Key Considerations in Conducting M&A Anticorruption Due Diligence

An effective and efficient Foreign Corrupt Practices Act (FCPA) or anticorruption due diligence process (hereinafter jointly referred to as FCPA due diligence process) is a critical underpinning of any successful merger and acquisition (M&A) transaction that includes people and assets outside the United States. Among other things, international conventions such as the Organisation for Economic Co-operation and Development (OECD), Anti-Bribery Convention, and the United Nations Convention against Corruption (UNCAC), have required signatory countries to criminalize foreign bribery and cooperate with other countries during investigations. These conventions have played a major role in triggering and guiding recent domestic reforms, as the great majority of countries that have recently approved new anti-bribery regulation have done so to comply with the requirements of such conventions.

The most notable countries seeking reform (e.g., Brazil, China, and Russia) have a notoriously corrupt business environment. Other countries, such as Chile, Ireland, Israel, Luxembourg, Peru, the Slovak Republic, Spain, Turkey, and Ukraine, have recently adopted new bribery related regulations in the past two years, while Brazil, India, and Indonesia are currently discussing proposals to improve their anticorruption legal framework. Multinational counsel that are contemplating a large M&A of entities must focus on the risks of inheriting and assuming the liability for bribery conduct elsewhere.

In light of the fact that a growing number of countries throughout the world have enacted anticorruption legislation and the intensified enforcement of the FCPA in the United States (FCPA), many prospective buyers (the acquirers) are using enhanced due diligence resources to ensure that the companies they are seeking to purchase (the target(s)) are indeed complying with the FCPA and all other applicable anticorruption legislation throughout the world.

The legal, economic, and reputational consequences of an acquirer failing to detect and end any of a target’s noncompliance with the FCPA are severe. Both individuals and entities who violate FCPA laws may be subject to criminal and civil charges which, among other things, include great reputational harm, penalties, fines, profit disgorgement, prejudgment interest, and the potential incarceration of individual wrongdoers. Furthermore, a collateral consequence of a corruption conviction for a company can also include severe disruption of business operations and disqualification from contracting with governmental agencies and public international organizations.

Under the FCPA, an acquirer can, under certain circumstances, be held liable for violations of the FCPA by the target if the acquirer failed to detect, cease, and remediate the target’s improper conduct. The possibility of a governmental enforcement action premised on successor liability underscores the importance of an acquirer undertaking an effective pre-acquisition FCPA due diligence investigation, as well as additional risk-mitigation steps following the final consummation of the transaction.

Conducting effective and efficient pre-acquisition risk based anticorruption due diligence

While the FCPA does not include an affirmative defense of “due diligence” in an M&A context, acquirers that conduct timely, well-designed, and credible FCPA due diligence on their targets should be able to demonstrate to US enforcement authorities like the US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC) that there is a strong commitment to FCPA compliance, which is often taken into account if compliance problems arise post-closing. Conducting FCPA due diligence on a target before signing a final agreement related to a deal also permits the potential buyer to reevaluate or terminate a deal if significant corruption related problems involving the target are discovered by the acquirer during the course of the due diligence process. Moreover, effective pre-acquisition due diligence not only helps mitigate legal risks but also allows potential acquirers to more accurately value potential targets and, if necessary, to negotiate with the target regarding a price adjustment or an inclusion of indemnification and escrow provisions in the final deal documents that specifically address the FCPA risk.

In the context of M&A transactions, an effective due diligence process is vital to uncovering potential FCPA and other types of regulatory violations, as well as being an integral part of a larger strategy for the acquirer to set the tone for the target’s transition to tighter internal controls and FCPA compliance protocols. Such controls protect the acquirer against future liability and ensure that the acquirer’s post-acquisition FCPA due diligence process properly supplements its pre-acquisition strategy. FCPA and other types of regulatory due diligence throughout the M&A process should seek to accomplish a number of broad goals, including:

• Identifying FCPA-related risks arising from the M&A transaction including but not limited to any past FCPA or other regulatory violations by the target;
• Evaluating the quality of the target’s code of conduct, anticorruption policies, including conflicts of interest, training, and compliance programs;
• Confirming the existence and consistency of FCPA warranties and representations in the target’s contracts;
• Evaluating the existence, scope, and effectiveness of any of the target’s FCPA audit or risk assessment programs;
• Evaluating any unusual or higher risk business models of the target from an FCPA standpoint;
• Interviewing the target’s key managers and employees, such as CEO, general counsel, chief financial officer, chief compliance officer, and key country and regional line managers in the target’s high risk locations;
• Determining the feasibility and cost of implementing adequate FCPA compliance measures with the target’s employees after acquisition;
• Evaluating whether to adjust the target’s personnel, contracts, markets, and third party relationships to minimize FCPA compliance risks;
• Communicating the acquirer’s strong commitment to FCPA compliance to a target’s management and employees; and,
• Immediately after the closing of acquisition of a target, documenting a good faith effort to always conduct business in an FCPA-compliant fashion.

While FCPA due diligence is vital for all US companies and issuers, this is particularly true when potential targets are located in countries perceived to be “high risk” from a corruption perspective or are thought to have extensive foreign operators. In addition to identifying and scrutinizing at-risk countries and industry sectors in an FCPA or anticorruption context, a prospective acquirer must respond promptly and effectively to any “red flags” discovered during its FCPA due diligence process. The following are some of the key “red flags” that may signal a high likelihood that FCPA violations may be occurring and require additional scrutiny:

• A target’s lack of FCPA policies, trainings, compliance programs, or codes of conduct;
• Past FCPA violations or internal investigations, as well as any other FCPA or corruption-related investigation involving the target;
• Past violations or allegations relating to business integrity or other violations of local law by the target, including tax and customs compliance;
• Past disciplinary actions taken by the target as a result of corrupt acts, books, and records violations, or poor internal controls;
• A target’s use of agents or third parties who are paid unusually high commissions or billing rates without sufficient supporting details and documentation of unusual payment terms, such as payments in cash or requests that payments be made to a third party or to accounts in an unrelated jurisdiction;
• A target’s use of agents or third parties who appear to lack qualifications to perform the duties contemplated by the engagement or a heavy reliance on political or governmental contacts as opposed to knowledgeable employees or staff;
• A target’s employment or engagement of any person or party based on personal, familial, or professional relationships with a foreign official or the suggested use of any party by a foreign official;
• Lavish travel, gift, and entertainment practices by the target’s employees or third parties and inadequate related policies;
• Unusually high or frequent political contributions made by the target;
• Unusually high or frequent charitable donations made by the target;
• Extravagant foreign sponsorships by the target;
• A lack of written agreements with agents or third parties, particularly where there are close relationships with foreign officials and regulators;
• A lack of fulsome third party due diligence files;
• Payments by the target to third parties that are not well-known in the industry or that reside outside of the country where the goods or services are to be provided;
• A target’s reliance on shell companies or cash transactions; and,
• Any misrepresentations, reluctance or failure of the target to cooperate in acquirer’s FCPA due diligence process.

All FCPA red flags must be thoroughly investigated and resolved by the acquirer. Additionally, if FCPA violations are uncovered, the potential acquirer should negotiate appropriate contractual provisions from the target in the applicable transaction document, such as requesting the spin-off or closing of the corrupt business. If it can be isolated prior to closing, the acquirer should retain audit and indemnification rights post-closing, and secure escrowing proceeds. Potential acquirers should not rely solely on information provided by the target or by interested third parties in the course of its FCPA due diligence process.

In situations where comprehensive and robust pre-acquisition FCPA due diligence is not possible, it is important to note that, in some justified instances, the US authorities like the SEC and DOJ will not prosecute acquirers who undertake timely and extensive post-acquisition FCPA due diligence regarding the target.

Either during or subsequent to conducting of FCPA due diligence, the parties should consider and discuss disclosure of any discovered FCPA violations to the SEC and DOJ. The possibility of cooperating with these agencies and mitigating penalties may provide incentives to self-disclose any FCPA violations in advance of the closing. A pre-acquisition law enforcement action against the target, rather than the acquirer, is likely to cause less reputational damage and/or result in smaller fines. The DOJ and/or the SEC may impose on the acquirer an obligation to implement an enhanced compliance program and improved internal controls in a timely manner.

Post-acquisition FCPA due diligence steps in an M&A transaction

The SEC and DOJ take the position that thorough pre-acquisition FCPA due diligence and responses to red flags alone are not fully sufficient to eliminate possible successor liability for the acquirer. Rather, in post-acquisition, the acquirer must (1) ensure that acquirer’s code of conduct and FCPA compliance policies and procedures apply as quickly as is practicable to the target; (2) train the directors, officers, and employees of the target and, when appropriate, train the target’s agents and business partners on the FCPA, the acquirer’s code of conduct, and compliance policies and procedures; (3) conduct an FCPA-specific audit of all of the target’s merged businesses as quickly as practicable; and (4) consider disclosure of any corrupt payments made by the target that are discovered as part of the acquirer’s FCPA due diligence to the SEC, DOJ, or other relevant non-US corruption enforcement officials. Depending on the level of corruption risk uncovered during acquirer’s pre-acquisition due diligence, a post-acquisition plan may entail anything from establishing requirements concerning FCPA compliance and remediation procedures to obtaining re-certifications of FCPA compliance from key employees and business partners. As with pre-acquisition FCPA due diligence, a company’s strategy post-closing must be risk-based and proportional to the size and scope of the transaction. The SEC and DOJ will give meaningful credit to acquirers who undertake these actions, and, in appropriate circumstances, may consequently decide not to bring enforcement actions.

An integration plan should be prepared for implementation immediately after the acquirer’s acquisition has closed with the target. The contents of the acquirer’s FCPA compliance integration plan will be tailored to the particular issues uncovered during FCPA due diligence. The areas discussed below would, in whole or in part, form the contents of a standard integration plan.

• Accounting system — The acquirer’s accounting system will be installed into the target in most circumstances. An installation is not a simple project. In all likelihood, the installation process will require a transition period wherein the target’s accounting system is reviewed to determine how to best integrate it. The target’s existing accounting system may be maintained for an extended period of time before full transition is completed. Full transition can be costly and take a considerable period of time to accomplish with larger global companies.
• IT systems — Typically, the acquirer’s network and email system will be installed in the target as soon as possible. Prior to closing, the acquirer’s IT department should assess the amount and type of equipment that will need to be added to the existing equipment in order for the acquirer’s network to run efficiently in the target’s environment.
• Payroll system and employee benefits — Integration plans should include plans to implement a payroll system consistent with the acquirer’s payroll systems and policies. In addition, the plan should outline how the target’s employees will be transitioned to employee benefits that are consistent with or part of the acquirer’s own employee benefit plans. In addition, employees of the target should be considered for eligibility based on years of service.
• Transition services agreement — Integration plans may rely on the continuation of certain accounting, IT, payroll, and employee benefits services being provided by the target for some period after the closing. If a transition services agreement will be relied on as part of the integration plan, there should be clear plan for conversion from the target’s systems to the acquirer’s systems.
• Books and records — Depending on the facts and circumstances, an overhaul of the books and records of the target may need to be accomplished by the acquirer to ensure that they are maintained in accordance with the requirements of the FCPA or any other applicable anticorruption legislation. In some circumstances, corrections, or modifications to the target’s books and records may be necessary.
• Internal controls — The internal controls maintained by the target may not meet the standards required by the FCPA, other applicable anticorruption legislation, or standards of the acquirer. Any deficiencies must be cured immediately.
• Training of personnel — As soon as possible after the completion of any acquisition, all personnel of the target in high risk countries or with actual or planned high risk country oversight, responsibility, or interface must receive appropriate FCPA or anticorruption training.
• HSE standards — Any condition observed during the acquirer’s due diligence that does not meet its HSE standards should be addressed as soon as possible after closing to bring the condition in compliance with the acquirer’s policies and procedures. In addition, applicable employees of the target should receive training with respect to the acquirer’s HSE policies and procedures as soon as possible after closing.
• FCPA compliance review — Ideally, an FCPA compliance review/audit needs to be conducted on the target within one to six months after its acquisition of target.
• Agents/JV partners/distributors — The target’s use of agents/distributors and its involvement in joint ventures outside of the United States may require the acquirer’s termination of relationships and/or due diligence on the target’s agents, distributors, and joint venture partners. In some cases, due to contractual requirements, it may be necessary to instruct the target’s agents to cease all services for the target, pending termination notification requirements.
• Acquirer’s compliance policies — All personnel of the target should be made aware of and trained with respect to, among other things, all applicable polices made by the acquirer, such as the core values, code of conduct, FCPA compliance guide, offshore payment policy, and procedures regarding gifts, travel, and entertainment for public officials.
• Notice to third parties — Appropriate notices regarding the acquisition should be given by the acquirer to customers, suppliers, and other business partners of the target, particularly outside of United States. To the extent formal approvals of third parties, assignments of contract or assignment of licenses are required and were not obtained prior to closing these should be addressed as part of the acquirer’s integration plan. If new licenses or government registrations are required and were not obtained prior to closing, these should also be addressed as part of the integration plan.
• Interactions with government agencies/public officials — The target’s interaction with non-US government agencies and foreign officials may arise in many different contexts, requiring any number of monitoring activities post-closing.
  • Contracts. In some cases, the target may have contractual relationships with government agencies in non-US jurisdictions. Again, depending on the particulars of these relationships, it may be necessary for the acquirer to closely monitor all communications with the agency and its personnel.
  • Routine interactions. Many times the interactions between the target and a non-US government may be routine, but these interactions may present risks, which need to be appropriately managed to ensure FCPA and acquirer policy and procedure adherence. Below are several areas of routine interaction that are likely to be encountered and present risk areas if a target operates outside the United States.
    • Facility, plant, and vehicular inspections by local government agencies;
    • Customs and freight forwarding;
    • Visa processing;
    • Licensing/registrations/permits required to operate in a given non-US location;
    • Professional services by accountants and attorneys who interact with non-US government or foreign officials, such as tax officials and court personnel; and,
    • Construction of new facilities requiring many types of approvals and permits.
• Special concerns — Lastly, an acquirer’s integration plan will need to address specific concerns that have come to light during the acquirer’s FCPA due diligence. It is difficult to identify the myriad issues that may arise. However, as examples, it may be necessary:
  • To terminate certain employees;
  • To implement special procedures to address issues unique to a particular location;
  • To sever relationships with customers and agents;
  • To disclose certain matters to the SEC and DOJ in the United States or similar enforcement agencies;
  • To prepare and implement special monitoring procedures of individual employees;
  • To implement special procedures related to cash expenditures;
  • To alter bank signatory procedures and terminate any credit facilities of the target;
  • To appoint temporary oversight personnel to monitor the operations of the target in a particular location;
  • To appoint new officers and directors in the case of an equity acquisition;
  • To make appropriate public announcement of the acquisition if material to the acquirer’s financial statements or otherwise desired to make the acquisition known to customer, suppliers, or other third parties;
  • To modify insurance policies to provide necessary coverage for the acquired business;
  • To obtain and review the target’s compliance plans, conduct manuals, and FCPA policies and determine portions of these materials that may need to be incorporated into the acquirer’s similar materials;
  • Depending on the nature of the acquisition/merger, to determine whether the acquirer needs to roll out new FCPA materials;
  • To use the opportunity to make all relevant target employees complete the acquirer’s training, even if the target employees have undergone FCPA training;
  • To determine if the acquisition creates new areas where the acquirer’s employees now need additional training; and,
  • To review FCPA language in these contracts and add FCPA language where necessary, if possible. Also, to make sure all new agreements contain clear FCPA language.

Conclusion

Under current laws, an acquirer can be held liable for the violations of the FCPA or other anticorruption legislation by the target if such violations were relatively evident and the acquirer did not undertake an adequate investigation that would establish facts to the contrary. The possibility of a government enforcement action premised on successor liability highlights the importance of timely and thorough pre-acquisition and post-acquisition FCPA due diligence by the acquirer. The extent of this pre- and post-acquisition FCPA due diligence should be determined by identifying risk factors that may suggest past or ongoing FCPA violations.

A potential acquirer may wish to reduce the purchase price, strengthen existing indemnity or escrow provisions, and/or include fulsome and protective representations and warranties, covenants and termination rights to reflect the discovery of any bribery violations involving the target. The uncertainty and costs associated with bribery violations may also cause a potential acquirer to terminate the deal altogether. Corporate and FCPA counselors for the acquirer should, prior to a merger or acquisition, design a comprehensive FCPA due diligence plan that addresses the corruption risks of the target and monitor carefully its implementation and completion.