We conclude our exploration of the recently released Evaluation of Corporate Compliance Programs – Guidance Document(2019 Guidance), which was announced (ECI speech) by Assistant Attorney General Brian Benczkowski at the Ethics and Compliance Initiative (ECI) Impact 2019 Conference. It is an update to the 2017 Evaluation of Corporate Compliance Programs, released in February 2017. This new document is available for download at no charge. It should be mandatory reading for every Chief Compliance Officer (CCO), compliance practitioner and professional or any other person interested in the latest thinking of the Department of Justice (DOJ) on what constitutes a best practices compliance program. This series has reviewed the first substantive section of the 2019 Guidance, regarding what should go into a well-designed compliance program or as it states, “Is the corporation’s compliance program well designed?” This section on well-designed compliance programs included the basics of a risk assessment, the foundation of policies and procedures, effective training and confidential reporting and investigations. Today, I conclude this first section by taking a look at mergers & acquisitions (M&A) under the 2019 Guidance. Note: My exploration of the 2019 Guidance is not complete yet, so check back for more updates in the not too distant future.
On this point, the 2019 Guidance stated, “A well-designed compliance program should include comprehensive due diligence of any acquisition targets. Pre-M&A due diligence enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete due diligence can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability. The extent to which a company subjects its acquisition targets to appropriate scrutiny is indicative of whether its compliance program is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organization.”
Due Diligence Process – Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What is the M&A due diligence process generally?
The DOJ has consistently emphasized the pre-acquisition phase and the 2019 Guidance took a deeper dive into the need for the compliance component of your M&A regime to begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.
The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant, and they should be thoroughly evaluated in the decision-making calculus.
Integration in the M&A Process – How has the compliance function been integrated into the merger, acquisition, and integration process?
The 2012 FCPA Guidance emphasized the pre-acquisition phase and the 2019 Guidance takes an even deeper dive into the need for the compliance component of your M&A regime to begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.
The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant, and they should be thoroughly evaluated in the decision-making calculus.
Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities?
The bottom line is that you must train the newly acquired employees, reevaluate third parties under your company standards, and conduct compliance audits on new business units. This process should be based on your pre-acquisition due diligence and risk assessment. Moreover, the 2019 Guidance clearly views both the pre- and post-acquisition phases of M&A as tied together in a unidimensional continuum. If pre-acquisition due diligence is not possible, you should review the requirements and time frames laid out in Opinion Release 08-02 or the 2012 FCPA Guidance, which noted, “pursuant to which companies can nevertheless be rewarded if they choose to conduct thorough post-acquisition FCPA due diligence.” Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as is practicable.
The earlier you can deploy these steps the better off your company will be at the end of the day. A merger or other acquisition that fails for compliance reasons is a preventable disaster of the first order. One need only consider the Latin Node Inc. FCPA enforcement actions where the acquiring company had to write off its entire investment because it had wholly failed to engage in appropriate pre-acquisition due diligence. Equally important to the costs of a potential FCPA violation(s) are the benefits to following this prescription from the 2019 Guidance in light of the Safe Harbor for M&A announced in July 2018.
When you engage in pre-acquisition due diligence, coupled with post-acquisition auditing, remediation and reporting and compliance program integration and training; it is clear the DOJ is once again demonstrating real incentives to companies to come forward to gain the benefits of the FCPA Corporate Enforcement Policy (Policy). Now, there will be a presumption of a declination, not simply the language from the 2012 FCPA Guidance that the DOJ “may” grant a declination.
This clarification highlights two key components of the Policy and 2019 Guidance: incentives and clarity. Companies are now highly incentivized to bring forward evidence of FCPA wrong-doing as the clarity around the benefits is clearer. This is even more true in the M&A context. If a company purchased a business, not previously subject to the FCPA and that target had engaged in bribery and corruption; it is not they who are violating the FCPA going forward but you. This reason alone provides a powerful incentive for companies to root out any corruption in the post-acquisition phase. Now that incentive is memorialized even further.
I hope you are planning to attend the 14th Annual Compliance Week conference this year, held from May 20-22 in Washington, D.C. at the Mayflower Hotel. It is truly one of the top compliance and ethics conferences of the year. It features not only speakers from compliance, but auditors, lawyers, government regulators, and industry leaders. Monday will include keynote address from the always-popular Hui Chen, which sets the tone for speakers throughout the event. To review the full agenda, see who is speaking or to review the registration information click on the appropriate link.
If you only attend one compliance conference in 2019, this is the event for you!
[View source.]
