A company that does not perform adequate due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps, most commonly, inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. Equally important is that if a company engages in the suggested actions, they will go a long way towards insulating, or at least lessening, the risk of FCPA liability going forward.

Pre-Acquisition Risk Assessment

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain, these would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include reps and warranties in the final sales agreement that the entire target company uses for participation in transactions as permitted under local law; that there is an absence of government owners in company; and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a rep that all the books and records presented to the acquiring company for review were complete and accurate.

Post-Acquisition Integration 

There are generally three things a company must do in the M&A context, post-acquisition. They are immediately train high-risk employees of the newly acquired entity, perform a FCPA forensic audit and integrate the newly acquired company into the purchaser’s compliance program. One other factor is that if the purchaser uncovers FCPA violations they must be stopped at once and reported to the DOJ. It is critical to remember that once an acquired entity is folded into your organization, it is not committing FCPA violations on its own, your company is now the FCPA-violator. However, even if the prior entity did engage in FCPA violations and your investigation uncovered them and you stopped them and then you reported them to the DOJ, your company will not receive any springing FCPA liability.

All of this must be done in fairly strict time frames. You basically have 12 months to complete your training and integrating the acquired entity into your compliance program. You have 18 months to complete your forensic audit and then self-disclose the results to regulators if you discover a legal violation. The clock is ticking and you need to be prepared to move forward expeditiously.

Key Takeaways 

  1. When did you last revise your Code of Conduct?
  2. You must have senior management buy-in to revise your Code of Conduct.
  3. Use all tools available to distribute your Code of Conduct.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.