The Mergers & Acquisitions Review: US Trade Compliance Due Diligence

I Introduction

In addition to a myriad of issues to consider during merger and acquisition (M&A) transactions, parties should conduct due diligence related to US trade regulations and the often-related foreign investment regulations that arise in the context of an acquisition by a foreign company.

This article will focus on two essential considerations when conducting trade due diligence: (1) successor liability based on previous or ongoing violations by the target company; and (2) the impact of foreign investment reviews triggered by acquisition or investment by foreign persons. Note that we will only address pre-acquisition concerns and notification requirements in this article, and will not delve into post-acquisition integration issues that can arise after closing.

US courts and federal agencies have repeatedly applied successor liability for violations of trade regulations to acquiring companies. Because many trade regulatory regimes are governed by strict liability and hefty penalties, successor liability may entail significant financial risk for the acquiring companies.

Of considerable importance are the foreign investment reviews that could trigger voluntary or mandatory filings with the US Committee on Foreign Investment in the United States (CFIUS) – the latter being a relatively new requirement – as well as mitigation of Foreign Ownership, Control or Influence (FOCI) when the acquisition would result in a foreign interest affecting management or operations of companies with access to classified information.

ii Relevant agencies for trade due diligence in M&A

The first step in conducting appropriate trade due diligence in the M&A context requires an understanding of the several US federal agencies that have jurisdiction over trade, foreign investment and industrial security matters. They include:

  1. the Directorate of Defense Trade Controls (DDTC) of the US Department of State, which regulates the import and export of defence articles, technical data, and defence services controlled under the International Traffic in Arms Regulations (ITAR);
  2. the Bureau of Industry and Security (BIS) of the US Department of Commerce, which regulates the transfer, export and re-export of items and technology with dual commercial and military applications that are controlled under the Export Administration Regulations (EAR);
  3. the Office of Foreign Assets Control (OFAC) of the US Department of Treasury, which regulates and administers US economic sanctions laws;
  4. US Customs and Border Protection (CBP) within the US Department of Homeland Security, which enforces the import laws of the United States;
  5. the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ), which enforce the Foreign Corrupt Practices Act (FCPA);
  6. the interagency Committee on Foreign Investment in the United States (CFIUS), which reviews the national security implications of certain transactions involving foreign investment in the US and certain real estate transactions by foreign parties; and
  7. the Defense Counterintelligence and Security Agency (DCSA) of the US Department of Defense, which grants security clearances to companies and their personnel to perform classified work.

In addition, many other government agencies may have roles in international trade compliance depending on the activity of the target company. For example, companies that import medical devices or food products may be required to comply with regulations administered by the Food and Drug Administration. Similarly, the Nuclear Regulatory Commission has regulatory jurisdiction over exports of certain products specific to nuclear activity. Another important agency, for example, is the US Census Bureau, which administers the Foreign Trade Regulations (FTR), and the collection of Electronic Export Information related to US export transactions.

The Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector, informally known as 'Team Telecom', is an interagency committee that reviews applications for foreign investment in many entities regulated by the US Federal Communications Commission (FCC). For certain foreign investment or acquisition transactions involving FCC licensing, Team Telecom reviews may be required in addition to the CFIUS process.

iii Key trade compliance due diligence considerations

i Successor liability

Briefly, successor liability is the concept of holding an acquiring company liable for violations of us laws and regulations by an acquired company. because the focus of successor liability is the conduct of the target company, successor liability is a concern regardless of whether the acquirer is a us company or a foreign company. violations typically relate to the following laws and regulations:

Export controls: ITAR and EAR

Successor liability is commonly found with respect to export violations, so acquiring companies should ensure that their review of a target's export activity includes all the relevant components of a thorough export-risk assessment. in particular, they should ensure that the target company assigns the correct export classification controls for its products or technology, obtains the required export licences, as necessary, and adequately safeguards any export-controlled technology from foreign person employees or visitors.

Good indications of compliance in the target company are the presence of an export compliance programme and relevant written procedures, an export compliance department of adequate size that matches the target's export volume, historical demonstration of upper management support for compliance procedures, and adequate audits and training, to name a few.

DDTC has acknowledged and applied successor liability in post-acquisition enforcement actions, holding acquiring companies liable for itar violations of targets that occurred prior to their acquisition. for example, in 2013, meggitt-usa, inc (meggitt-usa), a holding company of subsidiaries that specialise in extreme environment components and sub-systems for aerospace, defence and energy markets, entered into a settlement agreement with ddtc, agreeing to pay a us$25 million civil penalty for 67 violations of the arms export control act and the itar.2 ddtc alleged that meggitt-usa was liable for violations committed by several of its subsidiaries, including the unauthorised exports of defence articles and technical data. the majority of the alleged violations occurred before meggitt-usa's acquisition of the subsidiaries. this enforcement action further underscores the importance of trade law due diligence in the m&a sphere and its us$25 million penalty serves as a cautionary tale for similarly situated holding companies.

BIS has likewise applied successor liability to acquiring companies for violations of the ear that occurred prior to the acquisition. in a leading 2002 precedent case, sigma-aldrich corporation (sigma) purchased the assets of research biochemicals limited partnership (rblp).3 sigma completed its purchase of rblp after bis had alleged that rblp exported tetrodotoxin citrate without obtaining required export licences. after the acquisition of rblp was concluded, bis alleged that sigma was now liable for these violations. sigma appealed to an administrative law judge, who held that sigma was liable under the principle of successor liability. sigma ultimately settled the bis charges for us$1.76 million.

Similarly, in a more recent case in 2014, CA Litzler Co, Inc (Litzler) entered into a Settlement Agreement with BIS, agreeing to pay a US$45,000 civil penalty for a single violation of the EAR.4 BIS alleged that Litzler was liable under a theory of successor liability for a violation committed by Western Advanced Engineering Company (WAEC) before Litzler acquired a substantial portion of WAEC's assets. The underlying violation involved WAEC's May 2005 export to Spain of a prepreg machine, which was controlled for missile technology reasons, without obtaining the required export licence. In September 2010, BIS initially issued a charging letter to WAEC. Then, in 2011, Litzler acquired at least a substantial portion of WAEC's assets, as well as the services of a key person, and WAEC ceased operating although it continued to exist as a corporate entity following the acquisition. The 2014 Litzler case reflects BIS's continued commitment to applying the doctrine of successor liability and underscores the importance of performing thorough due diligence reviews for export control violations prior to the acquisition of a target company.

Economic sanctions laws: OFAC

Likewise, M&A transactions have presented numerous challenges with respect to OFAC sanctions. As such, risk assessments and sanctions-related due diligence are important during M&A transactions, particularly those that involve non-US businesses.5

OFAC has recommended that compliance functions be integrated into the merger, acquisition and integration process. Companies should conduct appropriate due diligence to ensure sanctions-related issues are identified, escalated to the relevant senior levels, and addressed prior to the conclusion of any transaction. Once M&A transactions are completed, internal audit and testing functions are key to identifying any additional sanctions-related issues.

Similar to enforcement actions brought by BIS and DDTC, OFAC has also pursued successor liability in M&A transactions. In a recent case from 26 June 2020, OFAC entered into a Settlement Agreement with Keysight Technologies Inc (Keysight) as the successor entity to Anite Finland OY (Anite).6

Keysight, a diversified test and measurement company, acquired Anite in August 2015. Anite, a Finland-based company, was a subsidiary of Keysight when the apparent violations giving rise to the settlement agreement occurred, but Anite was later merged into Keysight and no longer existed as a distinct legal entity. OFAC determined that, between January and July 2016, Anite apparently violated the Iranian Transactions and Sanctions Regulations (ITSR) by engaging in the export of goods intended for Iran with EAR-controlled US-origin content valued at US$331,089. Keysight eventually agreed to pay US$473,157 to settle its potential civil liability resulting from Anite's misconduct.


US courts have also applied successor liability in the import context. The Court of International Trade (CIT) has found an acquiring company liable for unpaid customs duties under the 'mere continuation' principle (i.e., where the purchaser is simply a continuation of the corporate entity of the seller, which is an exception to certain state law rules against corporate successor liability). Specifically, in United States v. Adaptive Microsystems, LLC, the court decided this question through the application of Wisconsin state law.7 Here, Adaptive Microsystems, LLC (AMS) went bankrupt and was acquired by another company. During the bankruptcy proceedings, Customs issued AMS a pre-penalty notice, alleging intentional or negligent misclassification of entered merchandise, leading to unpaid duties and penalties. After acquisition, the acquiring company continued to use the AMS name, and also kept most of AMS's employees, including a former officer that retained his position after acquisition. The CIT determined that the post-acquisition company was similar enough to the pre-acquisition company that the 'mere continuation' principle could apply to allow for successor liability for the unpaid duties of the former company.

More recently, in the 2015 case United States v. CTS Holding, LLC, TJ Ceramic Tile and Sales Import, Inc (TJ) began importing several different types of granite and stone polishing machines between 6 August 2004 and 14 September 2006.8 In 2006, CBP initiated an investigation against TJ and determined that TJ had misclassified the imports. TJ was ordered to pay duties arising from the product misclassifications. Before paying the duties, TJ was sold to CTS Holding, Inc (CTS) in 2011. In 2012, CBP moved against CTS to recover TJ's unpaid duties. Despite the acquisition, CIT found that CTS may be be liable for TJ's alleged violations pursuant to 19 USC Section 1592, which applies penalties for fraud, gross negligence, or negligence in the entering of merchandise, by noting 'the word “person” in Section 1592 properly includes corporations and their successors and assigns'.

As these examples demonstrate, M&A due diligence for an importing target would necessarily require a review of anti-dumping and countervailing duty compliance, free trade agreement compliance, and accurate import classification and valuation, among other considerations specific to the target's business activity.

Anti-corruption: FCPA

The FCPA makes it unlawful to bribe foreign government officials to obtain or retain business. The SEC and DOJ, which administer the FCPA, have highlighted the importance of effective FCPA due diligence throughout the M&A process and encourage companies to improve FCPA compliance programmes after acquisition.9 It is important to note, however, that the FCPA will not apply retroactively in the case of the acquisition of a foreign target that was not previously subject to the FCPA's jurisdiction.

The SEC and DOJ's FCPA guidance provides practical tips for companies involved in an M&A transaction to mitigate FCPA risks. One option is to obtain an opinion from the DOJ in anticipation of a potential acquisition. Alternatively, the acquiring company should conduct FCPA and anti-corruption due diligence on the target company. Such due diligence may include: (1) ensuring the target company has implemented FCPA compliance policies; (2) ensuring the target trains leadership and employees on FCPA compliance; (3) determining if the target company has conducted audits in the past (and if not, consider conducting a risk assessment or audit pre-closing); and (4) potentially consider disclosing corrupt payments discovered through due diligence.

ii Acquisition by foreign parties

the US government is authorised to block m&a transactions and certain foreign investments that threaten us national security. alternatively, the us government may allow the M&A transaction but alter the terms of the acquisition to mitigate any national security concerns. CFIUS is tasked with investigating and blocking or mitigating certain m&a transactions and investments that cede control to foreign parties. the department of defense, through DCSA, monitors cleared facilities and may deny security clearances to companies that become exposed to FOCI through the M&A process.

The following discussion is generally applicable only in the context of m&a transactions where a foreign person acquires or invests in a us target company.


In 2018, congress passed the foreign investment risk review modernization act of 2018 (firrma), which expanded cfius's jurisdiction to review and take action to address national security concerns arising from certain investments and real estate transactions involving foreign persons. in 2020, the us department of the treasury issued several final regulations to implement firrma.

Although the final regulations significantly expand cfius's jurisdiction to review certain foreign investments for national security concerns, including certain non-controlling investments, cfius filings remain primarily voluntary. however, there are two types of transactions that trigger a mandatory filing requirement (subject to certain exemptions): (1) certain covered control transactions or covered non-controlling investments in certain us businesses involved with critical technologies; and (2) covered transactions where a foreign government has a substantial interest in a critical technology, critical infrastructure, or sensitive personal data (tid) held by the us business. parties can fulfil the mandatory declaration requirement by filing a short-form declaration, or a full notice in lieu of a short-form declaration.

Importantly, the regulations for implementing firrma have significantly incorporated export control regimes into the analysis needed to determine the mandatory filing requirements. for example, 'critical technologies' is defined to include five categories of items subject to export controls and other regulatory schemes, and emerging and foundational technologies controlled under the export control reform act of 2018. the export controls include items controlled under the itar, the commerce control list of the ear, and specific items related to nuclear activity controlled for export by the nuclear regulatory commission and department of energy regulations.

Now more than ever, the due diligence review of underlying covered transactions or investments will benefit from an analysis by advisers deeply knowledgeable in the export regulations referenced above. parties must ensure that the us target company has accurately classified its technologies and products with the correct export classifications and has effective export compliance procedures in place. unfortunately, misclassification of products and technology is a common issue among companies subject to export control regulations, and, in some cases, companies may have not classified their products and technologies at all (e.g., if the company is not an exporter of products or services and merely conducts business domestically).


Dcsa also safeguards us national security by evaluating the exposure cleared facilities have or will have to foci.10 dcsa grants security clearances to companies by issuing facility security clearances (fcl) and to individual employees by issuing personnel security clearances (pcl). such clearances will generally not be awarded to companies operating under foci. instead, dcsa will grant or renew an fcl only after mitigating foci concerns.

A company is operating under foci when a foreign party has the power to direct or decide matters that affect the management or operations of that company in a way that would grant unauthorised access to classified information or undermine the performance of classified contracts.11 all parties to an m&a transaction that wish to retain or obtain security clearances should conduct adequate due diligence to ensure that the target will not be subject to foci after the acquisition, or if foci is unavoidable, that foci is adequately mitigated through a variety of instruments accepted by dcsa.12

The dcsa evaluates the following factors in determining whether a company is under foci: (1) whether there is a record of economic or government espionage against us targets; (2) whether there is a record of enforcement or engagement in unauthorised technology transfer; (3) the type and sensitivity of the information at stake; (4) the source, nature and extent of foci; (5) whether the company has complied with pertinent us laws, regulations and contracts; (6) the nature of any relevant bilateral and multilateral security and information exchange agreements; and (7) ownership or control, in whole or in part, by a foreign government.13

iv Trade due diligence recommendations

While not an exhaustive list, the following items ought to be included on any trade due diligence questionnaire or checklist:

  1. review the target company's current export compliance procedures. These include current product classifications under the EAR's Commerce Control List (CCL) and the ITAR's US Munitions List (USML), risks based on the end-use and the end-users, and risks arising from export destinations;
  2. review the target company's current import compliance procedures. Make sure the products have proper markings, valuations, and product classifications, and ensure supply-chain risks are properly mitigated;
  3. ensure recordkeeping is appropriate and compliance with the relevant regulations;
  4. determine the potential access to controlled technology of any foreign employees or visitors of the target company and identify the nationalities of such foreign persons. Additionally, ensure that the target has IT policies in place to restrict foreign persons from access to controlled technology, both within and outside the target's organisation;
  5. confirm the target company has policies in place to ensure compliance with applicable OFAC sanctions. These sanctions are generally applied on a country-by-country basis, so acquiring companies should review product types, countries of destinations, and end-uses and end-users to determine which sanctions programmes are applicable;
  6. determine whether the target company has any past violations with any trade regulatory agency;
  7. determine whether the target company requires its employees to be trained on import, export, economic sanctions and anti-corruption laws. This includes online or in-person training sessions, manuals and management support of the overall compliance programme;
  8. review the target company's FCPA compliance programme. This programme should cover all of the entities' business partners including agents, consultants, representatives, etc. Determine if employees have received FCPA compliance training and whether there have been previous FCPA-related investigations;
  9. when a transaction involves foreign persons, parties should determine whether the transaction requires a mandatory CFIUS filing (or whether a voluntary filing is merited); and
  10. cleared facilities involved in an M&A transaction with a foreign company must be prepared to mitigate FOCI concerns.

Conducting the above due diligence will assist the acquiring company in determining the likelihood of outstanding trade violations at the target company, which could lead to successor liability. Additionally, the information obtained during the due diligence review can be used by the acquiring company to improve the target's compliance programmes post-integration, preventing future violations of the various trade regulations regimes.


1 Olga Torres is a managing member and Derrick Kyle is an associate at Torres Law, PLLC. We would like to thank our Law Clerk, Alex Dieter, for his contributions to this chapter.

2 See In the Matter of: Meggitt-USA, Inc, Consent Agreement, United States Department of State Bureau of Political-Military Affairs (23 August 2013), available at; see also In the Matter of: Meggitt-USA, Inc, Proposed Charging Letter, United States Department of State Office of Defense Trade Controls Compliance (19 August 2013), available at

3 See In the Matter of: Sigma-Aldrich Business Holdings, Inc, Order, United States Department of Commerce Bureau of Industry and Security (29 August 2002); see also Annual Report: Fiscal Year 2003, 63-64, Bureau of Industry and Security (2003), available at

4 See In the Matter of: CA Litzler Co, Inc, Order, United States Department of Commerce Bureau of Industry and Security (24 April 2014), available at; see also Annual Report: Fiscal Year 2014, 40, Bureau of Industry and Security (2015), available at

5 A Framework for OFAC Compliance Commitments, Department of the Treasury, Office of Foreign Assets Control (2 May 2019), available at

6 Settlement Agreement between the US Department of the Treasury's Office of Foreign Assets Control and Keysight Technologies, Inc (26 June 2020), available at

7 United States v. Adaptive Microsystems, LLC, 914 F. Supp. 2d 1331 (Ct. Int'l Trade 2013).

8 United States v. CTS Holding, LLC, 37 I.T.R.D. (BNA) 1659 (Ct. Int'l Trade 2015).

9 A Resource Guide to the US Foreign Corrupt Practices Act, Second Edition, Criminal Division of the US Department of Justice and Enforcement Division of the US Securities and Exchange Commission, 29 (25 November 2020), available at

10 Foreign Ownership, Control or Influence, Defense Counterintelligence and Security Agency, available at (last accessed 9 September 2021).

11 32 C.F.R. 117.11(a)(1) (2021).

12 There are a variety of instruments that can be used to mitigate FOCI, including Special Security Agreements (SSAs), Board Resolutions, Security Control Agreements (SCAs), Proxy Agreements, and Voting Trust Agreements.

13 32 C.F.R. 117.11(b) (2021).

The Law Reviews content