Q: Could UK law enforcement enforce RIPA section 49 on a company outside the UK?
NO For two reasons:
RIPA 2000 is not extraterritorial so only applies in England, Wales and Northern Ireland - there is no power to compel a foreign company to comply.
The procedure to obtain material in an evidential format from, say, a foreign service provider is not RIPA but usually via an International Letter of Request which may negate the need for the key if it can't be cracked by digital forensics investigators.
The ILOR will specify what the UK authorities are seeking which may be just the key but will probably be a portion of, if not the entirety of, the available stored data relating to the username, IP or any other identifier therefore making the need for the key redundant. It's then up to the receiving jurisdiction to decide on the format with which to proceed (terminology varies around the world so it could be called a warrant, production order, writ etc). The recipient company is legally obliged to comply just like everyone else who gets served with a lawful court order.
(Also, for general interest, some countries have mandatory reporting for certain types of online offending, such as the American Cyber Tip Line operated by NCMEC which can legally share information (but not necessarily in an evidential format) with national law enforcement agencies - although it's highly unlikely, if not impossible, that this would include the key.)
Q: If law enforcement didn’t use section 49 from RIPA but still asked for the users password, what will the company say?
In my experience they don't usually say anything to requests that just ask for information, but if they do reply it's words to the effect NO, get a warrant (see point 2, above).