability of product technologies, their threats, and improvement opportunities;[3] (3) identifying possible opportunities for investment;[4] (4) validating existing contracts, approvals, registrations, etc.;[5] (5) identifying the appropriate warranties and indemnities,[6] and (6) assisting in developing the sale and purchase agreement.[7]

While due diligence can serve a variety of goals, the process will often need to be customized for the type of organization being acquired. Specifically, we will focus on the regulatory and compliance due diligence process in the context of companies regulated by the Food and Drug Administration (“FDA”).

Noncompliance Issues and Due Diligence

An acquiring company is expected by the Criminal Division of the Department of Justice (“DOJ”) to perform appropriate due diligence to uncover compliance issues prior to merging with or acquiring a target. A company’s failure to comply with requirements can result in financial penalties, legal actions, damaged reputation, and loss of profit—and it could even extend to criminal charges in severe cases.

If a transaction continues when noncompliance is discovered, the acquirer should consider appropriate self-disclosure to the DOJ and, if appropriate, other agencies such as the Office of Inspector General (“OIG”), Federal Trade Commission (“FTC”), Office for Civil Rights (“OCR”), and FDA in order to minimize or avoid civil and criminal liability, as well as address the complexity and potential financial/criminal fallout.

DOJ Guidance

The DOJ’s updated guidance from March 2023, Evaluation of Corporate Compliance Programs, clarifies its expectations involving “pre-M&A due diligence.” The DOJ believes that “[t]he extent to which a company subjects its acquisition targets to appropriate scrutiny is indicative of whether its corporate compliance program is . . . able to effectively enforce its internal controls and remediate misconduct at all levels of the organization.”[8] To that end, the DOJ expects the following:

  1. An acquirer must complete pre-acquisition due diligence and look to identify misconduct or the risk of misconduct. The due diligence should be conducted by appropriately qualified, appropriately empowered individuals with experience working with FDA-regulated companies.
  2. The compliance function is an integral part of the M&A process.
  3. The target company is evaluated for misconduct and its policies and procedures scrutinized to avoid and address compliance issues.

Noncompliant Companies and Individuals

Noncompliance with Department of Health and Human Services (“HHS”), FDA, and/or other agency expectations may result in a variety of punitive measures, including fines, exclusion from federal health-care programs, and even criminal prosecution. Companies may be a party to various agreements with the government that require a demonstration of ongoing compliance.

Failure to comply with FDA requirements can result in warning letters, product seizures, injunctions, and civil or criminal penalties. For more severe or persistent violations, the FDA may also withdraw product approvals, effectively barring a product from the market. This can lead to substantial financial loss and damage to the company’s reputation.

Both individuals and companies may be temporarily or permanently excluded from participation in federal health-care programs, which can be the death knell for a business or a career killer for an individual.[9] Additionally, the FDA can sue the responsible corporate official for a first-time misdemeanor (and possible subsequent felony) under the Federal Food, Drug, and Cosmetic Act[10] without proof that the corporate official acted with intent or even negligence—and even if such corporate official did not have any actual knowledge of, or participation in, the specific offense.[11]

Reasons Due Diligence May Be Limited

Due diligence is a crucial step in informed decision-making; however, there may be various factors that limit the comprehensiveness of a due diligence review. This endangers the chances of successful outcomes in any business transaction or strategic decision.

  1. Time Restrictions: Due diligence is a comprehensive but time-consuming process. However, business deals and strategic decisions often operate within strict time frames, and this pressure to meet deadlines can restrict the depth and breadth of the due diligence process. Rushed due diligence may result in overlooked details, incomplete analysis, and uninformed decision-making.
  2. Cost Restrictions: Due diligence can also be a costly process that requires the use of external experts or consultants in areas like law, finance, environment, technology, and more. An investor with a limited budget can limit the investigation, causing corners to be cut. This can result in a failure to identify risks or opportunities.
  3. Client Instructions: An attorney conducting due diligence can potentially be limited by the client’s specific instructions. The client may only want certain areas to be investigated or may not wish to dive too deeply into certain aspects of the organization for a variety of reasons, including already available information, perceived insignificance of certain aspects, or the desire to maintain good relations during a merger or acquisition process. Such instructions can limit the comprehensiveness of the due diligence process.
  4. Specifics of the Operation in Question: The nature and specifics of the operation or deal in question can also limit due diligence. For instance, in some cases, the information might be highly sensitive or classified, making it difficult to access. In other cases, the operation might be in a niche or highly specialized field, where expertise is limited or the benchmarks for evaluation are not well-defined. In such cases, despite best efforts, the due diligence process may be inherently limited.

Phase I: Initial Investigation

During the initial request for documents, it is important to set the stage and develop an initial scope of review. In the context of life sciences due diligence scope development, you must consider outlining the metes and bounds of the scope. Working with an experienced FDA regulatory and/or compliance attorney can help you make sure that your scope is all-encompassing and that you have evaluated all possible areas of compliance.

A possible scope for a due diligence audit for a drug company (“Company”) being purchased by a private equity firm, particularly focusing on FDA and HHS compliance issues, may read as follows:

This due diligence process will provide an assessment snapshot of the potential regulatory risks, liabilities, and compliance gaps for the Company. This due diligence will

  1. confirm the validity of the Company’s product approvals;
  2. obtain and review the listing of the Company’s ongoing clinical trials;
  3. briefly review the safety (including adverse event reports) and efficacy data of the Company’s products in question;
  4. briefly review the Company’s quality-control processes, including in the context of its manufacturing practices, labeling, advertising practices, and health-care fraud and abuse issues; and
  5. briefly evaluate the company’s adherence to the Health Insurance Portability and Accountability Act (“HIPAA”) and other HHS regulations related to patient privacy and data security.

Regulatory Strategy

Once a scope of review has been established, consider beginning by looking at the core regulatory strategy for the target company’s products. Review company registrations at both the federal level (including facility, product, and clinical trial registrations) and the state level. At the state level, make sure to examine manufacturer/distributor licenses, sales representative licenses, and more.

Internal Investigation

During your internal investigation, make sure to review the company’s organization chart along with names, titles, and job descriptions of individuals to gain a clear understanding of the company’s internal structure, its decision-making process, and the responsibilities of key personnel.

After this initial phase, request and review standard operating procedures (“SOPs”), work instructions, and records of training on procedures to gain critical insight into the company’s day-to-day operations, processes, and quality-control measures.

Audits and Inspections

Acquirers may find it useful to review the target’s internal and external audit/inspection records for the past two to five years. Records may include quality-control records and details on how adverse events are handled. External inspections, on the other hand, often involve FDA audits, which assess the operation’s adherence to regulatory standards. By reviewing these inspection records, you can identify potential areas of focus for further inquiry.

As requested by the DOJ, utilize an experienced professional to review the existing corporate compliance program,[12] and consider reviewing voluntary disclosures made by the company.[13] Particularly noteworthy is the review of employment agreements, which should ideally include clawback provisions in line with the March 2023 DOJ Criminal Division recommendations.[14]

Moreover, depending on the organization and the acquirer’s desire for audits, the review may extend to matters related to the Foreign Corrupt Practices Act (“FCPA”). This involves identifying areas of potential interest or concern, considering the company’s interactions with foreign officials, and assessing the risk of bribery or corruption.

Phase II: Response Evaluation

After gathering an initial list of inspection and audit findings related to regulation by entities such as the FDA, DOJ, and OCR, as well as state and local law authorities, the next step is to assess the actions taken by the company to address the adequacy of these findings. This involves reviewing trainings, SOP changes, remediation plans, enacted corrective actions, and other steps that the company has taken in response to quality inspections and/or regulatory findings. Look for evidence that the company made swift, substantive, permanent changes that address not only the immediate issue but also future issues in similar situations. This is an area in which it can be especially helpful for an FDA regulatory and compliance attorney to benchmark the target company’s remediation processes and procedures against others in the industry.

As an investor, the goal is to demonstrate that there is an effective quality and compliance program in place—and that the quality and compliance program can catch errors and fix them. Past performance in this regard can not only result in a more valuable company but also be indicative of a future ability to navigate compliance challenges.

Final Report

Upon completion of the due diligence review, just as with most other due diligence reviews, it is ideal to prepare a comprehensive summary of findings. This summary will detail the research conducted, the findings obtained, the limitations encountered during the review process, and any recommendations for improving the operation. The aim of this summary is not just to present a snapshot of the current state of affairs but also, importantly, to provide actionable insights that can help mitigate risks and enhance overall operational efficiency. Ideally, you should also list the scope of the audit and limitations thereof.


Conducting a meticulous regulatory and compliance due diligence review process is integral to understanding the compliance landscape of a company. This review process encompasses a wide range of steps, including understanding the regulatory strategy; inspecting internal and external audits; evaluating privacy issues, corporate compliance, and state and local registrations; and evaluating the steps taken to remedy any findings by entities such as the FDA, DOJ, and OIG, as well as assessing any outstanding issues that remain. An individual well versed in FDA-, DOJ-, and OIG-related due diligence can be an indispensable tool in this assessment.

  1. Susan Bain, “Regulatory” Due Diligence: A Survey Investigation of Best Practices in the Medical Products Industry (Aug. 2011) (DRSc dissertation, University of Southern California).

  2. Peter Howson, Due diligence: The Critical Stage in Mergers and Acquisitions 8 (Gower Publishing, Ltd. 2003).

  3. Id.

  4. Id.

  5. Id.

  6. Id.

  7. Id.

  8. Criminal Div., U.S. Dep’t of Just., Evaluation of Corporate Compliance Programs 8 (updated Mar. 2023).

  9. FDA Debarment List (Drug Product Applications), (updated Aug. 3, 2023).

  10. Pub. L. No. 75-717, 52 Stat. 1040.

  11. United States v. Park, 421 U.S. 658 (1975).

  12. Criminal Div., U.S. Dep’t of Just., Evaluation of Corporate Compliance Programs (updated Mar. 2023).

  13. Criminal Div., U.S. Dep’t of Just., Voluntary Self-Disclosure Policy (last reviewed Aug. 2023).

  14. Criminal Div., U.S. Dep’t of Just., Regarding Compensation Incentives and Clawbacks, (updated Mar. 2023).

By: Darshan Kulkarni

Connect with a global network of over 30,000 business law professionals


Login or Registration Required

You need to be logged in to complete that action.