Previously many compliance practitioners had based decisions in the M&A context on DOJ Opinion Release 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity, Expro. In 2011, the Johnson & Johnson (J&J) DPA changed the perception of compliance practitioners regarding what is required of a company in the M&A setting related to FCPA due diligence, both pre-and post-acquisition. The 2012 Data Systems & Solutions LLC (DS&S) DPA which brought additional information to the compliance practitioner on what a company can do to protect itself in the context of M&A activity.

The 2012 FCPA Guidance spoke about the post-acquisition phase of due diligence, noting that is a part of the compliance process for mergers and acquisitions. Both the “DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.” While the 2012 FCPA Guidance discussed mergers and acquisitions in the context of a best practices compliance program it did not specify a time frame for post-acquisition integration.

Opinion Release 08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted a request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether, through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton’s completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.

Halliburton Opinion Release 

Halliburton committed to the following conditions in 08-02, if it was the successful bidder in the acquisition:

Within ten business days of the closing. Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk

Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

Within One Year of Closing. Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction.

Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However, we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed, the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.”

Johnson & Johnson (J&J) Deferred Prosecution Agreement

In Attachment D of the J&J DPA, entitled “Enhanced Compliance Obligations”, there is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA beyond the minimum best practices also set out in the J&J DPA. Regarding the M&A context, J&J agreed to the following: 

J&J will ensure that new business entities are only acquired after thorough FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. Where such anti-corruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.

J&J will ensure that J&J’s policies and procedures regarding the anti-corruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly, for those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.

Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J’s related policies and procedures; and

Conduct an FCPA-specific audit of all newly acquired businesses within 18 months of acquisition.

These enhanced obligations agreed to by J&J in the M&A context were less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to the following time frames:

18 Month – conduct a full FCPA audit of the acquired company.

12 Month – introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”

Data Systems & Solutions LLC (DS&S) Deferred Prosecution Agreement

In the DS&S DPA there were two new items listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions were found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:

DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.

DS&S will ensure that DS&S’s policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:

Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S’s policies and procedures regarding anticorruption laws.

Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.

This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance and the J&J “Enhanced Compliance Obligations” incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during M&A activities. 

FCPA M&A Box Score Summary

Time Frames Halliburton 08-02 J&J DS&S
FCPA Audit 1.     High Risk Agents – 90 days

2.     Medium Risk Agents – 120 Days

3.     Low Risk Agents – 180 days

18 months to conduct full FCPA audit As soon “as practicable
Implement FCPA Compliance Program Immediately upon closing 12 months As soon “as practicable
Training on FCPA Compliance Program 60 days to complete training for high risk employees, 90 days for all others 12 months to complete training As soon “as practicable

The Guidance, coupled with the 08-02 and the two enforcement actions, speak to the importance that the DOJ puts on M&A in the FCPA context. The time frames for post-acquisition integration are quite tight. This means that you should do as much work as you can in the pre-acquisition stage. The DOJ makes clear that rigor is needed throughout your entire compliance program, including M&A. This rigor should be viewed as something more than just complying with the FCPA; it should be viewed as just making good business sense.

Three Key Takeaways

  1. The Halliburton Opinion Release put some very tight dates into the post-acquisition due diligence and evaluation process.
  2. J&J and DSS added some specific post-acquisition requirements.
  3. The time deadlines require you to hit the ground running post-closing.

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

The compliance component of your mergers and acquisition regime should begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

Next is a five-step process on how to plan and execute a strategy to perform pre-acquisition due diligence in the M&A context.

  1. Establish a point of contact. Here you need to determine one point of contact that you can liaise with throughout the process. Typically, this would be the target’s Chief Compliance Officer (CCO) if the company is large enough to have full time position.
  2. Collect relevant documents. Obtain a detailed list of sales going back 3-5 years, broken out by country and, if possible, obtain a further breakdown by product and/or services; all Joint Venture (JV) contracts, due diligence on JVs and other third party business partners; the travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries; internal audit reports and other relevant documents. You do not need to investigate de minimis sales amounts but focus your compliance due diligence inquiry on high sales volumes in high-risk countries. If the acquisition target company uses a sales model of third parties, obtain a complete list. It should be broken out by country and amount of commission paid. Review all underlying due diligence on these foreign business representatives, their contracts and how they were managed after the contract was executed; your focus should be on large commissions in high risk countries.
  3. Review the compliance and ethics mission and goals. Here you need to review the Code of Conduct or other foundational documents a target has to gain some insight into what they publicly espouse.
  4. Review the seven elements of an effective compliance program as listed below:
    1. Oversight and operational structure of the compliance program. Here you should assess the role of board, CCO and if there is one, the compliance committee. Regarding the CCO, you need to look at their reporting and access – is it independent within the overall structure of the company? Also, what are the resources dedicated to the compliance program including a review of personnel, the budget and overall resources? Review high-risk geographic areas where your company and the acquisition target company do business. If there is overlap, seek out your own sales and operational people and ask them what compliance issues are prevalent in those geographic areas. If there are compliance issues that your company faces, then the target probably faces them as well.
    2. Policies/Procedures, Code of Conduct. In this analysis you should identify industry practices and legal standards that may exist for the target company. You need to review how the compliance policies and procedures were developed and determine the review cycles, if any. Lastly, you need to know how everything is distributed and what the enforcement mechanisms for compliance policies are. Additionally you need to validate, with Human Resources (HR), if there have been terminations or disciplines relating to compliance.
    3. Education, training and communication. Here you need to review the compliance training process, as it exists in the company, both the formal and the informal. You should ask questions, such as “What are the plans and schedules for compliance training?” Next determine if the training material itself is fit for its intended purpose, including both internal and external training for third parties. You should also evaluate the training delivery channels, for example is the compliance training delivered live, online, or through video? Finally, assess whether the company has updated their training based on changing of laws. You will need to interview the acquisition target company personnel responsible for its compliance program to garner a full understanding of how they view their program. Some of the discussions that you may wish to engage in include visiting with the target company’s General Counsel (GC), its Vice President (VP) of sales and head of internal audit regarding all corruption risks. You should also delve into the target’s compliance efforts, and any other corruption-related issues that may have surfaced.
    4. Monitoring and auditing. Under this section you need to review both the internal audit plan and methodology used regarding any compliance audits. A couple of key points are (1) is it consistent over a period of time and (2) what is the audit frequency? You should also try and judge whether the audit is truly independent or if there was manipulation by the business unit(s). You will need to review the travel and entertainment records of the acquisition target company’s top sales personnel in high-risk countries. You should retain a forensic auditing firm to assist you with this effort. Use the resources of your own company personnel to find out what is reasonable for travel and entertainment in the same high-risk countries which your company does business.
    5. Reporting. What is the company’s system for reporting violations or allegations of violations? Is the reporting system anonymous? From there you need to  turn to who does the investigations to determine how are they conducted? A key here, as well as something to keep in mind throughout the process, is the adequacy of record keeping by the target.
    6. Response to detected violations. This review is to determine management’s response to detected violations. What is the remediation that has occurred and what corrective action has been taken to prevent future, similar violations? Has there been any internal enforcement and discipline of compliance policies if there were violations? Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto? Further, you may be required to self-disclose any FCPA violations that you discover. There may be other reporting issues in the M&A context such as any statutory obligations to disclose violations of any anti-bribery or anti-corruption laws in the jurisdiction(s) in question; what effect will disclosure have on the target’s value or the purchase price that your company is willing to offer?
    7. Enforcement Practices/Disciplinary Actions. Under this analysis, you need to see if there was any discipline delivered up to and including termination. If remedial measures were put in place, how were they distributed throughout the company and were they understood by employees?

5. Periodically evaluate the M&A review procedures’ effectiveness benchmarked against any legal proceedings, anti-corruption enforcement actions, Opinion Releases or other relevant information.

Mike Volkov has noted there are multiple red flags which could be raised in this process, which would warrant further investigation. They include if the target has ineffective compliance program elements in their compliance program or if there were frequent breach of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors level, this could present issues. From the CCO perspective, if the position did not have Board access, CEO access or if there were not regular reports to the Board, it could present an issue for compliance. Conversely if there were frequent requests to waive policies, management over-ride of compliance controls or no consistent consequence management for violations; it could present clear red flags for further investigation.

Three Key Takeaways

  1. The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared.

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Connie Hawkins died over the weekend. For anyone who watched professional basketball in the late 1960s or early 1970s, you will certainly remember Hawkins (aka the ‘Hawk’). He was the precursor to Dr. J, Michael Jordan and LeBron James. No one had seen his combination of size, speed, arm-length and quickness in the pro game. Larry Brown has called him the greatest player he has ever seen play basketball. He truly was a first in pro basketball. Unfortunately for Hawkins, he was unfairly deprived of displaying his skills in the National Basketball League until he was 27 as he was wrongly banned from playing the league due the mere fact of being interviewed in a point-shaving scandal.

According to his obituary in the New York Times (NYT), near the time Hawkins was scheduled to enroll as a freshman at the University of Iowa, “College basketball at the time was engulfed in its second point-shaving scandal after players had received money from gamblers to affect the final score of games. Hawkins was questioned by the New York City authorities about possible connections with one of the fixers, but he was never accused of wrongdoing. Nonetheless, he was banned from collegiate play and the N.B.A.”

Hawkins began his career with the Harlem Globetrotters and later starred in the original American Basketball Association (ABA). Hawkins later “sued the N.B.A. on antitrust grounds, arguing that the league had in effect illegally banned Hawkins and deprived him of the “opportunity to earn a livelihood.” They won. The league paid Hawkins a settlement of nearly $1.3 million and dropped the ban. Hawkins joined the N.B.A. in 1969 and became an instant star with the [Phoenix] Suns.”

Hawkins story informs today consideration of investigations and discipline under the Foreign Corrupt Practices Act (FCPA) for as was made clear in his biography, Hawkins story showed “how an underprivileged black man was victimized by a fat-cat, unfeeling Establishment.” In the Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs (Evaluation), Prong 8 Incentive and Disciplinary Measures it states: Incentive System Consistent Application – Have the disciplinary actions and incentives been fairly and consistently applied across the organization? 

In the DOJ’s 13 point minimum best practices compliance program, Item 10 states:

  1. Discipline. A Company should have appropriate disciplinary procedures to address, among other things, violations of the anti-corruption laws and the Company’s anti-corruption compliance code, policies, and procedures by the Company’s directors, officers, and employees. A Company should implement procedures to ensure that where misconduct is discovered, reasonable steps are taken to remedy the harm resulting from such misconduct, and to ensure that appropriate steps are taken to prevent further similar misconduct, including assessing the internal controls, ethics, and compliance program and making modifications necessary to ensure the program is effective.

The DOJ best practices are more active than the ‘stick’ of employee discipline to make a compliance program effective and I believe that it also requires a ‘carrot’. This requirement is codified in the US Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.” Finally as the 2012 FCPA Guidance stated, “No matter what the disciplinary scheme or potential incentives a company decides to adopt, DOJ and SEC will consider whether they are fairly and consistently applied across the organization.”

One of the areas which Human Resources (HR) can operationalize your compliance program is to ensure that discipline is handed out fairly across an organization and to those employees who integrate such ethical and compliant behavior into their individual work practices going forward.

Procedural fairness is one of the things that will bring credibility to your compliance program. Today it is called the Fair Process Doctrine and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in processes involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in two areas of your compliance program is critical for you, as a compliance specialist or for your Compliance Department, to have credibility with the rest of the workforce. Finally, it is yet another way to more fully operationalize your compliance program.

Internal Investigations

The first area is that of internal company investigations. If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

This fairness has several components. One would be the use of outside counsel, rather than in-house counsel to handle the investigation. Moreover, if company uses a regular firm, it may be that other outside counsel should be brought in, particularly if regular outside counsel has created or implemented key components which are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization which in-house or regular outside counsel does not possess.

Administration of Discipline and Employee Promotions

However, as important as the Fair Process Doctrine is with internal investigations, I have come to believe it is more important in another area. That area is in the administration of discipline after any compliance related incident. Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. Simply put if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or worse yet a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

In addition to the area of discipline which may be administered after the completion of any compliance investigation, you must also place compliance firmly as a part of ongoing employee evaluations and promotions. If your company is seen to advance and only reward employees who achieve their numbers by whatever means necessary, other employees will certainly take note and it will be understood what management evaluates, and rewards, employees upon. I have often heard the (anecdotal) tale about some Far East Region Manager which goes along the following lines “If I violated the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle.

If you ever were able to see Connie Hawkins play basketball, you could not walk away without being in wonder of his grace, power and seeming suspension of gravity with some of his dunks. The National Basketball Association (NBA) still carries a very black eye over its treatment of Hawkins, whose greatness was confirmed by his enshrinement in the Basketball Hall of Fame in 1992. His story reminds us all that in addition to the importance of getting investigations right, companies must uniformly apply discipline throughout its organization.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

One of the clearest themes from the 2012 FCPA Guidance was around the importance of your pre-acquisition work in any merger or acquisition on a target company. In the section on Declinations, the 2012 FCPA Guidance provided an example of a company which had received a declination in large part because of its pre-acquisition work, which then served as a basis of its post-acquisition remediation. I find it appropriate to think of the process as a straight line, directly from the pre-acquisition phase through to closing and then to remediation, integration and self-reporting in the post-acquisition phase.

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a mechanism through which to view the feasibility of the business strategy and help to value the potential target.

The first step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

One of the difficulties in the pre-acquisition phase is that there is never enough time or resources to do all the assessment and analysis that you might desire. This means that if you do not have the time, resources or support to conduct a worldwide risk assessment, you must take a different approach. You might try assessing other areas through a more limited focused risk assessment.

Some of the areas that such a pre-acquisition risk assessment could begin with an inquiry into the following areas:

  • What is being sold, to whom and where?
  • Are the target’s resources adequate to sustain a culture of compliance?
  • How are the compliance risks being addressed in the C-Suite and the Boardroom?
  • What are the compliance risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the compliance program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured?
  • Disciplinary guidelines – Do they exist, have they been publicized at the target and has anyone been terminated or disciplined for a violating policy?
  • Are escalation protocols appropriate?

There are a variety of materials that you can review from or at a company that can facilitate such a Pre-acquisition Risk Assessment. You can review the target’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

You could assess the target’s senior management support for the target’s compliance efforts through interviews of high-level personnel such as the CCO, CFO, General Counsel, Head of Sales, CEO and Board Audit or Compliance Committee members to assess “tone from the top”. You can examine resources dedicated to compliance and also seek to understand the compliance expectations that top management is communicating to its employee base. Finally, you can gauge operational responsibilities for compliance.

Such a review would lead to the next level of assessment, which is how well does that target communicate about compliance within its organization and to key third-parties such as sales agents. You can do this by assessing compliance policy communication to company personnel but even more so by reviewing such materials as compliance training and certifications of employees and third-parties. You should also take consider statements by senior management of the target regarding compliance, such as actions relating to terminating employees who do business in compliance but do not make their quarterly, semi-annual or annual numbers set in budget projections.

A key element of any best practices compliance program is internal and anonymous reporting. This means that you need to review mechanisms on reporting suspected compliance violations and then actions taken on any internal reports, including follow-ups to the reporting employees of the target. You should also assess whether those employees who are seeking guidance on compliance for their day-to-day business dealings are receiving not only adequate but timely responses.

As there is no dispute that third parties represent the highest risk to most companies under the FCPA, as assessment of the target’s third party due diligence program is certainly something that should be a part of any pre-acquisition risk assessment. But more than simply a review of procedures for due diligence on third party intermediaries; there should be an assessment if there has been management of the third-party after the contract is signed.

Another area for review in any pre-acquisition risk assessment is to consider the target’s employee commitment to its compliance regime. But just as you look at the carrots to achieve compliance, you should also look at the stick, in the form of disciplinary procedures for violations. This means you should see if there have been any disciplinary actions for employee compliance violations and then determine if such discipline has been applied uniformly.

The pre-acquisition risk assessment can be a critical element in any M&A work for compliance. Use this opportunity to see where the target might stand on compliance. Your risk assessment can evolve as you obtain greater information. Finally use this pre-acquisition risk assessment as a base document to plan, resource and budget for your post-acquisition remediation, integration and reporting. 

Three Key Takeaways

  1. One never has enough time to engage in all the pre-acquisition review you might want to do, so optimize your time and resources.
  2. Consider what you can review to put together a preliminary risk assessment on the target.
  3. As with most compliance initiatives, you are only limited by your imagination so if you are limited in time and scope try something new and different.

 

 This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

As a general legal matter, when a company acquires another company, the successor company cannot be liable for the acquired company’s activities prior to acquisition. In FCPA jurisprudence, there is no case law precedent directly on point. However, the DOJ and SEC have commented extensively on successor liability. Opinion Release 03-01, from the DOJ first suggested that an acquiring company could be liable for pre-acquisition FCPA violations. In that case, an acquiring company determined a target had engaged in conduct which potentially violated the FCPA. The DOJ opined that if the acquirer halted the illegal conduct, extensively remediated, disciplined the offending officers and employees of the target and continued to provide information and cooperate with the government, the DOJ would not prosecute under the FCPA.

In addition to 03-01, there are a few FCPA enforcement actions which suggest that if a company makes good faith efforts to conduct due diligence, integrate compliance programs and take extensive remedial actions by and if all that is done on a quick basis, the DOJ will give the acquiring entity strong credit. One of the best examples of this approach was the 2009 purchase by Pfizer of Wyeth. Pfizer could do limited due diligence before the acquisition but because both were massive organizations it was not possible to do complete due diligence prior to acquisition. After the acquisition, but within 180 days, Pfizer had identified much of the wrongdoing at Wyeth and halted it. Pfizer was not held criminally liable for any of the conduct at Wyeth.

Most of what Pfizer was held responsible for in its DPA was because of a previous acquisition of Pharmacia, which they acquired in 2002 and 2003. At the time of the Pharmacia acquisition, purchasers did not typically conduct pre-acquisition due diligence on acquisition targets. And during the investigation most of the violations of FCPA for which Pfizer was held criminally liable; began prior to the acquisition of Pharmacia. Pfizer was held responsible for the misconduct at Pharmacia both before and afterwards. The Pfizer case is interesting because it shows both the sides of the equation.

In 2008, DOJ Opinion Release No. 08-02 provided additional information for a safe harbor for successor liability based upon a very specific fact scenario. The Opinion Release is known as the “the Halliburton Opinion Release.” In the Halliburton Opinion Release, the DOJ indicated that it would not take enforcement action based on specific circumstances that allowed for limited pre-acquisitions due diligence and aggressive post-acquisition schedule for a risk audit and disclosures to the government. Thereafter in the Johnson and Johnson and DSS DPAs, the DOJ further refined the requirements and time frames to obtain this safe harbor.

The 2012 FCPA Guidance advanced the information for the compliance professional. It provided the clearest argument for a safe harbor to companies if companies invest reasonable effort in due diligence and post-acquisition compliance; they may well be able to avoid major liability. The DOJ and SEC noted, “in a significant number of instances, DOJ and SEC have declined to take action against companies that voluntarily disclosed and remediated conduct and cooperated with DOJ and SEC in the merger and acquisitions context.” Furthermore, DOJ and SEC provided that “a successor company’s voluntary disclosure, appropriate due diligence, and implementation of an effective compliance program may also decrease the likelihood of an enforcement action regarding an acquired company’s post-acquisition conduct when pre-acquisition due diligence is not possible.”

The 2012 FCPA Guidance provided literally a roadmap for a Buyer to limit compliance risk in the mergers and acquisition context. It emphasized the importance of pre-acquisition due diligence and post-acquisition integration of compliance programs and internal controls. This type of integrated approach would reduce risk of future bribes and allow the purchaser and target to address potential violation(s) through negotiation of costs and responsibilities for investigation/remediation. Finally, and as with all effective compliance, it will assist the purchaser to accurately value the target company.

In 2014, the DOJ issued Opinion Procedure Release 14-02 which provided further guidance on successor liability. This release reiterated the DOJ’s willingness to recognize a safe harbor where the acquiring company makes sufficient efforts to conduct due diligence and post-acquisition integration and concluded that acquisition of a company does not create FCPA liability where it did not exist before, such as for jurisdictional reasons. In the Release, the requesting company had acquired a company with significant anti-corruption compliance program deficiencies, including: lack of documentary records to support gifts to government officials or charitable donation, incomplete and inaccurate records for expenses, and lack of written compliance policies and procedures. 

Three Key Takeaways

  1. Opinion Release 03-01 was the first to provide a safe harbor concept in the M&A context.
  2. The Halliburton Opinion Release expanded the safe harbor concept to the situation where a company could not engage in substantive pre-acquisition due diligence.
  3. The 2012 FCPA Guidance brought together the various strands of a safe harbor position.

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.