Integration of a compliance programme after acquisition
There is plenty of guidance available for any compliance practitioner seeking clarity on what the United States Department of Justice (DOJ) expects in the way of post-acquisition activity around Foreign Corrupt Practices Act (FCPA) compliance. The first guide was provided in 2008, in DOJ Opinion Release 08-02, which related to oil company Halliburton’s proposed acquisition of United Kingdom entity Expro.
Opinion Release 08-02 began after Halliburton requested the DOJ to clarify some issues that arose in its pre-acquisition due diligence of Expro. Halliburton had submitted a request to the DOJ specifically asking whether it would be held criminally liable for any post-acquisition unlawful conduct by the target company before completion of FCPA and anti-corruption due diligence, if such conduct was identified and disclosed to the DOJ within 180 days of closing. The resulting Opinion Release laid out a clear roadmap for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context.
More guidance came in 2011, after Johnson & Johnson agreed to a deferred prosecution agreement (DPA) with the DOJ as part of a settlement for bribing doctors.
Attachment D of the DPA was a list of ‘enhanced compliance obligations’ that Johnson & Johnson agreed to undertake for at least the duration of its DPA.
With regard to mergers and acquisitions, Johnson & Johnson agreed that:
- if anti-corruption due diligence could not be completed before the acquisition of a new business for reasons beyond its control or because of a certain law or regulation, it would conduct FCPA and anti-corruption due diligence immediately after the acquisition, and report any corrupt payments, falsified books and records or inadequate internal controls to the DOJ
- it would ensure that its anti-corruption policies and procedures were integrated into the acquired entity as quickly as possible, but in any event within a year of the acquisition being finalised
- it would train all directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners and relevant employees who present corruption risks within one year of the acquisition
- it would conduct an FCPA-specific audit of all newly-acquired businesses within 18 months of the acquisition.
And in 2012, the FCPA enforcement action involving Rolls-Royce subsidiary Data Systems & Solutions LLC (now known as Optimized Systems and Solutions LLC) provided yet another timeframe for post-acquisition compliance work.
Data Systems & Solutions’ DPA with the DOJ – agreed to as part of a bribery settlement – specified that training of acquired employees, integration of the newly-acquired entity into the company’s compliance regime and a forensic FCPA audit should all occur ‘as soon as practicable’. The company would also be required to report the results to the United States Government.
All of the above outcomes were collated into the DOJ’s and SEC’s 2012 A Resource Guide to the US Foreign Corrupt Practices Act, giving compliance practitioners more information on what a company can do to protect itself in the context of merger and acquisition activity.
The FCPA Guide, coupled with Opinion Release 08-02 and the two DPAs, confirm the importance that the DOJ puts on the FCPA in a merger and acquisition context.
The timeframes for post-acquisition integration are quite tight, meaning that as much work as possible must be done in the pre-acquisition stage. The DOJ also makes it clear that the entire compliance programme must be rigorous, including for mergers and acquisitions. This rigour should be viewed as something more than just complying with the FCPA; it should be viewed as business common sense.
In an interview with The Wall Street Journal, former DOJ attorney Nathaniel Edmonds said, ‘DOJ and SEC generally recognise that sometimes it’s not possible to do complete due diligence beforehand. However, if there are good-faith efforts to conduct due diligence, integrate compliance programmes and take remedial actions by removing those wrongdoers – if all of that is done on a quick basis [authorities] give very strong credit.’
All of these factors point to the fact that compliance officers must hit the ground running at the first mention of an acquisition. But, more importantly, they need a plan and team in place to accomplish the requirements laid out by the DOJ.