Last year’s Foreign Corrupt Practices Act (FCPA) Guidance makes clear that one of the 10 hallmarks of an effective compliance program is around mergers and acquisitions (M&A), in both the pre and post-acquisition context. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps, most commonly, inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. But equally important is that if a company engages in the suggested actions, they will go a long way towards insulating, or at least lessening, the risk of FCPA liability going forward.
Pre-Acquisition Risk Assessment
It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.
The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, this pre-acquisition risk assessment can be used by company management to attain what might be required in the way of integration post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.
Next comes a five-step process on how to plan and execute a strategy to perform pre-acquisition due diligence in the merger context:
Establish a point of contact. Determine one point of contact with whom you can liaise throughout the process. Typically, this would be the target’s Chief Compliance Officer (CCO) if the company is large enough to have full-time position.
Collect relevant documents. Obtain a detailed list of sales going back three to five years, broken out by country and, if possible, obtain a further breakdown by product and/or services, all joint venture (JV) contracts and due diligence on JVs and other third-party business partners, travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries, internal audit reports and other relevant documents. You do not need to investigate de minimis sales amounts, but focus your compliance due diligence inquiry on high sales volumes in high-risk countries. If the acquisition target company uses a sales model of third parties, obtain a complete list, including JVs. It should be broken out by country and amount of commission paid. Review all underlying due diligence on these foreign business representatives, their contracts and how they were managed after the contract was executed; again, your focus should be on large commissions in high-risk countries.
Review the compliance and ethics mission and goals. Look at the code of conduct or other foundational documents that a company might have to gain some insight into what they publicly espouse.
Review the seven elements of an effective compliance program.
Do not forget to take a look at any periodic evaluation of the program’s effectiveness. Here, a review of the target’s internal audit reports or outside investigations is suggested. Finally, while you are performing the anti-corruption due diligence, you should also review issues for anti-money laundering (AML) and export control issues.
It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain. These would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include reps and warranties in the final sales agreement that the entire target company uses for participation in transactions as permitted under local law, that there is an absence of government owners in company and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a rep that all the books and records presented to the acquiring company for review were complete and accurate.
To emphasize all of the above, the U.S. Department of Justice (DOJ) stated in the Pfizer deferred prosecution agreement (DPA), in the M&A context, that a company is to ensure that, when practicable and appropriate on the basis of an FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence have been conducted by a suitable combination of legal, accounting and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition of a new business for reasons beyond a company’s control, or due to any applicable law, rule or regulation, an acquiring company should continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the DOJ any corrupt payments or falsified books and records.
Previously many compliance practitioners had based decisions in the M&A context on DOJ Opinion Release 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity Expro. In the spring of 2011, the Johnson & Johnson (J&J) DPA changed the perception of compliance practitioners regarding what is required of a company in the M&A setting related to FCPA due diligence, both pre- and post-acquisition. On June 18 2012, the DOJ released the Data Systems & Solutions LLC (DS&S) DPA which brought additional information to the compliance practitioner on what a company can do to protect itself in the context of M&A activity.
08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted a request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether, through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton’s completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the department within 180 days of closing.
Halliburton committed to the following conditions in 08-02, if it was the successful bidder in the acquisition:
Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However, we advised our clients not to be discouraged, because 08-02 laid out a clear roadmap for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed, the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.”
Johnson & Johnson (J&J)
In Attachment D of the J&J DPA, entitled “Enhanced Compliance Obligations,” there is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA beyond the minimum best practices also set out in the J&J DPA. With regard to the M&A context, J&J agreed to the following:
These enhanced obligations agreed to by J&J in the M&A context were less time-sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to implement actions in the following time frames:
18 Months: Conduct a full FCPA audit of the acquired company.
12 Months: Introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”
In the DS&S DPA there were two new items listed in the corporate compliance program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions are found on items 13 and 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:
This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance and the J&J Enhanced Compliance Obligations incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during M&A activities.
FCPA M&A Box Score Summary
|Time Frames||Halliburton 08-02||J&J||DS&S|
||18 months to conduct full FCPA audit||As soon “as practicable”|
|Implement FCPA Compliance Program||Immediately upon closing||12 months||As soon “as practicable”|
|Training on FCPA Compliance Program||60 days to complete training for high risk employees, 90 days for all others||12 months to complete training||As soon “as practicable”|
The Guidance, coupled with the 08-02 and two enforcement actions, speaks to the importance that the DOJ puts on M&A in the FCPA context. The time frames for post-acquisition integration are quite tight. This means that you should do as much work as you can in the pre-acquisition stage. The DOJ makes clear that rigor is needed throughout your entire compliance program, including with regard to M&A. This rigor should be viewed as something more than just complying with the FCPA; it should be viewed as just making good business sense.
Sign up for our free weekly e-newsletter for more GRC articles, job postings, GRC events, white papers & more…..click here
Thomas Fox has practiced law in Houston for 25 years. He is now assisting companies with FCPA compliance, risk management and international transactions. He was most recently the General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He was previously Division Counsel with Halliburton Energy Services, Inc. where he supported Halliburton’s software division and its downhole division, which included the logging, directional drilling and drill bit business units. Tom attended undergraduate school at the University of Texas, graduate school at Michigan State University and law school at the University of Michigan. Tom writes and speaks nationally and internationally on a wide variety of topics, ranging from FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets. Thomas Fox can be contacted via email at firstname.lastname@example.org or through his website www.tfoxlaw.com. Follow this link to see all of his articles.