Last month, U.S. Deputy Attorney General Lisa O. Monaco announced a new Safe Harbor Policy for voluntary self-disclosure (the “Policy”) made in connection with merger and acquisition activity1. The Policy is intended to bring about consistency in ensuring that “going forward, acquiring companies that promptly and voluntarily disclose criminal misconduct within the Safe Harbor period, and that cooperate with the ensuing investigation, and engage in requisite, timely and appropriate remediation, restitution, and disgorgement – they will receive the presumption of a declination.” It provides a six-month window post the transaction closing date for the acquirer to disclose activity, whether it was discovered pre- or post-acquisition, and a further year from the date of closing to fully remediate. Deputy Attorney General (DAG) Monaco also declared that the policy is department-wide and will cover a broad range of misconduct, including cybersecurity, technology, and national security.
So, what does this mean for acquirers? While this Department of Justice (DOJ) guidance is welcomed news, there remains the operational challenge for acquirers to identify and unpack problematic activity in a six-month window -- while the acquirer is likely also mired in complex integration activities -- and then take the requisite follow-on actions to avail themselves of the safe harbor. Below are four key considerations to deploying an effective due diligence process that can help acquirers better position themselves to address the temporal and operational complexities of identifying problematic activity.
1. Involve Compliance Personnel Early in the Deal Process
DAG Monaco makes clear in her pronouncement that to take advantage of the safe harbor, compliance needs a “prominent” seat at the deal table. How might this be achieved? Among other things, acquirers should consider incorporating compliance professionals early in the deal process. Doing so allows compliance risks to be flagged sooner, which in turn allows for more time to evaluate and address risks in the lead-up to a transaction. It also can help inform pricing strategy by integrating into the analysis costs related to addressing compliance concerns pre- or post-transaction. It further better ensures that any contractual commitments or integration timelines built into the acquisition can more fully account for the operational and financial demands imposed by compliance considerations. At the bottom, addressing the risks associated with the safe harbor likely necessitates the early involvement of subject matter experts positioned to issue spots and take appropriate action.
2. Broaden the Scope of Reputational Due Diligence
Reputational due diligence into the track record and reputational history of the target’s management team is important but can have its limitations in uncovering problematic activities within a business. Compliance concerns derived from localized business practices, within certain emerging markets, or through important, high-risk business partners may not surface during routine diligence on executive management or the official legal history of the target. Given the tight timelines associated with deals, it may not be feasible to comprehensively analyze every possible risk. Despite that reality, acquirers should strongly consider an upfront risk assessment of the target’s sector and footprint to inform whether additional enhanced diligence is warranted as to certain activities. Some examples of red flags that could be identified through enhanced diligence include:
- Dominant local country managers operating in complex or opaque business environments with less oversight
- Significant government influence over access to critical resources, security, and/or business dealings
- Concentration of business with, and/or opacity of, certain suppliers or sales intermediaries
- Circuitous product logistics through problematic/unrelated third countries
- Opacity around ultimate end-customers
3. Go Beyond Governing Compliance Policies
Considering the Policy’s limited windows for disclosure and remediation, acquirers would benefit from leveraging pre-deal compliance program diligence to more comprehensively understand how compliance policies are implemented and operate across the target’s organization. This will better position the acquirer to identify risks and problematic activities. Gaps or inconsistencies in how policies are understood and applied, differences in local business norms, and general appetite for risk can all limit the effectiveness of a compliance program and create residual risk for an acquirer. Knowing these limitations pre-deal can make for better prioritization of post-close compliance integration or further analysis required over high-risk business activities. To address these potential risks, additional pre-deal questioning could focus on:
- Whether there have been any audits or monitoring of compliance activities at local operations and within Joint Venture (JV) partnerships
- Oversight and level of direct government interactions
- How sanctions and trade control policies are embedded in product, client, or supplier risk assessments and onboarding
- The procure-to-pay process over areas of heightened corruption risk
- Cybersecurity infrastructure
4. Incorporate Data Analysis and Controls Testing
Forensic data analysis and internal controls testing are critical in identifying and contextualizing problematic activities during the diligence process. Yet, they often get pushed into post-close activities due to time and access limitations, if undertaken at all. Further, acquirers may have the misperception that traditional financial due diligence activities are sufficient to identify problematic payments. Financial due diligence is often focused on business fundamentals and the overall accuracy of the target’s financial position. Through this lens, transactions that are problematic from a compliance perspective could be financially immaterial or viewed as commercially sound based on how they are accounted for. Pre-closing analysis of accounting and operational data from a compliance risk perspective can shed light on potentially high-risk activities and provide insight as to what additional diligence will be required post-closing.
Closing removes some of the hurdles to undertaking additional analysis of corporate data and testing of controls. Whether through internal audit/monitoring functions or via external advisors, acquirers should consider the following:
- Red-flag analytics across accounting and operational data focused on corruption and sanctions typologies to focus transactional testing and internal controls work
- Detailed reviews of internal controls and transaction testing over procurement, payments, travel, entertainment/hospitality, donations & community investments, and use of cash
- Third-party risk management in light of sanctions and corruption risk exposures
- Technology infrastructure pertinent to cybersecurity and U.S. national security concerns (where relevant)
- Industry-specific controls, for example, broader financial crime controls for regulated Financial Services firms or healthcare compliance in the Life Sciences sector.
While each acquisition presents its own challenges and requires a practical and tailored diligence process specific to those challenges, the DOJ’s guidance on the safe harbor should inform operational and temporal considerations that acquirers build into their approach to transactions. While recognizing the challenges presented by competing priorities and limited resources both pre- and post-closing, executing a timely and thorough diligence process of sufficient depth to identify problematic activities that may warrant disclosure and availing of the safe harbor is critical to reducing the acquirer’s liability risk. Incorporating the above-described best practices as part of that broader diligence effort will allow acquirers to identify issues more quickly and provide more time for thorough investigation and mitigation to maximize the acquirer’s options and more effectively minimize compliance risk.
Click here to learn more about Ankura’s risk and compliance offerings or contact our authors to discuss how we can support you.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.