Last year’s Foreign Corrupt Practices Act (FCPA) Guidance makes clear that one of the 10 hallmarks of an effective compliance program is around mergers and acquisitions (M&A), in both the pre and post-acquisition context. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps, most commonly, inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. But equally important is that if a company engages in the suggested actions, they will go a long way towards insulating, or at least lessening, the risk of FCPA liability going forward.
Pre-Acquisition Risk Assessment
It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.
The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, this pre-acquisition risk assessment can be used by company management to attain what might be required in the way of integration post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.
Next comes a five-step process on how to plan and execute a strategy to perform pre-acquisition due diligence in the merger context:
Establish a point of contact. Determine one point of contact with whom you can liaise throughout the process. Typically, this would be the target’s Chief Compliance Officer (CCO) if the company is large enough to have full-time position.
Collect relevant documents. Obtain a detailed list of sales going back three to five years, broken out by country and, if possible, obtain a further breakdown by product and/or services, all joint venture (JV) contracts and due diligence on JVs and other third-party business partners, travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries, internal audit reports and other relevant documents. You do not need to investigate de minimis sales amounts, but focus your compliance due diligence inquiry on high sales volumes in high-risk countries. If the acquisition target company uses a sales model of third parties, obtain a complete list, including JVs. It should be broken out by country and amount of commission paid. Review all underlying due diligence on these foreign business representatives, their contracts and how they were managed after the contract was executed; again, your focus should be on large commissions in high-risk countries.
Review the compliance and ethics mission and goals. Look at the code of conduct or other foundational documents that a company might have to gain some insight into what they publicly espouse.
Review the seven elements of an effective compliance program.
- Oversight and operational structure of the compliance program.
Here, you should assess the role of board, CCO and the compliance committee, if there is one. Regarding the CCO, you need to look at his reporting and access – is it independent within the overall structure of the company? Also, what are the resources dedicated to the compliance program, including a review of personnel, the budget and overall resources? Review high-risk geographic areas where your company and the acquisition target company do business. If there is overlap, seek out your own sales and operational people and ask them what compliance issues are prevalent in those geographic areas. If there are compliance issues that your company faces, then the target probably faces them as well.
- Policies/procedures and code of conduct.
In this analysis, you should identify industry practices and any legal standards which may exist for the target company. You need to review how the compliance policies and procedures were developed and determine the review cycles for compliance policies, if any. Lastly, you need to know how everything is distributed and what the enforcement mechanisms are for compliance policies. You should also check with HR for terminations or disciplinary action relating to compliance.
- Education, training and communication.
Review the compliance training process as it exists, both formally and informally. You should ask such questions as “What are the plans and schedules for compliance training?” Next, determine if the training material itself is fit for the intended purpose, including both internal and external training for third parties. You should also evaluate the training delivery channels. Is the compliance training delivered live, online or through video? Finally, assess whether the company has updated their training based on changing legislation. You will need to interview the acquisition target company personnel responsible for its compliance program to garner a full understanding of how they view their program. You may wish to engage in discussions with the target company’s General Counsel (GC), Vice President (VP) of Sales and head of internal audit regarding all corruption risks. You should also delve into the target’s compliance efforts and any other corruption-related issues that may have surfaced.
- Monitoring and auditing.
Review both the internal audit plan and methodology used regarding any compliance audits. A couple of key points are: (1) Is it consistent over a period of time? and (2) What is the audit frequency? You should also try and judge whether the audit is truly independent or if there was manipulation by the business unit. You will need to review the travel and entertainment records of the acquisition target company’s top sales personnel in high-risk countries. You should retain a forensic auditing firm to assist you with this effort. Use the resources of your own company personnel to find out what is reasonable for travel and entertainment in the same high-risk countries where your company does business.
What is the company’s system for reporting violations or allegations of violations? Is the reporting system anonymous? From there, turn to who does the investigations and how they are conducted. A key here, as well as something to keep in mind throughout the process, is the adequacy of record keeping by the target.
- Response to detected violations.
This review is to determine management’s response to detected violations. What is the remediation that has occurred and what corrective action has been taken to prevent future, similar violations? Has there been any internal enforcement and discipline of compliance policies if there were violations? Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto? Further, you may be required to self-disclose any FCPA violations that you discover. There may be other reporting issues in the M&A context such as any statutory obligations to disclose violations of any anti-bribery or anti-corruption laws in the jurisdiction(s) in question; what effect will disclosure have on the target’s value or the purchase price that your company is willing to offer?
- Enforcement practices/disciplinary actions.
Determine if there were any disciplinary actions delivered in the past, up to and including termination. If remedial measures were put in place, how were they distributed throughout the company and were they understood by employees?
Do not forget to take a look at any periodic evaluation of the program’s effectiveness. Here, a review of the target’s internal audit reports or outside investigations is suggested. Finally, while you are performing the anti-corruption due diligence, you should also review issues for anti-money laundering (AML) and export control issues.
It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain. These would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include reps and warranties in the final sales agreement that the entire target company uses for participation in transactions as permitted under local law, that there is an absence of government owners in company and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a rep that all the books and records presented to the acquiring company for review were complete and accurate.
To emphasize all of the above, the U.S. Department of Justice (DOJ) stated in the Pfizer deferred prosecution agreement (DPA), in the M&A context, that a company is to ensure that, when practicable and appropriate on the basis of an FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence have been conducted by a suitable combination of legal, accounting and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition of a new business for reasons beyond a company’s control, or due to any applicable law, rule or regulation, an acquiring company should continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the DOJ any corrupt payments or falsified books and records.
Previously many compliance practitioners had based decisions in the M&A context on DOJ Opinion Release 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity Expro. In the spring of 2011, the Johnson & Johnson (J&J) DPA changed the perception of compliance practitioners regarding what is required of a company in the M&A setting related to FCPA due diligence, both pre- and post-acquisition. On June 18 2012, the DOJ released the Data Systems & Solutions LLC (DS&S) DPA which brought additional information to the compliance practitioner on what a company can do to protect itself in the context of M&A activity.
08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted a request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether, through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton’s completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the department within 180 days of closing.
Halliburton committed to the following conditions in 08-02, if it was the successful bidder in the acquisition:
- Within 10 business days of the closing, Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk elements.
- Within 90 days of closing, Halliburton would report to the DOJ the results of its high-risk due diligence.
- Within 120 days of closing, Halliburton would report to the DOJ the results to date of its medium-risk due diligence.
- Within 180 days of closing, Halliburton would report to the DOJ the results to date of its lowest-risk due diligence.
- Within one year of closing, Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction.
Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However, we advised our clients not to be discouraged, because 08-02 laid out a clear roadmap for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed, the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.”
Johnson & Johnson (J&J)
In Attachment D of the J&J DPA, entitled “Enhanced Compliance Obligations,” there is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA beyond the minimum best practices also set out in the J&J DPA. With regard to the M&A context, J&J agreed to the following:
- J&J will ensure that new business entities are only acquired after thorough FCPA and anti-corruption due diligence by legal, accounting and compliance personnel. Where such anti-corruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule or regulation, J&J will conduct FCPA and anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records or inadequate internal controls as required by … the deferred prosecution agreement.
- J&J will ensure that J&J’s policies and procedures regarding the anti-corruption laws and regulations apply as quickly as is practicable, but in any event, no less than one year post-closing, to newly-acquired businesses and promptly. For those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA audits or will incorporate FCPA components into financial audits. J&J also committed to:
- Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners and relevant employees thereof, who present corruption risk to J&J, on the anti-corruption laws and regulations and J&J’s related policies and procedures and
- Conduct an FCPA-specific audit of all newly-acquired businesses within 18 months of acquisition.
These enhanced obligations agreed to by J&J in the M&A context were less time-sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to implement actions in the following time frames:
18 Months: Conduct a full FCPA audit of the acquired company.
12 Months: Introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”
In the DS&S DPA there were two new items listed in the corporate compliance program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions are found on items 13 and 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:
- DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this agreement.
- DS&S will ensure that its policies and procedures regarding the anti-corruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:
- Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S’s policies and procedures regarding anti-corruption laws.
- Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.
This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance and the J&J Enhanced Compliance Obligations incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during M&A activities.
FCPA M&A Box Score Summary
|Time Frames||Halliburton 08-02||J&J||DS&S|
||18 months to conduct full FCPA audit||As soon “as practicable”|
|Implement FCPA Compliance Program||Immediately upon closing||12 months||As soon “as practicable”|
|Training on FCPA Compliance Program||60 days to complete training for high risk employees, 90 days for all others||12 months to complete training||As soon “as practicable”|
The Guidance, coupled with the 08-02 and two enforcement actions, speaks to the importance that the DOJ puts on M&A in the FCPA context. The time frames for post-acquisition integration are quite tight. This means that you should do as much work as you can in the pre-acquisition stage. The DOJ makes clear that rigor is needed throughout your entire compliance program, including with regard to M&A. This rigor should be viewed as something more than just complying with the FCPA; it should be viewed as just making good business sense.