In early October 2023, Deputy Attorney General (DAG) Lisa Monaco announced a “new” (but not new) Department of Justice (DoJ) policy intended to incentivize acquiring companies to voluntarily self-disclose criminal misconduct uncovered during a merger or acquisition. But it comes with a caveat that could have more of a chilling effect on self-disclosures than anything else.

Under the M&A Safe Harbor Policy, an acquiring company will receive a presumption of a declination where it “promptly and voluntarily” discloses criminal misconduct uncovered within six months from the date of closing on a deal; cooperates with the DoJ’s ensuing investigation; and engages in “requisite, timely, and appropriate remediation, restitution, and disgorgement,” DAG Monaco said in remarks announcing the policy.

“The presence of aggravating factors at the acquired company will not impact in any way the acquiring company’s ability to receive a declination,” DAG Monaco added, and any misconduct disclosed “will not be factored into future recidivist analysis for the acquiring company.” Acquired entities, too, may qualify for applicable benefits, “including potentially a declination,” absent aggravating factors, DAG Monaco said.

The safe harbor applies only to criminal conduct discovered in “bona fide, arms-length M&A transactions,” not to misconduct that otherwise is “required to be disclosed or already public or known to the Department. Nor will anything in this policy impact civil merger enforcement,” DAG Monaco explained further.

Regarding the “bona fide, arms-length” M&A transaction language, the intent there could have just been to ensure that the DoJ “preserve its own prosecutorial discretion to say, ‘This isn’t the type of case or transaction we had in mind in terms of providing credit if you come forward and disclose,’” said Brian Benczkowski, former assistant AG for the Criminal Division and now a partner at Kirkland & Ellis.

Newly Restrictive Timeline

The safe harbor isn’t so much a new policy as it is old wine in a new bottle. The DoJ formally established the presumption of a declination for acquiring companies in M&A deals in March 2019 within the revised Foreign Corrupt Practices Act Corporate Enforcement Policy. That policy was superseded in January 2023 by the Criminal Division’s revised Corporate and Voluntary Self-Disclosure Enforcement Policy, which incorporated new language stating that acquiring companies that voluntarily self-disclose misconduct may be eligible for a declination, “even if aggravating circumstances existed as to the acquired entity.”

While the safe harbor is not new, the restrictive 180-day deadline for reporting misconduct is, which for many reasons could have a chilling effect on acquiring companies self-reporting misconduct. “[T]he fact of the matter is most companies in the M&A context would rather just be analyzed and evaluated under the existing voluntary self-disclosure policy without regard to the M&A provisions because you don’t have that six-month timeline,” Benczkowski said.

He added that it often takes “much longer” than six months to find potential misconduct, investigate it at the level it needs to be investigated, and gain enough comfort to make an informed decision about whether to voluntarily self-disclose those findings to the DoJ. “Candidly, that’s a tall order,” he said.

Pre-deal Due Diligence

The go or no-go decision of an M&A deal requires a careful due diligence analysis, the speed and efficiency of which are dictated by many factors, including the complexity of the deal – for example, a competitive bidding process involving multiple bidders seeking to acquire the same company versus a private deal that involves a single buyer.

“The most important thing is the risk assessment,” said David Simon, a partner at Foley & Lardner. This requires triaging due diligence to focus on the highest-risk areas first.

From a deal lawyer’s perspective, the pre-acquisition and pre-close process encompasses not only legal and regulatory due diligence, but also financial due diligence, technology due diligence, supply chain due diligence, and more, Benczkowski stressed.

Practically speaking, to identify high-risk areas on the front end and focus on them at the outset, Simon recommended the following key measures: interviewing the heads of legal, compliance, and finance, and at times the company’s business leaders in high-risk regions of the world; seeking out key documents and information; and getting an overall sense of whether the company has an effective and well-resourced compliance program. While less common, it may even be necessary to bring in a forensic accounting firm to do forensic transaction testing to uncover potential misconduct, he said.

“Suffice to say, pre-merger due diligence generally is not geared to the kind of searching examination of the wide swathe of federal crimes that could be implicated by the target’s former business activities,” said David Rybicki, a partner at K&L Gates and co-leader of the firm’s White-Collar Defense and Investigations practice group. “The question will in many cases focus on how flexible DoJ is willing to be about the six-month window on either side of the deal.”

With or without a safe harbor, acquiring companies might decide it best to not to go through with a deal if misconduct is uncovered. “If the acquiring company flags a major, systemic FCPA problem, a lot of times the answer is, ‘No thanks. We’re not doing this deal,’” Simon said. Other times, the acquiring company might say, “‘You need to clean this up with the Securities and Exchange Commission or DoJ before we close.’”

Post-deal Due Diligence

The new policy effectively establishes a higher bar for legal and compliance teams to meet. “In many cases, companies will need to dive much deeper in the pre-acquisition period—something which many companies will be unwilling to do—or work expeditiously in the post-deal context to integrate and examine the target’s compliance function and operations to detect potential issues,” Rybicki said.

In the post-deal context, it will be crucial for legal and compliance teams to undertake “immediate and aggressive” implementation measures, Simon said. Especially with high-risk deals, the process of quickly integrating IT systems, policies and procedures, and internal controls can function like a risk-based audit, providing a good line of sight into where compliance problems could be, he said.

Getting the heads of legal and compliance on-site to meet with the employees and management team of the newly acquired target and engaging in compliance questionnaires are other recommended steps.

Remediation Timeline

In cases where an acquiring company does uncover and self-disclose misconduct, the safe harbor affords acquiring companies one year to take remedial action. What the DoJ wants to see is that the company has done everything possible to make sure that whatever misconduct was disclosed won’t occur again in the future, Benczkowski said.

Depending upon the facts and circumstances of each case, remediation can take several forms. Common remediation measures include revising the company’s internal policies and procedures and/or code of business conduct; educating and training employees on those new policies and procedures; and sanctioning or terminating those responsible for the misconduct. “DoJ now also wants to see that companies have denied wrongdoers bonuses or clawed back their compensation,” Benczkowski said.

Rybicki said the “nightmare scenario” is when a company decides to disclose, but for whatever reason the DoJ decides that it doesn’t qualify for the safe harbor, such as if the remediation wasn’t sufficient or timely. Even if the company does qualify for the safe harbor, another weighted factor to consider is the potential personal liability of company officers, he said.

“The bottom line is, even if a company tries to do everything right and voluntarily disclose, it might miss the deadline or otherwise fall short of DoJ’s demands with respect to disclosure or remediation,” concluded Rybicki. “Practically speaking, I don’t think it will meaningfully change the calculus companies already apply when considering self-disclosure, because so many open questions remain, and no track record has developed yet showing how the Department will actually treat these cases.”