The DOJ Mergers & Acquisitions Safe Harbor Policy (“Safe Harbor” or “Policy”) offers a presumptive criminal declination to acquirers that self-disclose criminal conduct, remediate, make restitution and disgorge illegally gained profits.[1] The Safe Harbor applies to both the buyer and seller and extends to misconduct discovered before or after the acquisition.[2]

But the carrot wields a powerful stick. The DOJ warns, “[I]f your company does not perform effective due diligence or self-disclose misconduct at an acquired entity, it will be subject to full successor liability for that misconduct under the law.”[3]

Justifying failure to detect and report misconduct presents a stiff challenge, particularly against a criminal investigation’s 20-20 hindsight. And it is not only acquiring companies at risk. Law firms, underwriters and other advisers may face potential civil liability and reputation risk for failing to detect misconduct.

This article suggests practical steps companies and external counsel can take pre- and post-closing to maximize the Safe Harbor benefits and minimize enforcement risks. And the business benefits—better deal terms, rep. and warranty claims, accelerated post-deal incremental integration—eclipse the comparatively modest incremental costs.

1. Obtain Rep. & Warranty

It is common for sellers to guarantee the quality of financial statements by giving buyers a representation and warranty (“rep. & warranty”) as to the effectiveness of internal controls over financial reporting. The rep. & warranty might provide, for example:

The Company and its Subsidiaries have established and maintained systems of internal accounting controls sufficient to provide reasonable assurances that transactions are recorded as necessary to permit the preparation of the financial statements under GAAP and to ensure that its transactions accord with general or specific management authorization.

Buyers should ask for a similar rep. & warranty to internal controls over compliance, e.g.:

The Company and its Subsidiaries implemented an ethics and compliance program and system of internal controls over compliance reasonably designed to prevent and detect significant criminal conduct.

It is also common for sellers to provide a rep. & warranty of their knowledge, e.g.:

The Company and its Subsidiaries have received no notification of any (i) significant deficiency in the internal controls over financial reporting or (ii) fraud, whether material, that involves management or other employees with a significant role in the internal controls over financial reporting.

Sellers can expand upon this type of rep. & warranty, e.g.:

The Company and its Subsidiaries have received no notification of any material violation of law.

Acquiring companies might be indemnified for losses if they discover significant misconduct after closing. Counsel can rely on the reps. & warranties to defend due diligence effectiveness.

However, before relying on reps. & warranties, buyers should make sure the seller’s compliance program and internal controls have been tested for design and operating effectiveness, as the rep. & warranty must have substance behind it. Outside of the M&A context, DOJ and SEC corporate settlements commonly require companies to certify compliance program effectiveness, which includes providing a basis for the certification.[4] For example, the SEC requires companies to provide written evidence supported by exhibits when they certify compliance program effectiveness.[5] Attachments C and D to DOJ corporate settlement agreements require an evidentiary basis for certifying compliance program effectiveness.[6] Buyers and their advisors similarly should ask about the basis for the seller’s compliance program and internal controls rep. & warranty.

2. Leverage Business Intelligence and Enhanced Due Diligence

Mergers and acquisitions are critical moments in the life of a business, representing opportunities for growth, expansion, and increased market share. However, beneath the surface of these transactions lies the specter of past misconduct, reputational pitfalls, and potential liabilities. DOJ’s Safe Harbor provides significantly more incentive to conduct fulsome due diligence. Enhanced due diligence is critical in protecting the interests and reputation of acquiring companies. Uncovering past misconduct, gathering corporate intelligence, and evaluating the track record of the target entity and its leadership team are essential parts of this process.

Enhanced due diligence goes beyond the numbers and documents and simple “red flag checks;” it extends to the people at the center of an organization’s decision-making and corporate culture, its Senior Leadership Team (SLT).

The SLT warrants a thorough examination during the due diligence process utilizing open source and, in some cases, source-based research, including an in-depth evaluation of the SLT’s qualifications, background, track record and reputation. Past actions can serve as red flags or green lights for the transaction. By developing insights into the SLT, its reputation, business practices, track record and potential risks, buyers and their advisors can negotiate better terms and establish strategies to mitigate or rectify any issues discovered during the due diligence process.

3. Conduct a GAP Analysis

Buyers must scrutinize the seller’s ethics and compliance program independently. Buyers should assess the seller’s program against a commonly accepted compliance program framework. DOJ’s recently updated Evaluation of Corporate Compliance Program (“ECCP”) is the most logical choice given the focus on DOJ’s Safe Harbor. DOJ styled the framework as questions for DOJ prosecutors to consider in evaluating the compliance program effectiveness at the time of the misconduct and settlement.

Buyers should ask sellers for answers to the ECCP questions. Areas warranting particular attention include risk assessment, policies and procedures, third-party management, mergers & acquisitions, and investigation and remediation.

a. Risk Assessment. The ECCP describes risk assessment as the “starting point” for evaluating a company’s compliance program. It is also the starting point for a buyer’s assessment to understand the potential criminal risks at the acquired company.

Buyers must conduct a compliance risk assessment if the seller’s assessment is deficient. This task should be neither expensive nor time-consuming if the acquiring company’s team includes risk, controls, and industry experts.

b. Policies and Procedures. The ECCP directs prosecutors to consider the organization’s risk response, i.e., the policies, processes and controls companies rely on to prevent and detect reasonably likely and high-impact ethics and compliance risk events. The risk response should link to specific risks and include a combination of preventive, detective, manual, and automated control activities. For example, if the company operates in countries with high corruption risk, the buyer should ask about the seller’s anti-bribery and corruption (“ABC”) program and controls.

The DOJ ECCP expects compliance programs to include periodic testing, continuous improvement, and review. Effective compliance diligence should assess the design[7] and operating effectiveness[8] of the risk response. Buyers should also consider the seller’s control testing process, including the quality and frequency of testing and the objectivity of the testing team. If the seller’s compliance control testing is deficient, the acquiring company should plan to conduct control testing as soon as possible after closing.

c. Third Party Management. The ECCP includes third-party management because corporate misconduct almost always involves third parties. DOJ expects companies to “apply risk-based due diligence to its third-party relationships,” understand the “business rationale,” and assess the “risks posed by third-party partners.”[9] Buyers should evaluate potential third-party roles in the seller’s portfolio of criminal risks and whether the buyer has an adequate third-party risk management program to mitigate the risks.

d. Mergers & Acquisitions. The ECCP specifically calls out pre-deal due diligence and post-deal integration as criteria for an effective compliance program.[10] DOJ will consider the quality of the acquiring company’s diligence and integration efforts if the government investigates the buyer for acquired company misconduct. As for the GAP analysis, the buyer should consider the seller’s acquisitions and the quality of the seller’s M&A compliance diligence and post-deal integration program, particularly if the acquired company grew by acquisitions.

e. Misconduct Allegations, Investigation and Remediation. The quality of the seller’s processes for reporting, triaging, investigating, and remediating misconduct is essential to meeting ECCP and buyer compliance diligence expectations. Buyers must be comfortable that the seller has no hidden misconduct time bombs. Most companies have integrity hotlines to allow employees and sometimes third parties to report misconduct suspicions. Buyers, however, should not overlook other channels through which companies learn about potential misconduct (e.g., media inquiries, customer complaints, performance reviews, exit interviews) and the company’s processes for triaging misconduct allegations.[11]

Buyers must also be comfortable that the seller adequately investigated and remediated reported misconduct allegations. Preferably before and, if not, right after the deal closes, buyers should examine the seller’s portfolio of misconduct allegations. Drawing on the ECCP guidance, buyers should assess and test how the seller scopes, assigns resources, conducts, and documents the investigation of suspected or alleged misconduct. Similarly, the buyer should evaluate the seller’s remediation processes (e.g., root cause analysis, read-across, control enhancements) to gain comfort that the seller addressed the issue.

4. Perform Forensic Audits & Investigations (If Necessary)

Internal misconduct investigations focus on proving (or disproving) an allegation or suspicion. Forensic audits lack an allegation or suspicion. Forensic audit procedures search for indications of misconduct (e.g., artificial intelligence, data analytics, transaction testing). Companies generally prefer a forward-looking approach and devote resources to curing deficiencies.

The DOJ Safe Harbor changed the calculus. Forensic audits might be appropriate depending on the likelihood and significance of the risk and deficiencies in the risk response.

Forensic audits begin with identifying scenarios giving rise to the risk. For example, if bribery risk is significant and the ABC controls are materially deficient, forensic auditors would start by pinpointing motives and ways the acquired company might pay bribes (e.g., excessive discounts to distributors, charitable donations). Next, working with data analytics and industry experts, forensic auditors collect data and business records and perform audit procedures to search for risk indicators.

Because it requires self-reporting within six months after closing, the Safe Harbor incentivizes buyers to determine pre-closing if there are open allegations or suspected misconduct to investigate post-closing. Like the decision to self-report, this decision is a judgment companies make in consultation with counsel.[12]

5. Prepare for the Worst

Optimism bias—the belief that it won’t happen to me—lures acquiring companies into being unprepared when due diligence and post-closing integration effectiveness come under government scrutiny. Detailed, contemporaneous compliance diligence documentation is essential. Obtaining proof after the breach is difficult and less persuasive than contemporaneous documentation.

Companies can also prepare by keeping a contemporaneous “good deeds” scrapbook of their ethics and accomplishments (e.g., turning down acquisitions because of ethical concerns). These examples will go a long way if the company must defend compliance program effectiveness.

This article originally appeared in Law360, October 2023. All rights reserved.


[1] DOJ. Deputy Attorney General Lisa O. Monaco Announces New Safe Harbor Policy for Voluntary Self-Disclosures Made in Connection with Mergers and Acquisitions (October 2023) (“DOJ Policy Announcement”) www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-announces-new-safe-harbor-policy-voluntary-self.

[2] The principal difference is that the acquired company, not the acquiring company, is subject to the “aggravating factors” provisions of the DOJ and US Attorney Voluntary Self-Disclosure (“VSD”) policies.

[3] DOJ Policy Announcement, supra.

[4] See generally J. Frank, Great Expectations: Certification of Ethics and Compliance Program Effectiveness, Society of Corporate Ethics & Compliance Officers (2023) https://stoneturn.com/insight/certification-of-ethics-and-compliance-program-effectiveness; J. Frank, Meeting DOJ and SEC Post-Settlement Obligations: A Practical Guide, StoneTurn Whitepaper (2023) (“Post-Settlement Guide”) https://stoneturn.com/insight/meeting-doj-and-sec-post-settlement-obligations-a-practical-guide.

[5] See, e.g., In the Matter of KPMG, Release No. 4051 ¶¶ 73, 80 (2019) https://www.sec.gov/files/litigation/admin/2019/34-86118.pdf; see generally, J. Frank, SEC and DOJ-Imposed Monitors, SEC Compliance and Enforcement Answer Book (2023 Edition) Practising Law Institute (2023).

[6] See Post-Settlement Guide, supra.

[7] Design effectiveness refers to whether the company’s policies, processes, and controls—if they operate as prescribed by competent personnel—bring the risk within risk appetite.

[8] Operating effectiveness refers to how the risk response works in practice and whether the personnel performing the control possess the necessary authority and competency. Controls auditors evaluate design and test operating effectiveness by (1) reviewing policies, processes, and controls, (2) conducting control walkthroughs with business personnel, (3) evaluating vulnerability to collusion, override, and other circumvention methods, (4) observing controls and processes, (5) sample testing, (6) re-performance, and (7) competency assessment. They then assess identified weaknesses to determine if they equate to a deficiency, significant deficiency, or material weakness. See generally Public Company Accounting Oversight Board, “AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements,” Release No. 2007-005A, June 12, 2007, https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201.

[9] ECCP, supra, §I.E.

[10] ECCP, supra, §I.F.

[11] See Post-Settlement Guide, supra (compliance with DOJ settlement obligation to report misconduct allegations).

[12] See J. Frank, To Disclose or Not to Disclose: That is NOT the Only Question, Business Crimes Bulletin (2016) https://stoneturn.com/insight/disclose-not-disclose-not-question/.

About the Authors

Jonny Frank, StoneTurn

Jonny Frank brings over 40 years of public and private sector and law and business school teaching experience in forensic investigations, compliance, and risk management. He helps organizations and counsel […]

Jeremy Hirsch, StoneTurn

Jeremy Hirsch, a Managing Director at StoneTurn, has more than 15 years of experience assisting clients with business and strategic intelligence, litigation advisory, governance and investigations. Specifically, Jeremy focuses on […]