Your company has just made its largest acquisition ever and your CEO says they want you to have a compliance post-acquisition integration plan on their desk in one week. Where do you begin? A good place to start would be the 2020 FCPA Resource Guide language:

Pre-acquisition due diligence, however, is normally only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.

The bottom line is that you must train the newly acquired employees, reevaluate third parties under your company standards, and conduct compliance audits on new business units. This process should be based your pre-acquisition due diligence and risk assessment. Moreover, the DOJ and SEC clearly view both the pre- and post-acquisition phases of M&A as tied together in a unidimensional continuum. If pre-acquisition due diligence is not possible, you should review the requirements and time frames laid out in Opinion Release 08-02 or the 2020 FCPA Resource Guide, which noted, “pursuant to which companies can nevertheless be rewarded if they choose to conduct thorough post-acquisition FCPA due diligence.” Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as is practicable.

The earlier you can deploy these steps the better off your company will be at the end of the day. An acquisition that fails for compliance reasons is a preventable disaster of the first order. One need only consider the Latin Node Inc. FCPA enforcement actions where the acquiring company had to write off its entire investment because it had wholly failed to engage in appropriate pre-acquisition due diligence.

 Three key takeaways:

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes.

A company that does not perform adequate due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. While most compliance practitioners have been long aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners of the need to engage in robust pre-acquisition due diligence.

The 2020 Update  made even more clear the need for a robust compliance presence in the pre-acquisition phase. It stated, “A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed  or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.”

There are multiple red flags which could be raised in this process, which might well warrant further investigation. They include if the target has ineffective compliance program elements in their compliance program or if there were frequent breach of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors’ level, this could present issues. From the CCO perspective, if the position did not have Board or CEO access or if there were not regular reports to the Board, it could present an issue for compliance. Conversely, if there were frequent requests to waive policies, management over-ride of compliance controls or no consistent consequence management for violations; it could present clear red flags for further investigation.

Three key takeaways:

  1. The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared.

One of the areas articulated in the 2020 Update was around payments and payroll. For the both the compliance professional and the corporate payroll function, there is a significant role to play in the operationalization of a corporate compliance program. The 2020 Update was replete with references to payment and its critical nature to any best practices compliance program.  This includes references to payments to foreign officials, payments to third parties and hiding bribes in payments to distributors. The 2020 Update begins with an admonition to stop wasting time on low hanging fruit when there are much higher risks in your business operations.

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is out of payroll. All CCOs need to sit down with his or her head of payroll, have them explain the role of payroll, then review the internal controls in place to see how they facilitate the goals of compliance. From that review, you can then determine how to use payroll to help to operationalize your compliance program.

The DOJ has now provided its clearest statement on how it expects a company to actually do compliance going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process, which should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and controls.

Three key takeaways:

  1. Payroll can be a key prevent and detect control.
  2. The 2020 Update specified the tying of the corporate compliance function to the corporate payroll function.
  3. Offshore payments remain a key indicator for a red flag.

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, 2020 FCPA Resource Guide, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

This Hallmark was significantly expanded in both the FCPA Corporate Enforcement Policy and 2020 Update. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company.

The 2020 Update and FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically; and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations.

Three key takeaways:

  1. How is compliance treated in the budget process?
  2. Has your compliance function had any decisions over-ridden by senior management?
  3. Beware outsourcing of compliance as any such contractor must have access to company documents and personnel.

The role of the CCO has steadily grown in stature and prestige over the years. In the 2020 FCPA Resource Guide, under the Hallmarks of an Effective Compliance Program, it focused on the whether the CCO held senior management status and had a direct reporting line to the Board.

This Hallmark was significantly expanded in both the 2020 Update and the FCPA Corporate Enforcement Policy. And in so doing, the DOJ has increased the prestige, authority and role of both the CCO and corporate compliance function. The 2020 Update has five general areas of inquiry around the CCO and corporate compliance function. (1) How does the CCO salary and stature within the organization compare to other senior executives within the company. (2) What are the experience and stature of the CCO with an organization? Does the CCO have appropriate training for the role? (3) How much autonomy does the CCO have to report to the Board of Directors? How often do the CCO meet with directors?  Are members of the senior management present for these meetings with the Board of Directors or of the Audit Committee? (4) What is your structure? Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company? (5) Is data in your organization so siloed that the CCO does not have access to it? If so, what are you doing about it?

Once again for the compliance professional, the FCPA Corporate Enforcement Policy and 2020 Update make the importance of a best practices compliance program even more critical. The DOJ is focusing more on the role, expertise and how the compliance function is treated within an organization. Pay your CCO considerably less than your GC? You may now better be able to justify that discrepancy. If you have a legal department budget of $3 million and a compliance department budget of $500,000; you may be starting behind the eight-ball.

Three key takeaways:

  1. How can you show the CCO really has a seat at the senior executive table?
  2. What are the professional qualifications of your CCO?
  3. Does your CCO have true independence to report directly to the Board of Directors?