Your company has just made its largest acquisition ever and your CEO says that he wants you to have a compliance post-acquisition integration plan on his desk in one week. Where do you begin? Of course, you think about the 2020 FCPA Resource Guide, 2nd edition but  you also remember that the established time frames in the enforcement actions involving Johnson & Johnson (J&J), Pfizer Inc. and DS&S and the Halliburton Opinion Release.

While there are time frames listed in these DPAs, they are a guide of timeframes, not a ‘how to’ guide and many compliance professionals struggle with how to perform these post-acquisition compliance integrations. The 2020 Update to the Evaluation of Corporate Compliance Programs asked the following questions, What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post- acquisition audits, at newly acquired entities?

Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as practicable.

Three key takeaways:

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You need to be ready to hit the ground running when a transaction closes.

The compliance component of your M&A regime should begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.


I suggest a four-step process to plan and execute a strategy to perform pre-acquisition due diligence in the M&A context.

  1. Establish a point of contact.
  2. Collect relevant documents.
  3. Review the compliance and ethics mission and goals.
  4. Review the elements of an effective compliance program.

There are multiple red flags which could be raised in this process, which might well warrant further investigation. They include if the target has ineffective compliance program elements in their compliance program or if there were frequent breach of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors’ level, this could present issues. From the CCO perspective, if the position did not have Board or CEO access or if there were not regular reports to the Board, it could present an issue for compliance. Conversely, if there were frequent requests to waive policies, management over-ride of compliance controls or no consistent consequence management for violations; it could present clear red flags for further investigation.

Three key takeaways:

  1. The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared.

One of the clearest themes from the original, 2012 FCPA Resource Guide was around the importance of your pre-acquisition work in any M&A on a target company. In the section on Declinations, the 2012 FCPA Resource Guide provided an example of a company which had received a declination in large part because of its pre-acquisition work, which then served as a basis of its post-acquisition remediation. I find it appropriate to think of the process as a straight line, directly from the pre-acquisition phase through to closing and then to remediation, integration and self-reporting in the post-acquisition phase. These same concepts were brought forward in the 2020 FCPA Resource Guide, 2nd edition.

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a mechanism through which to view the feasibility of the business strategy and help to value the potential target.

The first step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, in the post-acquisition phase. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

The pre-acquisition risk assessment can be a critical element in any M&A work for compliance. Use this opportunity to see where the target might stand on compliance. Your risk assessment can evolve as you obtain greater information. Finally, use this pre-acquisition risk assessment as a base document to plan, resource and budget for your post-acquisition remediation, integration and reporting.

Three key takeaways:

  1. One never has enough time to engage in all of the pre-acquisition review you might want to do, so optimize your time and resources.
  2. Consider what you can review to put together a preliminary risk assessment on the target.
  3. As with most compliance initiatives, you are only limited by your imagination, so if you are limited in time and scope, try something new and different.

Why should a company engage in pre-acquisition due diligence in the M&A context? Certainly, compliance with anti-corruption laws such as the FCPA or U.K. Bribery Act is a good starting point. A Transparency International white paper, entitled “Anti-Bribery Due Diligence for Transactions”, suggested that there are greater forces driving compliance than simply compliance with anti-corruption and anti-bribery laws. A company engaging in an international acquisition should also strive to avoid the potential financial and reputational damage that may arise from investing in or purchasing a company associated with bribery or corruption.

Financial, legal, or reputational risk can have a significant impact the valuation or a transaction or its desirability. Factors such as current or historical bribery/corruption discovered at any point in the acquiring company provide the compliance practitioner with strong ammunition when confronted with a management that fails to understand the need for a robust due diligence in a M&A transaction. By not focusing on the regulatory aspects of M&A transactions, but more on the market reasons for engaging in the appropriate due diligence, you can emphasize the business reasons for compliance.

Three key takeaways:

  1. There are numerous legal and business reason to engage in anti-corruption due diligence in the M&A space.
  2. ESG can present significant corruption risks in emerging markets.
  3. Present your analysis in high, medium and low risk formats.

White collar defense practitioners have long called for a specific safe harbor for companies in the mergers and acquisition context where they meet the criteria set out by the DOJ. This clarion call was answered in the summer, 2018 when in July 2018, the DOJ announced a revision to the FCPA Corporation Enforcement Policy, specifically around mergers and acquisitions. The new language read:

M&A Due Diligence and Remediation: The Department recognizes the potential benefits of corporate mergers and acquisitions, particularly when the acquiring entity has a robust compliance program in place and implements that program as quickly as practicable at the merged or acquired entity. Accordingly, where a company undertakes a merger or acquisition, uncovers misconduct through thorough and timely due diligence or, in appropriate instances, through post-acquisition audits or compliance integration efforts, and voluntarily self-discloses the misconduct and otherwise takes action consistent with this Policy (including, among other requirements, the timely implementation of an effective compliance program at the merged or acquired entity), there will be a presumption of a declination in accordance with and subject to the other requirements of this Policy.

In announcing the change, then Deputy Assistant Attorney General Matthew Miner, that while the 2012 FCPA Resource Guide did provide some guidance on what may constitute a safe harbor; that word ‘may’ was a “sticking point for corporate management when deciding whether and how to proceed with a potential merger or acquisition. There is a big difference between a theoretical outcome and one that is concrete and presumptively available.”

Three Key Takeaways

  1. The FCPA Corporate Enforcement Policy was amended in 2018 to provide a safe harbor in the M&A context.
  2. Pre and post-acquisition compliance work must be equally robust.
  3. If you find misconduct, report and remediate.