Sanctions & Reputational Due Diligence: The M&A Playbook

Why Sanctions and Reputational Risk Belong in the Deal Model

Financial and legal diligence answer whether a target is worth what the seller is asking and whether its contracts, tax position, and corporate records hold up. They were never designed to answer a different and increasingly decisive question: who actually controls this company, where does its money come from, and what will an acquirer inherit in liability the day after closing. That gap is where sanctions and reputational exposure live.

The cost of getting this wrong has risen sharply. The U.S. Treasury's Office of Foreign Assets Control (OFAC) enforces sanctions on a strict-liability basis, meaning a U.S. acquirer can face civil penalties for dealings with a sanctioned party even without knowing the party was sanctioned. When you acquire a company, you acquire its counterparties, its supply chain, and in many cases its historical conduct. A clean balance sheet does not insulate you from a target that has been routing payments through a sanctioned intermediary or that is ultimately owned, through layered entities, by a designated individual.

For private equity and corporate development teams, the practical consequence is that sanctions screening and reputational due diligence cannot be an afterthought bolted onto the closing checklist. They have to be sequenced into the deal timeline early enough that findings can still change the outcome, before the price is anchored and the deal has its own momentum.

What Reputational Due Diligence Actually Covers

Reputational due diligence is a structured investigation into the integrity and risk profile of the people and entities behind a transaction. It is broader than a sanctions check and narrower than a general background search. Done properly, it triangulates public records, regulatory filings, litigation databases, adverse media, corporate registries across jurisdictions, and human-source inquiry into a coherent picture of who you are really doing business with.

The discipline matters because the most damaging facts in a deal are rarely disclosed in the data room. They surface in a former regulator's enforcement file, a foreign court docket, a pattern of dissolved shell entities, or a principal's undisclosed relationship to a politically exposed person. The goal is not to assemble a dossier of trivia; it is to identify the specific facts that would change a reasonable acquirer's view of price, structure, or whether to proceed at all.

• Sanctions and watchlist exposure across OFAC, UN, EU, and UK regimes, including ownership-based (50 percent rule) exposure
• Ultimate beneficial ownership tracing through layered or offshore entities
• Corruption and FCPA-adjacent risk, including dealings with foreign officials and state-owned enterprises
• Adverse media, regulatory actions, and enforcement history in every operating jurisdiction
• Civil and criminal litigation, judgments, liens, and bankruptcy patterns
• Integrity red flags on principals: undisclosed prior ventures, misrepresented credentials, conflicts of interest

Sequencing Diligence Into the M&A Timeline

The single most common mistake is treating reputational and sanctions diligence as a confirmatory step performed shortly before signing. By then the price is set, the deal team is invested, and adverse findings face institutional resistance. The fix is to stage the work in tiers that map to the deal's natural decision gates.

At the indication-of-interest or term-sheet stage, run a fast screening pass on the target entity and its named principals against sanctions lists and major adverse-media sources. This is inexpensive, takes days not weeks, and exists to catch deal-killers before you spend real money. A confirmed sanctions hit or a principal with a serious enforcement history should be known before you sign an LOI, not discovered in week six of exclusivity.

Once exclusivity is granted and confirmatory diligence begins, escalate to enhanced due diligence on the entities and individuals that the screening pass flagged or that carry inherent risk: foreign owners, complex ownership chains, businesses in higher-risk sectors or geographies, and anyone touching government contracts. This is where beneficial-ownership tracing, jurisdiction-by-jurisdiction record retrieval, and discreet source inquiry belong. Reserve the deepest investigative work for the specific risk that the earlier tiers identified, rather than boiling the ocean on every counterparty.

• Tier 1 (LOI / term sheet): rapid sanctions and adverse-media screen on target and named principals to surface deal-killers early
• Tier 2 (exclusivity / confirmatory): enhanced diligence on flagged parties, foreign owners, and high-risk counterparties
• Tier 3 (pre-signing): beneficial-ownership verification, source inquiry, and resolution of open red flags that bear on terms

OFAC and the 50 Percent Rule: Screening Beyond the Named List

Many deal teams screen the target's name and a handful of principals against OFAC's Specially Designated Nationals (SDN) list, get no hits, and consider sanctions diligence complete. That is a serious under-scoping. OFAC's published guidance establishes that an entity is itself blocked if it is owned 50 percent or more, directly or indirectly, by one or more blocked persons, even if that entity does not appear on any list by name.

The practical implication is that sanctions screening has to follow the ownership chain, not just the front-door name. A target that is 60 percent owned by an unlisted holding company that is in turn majority-owned by a designated individual is, for sanctions purposes, a blocked entity. You will not find that by running the operating company's name through a list. You find it by tracing ultimate beneficial ownership through every intervening layer, including offshore vehicles built specifically to obscure it.

This is also why sanctions and reputational diligence are inseparable in cross-border deals. The same investigative work that establishes who really owns a company, the work reputational diligence does anyway, is exactly what you need to apply the 50 percent rule correctly. Treating them as two separate workstreams wastes effort and leaves gaps between them.

Beneficial Ownership and the Corporate Transparency Act

Knowing the natural persons who ultimately own and control a target has moved from best practice to legal infrastructure. The Corporate Transparency Act directs the Financial Crimes Enforcement Network (FinCEN) to maintain a beneficial-ownership information regime, reflecting a broad policy judgment that anonymous shell ownership facilitates sanctions evasion, money laundering, and fraud. The scope and application of these reporting requirements have evolved, so deal teams should confirm the current state of the rules with counsel rather than rely on a static summary.

For acquirers, the underlying point is durable regardless of how reporting rules shift: opaque ownership is a risk signal in itself. A target whose cap table runs through nominee directors, bearer-share jurisdictions, or chains of single-purpose entities with no commercial rationale deserves heightened scrutiny, because that structure is the precise mechanism used to hide sanctioned or criminal beneficial owners.

Verifying ownership is rarely a single database lookup. It typically requires retrieving and reconciling corporate registry records across multiple jurisdictions, reading the actual filings rather than trusting an aggregator's summary, and in opaque structures, using human-source inquiry to confirm who exercises real control. This cross-border record work is the core of Fortaris's International and Cross-Border Due Diligence practice.

FCPA-Adjacent Exposure: Inheriting Successor Liability

Anti-corruption risk is one of the few areas where M&A can transfer liability for conduct that occurred entirely before you owned the company. The Foreign Corrupt Practices Act, jointly enforced by the Department of Justice and the Securities and Exchange Commission, reaches improper payments to foreign officials, and acquirers can face successor liability for a target's pre-closing FCPA violations. The DOJ has publicly encouraged thorough pre-acquisition anti-corruption diligence and has, through its enforcement policies, signaled more favorable treatment for acquirers who conduct it, self-disclose issues they uncover, and remediate.

That enforcement posture turns diligence from a defensive cost into a value-protection mechanism. Identifying a target's reliance on third-party agents in high-corruption markets, payments to entities connected to government officials, or unexplained margins on public contracts, before closing, lets you price the risk, restructure the deal, or carve out the liability. Discovering it afterward means inheriting it.

The screening focus here is concrete: the target's interactions with foreign governments and state-owned enterprises, its use of intermediaries, consultants, and customs agents, the integrity of its books around facilitation payments and gifts, and the personal histories of executives who managed government-facing relationships. These are reputational diligence questions as much as legal ones, and they are best run together.

How Findings Change Deal Terms

Diligence findings are only useful if they translate into deal mechanics. A reputational or sanctions issue rarely produces a binary go/no-go; more often it reshapes the transaction. The deal team's job is to convert what the investigation surfaces into specific, negotiated protections.

A confirmed sanctions nexus or an unresolved beneficial-ownership question that cannot be cleared is one of the few true walk-away findings, because the legal exposure is strict-liability and the regulatory consequences are not negotiable. Most other findings are manageable through structure. A material but quantifiable exposure can be priced into the purchase consideration. A discrete legacy liability can be carved out or addressed through a specific indemnity backed by a larger or longer-surviving escrow. Integrity concerns about a specific executive can be handled through conditions, departures, or governance terms.

Findings also drive the representations and warranties the seller must give and the corresponding coverage in any R&W insurance, where insurers increasingly expect to see that sanctions and anti-corruption diligence was actually performed. The discipline is to document not only what you found but what you reasonably investigated, so that the diligence record itself supports both the negotiated terms and any later regulatory inquiry.

• Walk away: confirmed sanctions exposure or beneficial ownership that cannot be cleared
• Reprice: material, quantifiable exposures folded into purchase consideration
• Ring-fence: specific indemnities, carve-outs, and escrow for discrete legacy liabilities
• Condition: executive departures, governance changes, or remediation as closing conditions
• Insure: tailored reps and warranties supporting R&W coverage, grounded in a documented diligence record

Building a Repeatable Screening Protocol

Funds and corporate development teams that do this well do not reinvent the process for every deal. They operate a standing protocol that defines what gets screened, at which gate, against which sources, and with what escalation triggers. That consistency is what lets a small deal team move quickly without leaving gaps, and it is what an investment committee or a regulator will expect to see evidenced.

A workable protocol specifies the screening universe (target entity, parents, subsidiaries, named principals, key counterparties, and major customers), the source set (sanctions and watchlists, cross-border corporate registries, litigation and adverse media, regulatory enforcement records), and the thresholds that escalate a matter from automated screening to human-led enhanced diligence. It also specifies who reviews findings and how they are documented, because an undocumented screen offers little protection if conduct is later questioned.

The deepest investigative components, beneficial-ownership tracing through opaque structures, discreet source inquiry, and cross-border record retrieval, are typically where in-house teams reach their limits and bring in specialist support. Fortaris is engaged at exactly these points: senior-led investigations where the answer is not in a database and the stakes justify evidentiary rigor. Every engagement is led by a Managing Director with federal investigative and forensic-accounting depth, and the work is nationwide and cross-border by design.