Justice Dept. Cuts Compliance Break for M&A
The Justice Department is extending yet another olive branch to companies to encourage stronger compliance programs, saying it typically will not prosecute companies that self-disclose issues at acquisition targets if the company makes that disclosure within six months of closing the deal.
So said deputy attorney general Lisa Monaco on Wednesday, speaking at the Society of Corporate Compliance & Ethics’ annual conference happening in Chicago. The new policy had been rumored for several months.

“The last thing the department wants to do is discourage companies with effective compliance programs from lawfully acquiring companies with ineffective compliance programs and a history of misconduct,” Monaco said. “Instead, we want to incentivize the acquiring company to timely disclose misconduct uncovered during the M&A process.”
To that end, the department will now have a safe harbor policy for voluntary self-disclosures arising from the mergers and acquisitions process. If that self-disclosure happens within the first six months of the deal closing, the company will receive the presumption of a declination to prosecute. The company will also typically have one year from the deal closing to remediate the control failures.
A few other important details…
First, the six-month disclosure window starts on the closing date, regardless of whether you discover the compliance issues pre- or post-acquisition. So the sooner you discover the issue (ideally, in pre-acquisition due diligence), the more time you have to disclose it. Conversely, if management weenies block the compliance team from pre-acquisition due diligence and you don’t discover the issue until after deal closing, you’ll have less time.
“We are placing an enhanced premium on timely compliance-related due diligence and integration,” Monaco said. “Compliance must have a prominent seat at the deal table if an acquiring company wishes to effectively de-risk a transaction.”
Second, if the target company’s misconduct includes aggravating factors (which can dash a company’s chances for a declination), the presence of those factors “will not impact in any way” the acquiring company’s ability to receive a declination. Nor will the target’s misconduct count as recidivist behavior for the parent company, in case you have other trouble in the future and prosecutors are looking at your company’s past performance.
Third, those deadlines of six months for disclosure and one year for remediation are flexible. Depending on specific facts and circumstances, prosecutors might extend either deadline — although, Monaco warned, if the target’s misconduct somehow threatens national security or ongoing harm, a company can’t wait six months to disclose; the disclosure must be made immediately.
And as always, companies will still need to fulfill the three basic tenets of the Justice Department’s Corporate Enforcement Policy: voluntary self-disclosure of the issue, cooperating in the ensuing investigation, and remediating the control failures that allowed the misconduct to happen in the first place.
Context for Compliance Officers
Monaco’s announcement today is the latest in a string of policy shifts the Justice Department has made over the last 18 months, each one offering more forgiveness to companies that voluntarily disclose their misconduct, cooperate with the ensuing investigation, and have an effective compliance program by the time the issue is settled.
That’s all welcome news for compliance professionals, but we do still have a few points to consider about this M&A Safe Harbor Policy.
First, to take advantage of it, you’ll actually need to perform due diligence on the acquisition target. And since the stakes of the game are higher, this due diligence will need to be much more exhaustive than the questionnaires you might send out to resellers or other intermediaries. You’ll need a thorough process that works through every compliance risk this target might pose. That might start with a questionnaire or some other checklist, but from there the compliance team will need to probe much further — gathering documentation, conducting interviews, confirming statements from the company with third parties, and so forth.
Second, there’s still the question of compliance officers being involved in pre-acquisition due diligence at all. Some management teams might take the short-sighted approach here, figuring that they can just go ahead and close the deal immediately, since they can always disclose compliance violations later and still secure a declination to prosecute.
I do see Monaco’s logic with the six-month timeframe: that if management decides to push through the acquisition and then let compliance officers perform due diligence, the company will have less time to discover and report any issues. I’m just not sure whether that logic is also wishful thinking. Some companies inevitably will try to confine compliance officers to post-acquisition due diligence only.
So what happens if the company goes that route, and you don’t discover any issues until after the six-month deadline elapses? Will management then blame you, the compliance officer, for blowing their opportunity at a declination? That’s not fair, but I certainly wouldn’t put it past some CEOs and general counsels out there to try.
I’m also curious to see how the one-year deadline for remediation would work in practice. Integrating acquisitions into a parent enterprise is tumultuous under the best of circumstances. If the compliance officer also has to conduct an investigation, swap out a bunch of defective policies and controls for the compliance program you currently have in place, test those new policies to confirm they work, and train your newly acquired employees — that’s a lot. Compliance officers would need strong support from senior management to push such changes through to completion.
Monaco did have other comments about compensation clawback programs, national security cases, and other issues, so we’ll have more posts about her speech (and about the SCCE conference generally) in coming days. The M&A safe harbor policy is plenty enough for now.