Safe Harbor in the Coming Enforcement Storm? DOJ Announces New M&A Policy to Encourage Compliance
October 10, 2023
By Nathaniel B. Edmonds,Tom Best,Nisa R. Gosselink-Ulep,Craig Y. Lee,Morgan J. Miller,Jennifer D. Riddle,Josh Christensen,Andrew E. Sterritt,Christopher C. Brewer,& Ker Medero
On October 4, 2023, Deputy Attorney General Lisa Monaco (the “DAG”) announced a new Mergers & Acquisitions (“M&A”) Safe Harbor Policy issued by the Department of Justice (“DOJ”) as part of her comments detailing increased enforcement efforts of national security related corporate crime and DOJ’s efforts to incentivize stronger compliance efforts. In particular, DOJ will provide safe harbor for acquiring companies that discover and disclose criminal conduct during the M&A process in order to promote increased voluntary self-disclosures. Specifically, in the context of M&A activities, companies must (1) “disclose misconduct discovered at the acquired entity [to DOJ] within six months from the date of closing” and (2) “fully remediate the misconduct” within one year from the date of closing to qualify for the Safe Harbor.
The DAG’s speech, before the Society of Corporate Compliance and Ethics’ 22nd Annual Compliance & Ethics Institute in Chicago, echoed DOJ’s commitment to enhancing transparency and predictability in an environment of increasing corporate criminal enforcement. The DAG highlighted how “corporate crime intersects with our national security—in everything from terrorist financing, sanctions evasion, and the circumvention of export controls, to cyber- and crypto-crime.” She also noted that DOJ is “seeing new national security dimensions in familiar areas of corporate crime—from FCPA violations to intellectual property theft that affects critical supply chains and involves disruptive technologies.” In response to an audience question on a supposed decline in criminal corporate enforcement matters, the DAG quickly recounted several criminal enforcement matters and declared that DOJ is as busy as they have ever been and “putting our money where our mouth is” with 25 new national security prosecutors and “increasing by 40% the number of prosecutors in the Criminal Division’s Bank Integrity Unit.”
The more intriguing announcement, however, is the formalization of the “Safe Harbor” policy providing greater protections to companies engaged in international M&A activity. Just last month, Principal Associate Deputy Attorney General Marshall Miller (the “PADAG”) foreshadowed this new M&A guidance while speaking at the Global Investigations Review Annual Meeting on September 21, 2023. In that speech, the PADAG highlighted that the Criminal Division’s Evaluation of Corporate Compliance Programs and Corporate Enforcement Policy already include key considerations related to the M&A context and that further guidance from the DAG covering voluntary self-disclosures would be coming soon.
In both speeches, the DAG and the PADAG made clear that DOJ does not want to discourage acquisitions, especially if a company with an exemplary compliance program is acquiring a target with a troubled past. Under the new Safe Harbor Policy, acquiring companies will receive a presumption of a declination—i.e., they themselves will not face enforcement for the acts of an acquired company, discovered pre- or post-closing—if they promptly and voluntarily disclose criminal misconduct of the acquired company within the Safe Harbor period, cooperate with DOJ’s ensuing investigation, and “engage in requisite, timely and appropriate remediation, restitution, and disgorgement.” The Safe Harbor Policy applies “whether the misconduct was discovered pre- or post-acquisition” but does not apply to “misconduct that was otherwise required to be disclosed or already public or known to [DOJ].”
Notably, the DAG explained that DOJ realizes that “not every transaction is the same” and that, “depending on the specific facts, circumstances, and complexity of a particular transaction,” DOJ could extend the Safe Harbor’s deadlines based on a “reasonableness analysis.” This is an important factor to keep in mind while engaging with DOJ as, depending on the size of the target company or other factors, the Safe Harbor deadlines may be impracticable.
Safe Harbor Based on Previous Guidance on Acquirer and Successor Liability
The DOJ’s adoption of an explicit, Department-wide policy in this area follows from its initial policy announcement on acquirer and successor liability in the Foreign Corrupt Practices Act (“FCPA”) context involving Opinion Procedure Release (“OPR”) 08-02. The subject of OPR 08-02 was Halliburton Company’s acquisition of a U.K. publicly-traded oilfield service company where Halliburton was legally prohibited from conducting detailed FCPA/anti-corruption due diligence pre-closing. The new Safe Harbor Policy also continues DOJ’s slow evolution of the policy framework first set out in OPR 08-02 in subsequent compliance and enforcement policy pronouncements.
The DAG cited OPR 08-02 in her recent comments, which applied “only to that transaction, however, and did not have broader application.” Despite the limited application, the Halliburton post-acquisition due diligence and integration plan—which it is important to note was implemented in the context of an acquisition while Halliburton was itself under DOJ investigation for FCPA/anti-corruption issues—provided companies with a detailed protocol, even absent ongoing DOJ investigation or voluntary disclosure, to follow when pre-acquisition due diligence could not be adequately completed, or issues were identified shortly post-closing.
The new Safe Harbor Policy adopts the key milestones of OPR 08-02: the 180-day—or six-month—disclosure period and the one-year remediation period. In practice, that means that the acquiring entity has a very limited time to identify potential misconduct, complete the investigation, conduct a root cause analysis, integrate the acquired entity into its compliance program, and implement full remediation.
The DAG’s speech also mentions that the Safe Harbor Policy “will only apply to criminal conduct discovered in bona fide, arms-length M&A transactions.” This seems to leave open the possibility that certain post-acquisition misconduct at the acquired entity might not be subject to the presumption of declination. For example, when an employee or agent from the acquiring company knowingly participates in misconduct that is ongoing at the target company when it is acquired, DOJ may argue that the relationship between the entities is no longer “arm’s-length.”
The new Safe Harbor Policy for voluntary self-disclosures in the M&A context will apply Department-wide, a first for a DOJ policy of this type, and part of a larger trend to standardize DOJ’s approach to corporate criminal enforcement. In March 2023, the DAG announced a new policy requiring all DOJ components that prosecute corporate crime to have a formal, written policy on voluntary self-disclosures. The goal was to allow companies that promptly disclose misconduct to “take advantage of the programs’ benefits in any type of case, in any part of the Department, and in any part of the country.” But only some of the DOJ components addressed M&A transactions in their voluntary self-disclosure policies and the approaches differed from each other.
With an eye towards consistency, the DAG made clear that the M&A Safe Harbor Policy applies Department-wide though each DOJ component “will tailor its application of this policy to fit their specific enforcement regime, and will consider how this policy will be implemented in practice.”
How each DOJ component incorporates the new Safe Harbor Policy into existing enforcement regimes is likely to generate questions and uncertainty. For example, the DOJ’s Antitrust Division has a longstanding leniency policy that allows companies to avoid criminal prosecution and fines (among other benefits) by being the first to self-report involvement in a criminal antitrust conspiracy. Unlike the new M&A Safe Harbor Policy, which allows misconduct to be reported within six months of the date of closing a deal, the Antitrust Division’s leniency program does not provide any defined time period and instead requires applicants to “promptly” report misconduct once it is discovered. The Antitrust Division’s leniency program also provides the possibility of immunity for cooperating employees, including employees directly involved in the misconduct, depending on whether DOJ was already aware of the potential misconduct.
Given that merger review at the Antitrust Division (and FTC) have previously spawned criminal enforcement actions, such as DOJ’s price-fixing prosecution in the canned tuna industry following a proposed merger between two packaged seafood companies, the interplay between the Antitrust Division’s leniency policy and the new M&A Safe Harbor Policy will likely need to be addressed sooner rather than later.
Application to Acquired Company
Importantly, the “Safe Harbor” only applies to the acquiring company and not to the acquired entity. However, the DAG also stated that the “presence of aggravating factors at the acquired company will not impact in any way the acquiring company’s ability to receive a declination.” This policy position is consistent with DOJ’s efforts to create incentives for acquiring companies to conduct robust pre- and post-closing due diligence, remediate issues, and disclose them to the DOJ. Importantly, acquired companies also may qualify for voluntary self-disclosure benefits, including a potential declination, unless aggravating factors exist at the acquired company, presumably consistent with the current version of the DOJ’s Corporate Enforcement Policy.
Separately, and also importantly, “misconduct disclosed under the Safe Harbor Policy will not affect any recidivist analysis [for the acquiring company] at the time of disclosure or in the future.”
The DAG provided an update related to the three-year Pilot Program Regarding Compensation Incentives and Clawbacks, effective March 15, 2023, where DOJ implemented requirements tied to a company’s compensation systems. She cited recent resolutions as evidence of the program’s early successes. Of note, the 1:1 ratio offered by DOJ may not make sense as it does not include litigation costs typically required to effectuate clawbacks.
Takeaways for Companies on the Current Enforcement Environment and Post-Acquisition M&A Due Diligence
The DAG emphasized: “National security compliance risks are widespread; they are here to stay; and they should be at the top of every company’s compliance risk chart.” While there may be disagreement with the priority ranking, companies must enhance their policies to adjust to this new enforcement reality.
The new M&A Safe Harbor Policy places an “enhanced premium on timely compliance-related due diligence and integration,” as failure to conduct effective due diligence or disclose misconduct raises the risks of (i) the acquiring company incurring liability for the ongoing acts of its acquired target, (ii) the acquired company being held liable for ongoing and past conduct not detected and remediated, or (iii) true successor liability for the acquiring company if it merges its acquired entities out of existence and those entities had engaged in past misconduct. Compliance teams should be prominently involved in the M&A process in order to de-risk transactions and protect shareholder value through “careful due diligence and timely post-acquisition integration.”
Despite being more than 15 years old, OPR 08-02 still provides useful guidance, particularly where a company has limited ability to conduct pre-acquisition due diligence. Additionally, the practical steps included in the DOJ’s and SEC’s A Resource Guide to the U.S. Foreign Corrupt Practices Act still hold true not just for corruption risks but for all corporate criminal risks:
- Conduct thorough, risk-based due diligence on potential new business acquisitions;
- Roll out and ensure that the acquiring company’s code of conduct and compliance policies and procedures apply as quickly as is practicable to newly acquired businesses or merged entities;
- Train the directors, officers, and employees of newly acquired businesses or merged entities, and, when appropriate, train agents and business partners on relevant laws and on the company’s code of conduct and compliance policies and procedures;
- Conduct risk-based audits or due diligence reviews of all newly acquired or merged businesses as quickly as practicable; and
- Disclose misconduct discovered as part of due diligence of newly acquired entities or merged entities.
As quickly as practicable post-close, the acquiring company should place special focus on improving the target company’s compliance program and culture so that it is equal to that of the acquirer. This goes beyond the basic steps outlined above and may require significant efforts and resources to change the acquired company’s entrenched culture and attitudes regarding the value of compliance.
Finally, the Safe Harbor Policy’s deadlines will be extremely challenging for companies facing large, complex, and/or high-risk transactions. Companies should be prepared to proactively engage in discussions with DOJ regarding their findings from pre-close due diligence, the post-close due diligence and integration work plan, and planned timing, as well as keeping DOJ apprised of progress and findings in order to agree with DOJ about any deadline extensions under the “reasonableness analysis.” The assistance of experienced counsel and other personnel will be critical in executing timely and effective pre- and post-close due diligence and integration and engaging with DOJ, particularly when a company may want a deadline extension. Also, given DOJ’s focus on national security, compliance should be evaluating all risks with a national security lens in order to best respond to the current enforcement environment.
As the DAG stated, “Compliance should no longer be viewed as just a cost center for companies. Good corporate governance and effective compliance programs can shield companies from enormous financial risks and penalties.” In conclusion, for companies to be in a position to take advantage of the Safe Harbor Policy, Compliance teams must:
- Be involved early in the evaluation of potential targets to conduct thorough pre-close due diligence (which may mean bringing in external counsel if the Company does not have the expertise or capacity).
- Participate in negotiations to advise on mitigation strategies and plan for post-close integration.
- Immediately work, following transaction closing, to fully understand relevant risks and integrate the acquired entity and its employees into the acquiring company’s compliance program.
- Engage with DOJ regarding the feasibility of the deadlines and the progress of due diligence activities.