Roman Numbers 1-10.2The FCPA Guidance notes that one of the ten hallmarks of an effective compliance program is around mergers and acquisitions (M&A), in both the pre and post-acquisition context. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps, most commonly, inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. Equally important is that if a company engages in the suggested actions, they will go a long way towards insulating, or at least lessening, the risk of FCPA liability going forward.

The FCPA Guidance was the first time that many compliance practitioners focused on the pre-acquisition phase of a transaction as part of a compliance regime. However, the DOJ and SEC made clear the importance of this step. In addition to the above language, they cited to another example in the section on Declinations where the “DOJ and SEC declined to take enforcement action against a U.S. publicly held consumer products company in connection with its acquisition of a foreign company.” The steps taken by the company led the Guidance to state the following, “The company identified the potential improper payments to local government officials as part of its pre-acquisition due diligence and the company promptly developed a comprehensive plan to investigate, correct, and remediate any FCPA issues after acquisition.”

Pre-Acquisition Risk Assessment

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain, these would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include reps and warranties in the final sales agreement that the entire target company uses for participation in transactions as permitted under local law; that there is an absence of government owners in company; and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a rep that all the books and records presented to the acquiring company for review were complete and accurate.

To emphasize all of the above, the DOJ has held in the M&A context, that a company is to ensure that, when practicable and appropriate on the basis of a FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence is conducted by a suitable combination of legal, accounting, and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition of a new business for reasons beyond a company’s control, or due to any applicable law, rule, or regulation, an acquiring company should continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the DOJ any corrupt payments or falsified books and records.

Post-Acquisition Integration

There are generally three things a company must do in the M&A context, post-acquisition. They are immediately train high-risk employees of the newly acquired entity, perform a FCPA forensic audit and integrate the newly acquired company into the purchaser’s compliance program. One other factor is that if the purchaser uncovers FCPA violations they must be stopped at once and reported to the DOJ. It is critical to remember that once an acquired entity is folded into your organization, it is not committing FCPA violations on its own, your company is now the FCPA-violator. However, even if the prior entity did engage in FCPA violations and your investigation uncovered them and you stopped them and then you reported them to the DOJ, your company will not receive any springing FCPA liability. A summary of the time frames for completion of these post-acquisition steps is set forth below.

FCPA M&A Box Score Summary

Time Frames Halliburton 08-02 J&J DS&S
FCPA Audit 1.     High Risk Agents – 90 days

2.     Medium Risk Agents – 120 Days

3.     Low Risk Agents – 180 days

18 months to conduct full FCPA audit As soon “as practicable
Implement FCPA Compliance Program Immediately upon closing 12 months As soon “as practicable
Training on FCPA Compliance Program 60 days to complete training for high risk employees, 90 days for all others 12 months to complete training As soon “as practicable

The FCPA Guidance, coupled with the Opinion Release 08-02 and the two enforcement actions, speak to the importance that the DOJ puts on M&A in the FCPA context. The time frames for post-acquisition integration are quite tight. This means that you should do as much work as you can in the pre-acquisition stage. The DOJ makes clear that rigor is needed throughout your entire compliance program, including M&A. This rigor should be viewed as something more than just complying with the FCPA; it should be viewed as just making good business sense.

In an interview with the Wall Street Journal (WSJ), former DOJ attorney Nathaniel Edmonds emphasized that if a company does not have the opportunity to make these types of inquiries in the pre-acquisition stage “if there are good faith efforts to conduct due diligence, integrate compliance programs and take remedial actions by removing those wrongdoers — if all of that is done on a quick basis [authorities] give very strong credit. The best example of this is the 2009 purchase by Pfizer of Wyeth. I was prosecutor on the Pfizer Wyeth [bribery] case. Pfizer was able to do some due diligence before the acquisition but because both are massive organizations it was not possible to do complete due diligence prior to acquisition. But after the acquisition within 180 days they had identified much of the wrongdoing at Wyeth and ensured it was halted. As a result of that we gave them credit. On the criminal side Pfizer was not held criminally liable for any of the conduct at Wyeth.”

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

Check out my podcast series on the Ten Hallmarks, featuring Hallmark 10 by clicking here.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2016