Implications of DOJ’s New Safe Harbor for Disclosing Misconduct Uncovered During M&A Transactions

U.S. Deputy Attorney General Lisa Monaco recently announced that the Department of Justice (DOJ) is adopting a new safe harbor policy to incentivize corporations to voluntarily self-disclose criminal misconduct discovered during merger and acquisition (M&A) transactions. Although the announcement leaves open questions, the anticipated policy described in Monaco’s speech sets forth how an acquiring company can avoid criminal charges for misconduct that occurred in the acquired company by timely disclosing the misconduct, cooperating with the DOJ’s investigation, and remediating the misconduct. Following are key points about the policy and practical considerations for conducting due diligence in light of the policy.

Safe Harbor Policy for Voluntary Self-Disclosures from M&A

Monaco announced the new safe harbor policy during a speech given at the Society of Corporate Compliance and Ethics’ 22nd Annual Compliance & Ethics Institute on October 4, 2023. To date, DOJ has not yet issued a formal written policy or incorporated the safe harbor in the Justice Manual, so more details about the new safe harbor may be forthcoming.

Under the safe harbor policy, an acquiring company will receive a presumption of declination of charges if it meets certain conditions:

• First, the acquiring company must voluntarily disclose the discovered misconduct promptly, which the policy defines as within six months after the transaction closes. This timeline applies regardless of when the misconduct was discovered — i.e., if the misconduct is discovered five months after closing, and it must be reported within the next month, subject to a reasonableness analysis.
• Second, the acquiring company must fully cooperate with DOJ’s investigation. DOJ’s corporate criminal enforcement policy sets a high bar for cooperation, requiring timely disclosure of all facts and all individuals involved in misconduct.
• Third, the acquiring company must fully remediate the misconduct within one year after closing, including making any appropriate restitution or disgorgement, regardless of when the misconduct is discovered.

Monaco provided additional caveats, noting the safe harbor policy provided only a presumption against charges. The safe harbor is only available for bona fide, arm’s length transactions. The timelines for disclosure and remediation are subject to a reasonableness review, as Monaco acknowledged that companies may be granted a longer timeframe for reporting if the circumstances or complexity of a transaction warrant it. Monaco also noted that companies that discover misconduct threatening national safety and security, or which involve ongoing or imminent harm, will remain subject to more stringent reporting obligations and may not rely on the safe harbor provision to shield it from penalty.

Additionally, voluntary self-disclosure by the acquiring entity does not guarantee that the DOJ also will decline to prosecute the acquired entity that committed the misconduct. However, the acquired entity may qualify for benefits, including declinations, in the absence of aggravating factors. Finally, misconduct voluntarily disclosed under the Safe Harbor policy will not be used against the acquiring company in future recidivist analyses.

This new safe harbor policy is just the latest development in DOJ’s broader changes to its corporate criminal enforcement policies. In September 2022, DOJ announced changes meant to encourage voluntary self-disclosures by standardizing policies and incentives for self-disclosures across DOJ (as detailed here). At the same time, DOJ has heightened the requirements to qualify for cooperation credit, emphasizing that disclosures must be timely, must encompass all relevant facts and individuals, and must include disclosure of all communications — including communications on social messaging applications (as detailed here). That higher bar to earn cooperation credit may undermine DOJ’s goal of encouraging voluntary self-disclosures.

Monaco stated that the M&A safe harbor policy will be implemented department-wide and will be tailored specifically to apply to each DOJ-component’s jurisdiction. She noted, however, that the policy will not apply to civil merger enforcement, and she did not address how the policy would apply to other civil enforcement areas such as the False Claims Act.

Practical Considerations for M&A Transactions

The new safe harbor policy has key implications for companies that engage in mergers or acquisitions. In her remarks, Monaco stressed that “compliance must have a prominent seat at the deal table if an acquiring company wishes to effectively de-risk a transaction.” To benefit from this new policy, acquiring companies should consider the following:

• Have the right team: Ensure your due diligence team includes attorneys and compliance personnel who can assess the acquired company’s risk profile, who can assess the effectiveness of the acquired company’s compliance program, and who can identify potential violations.
• Conduct robust compliance diligence: When possible, conduct robust due diligence before a transaction’s closing. This means assessing the target’s risk profile, taking steps to identify any known compliance issues and obtaining information on the target company’s compliance programs, including policies, risk assessments, hotline complaints, investigations, and remediation efforts. Consider both historical misconduct and forward-looking compliance risks. Look to past audit findings and consider performing your own targeted audits.
• Conduct post-closing due diligence: Especially when robust due diligence is not feasible before closing, engage in post-closing scrutiny to identify misconduct early enough that it can be disclosed within the safe harbor’s six-month window. Consider deploying measures like forensic transaction testing, risk assessments, and auditing.
• Integrate the acquired company into the compliance program: Soon after closing, prioritize incorporating the acquired company into the acquiring company’s existing compliance program. In addition to extending policies, also conduct specialized training to employees from the acquired company, encouraging the reporting of misconduct and internal investigations to increase the chances of misconduct being identified soon after closing. For higher-risk targets, consider prioritizing testing and auditing of key compliance controls.
• Understand the risks of voluntary self-disclosure: Especially with DOJ’s heightened bar for cooperation, voluntary self-disclosure remains a challenging decision. Self-disclosure does not guarantee declinations and may invite additional scrutiny from the government. Consult with experienced outside counsel to assess options on a case-by-case basis.

Foley has the resources to help you navigate complex due diligence obligations. Please reach out to the authors, your Foley relationship partner, or to our Government Enforcement Defense & Investigations Practice Group with any questions.