In M&A transactions — particularly in the context of an acquisition or merger — valuation, deal structure and financing typically take centre stage. By contrast, criminal‑law risks are often treated as peripheral or overlooked entirely, sometimes with severe consequences.
Anyone acquiring a company assumes not only its opportunities but, as a rule, its risks as well. These include, in particular, legacy criminal‑law exposures, which often materialise only after completion of the transaction.
Criminal due diligence closes this gap. It enables a targeted assessment of criminal‑law risks and thus provides an indispensable basis for legally robust and economically sustainable decision‑making. Against the backdrop of increasingly stringent supervisory and enforcement trends — for example in the areas of anti‑money‑laundering, sanctions, export controls and ESG regulation — its importance continues to grow.
1. Legal Framework: Duties of Care and Liability Risks
The obligation to conduct an adequate criminal due diligence arises from the corporate duties of care owed by the management. Under section 93(1) AktG and section 43(1) GmbHG, decisions must be based on a sound and reliable information basis.
In the context of M&A transactions, this necessarily includes the identification and assessment of criminal‑law risks. If such analysis is omitted, the decision may be deemed a breach of duty, potentially giving rise to personal liability for the individuals responsible. Depending on the governance structure, corresponding duties of review and oversight may also extend to supervisory board members or advisory board members, particularly where they hold approval authority over material corporate transactions.”
Within the scope of the Business Judgement Rule, it is essential not only that risks are identified, but also that they are assessed and documented in a transparent and traceable manner. Deficient M&A compliance may prevent board members from relying on this protection. The same applies where the connection to the existing compliance organisation and the compliance management system (CMS) is missing, or where deficiencies in the CMS are not addressed despite an evident risk situation.
Criminal due diligence is therefore not an optional review step but a component of proper corporate management. It is closely linked to the design of the CMS, which not only serves a preventive function but is also relevant in the context of investigations, particularly for the assessment of supervisory and sanctioning measures.
2. Risk Landscape: Legacy Criminal‑Law Exposures in Corporate Acquisitions
Criminal‑law risks are rarely apparent on the surface. They are often embedded in business processes, entrenched organisational structures or the prevailing corporate culture, and they additionally require the trained eye of a criminal‑law and compliance specialist. For precisely this reason, they are frequently not adequately addressed in the course of a traditional M&A due diligence.
The key risk areas include, in particular:
- Corruption offences and anti‑competitive undue influence
- Money laundering and terrorist financing
- Fraud, breach of trust and other property‑related offences
- Violations of export‑control and sanctions regulations
- Tax‑criminal law, accounting offences and capital‑market‑related crimes
- Environmental and labour‑criminal law, particularly in the context of ESG and supply‑chain risks
ESG‑related risks — such as environmental violations, inadequate occupational safety or human‑rights breaches within the supply chain — increasingly carry criminal and administrative‑offence relevance. As a result, they have become a core issue at the intersection of criminal due diligence, compliance due diligence and ESG compliance.
In practice, a structural misunderstanding is frequently observed: criminal‑law risks are assumed to be sufficiently manageable through contractual warranties or indemnities. However, these typically only take effect once damage has already occurred and provide no protection against investigations, operational disruptions or reputational harm.
Continuation of criminal‑law risks in asset and share deals
The discussion around asset versus share deals is likewise often overly simplified. While risks evidently persist in a share deal, an asset deal is frequently assumed to create a complete separation. In practice, however, criminal‑law risks may also continue in this context — for example through economic continuity, the transfer of personnel, the continuation of critical business models or regulatory bases for enforcement.”
Abstract constellations from practice illustrate the point: an acquirer takes over, by way of an asset deal, substantial assets, the workforce and customer contracts of a company that has, for years, relied on problematic distribution partners. Investigative authorities may nevertheless assert access to the acquiring entity despite the asset‑deal structure, where economic continuity prevails and relevant risks have not been addressed.
The growing importance of topics such as criminal due diligence, M&A compliance and the criminal‑law risks associated with corporate acquisitions shows that this issue is increasingly being recognised — but what matters is that this happens before, and not only after, closing.
3. Criminal‑law risks in corporate transactions – why criminal due diligence is indispensable
Criminal‑law violations within a target company often remain undetected during the transaction process — yet their effects typically materialise only after completion of the transaction. This is precisely where the central risk of insufficient criminal due diligence lies.
If criminal‑law risk assessment is neglected, the practical consequences may include in particular:
- Criminal investigations against the target company that relate to facts predating the transaction.
- significant reputational harm with immediate effects on market position and financing
- fines, asset confiscation or civil liability claims
- repayment claims for unlawfully obtained benefits, for example in connection with corruption or fraud offences
These risks are not merely theoretical. In practice, they result in operational constraints, financial burdens and, not infrequently, strategic misjudgements — for example where it later becomes apparent that a core segment of the business model is not sustainable from a compliance or criminal‑law perspective.
For the company’s management, the liability‑relevant question in such cases is regularly whether these risks would have been identifiable as part of a proper due diligence in an M&A context — and whether the nature, scope and documentation of the criminal due diligence were appropriate to the specific risk profile of the transaction.
4. Strategic perspective: criminal due diligence as a decision‑making criterion
“In transactional practice, criminal due diligence is often the decisive factor for the viability of a deal — precisely because criminal‑law risks typically become visible only at a late stage and tend to materialise, in particular post‑closing, in the form of investigations or regulatory action.
It determines whether a target company can in fact be integrated or whether it becomes a structural risk. For the company’s management, it is therefore not only an instrument for identifying risks, but also a means of safeguarding their own decision‑making basis and governance structure.
Identification of structural risks for post‑merger integration
In practice, this becomes particularly evident in cases where internal investigations or regulatory measures are initiated post‑closing — for example due to past corruption payments, critical sales structures or unlawful export activities.
Such constellations not only result in financial burdens, but can significantly impair the integration of the target company, the planned realisation of synergies and the strategic direction of the group.
At the same time, there are close interconnections with ESG aspects. Violations in the areas of environmental protection, working conditions or compliance are often also criminally relevant and have a direct impact on a company’s governance structure. A robust compliance due diligence in the M&A context makes it possible to identify these interdependencies at an early stage and to factor them into the transaction strategy — for example through adjustments to the transaction structure, governance arrangements or post‑merger integration measures.
Implementation of the risk findings into corporate governance and overall management
From a governance perspective, criminal due diligence should therefore be embedded into the overall management framework:
- involvement of the management board/executive management, the supervisory board and the competent committees in the key risk assessments
- clear communication of the results in decision papers
- interlinkage with risk management, compliance and internal audit
In practice, this means that criminal‑law risks do not necessarily lead to the termination of a transaction, but they regularly require adjustments — for example with regard to the purchase price, contractual structuring, integration planning or management‑related decisions within the target company.
5. Implementation: Criminal‑law risk analysis and safeguarding in practice
An effective criminal due diligence requires a structured yet in‑depth analysis. It goes beyond a mere review of documents and includes an assessment of actual business operations, internal control systems and potential risk factors.
At its core, such a review particularly comprises:
- the targeted identification of criminally relevant risk areas
- the analysis of business processes and payment flows
- the assessment of existing compliance structures and whistleblowing systems
- the review of ongoing, concluded or potential investigative proceedings and regulatory examinations
- the development of concrete measures to safeguard the transaction (e.g. warranties, indemnities, closing conditions, covenants and post‑merger measures)
risk‑based review approach and documentation of the decision‑making basis
A risk‑based approach is central: the depth and scope of the criminal due diligence should be aligned with the industry, geographical footprint, business model, previous compliance incidents and the maturity of the compliance management system. A clearly structured and documented review plan helps to demonstrate — also from a liability perspective — that the chosen level of depth was appropriate.
On this basis, risks can be actively managed — for example through:
- the adjustment of the transaction structure (asset vs share deal, joint‑venture models, etc.)
- differentiated warranty catalogues and liability regimes
- earn‑out structures or purchase price adjustments
- targeted post‑merger compliance and investigation measures
What is decisive is that the criminal‑law assessment forms an integral part of the overall economic decision and is not carried out in isolation.
6. Criminal Due Diligence as a Differentiating Factor: The Approach of Pragal Rechtsanwälte
In practice, the quality of the criminal due diligence determines not only whether risks are identified, but whether the company remains capable of acting in critical situations.
Pragal Rechtsanwälte pursue an integrated approach that combines economic‑criminal‑law expertise with a deep understanding of M&A transactions, compliance structures and internal investigations. Driven substantially by the contributions of Ms Kristina Konrad and Dr Oliver Pragal, the focus is not on standardised review programmes but on the precise contextualisation of identified risks within the transaction — particularly under time pressure and in competitive bidding processes.
This includes the detailed criminal‑law risk analysis, the assessment of potential liability implications for the acquirer and for members of the management bodies, as well as the active support during contract negotiations and the allocation of risks. Even where indications of misconduct or ongoing investigations are present, the firm provides close guidance to ensure that the transaction is structured in a legally robust manner.
Strategic advantage through highly specialised compliance and criminal‑law expertise
Frau Kristina Konrad ist Rechtsanwältin, zertifizierte Compliance-Officerin (Univ.) und zertifizierte KI-Compliance-Beauftragte (bitkom). Sie verfügt über langjährige Inhouse-Erfahrung in Rechts-, Compliance- und Corporate-Governance-Abteilungen großer und mittelständischer Unternehmen.
Her advisory focus includes the establishment, implementation and further development of compliance‑management systems, the conduct of internal investigations, measures to prevent corruption, and the strategic advice of regulated companies, particularly in the energy sector.
Dr Oliver Pragal focuses on business and tax criminal law and has extensive experience in criminal defence, compliance and crisis management.
Clients benefit from the combination of criminal‑defence experience, a deep understanding of corporate realities, and the ability to structure internal investigations and criminal due diligence in a pragmatic, risk‑oriented and decision‑relevant manner.
Especially in complex constellations, it becomes evident that such integrated M&A legal advice makes the decisive difference — between a formally reviewed transaction and one that is genuinely manageable.
7. Conclusion: Risk Analysis as Transactional Safeguard
Criminal due diligence is not a downstream review component but a central decision‑making criterion in M&A transactions.
Those who fail to analyse criminal‑law risks systematically make decisions on an incomplete basis — exposing themselves to corresponding liability, reputational and economic risks.
A well‑founded criminal due diligence, by contrast, creates transparency, strengthens the decision‑making basis and enables the targeted management of risks. For managing directors, supervisory board members and compliance officers, it is therefore an indispensable instrument of responsible corporate governance. Companies should establish criminal due diligence early on as a fixed component of their M&A strategy — not only once investigative authorities or media enquiries increase the pressure to act.
ContactFAQ: Frequently Asked Questions on Criminal Due Diligence in M&A Transactions
Traditional legal due diligence focuses primarily on legal structuring matters, contracts, regulatory permits and corporate law issues. Criminal due diligence, by contrast, concentrates on criminally relevant risks — such as corruption, money laundering, fraud, sanctions breaches or environmental offences — and analyses them along business processes, control systems and corporate culture. It complements the traditional review and deepens it in risk‑sensitive areas.
The need for criminal due diligence is driven less by the size of the transaction and more by its risk profile. Sectors, markets and business models with heightened exposure to corruption, sanctions or money‑laundering risks require an in‑depth criminal‑law risk assessment even for smaller or mid‑sized deals. Conversely, where the risk profile is low, a streamlined and focused review may be sufficient.
The scope should be defined on a risk‑based basis. Key factors include the sector, geographical footprint, customer and supplier structure, any history of investigations, and the maturity of the compliance management system. On this basis, a graduated level of review depth can be determined. Clear documentation of the methodology and the boundaries drawn is essential in order to demonstrate the appropriateness of the decision at a later stage.
Effective whistleblowing systems are a key source of information on potential criminal‑law risks. Their design, accessibility, confidentiality and the handling of reports provide insight into the organisation’s actual compliance culture. A careful assessment of these structures can reveal concealed legacy issues and is therefore an essential component of criminal due diligence.
Even after closing, a criminal‑law risk assessment may be advisable — in particular for integrating the target into the existing compliance framework, addressing indications of potential misconduct and preparing for possible regulatory enquiries. However, it does not replace the liability‑relevant assessment that must take place prior to the transaction decision. From a liability and governance perspective, the clear focus should therefore lie before signing and closing.
The quality of the documentation is crucial for board members. Only where the risk analysis, scope of review, key findings and the resulting decisions are recorded in a clear and traceable manner can management later demonstrate that it acted on a sound informational basis. Structured documentation therefore supports reliance on the Business Judgement Rule and may be decisive in the event of investigations or civil liability claims.
The findings from the criminal due diligence should feed directly into the post‑merger integration. This includes prioritising compliance measures in particularly exposed areas, adjusting or harmonising policies and processes, targeted training, and — where necessary — more in‑depth internal investigations. In this way, the due‑diligence exercise becomes a steering element for the future governance, risk and compliance framework of the combined entity.
