Mergers and acquisitions under the FCPA
The Foreign Corrupt Practices Act (FCPA) Guidance, issued in 2012, highlights mergers and acquisitions (M&A) due diligence as one of the 10 hallmarks of an effective compliance program, in both the pre- and post-acquisition context. Without adequate FCPA due diligence prior to a merger or acquisition, a company risks legal consequences.
Most commonly, inadequate due diligence can allow bribery to continue, with the attendant harm to a business's profitability and reputation, as well as potential civil and criminal liability. Companies that effectively conduct FCPA due diligence can more accurately evaluate each target's value and negotiate the costs of the bribery. Equally important is following guidelines to insulate against, or at least lessen, the risk of FCPA liability going forward.
The FCPA Guidance was the first time that compliance practitioners focused on the pre-acquisition phase as part of a compliance regime. It provided specific steps a company had taken, including:
- Having its legal, accounting, and compliance departments review Foreign Company’s sales and financial data, its customer contracts, and its third-party and distributor agreements
- Performing a risk-based analysis of Foreign Company’s customer base
- Performing an audit of selected transactions engaged in by Foreign Company
- Engaging in discussions with Foreign Company’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other corruption-related issues that have surfaced at Foreign Company over the past 10 years
Pre-acquisition risk assessment
The process should begin with a pre-acquisition internal controls risk assessment, which could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. Conducting this early will inform the transaction research and evaluation phases, act as a “lens through which to view the feasibility of the business strategy,” and help to value the potential target.
The next step is to develop a base document. From this, a focused series of queries and requests for information to be obtained from the target company can be created. Management can also use this document during post-acquisition integration. It would also help explain how corporate and business functions could be affected and assist in planning for the overall expenses of post-acquisition integration.
Next, plan and execute a strategy to perform pre-acquisition due diligence in the M&A context in five steps:
- Establish a point of contact. Determine one point of contact to liaise with throughout the process. Typically, this would be the target’s chief compliance officer (CCO) if the company is large enough to have a full-time position.
- Collect relevant documents. Obtain a detailed list of sales going back three to five years, broken out by country and, if possible, by product and/or service; all joint venture (JV) contracts, due diligence on JVs, and other third-party business partners; the travel and entertainment records of the acquisition target company’s top sales personnel in high-risk countries; and internal audit reports and other relevant documents.
- Review the compliance and ethics mission and goals. Evaluate the code of conduct or other foundational documents to gain some insight into what they publicly espouse.
- Review the seven elements of an effective compliance program as listed below:
  - Oversight and operational structure of the compliance program
  - Policies/procedures, code of conduct
  - Education, training, and communication
  - Monitoring and auditing
  - Response to detected violations
  - Enforcement practices/disciplinary actions
- Periodically evaluate the M&A review procedures’ effectiveness benchmarked against any legal proceedings, FCPA enforcement actions, opinion releases, or other relevant information.
There are three major activities in the post-acquisition phase: performing a full forensic FCPA audit, integrating your compliance program into the newly acquired entity, and providing FCPA training to the high-risk employees of the entity.
Many compliance practitioners had based decisions in the M&A context on the 2008 DOJ Opinion Procedure Release 08-02. In 2011, a pharmaceutical company's deferred prosecution agreement (DPA) changed compliance practitioners' perception of the FCPA due diligence requirements in M&A, both pre- and post-acquisition. Released in 2012, a technology company's DPA gave additional insight on how to protect a company during M&A activity.
The FCPA guidance appears to follow the later actions more closely. However, you should always be aware that an acquired entity's violations of the FCPA, past, present, or in the future, are now your responsibility.
| Time frames | 2008 action | 2011 action | 2012 action |
| --- | --- | --- | --- |
| FCPA audit | High-risk agents: 90 days; medium-risk agents: 120 days; low-risk agents: 180 days | 18 months to conduct full FCPA audit | As soon "as practicable" |
| Implement FCPA compliance program | Immediately upon closing | 12 months | As soon "as practicable" |
| Training on FCPA compliance program | 60 days to complete training for high-risk employees, 90 days for all others | 12 months to complete training | As soon "as practicable" |
The information is out there for a company to avoid FCPA liability in a merger or acquisition. Emphasis should be placed equally on the pre- and post-acquisition phases because, as with most FCPA compliance program components, they just make good business sense.