Your company has just made its largest acquisition ever and your CEO says they want you to have a compliance post-acquisition integration plan on their desk in one week. Where do you begin? A good place to start would be the 2012 FCPA Guidance language:

Pre-acquisition due diligence, however, is normally only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.

As reported by New and Trahanas, in a July 2018 speech, former Deputy Assistant Attorney General Matthew Miner emphasized that DOJ would apply the principles contained in the FCPA Corporate Enforcement Policy to successor companies that discover potential violations subsequent to an acquisition, as well as to acquirers who detect potential corrupt activities during the due diligence process. He also encouraged acquiring companies to seek guidance through the FCPA Opinion Procedures. Miner said the DOJ would apply the principles contained in the FCPA Corporate Enforcement Policy to acquiring companies that uncover potential FCPA violations in the mergers and acquisitions context. This means if you meet the four requirements under the FCPA Corporate Enforcement Policy, the default DOJ position would be a declination would be granted.

What should you perform in the post-acquisition phase? It revolves around integrating the new company into your compliance program, performing a FCPA Audit to determine if there are any outstanding issues, remediating both new issues and those identified in the pre-acquisition phase and reporting any findings of violations to the DOJ. In the 2019 Guidance it stated, “Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process?  What has been the company’s process for implementing compliance policies and procedures at new entities?

Timing-wise the Opinion Release 08-02, provided the company’s FCPA Audit would conclude within 180 days of closing and the company would implement FCPA compliance training immediately upon closing and would complete said training within 90 days. In the Johnson & Johnson FCPA resolution the company agreed to completing  its FCPA audit within 18 months and implementing and completing FCPA compliance training in 12 months. For Data Systems & Solutions LLC (DS&S), the FCPA audit and training was to be completed “as soon as practicable.”

As no guidance from the DOJ has specified what it expects in the specific investigation, integration and training, many compliance professionals struggle with how to perform these post-acquisition compliance integrations. In a 2012 Harvard Business Review article, entitled “Two Routes to Resilience”, Clark Gilbert, Matthew Eyring and Richard N. Foster wrote about business transformation which speaks directly to the compliance practitioner to help create post-acquisition integration game plan.

The authors reviewed the situation where an entity must transform itself, leading to a transformation called “establishing a ‘capabilities exchange’ – a new organizational process that allows the two efforts to share resources without interfering with each other’s operations.” That is what a compliance practitioner must accomplish through a post-acquisition integration in the compliance context.

Anyone who has gone through a large merger or acquisition knows how terrifying it can be for the individual employee. Many people, particularly at the target or acquired company, will fear losing their jobs. Yet these fears can be equal in the acquiring company as well. These fears, whether misplaced or well-founded, can lead to many difficulties in the integration process. Consider the creation of a Compliance Capabilities Exchange process which allows “the two organizations to live together and share strengths” and will coordinate “the two transformational efforts so that each gets what it needs and is protected from [unwanted] interference by the other.” There are five steps in this process.

Establish compliance leadership. While this may be the “simplest step but also the one most open to abuse.” The process should be run by just a few top people, which I believe are the CEO, Chief Financial Officer (CFO) and CCO of both the acquiring and acquired company.

Identify the compliance resources the two organizations can or need to share. Hopefully the acquiring organization will have some idea of the state of the compliance program before the deal is closed. It may be that there is some or all of a minimum best practices compliance program in place. If so, attention needs to turn to what can continue and how will need to be integrated.

Create compliance capability exchange teams. In many “synergy efforts, everyone is expected to think about ways resources might be shared.” In Compliance Capability Exchanges, the responsibility should be “carefully confined to a series of teams.” Senior leadership should create compliance teams by assigning a small number of people from both entities with the responsibility of allocating resources used in the integration project.

Protect boundaries. This one is tricky as employees from the former target may not want to move forward with the integration; for fear of losing their jobs or some other reason. There may be internal disputes as to which group may handle an issue going forward. This area is tricky because it is important not to alienate new employees who might have good ideas on the integration or how to move forward. If necessary, the Leadership Team must step in and referee disputes decisively.

Scale up and promote the new compliance program. It is important to celebrate and promote the new entity to both the acquiring company, others in the company and even external stakeholders. It is important that markets and others in the same or similar industry see this evolution and growth. Take the time to publicize the integrated compliance function with the internal customer; i.e., employees. This would include all other compliance stakeholders, including third-party representatives, both on the sales and supply chain side of the house and even customers. Finally, be sure to inform your management, Board of Directors and regulators, such as the DOJ/SEC, as appropriate.

The bottom line is that you must train the newly acquired employees, reevaluate third parties under your company standards, and conduct compliance audits on new business units. This process should be based your pre-acquisition due diligence and risk assessment. Moreover, the DOJ and SEC clearly view both the pre- and post-acquisition phases of M&A as tied together in a unidimensional continuum. If pre-acquisition due diligence is not possible, you should review the requirements and time frames laid out in Opinion Release 08-02 or the 2012 FCPA Guidance, which noted, “pursuant to which companies can nevertheless be rewarded if they choose to conduct thorough post-acquisition FCPA due diligence.” Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as is practicable.

The earlier you can deploy these steps the better off your company will be at the end of the day. An acquisition that fails for compliance reasons is a preventable disaster of the first order. One need only consider the Latin Node Inc. FCPA enforcement actions where the acquiring company had to write off its entire investment because it had wholly failed to engage in appropriate pre-acquisition due diligence.

Three key takeaways:

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes.