The United States Department of Justice (“DOJ”) recently made clear that acquiring entities involved in mergers and acquisitions must conduct thorough due diligence of acquired companies and, if relevant, undergo a voluntary self-disclosure of pertinent findings to avoid successor criminal liability for misconduct under the law. During a speech given on October 4, 2023, Deputy Attorney General, Lisa O. Monaco shared the Mergers & Acquisitions Safe Harbor Policy (the “Policy”) that will allow companies to receive the presumption of a declination from criminal prosecution upon timely disclosure, remediation, restitution, and disgorgement. The DOJ noted that this new, department-wide Policy is being implemented to incentivize acquiring companies with effective compliance programs to timely disclose misconduct of a newly acquired company with an ineffective compliance program.

Under the Policy, acquiring companies that promptly disclose criminal misconduct within the Safe Harbor time period, and otherwise comply with the DOJ and remediate the misconduct, will receive the presumption of a declination of criminal charges. Acquiring companies looking to qualify for the presumptive declination under the Policy should be aware of the following considerations and requirements:

1. The Policy only applies to criminal conduct. The Policy does not protect companies or impact civil merger enforcement or misconduct that was otherwise required to be disclosed or already public or known to the DOJ.
2. The Policy applies to criminal conduct discovered by acquiring companies in a bona fide, arms-length M&A transaction.
3. Acquiring companies must “promptly” self-disclose the criminal misconduct within the Safe Harbor period, which is defined as within six (6) months of the closing date as a baseline. This timeline applies whether the misconduct was discovered before or after acquisition.
4. Acquiring companies must cooperate with ensuing investigations.
5. Acquiring companies must engage in requisite, timely and appropriate remediation, restitution, and disgorgement. Acquiring companies are given a baseline timeframe of one (1) year from closing to complete remediation efforts.

The Deputy Attorney General noted that the above-mentioned baseline timeframes are subject to a reasonableness analysis and acknowledged that transactions can greatly differ. Therefore, it is possible, depending on the circumstances at hand, that the timelines could be extended.

With respect to aggravating factors, those acquiring companies that self-disclose the presence of aggravating factors at the acquired company will still receive the presumption of declination. However, if aggravating factors exist, the acquired company itself will likely not qualify for voluntary self-disclosure benefits. If no aggravating factors exist, the acquired company may qualify for voluntary self-disclosure benefits, including potentially declination. Finally, misconduct disclosed pursuant to the Policy will not factor into the DOJ’s recidivism analysis for the acquiring company.

The DOJ wants the takeaway of its new Policy to be clear: Companies that invest in a strong compliance program will not be penalized for lawfully acquiring companies when they perform their due diligence and discover and self-disclose misconduct. DOJ explained that “Compliance must have a prominent seat at the deal table if the acquiring company wishes to effectively de-risk a transaction.”

Takeaways

• Focus on ensuring thorough and timely due diligence in all M&A transactions.
• Insist on robust warranties and indemnification clauses in the purchase agreement to address restitution or other liability.
• Be cognizant of the short timeframes for reporting misconduct and remediating the same.
• Upon acquisition, promptly and thoroughly evaluate the acquiring companies’ compliance program and practices for gaps, issues, and misconduct for potential disclosure.
• If not already in place, promptly implement formal compliance programs upon closing the acquisition that are structured to identify misconduct and disclose the same.
• Promptly train management and employees of the acquired entity to be aware of compliance-related issues.
• Be mindful that this Policy only provides relief from criminal liability; it will still require disgorgement, restitution, and potential civil liability.
• Since the Policy was announced during a speech, there are still a number of unanswered questions, including how such self-disclosure will work with other self-disclosure frameworks, such as the Centers for Medicare & Medicaid Services’ Office of Inspector General self-disclosures.