When companies commit criminal misconduct and then get acquired, the criminal liability is the buyer’s problem — a doctrine called “successor liability.”
But a new safe harbor announced by the Department of Justice (DOJ) in early October now gives acquirers a modicum of protection: if they self-disclose criminal misconduct at a business they’ve acquired within six months after the deal’s close, the [DOJ] “will go after the prior company's management but [it’s] not going to go after you,” said Chris Robertson, a partner at Seyfarth Shaw.
[The exception is if the acquired company’s misconduct has national security implications for the U.S. — then the acquirer must report it immediately.]
The acquirer must then rectify the misconduct within a year of the deal’s closing, according to the policy announced by Deputy Attorney General Lisa O. Monaco.
The safe harbor in connection with M&A deals is part of a long-running strategy of the DOJ to encourage voluntary disclosures and partner with companies to identify wrongdoing, particularly that individuals commit.
But while many corporations and management teams want to be good citizens and help the DOJ identify fraud and those who commit it, choosing to self-disclose will be a tough decision with many ramifications.
The safe harbor is not blanket protection from prosecution (it confers no rights or privileges), and qualifying can be a long process. In addition, self-reporting criminal violations of an acquired company carries significant risk for the buyer.
Limits of Due Diligence
In announcing the program, Monaco said, “The last thing the [DOJ] wants to do is discourage companies with effective compliance programs from lawfully acquiring companies with ineffective compliance programs and a history of misconduct.”
"Due diligence is not forensic accounting; it's not at a level where you're going to find everything.”
Partner, Seyfarth Shaw
Mostly, a buyer won’t discover criminality until after a deal closes. “We all know that in this world, companies buy other companies all the time only to find out afterward that they had been misled,” Seyfarth Shaw’s Robertson told CFO.
Conducting as deep due diligence as possible is in a buyer's interest. However, “due diligence is not forensic accounting; it's not at a level where you're going to find everything,” Robertson said.
Ideally, the acquirer might find some red flags during due diligence, and then if misconduct is present, identify it once it has control of the seller’s financial systems.
By identifying red flags in due diligence, “when you put your team on the ground for transition purposes, they know where they need to start digging to try and figure out whether or not there are issues that need to get fixed or get disclosed to the government to protect the longer-term interests of the company,” said Zane Memeger, a partner with Morgan Lewis and a former U.S. attorney.
At that point, the clock is ticking.
“At [many] companies, six months is not a long time to conduct a thorough internal investigation. If something comes up after closing, they will be on a pretty aggressive schedule to figure out exactly what it is,” Robertson, head of Seyfarth’s whistleblower practice, said. They will also have to determine whether the misconduct is material and whether, at that point, they should report it.
While DOJ has noted that the six-month clock post-acquisition has some flexibility, that flexibility is subject to its discretion.
Reporting criminal conduct of an acquired entity also requires reasonable certainty — “before you start accusing that company and its management of criminal conduct,” said Robertson.
Buyers should also should know that self-disclosure will “open up a huge investigation,” said Robertson, and “even though you’re seeking a safe harbor, it’s still going to be expensive, distracting, and demand resources.”
For the DOJ to decline to prosecute, the acquirer has to cooperate fully with the ensuing investigation and “engage in requisite, timely and appropriate remediation, restitution, and disgorgement [give up the profits from illegal or wrongful acts],” according to Monaco.
“You must meet your burden, cooperatively providing information,” said Memeger.
According to a client alert by Latham & Watkins’ white-collar defense and investigations practice, a notable risk of self-disclosure is that the safe harbor is not binding on any other enforcement or regulatory authority.
As with the DOJ’s anti-trust leniency program that “incentivizes companies to self-report collusive conduct by providing immunity from criminal antitrust liability,” the M&A policy will not shield a company from civil liability in private lawsuits. In the case of antitrust cases, private lawsuits almost always follow criminal investigations, said Latham & Watkins.
Of course, not disclosing misconduct discovered after a deal closes is also risky. If the fraud is revealed some other way, such as through a whistleblower, the DOJ will be asking the acquirer why it didn’t self-disclose and, in addition, perhaps, why the matter wasn’t discovered in due diligence.
Robertson said practitioners understand that a major focus of the policy will be improper payments — such as those covered by the Foreign Corrupt Practices Act — and antitrust issues, like collusive agreements with competitors. “Corrupt payments are really hard to find,” Robertson said.
As a result, Robertson recommends acquirers do “a deeper dive into the financial statements to see if there are any line items or payments that don't seem to connect to any specific contract or don't connect to any specific account.”
In addition, while M&A due diligence related to compliance programs is usually limited, that may have to change.