In an October 4, 2023 speech, U.S. Department of Justice (“DOJ”) Deputy Attorney General Lisa Monaco announced a new “safe harbor” policy for voluntary self-disclosures made in connection with mergers and acquisitions ("M&A”) (the “M&A Safe Harbor Policy” or “Policy”). This Policy is a continuation of DOJ’s broader self-disclosure policy reform efforts, which began in September 2022.
The Policy appears to be part of DOJ’s overall effort to ensure consistent treatment of companies that disclose misconduct and to create an incentive for acquiring companies to disclose misconduct without suffering significant consequences. The DOJ’s continued focus on self-disclosure underscores the importance of rigorous regulatory due diligence to assess both the extent of a transaction’s existing regulatory risk and any prospect for safe-harbor treatment. This Alert reviews recent DOJ compliance reforms, summarizes key aspects of the new M&A Safe Harbor Policy, and discusses practical considerations for companies along with potential next steps.
The New Policy Builds on Recent DOJ Reforms to Its Corporate Compliance Programs
In September 2022, Deputy Attorney General Monaco issued a memorandum directing all DOJ components to update their compliance enforcement policies to ensure that companies benefit from promptly and voluntarily disclosing misconduct. By March 2023, every DOJ component engaged in corporate criminal enforcement had revised or formalized their voluntary self-disclosure policies, which now include details on the specific benefits corporations can expect to receive if they meet the standards for voluntary-self disclosure. Also pursuant to the September 2022 Memo, DOJ updated its policies on full and effective cooperation. Under those revisions, to qualify for cooperation credit, companies must timely preserve, collect, and disclose all relevant documents, regardless of whether those documents are in the United States or overseas.
In line with these reform efforts, in January 2023, DOJ updated its Foreign Corrupt Practices Act (“FCPA”) Corporate Enforcement Policy to formally include guidelines on voluntary self-disclosure. The FCPA Corporate Enforcement Policy extends to misconduct discovered during M&A due diligence. To receive cooperation credit, an acquiring entity must follow the policy’s guidelines, which require self-disclosure within a reasonably prompt time, timely disclosure of all non-privileged facts, and engagement in timely and appropriate mediation.
Two months after updating the FCPA Corporate Enforcement Policy, DOJ revised its Evaluation of Corporate Compliance Programs (“ECCP”) to include consideration of companies’ policies on the use of personal devices and third-party messaging platforms, along with companies’ polices on preservation of business-related electronic data and communications. These ECCP revisions instruct prosecutors evaluating a company’s compliance program to consider whether the company’s compensation policies incentivize compliance and deter noncompliance. Alongside these revisions, DOJ also announced a pilot program to award a dollar-for-dollar penalty credit to companies that withhold or claw back compensation from employees engaged in non-compliance. Please see our previous alert for additional information.
The New M&A Safe Harbor Policy
The Deputy Attorney General’s statement this week marks DOJ’s latest effort to incentivize voluntary self-disclosures. The new M&A Safe Harbor Policy establishes that DOJ will presumptively decline to prosecute any acquiring entity that:
(1) voluntarily self-discloses criminal misconduct within six months from the date of closing, regardless of whether the misconduct was discovered before or after the acquisition; and
(2) fully remediates the misconduct within one year from the date of closing.
Although, unlike the FCPA Corporate Enforcement Policy, the M&A Safe Harbor Policy does not require “prompt” self-disclosure and timely remediation, the timing must be reasonable. Deadlines may be extended based on facts, circumstances, and complexity of the transaction, but discovery of misconduct relating to national security, or ongoing or imminent harm must be disclosed immediately.
The M&A Safe Harbor Policy is also subject to the following qualifications:
- The acquired entity, in addition to the acquiring entity, may qualify for voluntary self-disclosure benefits, including a presumption that DOJ will decline to prosecute, as long as aggravating factors are not present at the acquired company.
- The presence of aggravating factors at the acquired entity will not impact the acquiring company’s ability to avoid prosecution.
- Misconduct disclosed under the M&A Safe Harbor Policy will not factor into DOJ’s analysis of any future recidivist conduct.
- The M&A Safe Harbor Policy only applies to conduct discovered in bona fide, arms-length M&A transactions and does not apply to misconduct that is publicly known or should have been otherwise disclosed.
- The M&A Safe Harbor Policy does not apply to civil merger enforcement programs.
Practical Considerations and Potential Next Steps
In her remarks on Wednesday, Deputy Attorney General Monaco emphasized that, “[c]ompliance must have a prominent seat at the deal table if an acquiring company wishes to effectively de-risk a transaction.” Her comments reflect the growing importance of regulatory due diligence during any M&A transaction. Companies should make sure their evaluations of regulatory risk operate to catch and analyze potential compliance problems as early as possible.
DOJ's clearly stated policy puts acquiring companies on notice that any failure to perform detailed regulatory due diligence may result in successor liability, even if those companies have robust compliance cultures. The onus is now squarely on acquiring companies to assess and allocate, or minimize, compliance risks.
Given DOJ’s heightened focus in this area, companies that proactively invest in robust compliance programs will reap the benefits if misconduct occurs.
Deputy Attorney General Monaco concluded her remarks by stating that, going forward, in addition to the M&A context, DOJ intends to apply the full range of its new corporate enforcement principles to the areas of cybersecurity, technology, and national security. Entities operating in those sectors should ensure their compliance programs meet current DOJ standards.
For More Information
Van Ness Feldman’s Litigation and Investigations team has extensive experience with designing and implementing compliance programs, conducting regulatory due diligence, leading internal investigations, and handling government investigations. For more information on how our team can help with regulatory and compliance due diligence in transactions, or any other compliance-related analyses, please contact Mike Farber, Charlene Koski, Justin Panitchpakdi, Rachael Lipinski, or any other member of our Litigation and Investigations team.