On October 4, 2023, Deputy Attorney General Lisa Monaco announced a new safe harbor policy that may shield companies from criminal prosecution for misconduct they uncover at companies they are acquiring or have recently acquired.1 Under the Mergers & Acquisitions (M&A) Safe Harbor Policy, the Department of Justice (DOJ) will presumptively decline to prosecute acquiring companies that voluntarily self-disclose misconduct they discover within six months from the date of closing, that cooperate with the DOJ and “fully remediate” the misconduct within one year from the date of closing. “Our goal is simple: good companies—those that invest in strong compliance programs—will not be penalized for lawfully acquiring companies when they do their due diligence and discover and self-disclose misconduct,” Monaco said in prepared remarks to be delivered at the Society of Corporate Compliance and Ethics’ 22nd Annual Compliance & Ethics Institute.
The new policy, which will be applied across the entire DOJ (particularly in areas implicating cybersecurity, tech, and national security), adds timelines and more precise standards to a similar policy that had previously been applied in the Foreign Corrupt Practices Act (FCPA) Unit of the DOJ and follows previous policy revisions aimed at encouraging voluntary self-disclosures of criminal misconduct by similarly offering potential declinations of prosecutions. The M&A Safe Harbor Policy is also the latest in a series of policy and guidance updates from the DOJ regarding corporate compliance programs that are aimed at incentivizing companies to discourage and disclose corporate malfeasance. The new policy is, however, the DOJ’s most focused effort regarding M&As across industries and enforcement areas.
As WilmerHale previously explained in a prior Client Alert, Assistant Attorney General for the Criminal Division Kenneth A. Polite Jr. announced revisions in January 2023 to the DOJ’s FCPA Corporate Enforcement Policy and expressly extended its application to all corporate criminal matters handled by the Criminal Division of the DOJ in order to incentivize companies to “do the right thing” in self-disclosing alleged misconduct and cooperating with DOJ investigations.2 Similar to the M&A Safe Harbor Policy, the revised and expanded Corporate Enforcement Policy offers a presumption of a declination to companies that voluntarily self-disclose misconduct to the DOJ, fully cooperate, timely and appropriately undertake remedial measures, and disgorge any profits from unlawful conduct.3 The Corporate Enforcement Policy also extended that presumption to acquiring companies that report and remediate misconduct uncovered during due diligence at acquired companies, regardless of whether the misconduct occurred pre- or post-acquisition.4 The policy did not, however, provide timelines and other specifics.
New M&A Safe Harbor Policy
The M&A Safe Harbor Policy builds on the Corporate Enforcement Policy by implementing a department-wide framework that focuses specifically on the M&A process. This is intended to create greater consistency across the DOJ. To be eligible for a declination under the M&A Safe Harbor Policy (which applies to antitrust, sanctions and other criminal violations), an acquiring company must:
- Self-report misconduct committed by the acquired company within six months from the date of closing, regardless of whether the illegal activity was identified before or after the acquisition.
- Fully remediate the misconduct within a year of the closing date.
Monaco stated that these baseline timeframes are subject to a reasonableness analysis and may be extended by the DOJ depending on the facts and circumstances of a particular transaction.
The new policy provides that aggravating factors—which include involvement by executive management in misconduct, significant profits from misconduct, and egregious or pervasive misconduct5 —at the acquired company will not have any impact on the acquiring company’s ability to obtain a declination. At the same time, aggravating factors may prevent an acquired company from receiving a declination based on a self-disclosure from an acquiring company. Furthermore, misconduct disclosed under the M&A Safe Harbor Policy will not be taken into consideration for any future recidivist analysis for the acquiring company.
“We are placing an enhanced premium on timely compliance-related due diligence and integration. Compliance must have a prominent seat at the deal table if an acquiring company wishes to effectively de-risk a transaction,” Monaco said in prepared remarks. “Through careful due diligence and timely post-acquisition integration—alongside self-disclosure, remediation, disgorgement, and cooperation where warranted—acquiring companies can protect shareholders, promote compliance, and advance the goal of fighting corporate crime.”
Monaco also made clear that the new policy applies only in the criminal context and does not affect civil merger enforcement.
Even before the M&A Safe Harbor Policy was announced, recent enforcement actions demonstrate the premium the DOJ has placed on voluntary self-disclosure in the M&A context. For example, in December 2022, Safran S.A. received a declination of prosecution with disgorgement after it voluntary disclosed information about improper pre-acquisition payments to consultants made by two companies Safran acquired, cooperated with the ensuing investigation, and remediated the issues.6
Key Considerations for Companies
- The M&A Safe Harbor Policy underscores the importance of robust due diligence during the acquisition process to make sure an acquiring company understands potential criminal exposure at the target company. Including compliance issues as a regular part of the diligence process, and not an afterthought as a deal is about to close, is key to identifying and addressing relevant risks.
- While incentivizing voluntary self-disclosures through the presumption of declinations, the M&A Safe Harbor Policy does have specific requirements as to the timing of disclosure and remediation. Although the DOJ suggested there may be some flexibility in these deadlines, companies should expect the deadlines will be enforced in the absence of discussions and assurances from the DOJ and in situations involving ongoing or imminent harm (particularly in the area of national security), companies should not delay self-disclosure if they wish to take full advantage of the policy.
- Acquiring companies should act diligently during the M&A process to identify criminal misconduct at acquired companies and consider the benefits and risks of potential disclosure to the DOJ. At the same time, companies must remain mindful that the DOJ has specified that the policy applies to only “criminal conduct discovered in bona fide, arms-length M&A transactions,” and “does not apply to misconduct that was otherwise required to be disclosed or already public or known to the Department.”
- The M&A Safe Harbor Policy provides potentially helpful incentives to disclose malfeasance and avoid prosecution, but companies should proceed cautiously to ensure they are eligible for the policy’s benefits. They should also be mindful that restitution and disgorgement, as well as a public recitation of the facts, will be required even if DOJ declines prosecution.