It Comes Down to Culture
In outlining my thoughts on brokerage M&A for this month’s column, I knew I wanted to go beyond the standard due diligence checklist.
I had a few ideas of my own, but to get a level-set, I first asked someone who has seen more than a few deals for his views, Bob Lloyd, executive vice president, secretary and general counsel at Brown & Brown. His immediate response initially surprised me. “It’s all about culture—how consistent is the acquisition target with your own risk tolerance?”
I asked him how you ferret that out. The answer—right out of my own world—you get to know them. Time spent together, in person, working on the details of the transaction, developing a deeper mutual understanding of one another and your respective businesses. And getting to know each other on a personal level, including sharing dinners together, with spouses. And if you already have that sort of relationship before you even commence merger discussions, all the better.
There are, of course, objective factors as well. “Frequent issues with regulators or an endless litany of E&O lawsuits also is a cultural issue in that it is evidence that the firm is more willing to play in the gray,” Bob said. Such a firm, he asserted, “may have difficulty assimilating into an environment with more oversight and more controls than they are used to.”
With that in mind, let’s evaluate the agency-specific issues that I think should be on your due diligence lists through that cultural lens.
Licensure practices, for example, can vary widely from firm to firm. Many firms require—as I think they should—any producer engaged in sales, solicitation or negotiation activities in any state to be licensed in that state. Other firms, however, often rely on a single producer to be the licensed producer in a non-resident state for all of the firm’s placements with respect to that state. The latter is a much more culturally aggressive position on licensure obligations, the former more conservative. If two firms contemplating a combination are on opposite ends of that spectrum, what does that say about the broader integration challenges they may face?
Criminal background checks are another area in which compliance approaches can vary significantly. Federal law—specifically 18 U.S.C. Section 1033—bars any individual who has been convicted of a felony “involving dishonesty or a breach of trust” from participating in the business of insurance. Under Section 1033, it also is a criminal offense for any person—including insurers, agents and brokers—to “willfully” employ, or “willfully” permit, anyone who has been convicted of such a crime to participate in the “business of insurance” unless that person has first obtained written consent from his home state insurance regulator to do so.
Section 1033 does not affirmatively require that a criminal background check be run before employing an individual in the business of insurance. Many firms nonetheless routinely run such checks before hiring a new producer, and some of those same firms also run them on applicants for service representative and other customer-facing professional positions. From an M&A cultural perspective, the key question, I think, is how a firm that treats background checks as a formal, routine control will mesh with one that takes the more relaxed, statute-minimum approach, what that says about the cultural fit of the two firms from a more macro perspective, and whether the employees of the two firms can integrate into a single cohesive team.
Cyber security and privacy regulatory compliance is now a significant area of exposure, with an ever-evolving list of state-by-state requirements. The New York State Department of Financial Services’ (NYSDFS) cyber-security regulation (23 NYCRR Part 500) is the most extensive security-focused regime currently in place. California’s new Consumer Privacy Act (CCPA) extends the most extensive data-privacy rights to California residents, including a right to have personal information deleted.
There is, of course, a basic cyber/privacy due diligence checklist that includes policies and procedures that a regulator expects your firm to have in place including:
- General protections for and rights over personally identifiable information and non-public information
- An auditing system to ensure proper licenses are in place for all software
- Systems to perform breach alerts or notifications
- Network safeguards
- Incident response plans and procedures
- Appropriate oversight of third-party and service provider security controls
- An enterprise risk management process that includes cyber-security risks
- Board-level review of the cyber-security program and internal cyber audit findings
- Participation in cyber threat information-sharing via information-sharing and analysis organizations
- Proper cyber-security employee training.
The NYSDFS has made clear that “when Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how [the cyber-security] regulatory requirements apply to that particular acquisition.” Any such due diligence must consider the target’s cyber-security risk profile, the extent to which it complies with applicable legal requirements, and the difficulty of merging your firm’s practices with the target’s.
In considering integration issues, note that the obligations imposed on either the acquirer or the acquired also may expand post-merger. One of the firms might not, for example, have been required to comply with either the California or New York regimes before the merger or, in the case of New York, may have operated under the reduced set of obligations that the regulation’s limited exemptions afford licensees with a smaller New York presence.
New York’s regulation anticipates this: a licensee that no longer qualifies for an exemption as of its fiscal year end has 180 days from that fiscal year end to comply with the full set of requirements. For a calendar-year firm, new obligations triggered by a merger completed in 2019 must therefore be met by late June 2020 (180 days from December 31, 2019).
All of the applicable rules, however, necessarily leave a great deal of judgment in how compliance is actually carried out. And therein lies the core cultural question on all of these issues and likely many more. The question may not be which firm’s practice is the “right” or “better” one, but rather: how does each firm’s approach to these compliance practices “fit” with the other’s, and are the two compliance cultures compatible enough not to cause integration issues over the long term?
I, of course, now leave that question to you. But, when it comes down to it, you might say (with apologies to James Carville) it’s the culture, stupid!