M&A in Energy: Regulatory Due Diligence Tips

Energy M&A deals are complex, with regulations shaping timelines, costs, and outcomes. Here's what you need to know:

• Why It Matters: Regulatory compliance ensures smooth transactions and avoids fines or delays. Violations can lead to costly penalties or even imprisonment.
• Key Challenges: Antitrust scrutiny, environmental permits, geopolitical risks, and safety standards are critical areas to address.
• Focus Areas:
  • Review environmental permits and liabilities (e.g., CERCLA, PFAS risks).
  • Ensure compliance with FERC and state-level regulations.
  • Assess safety records and management systems to avoid operational risks.
  • Evaluate cybersecurity readiness, especially under NERC CIP standards.

Thorough due diligence in these areas protects deal value and ensures long-term success. Now, let’s break it down further.

Environmental Compliance and Permits

Expanding on regulatory due diligence, this section delves into the role of environmental permits and management practices in energy mergers and acquisitions (M&A). Environmental permits and licenses are essential for ensuring compliance in these transactions. The energy sector operates under intricate federal and state environmental regulations. Facilities such as coal, natural gas, and nuclear power plants, along with upstream, midstream, and downstream oil and gas assets, face unique challenges. These include emission permits, potential regulations on carbon and frac fluids, and existing liabilities tied to mercury, petroleum, and radiation releases.

"The energy industry is highly regulated and requires numerous local, state and federal licenses, permits and approvals in order to operate." – Environmental Practice Group of McDermott Will & Schulte LLP

Even renewable energy projects are subject to rigorous oversight. For example, wind and solar developments must adhere to wetland preservation rules and prove they have minimal impact on local wildlife and ecosystems.

Reviewing Permits and Licenses

The first step is to gather and verify all environmental permits and licenses held by the target company. This includes confirming their validity and ensuring they are in good standing. While the Environmental Protection Agency (EPA) oversees enforcement, many federal permit programs are managed by state, tribal, or local agencies.

Key permits typically cover air emissions, water discharges, and underground injections. The review process should align with the target company's specific operations, as requirements vary by facility type. Early evaluation is critical for deal timelines, especially since some states mandate transfer applications for facilities undergoing a change in control.

After validating permits, it's essential to assess any historical or unresolved regulatory breaches.

Identifying Violations and Liabilities

Past non-compliance can lead to significant financial and operational risks. Due diligence must identify any previous violations, penalties, or pending enforcement actions tied to environmental permits. This involves reviewing communications with regulatory agencies, inspection records, and notices of violation.

CERCLA liability (Comprehensive Environmental Response, Compensation, and Liability Act) can impose cleanup costs for hazardous substances at a site, regardless of fault or awareness. Additionally, any potentially responsible party can be held jointly and severally liable for the entire cleanup cost. A cautionary example is the Tronox bankruptcy, where the company initially reported $200 million in environmental reserves but faced actual obligations nearing $900 million, culminating in a $5.15 billion settlement across more than 4,000 contaminated sites.

Emerging regulations, such as those covering PFAS and ethylene oxide, add further complexity to the due diligence process.

Evaluating Management Systems

Strong environmental management systems reflect a company’s commitment to compliance and risk management. Key areas to evaluate include emissions monitoring, waste disposal procedures, and incident reporting protocols. Companies with effective systems are more likely to maintain long-term compliance.

Indicators of well-managed systems include ISO 14001 certification, active employee participation in environmental training, and detailed sustainability reporting. Companies that align their disclosures with frameworks like the Global Reporting Initiative often demonstrate transparency and accountability in their environmental practices.

Setting SMART goals (Specific, Measurable, Achievable, Relevant, Time-bound) within an environmental management system shows a company’s ability to plan and execute effectively. These goals should align with broader organizational objectives and applicable regulations.

"Measure the success of an Environmental Management System (EMS) by tracking regulatory compliance, reductions in emissions and resource use, and progress towards environmental goals. Achievements in certifications like ISO 14001, stakeholder satisfaction, and financial savings from improved practices are also key indicators."
– Engr. Absar Ahmed Bhatti, Environmental Manager, NEOM Projects

Incident response protocols and past performance also provide insight into regulatory risk. Companies with established protocols and quick response times tend to face fewer penalties and operational disruptions. Special attention should be given to Spill Prevention, Control, and Countermeasure (SPCC) plans, ensuring they are updated to reflect current operations and meet regulatory standards.

Conducting thorough environmental due diligence not only minimizes regulatory risks but also directly affects transaction value, making strong management practices a critical factor in successful energy sector deals.

Federal and State Energy Regulations

When it comes to energy mergers and acquisitions (M&A), understanding the regulatory framework is just as important as reviewing environmental permits. Federal and state rules governing energy assets play a critical role in shaping deal timelines and structures. These regulations differ significantly from environmental permits and demand early attention during due diligence to avoid delays and ensure smooth transactions.

The type of energy assets and their locations determine the applicable regulations. For instance, the requirements for power plants differ from those for natural gas pipelines. Companies operating across multiple states face the added challenge of navigating each state's unique approval process. This complexity underscores the need for specialized legal expertise and meticulous planning right from the start. Let’s take a closer look at some of the key federal and state-level regulations, beginning with FERC compliance.

Federal Energy Regulatory Commission (FERC) Compliance

FERC approval is a major federal checkpoint for energy M&A transactions. Under Section 203 of the Federal Power Act, any transaction involving public utilities with assets exceeding $10 million must secure FERC authorization before closing. This applies to mergers, acquisitions, and asset sales involving facilities under FERC's jurisdiction.

"No public utility shall, without first having secured an order of the Commission authorizing it to do so: Sell, lease, or otherwise dispose of the whole of its facilities subject to the jurisdiction of the Commission, or any part thereof of a value in excess of $10,000,000; Merge or consolidate, directly or indirectly, its facilities subject to the jurisdiction of the Commission, or any part thereof, that are subject to the jurisdiction of the Commission and have a value in excess of $10,000,000; Purchase, acquire, or take any security with a value in excess of $10,000,000 of any other public utility; or Purchase, lease or otherwise acquire an existing generation facility - (i) that has a value in excess of $10,000,000; and (ii) that is used for interstate wholesale sales and over which the Commission has jurisdiction for ratemaking purposes."

FERC evaluates whether a transaction aligns with the "public interest" by examining its impact on competition, rates, regulation, and cross-subsidization risks. While the standard may sound straightforward, it can become intricate when market power concerns come into play.

Market power analysis is central to FERC’s competitive review. The commission assesses both horizontal effects (market concentration in energy and capacity markets) and vertical effects (control over transmission or gas transportation). To address these concerns, companies often propose mitigation measures like asset divestitures or infrastructure upgrades.

A case in point is the 2011–2012 merger of Duke Energy and Progress Energy. Initially, FERC identified competitive issues and rejected the merger. Only after the companies revised their proposal and added mitigation measures did FERC grant approval.

During due diligence, teams should carefully review FERC’s public records for any pending complaints against the target company, such as rate or customer complaints under Section 206. It’s also crucial to evaluate the target’s involvement in regional market proceedings and positions on key industry issues.

Compliance programs require special scrutiny as well. FERC enforces strict standards under Rule 35.41(b), demanding complete accuracy in all communications. Violations - intentional or not - can result in penalties of up to $1 million per day, making rigorous due diligence non-negotiable.

Additionally, companies should anticipate "hold harmless commitments" as a condition for FERC approval. These commitments, often lasting five years, are designed to protect transmission and wholesale power customers from negative transaction impacts. Accounting for these conditions early can help streamline negotiations.

Natural gas transactions follow a different path under the Natural Gas Act, which does not include a merger approval provision. While interstate natural gas pipelines without power assets usually avoid FERC approval requirements, certain contract transfers may still need FERC waivers.

State Public Utility Commission Approvals

Beyond federal regulations, state-level approvals add another layer of complexity. Each state’s Public Utility Commission (PUC) may impose its own conditions, which are often stricter than federal standards. Unlike FERC, state PUCs typically require proof of tangible customer benefits, such as improved service quality, lower rates, or enhanced system reliability.

For example, the California Public Utilities Commission (CPUC) approved California-American Water Company's $34 million acquisition of East Pasadena Water Company in August 2021. The deal was greenlit because it promised better conservation programs, rate assistance, and access to capital for system improvements.

To navigate state regulations effectively, companies must first identify all states where the target operates. Each state’s PUC may assert jurisdiction, regardless of the size of local operations. Requirements, timelines, and review standards vary widely, so a tailored strategy for each state is essential.

State PUC proceedings are often lengthy and involve multiple steps, including environmental reviews, pre-hearing conferences, evidentiary hearings, and opportunities for public input. Unlike FERC’s largely written process, state reviews frequently require formal hearings with witness testimony and cross-examination.

Engaging state regulators and stakeholders early can help uncover potential concerns before filing formal applications. Many states encourage pre-filing meetings to discuss transaction structures and possible conditions. This proactive approach can help shape a stronger application.

State regulators may also impose specific conditions on approved transactions. These could include commitments to capital investments, maintaining service standards, or protecting rates. Preparing for these conditions from the outset can help avoid surprises later in the process.

Given the challenges of managing multiple state approvals simultaneously, experienced legal counsel is invaluable. Lawyers with deep knowledge of each state’s regulatory framework can help streamline approval processes and negotiate favorable conditions.

"The energy industry is highly complex, with varying market structures and regulations throughout the world. As a result of this complexity - particularly the energy, environmental, health and safety, and other regulations affecting the industry - energy M&A transactions are rife with risk that is difficult to identify, navigate and understand." - Environmental Practice Group of McDermott Will & Schulte LLP

For companies pursuing energy sector acquisitions, Phoenix Strategy Group offers M&A support services to help manage these regulatory challenges. Their expertise in financial due diligence and deal structuring ensures that transactions align with regulatory requirements while optimizing value and timelines.

Safety Standards and Compliance

Safety compliance is one of the most critical areas in energy sector due diligence. Overlooking violations can lead to steep legal and financial consequences. Given the hazardous materials and intricate processes involved in this industry, thorough safety assessments are key to protecting deal value and ensuring smooth operations.

Energy companies must navigate a maze of safety regulations enforced by OSHA, state agencies, and industry-specific standards. Unlike environmental permits that focus on external impacts, safety compliance directly influences daily operations, employee well-being, and business continuity. A single safety lapse can result in millions in fines, shutdowns, and lasting reputational damage.

"Environmental and workplace safety compliance is critical in industries such as manufacturing, energy, and chemicals." - Riddle Compliance

The 2005 Texas City Refinery explosion serves as a stark reminder of the importance of robust Process Safety Management (PSM) systems during mergers. This tragic incident, which claimed 15 lives and injured hundreds, occurred after two oil refining companies merged but failed to integrate effective PSM systems. It highlights why safety due diligence must go beyond a simple checklist.

This section outlines how to examine safety records and management systems to safeguard transaction value.

Reviewing Safety Compliance Records

Thoroughly reviewing safety compliance records is essential for effective due diligence. Start by examining key safety documentation in detail.

• Workplace safety records: Review safety policies, incident reports, near-miss documentation, and records of past accidents or injuries. Look for trends in safety performance - whether incidents are rising or falling - and identify patterns that could signal systemic problems.
• Compliance history: Scrutinize inspection reports from OSHA and other regulatory bodies. Focus on violation notices, enforcement actions, and how the company responded. Companies with strong safety cultures tend to address violations proactively and go beyond the minimum corrective measures.
• Hazardous materials assessments: Request detailed surveys for asbestos-containing materials, lead-based paint, mold remediation, and PCB inventories. Also, review documentation on underground storage tanks (USTs), including testing, removal, and contamination status. These assessments can uncover hidden liabilities that impact valuation.
• Environmental, Health, and Safety (EHS) audits: Independent audits by licensed professionals provide an objective view of compliance. Look for reports that include risk mitigation recommendations and Material Compliance Reviews (MCRs), which often reveal issues internal reviews might miss.
• Transportation safety records: For companies with vehicle fleets, evaluate fleet safety records, maintenance logs, driver training programs, and Department of Transportation (DOT) compliance. Check for trends in inspection rates, violations, crash indicators, and fines, as these can indicate broader operational challenges.

Non-compliance costs can easily exceed the expenses of maintaining compliance, making this review a critical step in due diligence.

Evaluating Safety Management Systems

Assessing the effectiveness of safety management systems ensures a company can sustain and improve safety performance over time. These systems are vital for maintaining regulatory adherence and ensuring the success of mergers and acquisitions in the energy sector.

Core system components should align with recognized standards like API RP 1173, ANSI Z10.0, and ISO 45001. Key elements include:

• Comprehensive written EHS programs that meet regulatory standards
• Visible management commitment and resource allocation
• Effective monitoring and change management protocols
• Robust hazard identification and mitigation processes
• Thorough incident reporting and investigation systems
• Comprehensive training programs tailored to job-specific risks
• A focus on continuous improvement through performance metrics and updates

For facilities handling hazardous chemicals, review Process Hazard Analysis (PHA) documentation to ensure hazards are identified and controlled. Verify the accuracy of Process Safety Information (PSI) and confirm the presence of Mechanical Integrity (MI) programs to maintain critical equipment. Comprehensive PSM audits should occur at least every three years.

Assess the effectiveness of Management of Change (MOC) processes, as any changes to equipment, chemicals, or procedures can introduce new risks. A solid framework must be in place to evaluate these impacts before implementation.

Training and competency systems are another crucial focus. Examine digital training platforms, certification records, and completion rates. Effective programs should address specific hazards and comply with regulatory standards.

Incident investigation systems should include detailed reporting and root cause analysis to identify and address underlying issues. For example, since 2017, Dollar General has faced over $15 million in fines for violations like blocked emergency exits and inadequate training - showing the steep price of poor safety management.

Phoenix Strategy Group provides M&A support by identifying safety compliance risks and structuring deals to include necessary safety system upgrades and compliance commitments.

"EHS due diligence should not be seen as a box-checking exercise but rather as a proactive risk management strategy that enhances deal confidence and long-term value creation." - Matthew Bell, Environmental M&A Practice Leader, Antea Group

sbb-itb-e766981

Cybersecurity and Infrastructure Protection

Cybersecurity has become a cornerstone of energy mergers and acquisitions (M&A), going far beyond traditional safety and operational checks. The 2021 Colonial Pipeline attack was a stark reminder of the growing cyber threats targeting energy infrastructure.

According to Gartner, by 2025, 30% of critical infrastructure organizations will face severe cyberattacks. Yet, more than half of M&A deals still lack thorough cyber due diligence. With cyberattacks on energy and utility companies becoming more frequent and advanced, cybersecurity has shifted from being a compliance formality to a critical factor that can make or break deals.

"Cybersecurity has become an indispensable factor in investment decisions within the energy and utilities sector. As part of the Critical Infrastructure Sector, energy and utilities companies are prime targets for cyber threats - making cybersecurity a crucial element in deal valuations." - West Monroe

The integration of operational technology (OT) with information technology (IT) has opened up new vulnerabilities. Legacy systems now interact with modern networks, creating gaps that cybercriminals can exploit. While digital upgrades like smart grids and automated controls boost efficiency, they also expand the potential attack surface.

NERC CIP Standards Compliance

The North American Electric Reliability Corporation (NERC) has established 14 Critical Infrastructure Protection (CIP) standards, ranging from CIP-002 to CIP-015. These standards regulate access control, network security, and disaster recovery for Bulk Electric System operators across the U.S., Canada, and parts of Mexico.

Failure to comply with these standards can result in daily fines of up to $2,000,000, making a compliance review an essential part of due diligence. The Compliance Monitoring and Enforcement Program actively enforces these standards, with violations leading to both financial penalties and reputational harm.

"Regulatory due diligence, a critical step in acquiring new generating assets, is a collaborative effort involving investors, energy industry professionals, and, most importantly, regulatory compliance officers." - Certrec

A thorough compliance review should begin with a gap analysis and regulatory risk assessment. Examine the target company’s compliance history and evaluate its adherence to all applicable NERC CIP standards. Focus on identifying and addressing vulnerabilities in critical digital assets.

A detailed technical assessment of each CIP standard is essential. For example:

• CIP-002: Conduct asset scans to identify vulnerabilities and assess their impact.
• CIP-003: Review real-time alerts for unauthorized access and policy enforcement.
• CIP-004: Examine personnel risk assessments, training programs, and security awareness efforts.
• CIP-005: Evaluate network segmentation and access control measures.
• CIP-006 and CIP-014: Assess physical security plans, access control systems, and intrusion detection systems.
• CIP-007: Review anomaly detection capabilities and patch management practices.

Regulatory updates, such as FERC Order No. 887, have added new requirements. By July 9, 2024, Internal Network Security Monitoring will be mandatory for high- and medium-impact BES Cyber Systems with External Routable Connectivity. These evolving standards heighten the importance of a comprehensive compliance evaluation.

Cybersecurity Policies and Incident Response

Strong cybersecurity policies are as vital as environmental and safety measures in safeguarding deal value and operational stability. Policies must align with NERC CIP standards and address modern threats like advanced persistent threats (APTs), ransomware, and AI-driven attacks.

When evaluating cybersecurity policies, pay close attention to:

• Incident response procedures
• Change management protocols
• Security awareness training
• Access control systems, such as Role-Based Access Control (RBAC)

Supply chain security is another critical area. CIP-013 emphasizes the need for effective supply chain risk management. Scrutinize contracts with third-party vendors to ensure robust cybersecurity requirements are in place.

"The due diligence processes for investors and private equity firms must go beyond basic evaluations and scrutinize a target company's entire cybersecurity posture - including its supply chain security, vendor risk management, and incident response capabilities." - West Monroe

Incident response plans deserve particular focus. These plans should be current, regularly tested through drills, and updated based on lessons learned from past incidents. For energy companies, this includes specialized protocols for Industrial Control Systems, covering prevention, detection, containment, remediation, and post-incident analysis.

"The energy sector is one of the most targeted industries for cyber attacks? With the increasing dependence on digital infrastructure, the risk of cyber threats on energy systems is higher than ever before. It is imperative for the energy sector to have a robust incident response plan in place to safeguard critical infrastructure and protect against cybersecurity breaches." - Samuel Morgan, Director of Cybersecurity Solutions for Energy and Utilities at Energi Volt

Incident response plans must also ensure timely reporting of breaches to relevant authorities, meeting federal requirements.

A comprehensive infrastructure review should cover the identification and classification of Critical Cyber Assets, OT systems, and IT systems based on their impact on grid reliability. Documentation of risk assessments, identified vulnerabilities, and remediation efforts should also be evaluated.

Continuous monitoring capabilities are essential. This includes intrusion detection systems, Security Information and Event Management (SIEM) tools, and employee training programs. Human error remains a leading cause of security breaches, making regular training, including phishing simulations, a priority.

Advanced monitoring requirements under CIP-015 should also be reviewed. This includes evaluating network defense capabilities, OT protocol support, micro-segmentation, and anomaly detection systems. Assess malware prevention measures, including Cyber-Physical Systems Detection and Response tools, to ensure early threat detection.

During the due diligence process, tools like the Department of Energy's Cybersecurity Capability Maturity Model can help assess the target company's cybersecurity maturity and resource allocation. Alignment with the NIST Cybersecurity Framework and the Electricity Subsector Cybersecurity Risk Management Process guideline should also be reviewed.

Phoenix Strategy Group offers M&A support by conducting in-depth cybersecurity assessments. These evaluations identify vulnerabilities, address compliance gaps, and help structure deals with appropriate remediation plans and post-acquisition strategies.

"Effective risk management involves identifying potential risks, assessing their impact, and implementing mitigation strategies to protect the organization from significant financial and reputational damage." - Certrec

Key Takeaways for Energy M&A Due Diligence

When it comes to energy M&A transactions, regulatory due diligence is more than just a box to check - it’s a critical step that can make or break a deal. The energy sector operates under a complex web of local, national, and even international regulations, and overlooking compliance risks can lead to penalties, liabilities, or even a failed transaction.

"Energy is a highly regulated sector, which means that companies operating in this field must comply with a range of local, national, and, in many cases, international regulations." - ILP Abogados

Environmental, federal, safety, and cybersecurity reviews are essential components of due diligence. For instance, verifying environmental permits is vital to avoid unexpected remediation costs. These regulatory checks also pave the way for securing timely approvals at both federal and state levels - an essential factor since regulatory approvals can significantly extend deal timelines.

Safety records are another key focus area. A company with strong safety management practices not only faces fewer regulatory hurdles but also demonstrates operational discipline, making it a more appealing acquisition target.

The regulatory environment is shifting toward a "zero-tolerance" approach, which makes identifying compliance risks even more urgent. Federal trade policies, environmental mandates, and cybersecurity requirements are tightening, pushing buyers to dig deeper into a target company's regulatory standing.

"Regulatory issues can be a major drain on company resources when they arise unexpectedly. In an increasingly zero-tolerance regulatory landscape, identifying compliance risk within a target firm is critical." - Ansarada

Another emerging area of focus is energy transition readiness. Regulators are increasingly scrutinizing how well companies are positioned for changes in renewable energy, carbon emissions, and grid modernization. This means assessing whether a target’s infrastructure and strategy align with future regulatory demands.

Anti-bribery and corruption risks also deserve attention, especially when dealing with targets in high-risk jurisdictions. Investigating payment practices and third-party relationships can help uncover potential violations that might lead to legal or reputational damage.

Phoenix Strategy Group specializes in guiding growth-stage energy companies through these challenges. Their M&A advisory services include comprehensive compliance assessments, risk identification, and strategies to safeguard deal value and ensure smooth execution.

FAQs

What are the essential steps for regulatory due diligence in energy M&A transactions?

Conducting regulatory due diligence for energy M&A transactions requires a careful and systematic approach. Start by diving into a detailed review of federal, state, and local regulations, paying close attention to energy-specific laws like the Federal Power Act and the requirements set by FERC. This step ensures the transaction aligns with the complex legal framework governing the energy sector.

Next, examine how the deal might affect permits, licenses, and existing contracts. Confirm that these critical documents remain valid and compliant throughout the process. Overlooking this could lead to complications down the road.

Additionally, review compliance with environmental and safety standards. This includes identifying any necessary regulatory approvals or notifications to avoid potential legal hurdles. Addressing these elements early on helps reduce risks and keeps the transaction in line with U.S. energy regulations, paving the way for a smoother process.

What steps can companies take to handle federal and state energy regulations during an M&A transaction?

To navigate federal and state energy regulations during an M&A transaction, companies need to focus on detailed regulatory due diligence. This means carefully examining all relevant laws, compliance obligations, and any necessary approvals from agencies like the Federal Energy Regulatory Commission (FERC) and state-level authorities.

Bringing in seasoned legal and regulatory experts early on can help identify potential risks and ensure adherence to all requirements. Staying updated on policy developments is especially important in the renewable energy space, where changing regulations can significantly influence deal valuation and risk strategies. Being prepared ahead of time can streamline the transaction process and reduce the chances of unexpected complications.

Why is cybersecurity important in energy M&A, and how can companies comply with NERC CIP standards?

Cybersecurity plays a key role in energy M&A transactions by safeguarding critical infrastructure and sensitive information from cyber threats. These threats, if left unchecked, could disrupt operations or diminish the value of a deal. Having a solid cybersecurity framework in place not only ensures a smoother transition but also protects the Bulk Electric System (BES) from potential risks.

To align with NERC CIP standards, companies need to adopt strong security practices. This includes deploying firewalls, using intrusion detection systems, and conducting regular security audits. Such measures help minimize vulnerabilities, ensure regulatory compliance, and maintain a smooth transaction process, all while reducing the likelihood of costly interruptions.

Related Blog Posts

• M&A Valuations in Renewable Energy: Role of Policy Changes
• Ultimate Guide to Clean Energy Regulatory Challenges
• Wind Energy Valuation for M&A Deals
• Regulatory Risks in Emerging Market Mergers