US Deputy Attorney General Lisa Monaco has announced a new Mergers & Acquisitions (M&A) Safe Harbor Policy, which may shield companies from criminal prosecution for misconduct they uncover at companies they are acquiring or have recently acquired.
Under the new policy, the US Department of Justice (DOJ) will presumptively decline to prosecute acquiring companies that voluntarily self-disclose misconduct they discover within six months from the date of closing, that cooperate with the DOJ and “fully remediate” the misconduct within one year from the date of closing.
“Our goal is simple: good companies, those that invest in strong compliance program, will not be penalized for lawfully acquiring companies when they do their due diligence and discover and self-disclose misconduct,” Monaco said in prepared remarks at the Society of Corporate Compliance and Ethics’ 22nd Annual Compliance & Ethics Institute.
The new policy will be applied across the entire DOJ – and particularly in areas implicating cybersecurity, tech, and national security. It adds timelines and more precise standards to a similar policy that had been applied in previous policy revisions. These were aimed at incentivizing voluntary self-disclosures of criminal misconduct by offering similar, potential declinations of prosecutions.
Corporate criminal matters
In January, Kenneth A Polite Jr, former assistant Attorney General for the Criminal Division, announced revisions and clarifications to the DOJ’s Corporate Enforcement Policy, expressly extending its application to all corporate criminal matters handled by the Criminal Division of the DOJ to incentivize companies to “do the right thing” in self-disclosing alleged misconduct and cooperating with DOJ investigations.
The revised and expanded Corporate Enforcement Policy offers a presumption of a declination to companies that voluntarily self-disclose misconduct to the DOJ, fully cooperate, timely and appropriately undertake remedial measures, and disgorge any profits from unlawful conduct.
The Corporate Enforcement Policy targets M&A activity specifically and extends that presumption to acquiring companies that report and remediate misconduct uncovered during due diligence at acquired companies, regardless of whether the misconduct occurred pre- or post-acquisition.
The policy did not provide timelines and other specifics, though, which is what Monaco added last week.
Corporate Enforcement Policy
The new M&A Safe Harbor Policy adds to the general Corporate Enforcement Policy by implementing a department-wide framework that focuses specifically on the M&A process to create greater consistency across the agency in its handling of criminal matters.
To be eligible for a declination under the M&A Safe Harbor Policy, an acquiring company must:
- self-report misconduct committed by the acquired company within six months from the date of closing, regardless of whether the illegal activity was identified before or after the acquisition; and
- fully remediate the misconduct within a year of the closing date.
Monaco said these timeframes are subject to a reasonableness analysis and may be extended, depending on the facts and circumstances of a particular transaction.
Executive management
The new policy touches on “aggravating factors” that often can weigh against the presumption of a declination and magnitude of cooperation credit extended in DOJ cases, such as the involvement of executive management in misconduct, significant profits from misconduct, and egregious or pervasive misconduct at the acquired company, saying those factors will not have any impact on the acquiring company’s ability to obtain a declination.
To be sure, though, such aggravating factors may prevent an acquired company from receiving a declination based on a self-disclosure from an acquiring company. And misconduct disclosed under the M&A Safe Harbor Policy will not be taken into consideration for any future analysis of recidivist activity for the acquiring company.
“We are placing an enhanced premium on timely compliance-related due diligence and integration. Compliance must have a prominent seat at the deal table if an acquiring company wishes to effectively de-risk a transaction,” Monaco said. “Through careful due diligence and timely post-acquisition integration –alongside self-disclosure, remediation, disgorgement, and cooperation where warranted – acquiring companies can protect shareholders, promote compliance, and advance the goal of fighting corporate crime.”
Monaco also made clear that the new policy applies only in the criminal context and does not affect civil merger enforcement.
Voluntary self-disclosure
The DOJ has placed a premium on voluntary self-disclosure in its ever-evolving Corporate Enforcement Policy right from the start, and that has been emphasized by its leadership over the past year.
That was evident in the M&A context in December when Safran S.A. received a declination of prosecution with disgorgement in a Foreign Corrupt Practices Act (FCPA) case after voluntarily disclosing information about improper pre-acquisition payments to consultants made by two companies it acquired, cooperated with the DOJ’s investigation, terminated a remaining employee involved in the misconduct, and promptly remediated the issues.
The new M&A Safe Harbor Policy truly shines a light on the importance of a fulsome due diligence process during acquisition and pays particular attention to compliance issues as a part of that process. Risks of antitrust and sanctions violations are a part of the potential criminal case analysis by the DOJ, and the acquiring company must have a deep understanding of the potential for any criminal exposure at the target business.
Incentives to disclose misconduct
Companies need to consider the incentives being offered to disclose misconduct and avoid prosecution through a careful consideration of all of the factors, including whether they are even eligible for the policy’s benefits. For example, the policy does not apply to conduct already otherwise required to be disclosed or already public or known to the DOJ.
Acquiring companies should be prepared to show the steps they took to avail themselves of the benefits offered by the policy, and try to meet the requirements in a timely way, with each corporate department fully understanding its responsibilities in doing so.
And businesses should consider that choosing not to self-report opens them up to the possibility that a whistleblower will disclose first at either business.
The self-reporting decision aside, the compliance exercise anticipated in meeting the requirements of the new policy are helpful to consider, as legacy compliance deficiencies at acquired businesses (such as compliance program weaknesses involving outdated risk management protocols, deficient internal controls, a lack of training, etc) have a way of reasserting themselves down the road if not identified proactively.