LawFlash

A Closer Look at DOJ’s New Safe Harbor Policy for Voluntary Self-Disclosure in M&A

October 12, 2023

With the Department of Justice’s (DOJ’s) recently announced “Safe Harbor Policy” encouraging voluntary self-disclosure in mergers and acquisitions (M&A), this LawFlash discusses key considerations and measures that acquiring companies should undertake when conducting M&A due diligence, especially with respect to target companies that may implicate national security-related regulatory and enforcement regimes.

For more information on the Department of Justice’s (DOJ) new Safe Harbor Policy in M&A transactions, read our October 6 LawFlash on the subject.[1]

BACKGROUND

During the early years of the Biden administration, DOJ adopted a tough posture on corporate criminal enforcement, particularly as related to national security. Some observers claimed that this had a chilling effect on companies with respect to companies’ decisions regarding disclosure of misconduct to authorities, given DOJ’s rhetoric suggesting severe consequences for corporate wrongdoing. In recent months, in an effort to promote voluntary self-disclosure (VSD) by companies, DOJ has endeavored to strike more of a balanced tone, and the Safe Harbor Policy announced by the deputy attorney general earlier this month reflects this balance.

Under the Safe Harbor Policy, if an acquiring company makes a good faith effort to self-disclose previously unknown criminal misconduct by the target company within six months of closing a transaction, the acquirer will generally receive a presumption of a criminal prosecution declination. Disclosing companies must also fully cooperate with any ensuing investigation by the government; and fully remediate the disclosed conduct within one year of the closing date of the transaction, including any restitution and disgorgement.

Although the Safe Harbor Policy thus presents companies with a carrot to encourage VSD, the stick is that DOJ will be comfortable with harsher repercussions if companies fail to disclose and misconduct is later discovered by the government. For this reason, acquiring companies should prioritize and structure their due diligence practices in M&A transactions in such a way as to ensure that they are conducting the analysis necessary to uncover any misconduct by a potential target early in the deal process, and in many instances should dig even further post-closing in order to make sure nothing is missed before the safe harbor period runs out.

NEED FOR HEIGHTENED M&A DILIGENCE ON CRIMINAL MISCONDUCT AND COMPLIANCE WITH NATIONAL SECURITY REGULATIONS

Although full due diligence in the M&A process is always ideal, especially regarding compliance with regulations related to national security, the reality is that even robust due diligence is not always sufficient to discover prior violations. The Safe Harbor Policy therefore may be helpful in at least two situations: first, when due diligence is not successful in uncovering past misconduct; and second, when due diligence does uncover potential past misconduct, but it is not feasible to make a VSD—much less conduct remediation—prior to closing.

Current M&A due diligence practices already generally include relevant diligence on potential violations of the Foreign Corrupt Practices Act (FCPA), sanctions laws, anti-money laundering (AML) rules, export control regulations, and other authorities. To whatever extent companies may not already be addressing these areas in their M&A due diligence, it is especially important to start doing so now, since the “stick” component of the Safe Harbor Policy will heighten the government’s expectations that acquiring companies unearth potential compliance issues as the acquiring company prepares to assume the target’s liabilities.

DOJ has indicated that when acquirers fail to meet its expectations, it may pursue stiffer penalties for not utilizing the Safe Harbor Policy. In her speech announcing the Safe Harbor Policy, the deputy attorney general stated, “If your company does not perform effective due diligence or self-disclose misconduct at an acquired entity, it will be subject to full successor liability for that misconduct under the law.”[2]

As part of most M&A transactions, acquiring companies will initially issue a list of due diligence questions to the target company that establish a baseline of key issues to be disclosed. The primary purpose of due diligence is to balance the information asymmetry between the acquiring company and the target, but generally some degree of asymmetry will continue to exist until the acquisition actually occurs—or even later, depending on the size of the transaction and the integration timetable.

Moreover, there may be practical limitations on the acquirer’s ability to validate the accuracy of the target company’s responses to due diligence questions. For example, an acquirer may ask a target company whether it has fully complied with export control regulations. The target company may very well answer—even in good faith—that it has complied with export control regulations, but such representations are not always correct. Especially for smaller companies that may have limited or no export control compliance programs in place, acquirers need to be careful about relying on target disclosures.

The involvement of counsel, moreover, does not necessarily cure these issues, because deal counsel may also not be familiar with myriad regulatory and enforcement regimes. An acquirer can seek to drill down on the accuracy of the target company’s responses, but that sort of “trust but verify” approach may not always work in practice.

Acquiring companies will often request that their counsel in an M&A transaction prepare a due diligence memorandum listing the key legal issues and potential risk areas discovered during due diligence, including the state of regulatory compliance at the target company. However, depending on the nature and urgency of the deal, such memoranda are not universally done, and do not always address regulatory compliance matters.

Given the brighter light DOJ is shining on national security issues and other types of compliance, it may be necessary to not only beef up due diligence checklists to incorporate a broader array of questions regarding criminal exposure and regulatory compliance, but also to ensure that any resulting memorandum addresses not only the findings, but also whether VSD and remediation may be necessary post-closing, so the acquiring company can adequately evaluate the costs and risks of the overall transaction.

ADDRESSING CRIMINAL MISCONDUCT AND REGULATORY COMPLIANCE IN THE AGREEMENTS

The definitive agreements in M&A deals will contain representations and warranties, covenants, and closing conditions made by the target company. Any exceptions to the representations and warranties should be disclosed by the target company on a disclosure schedule and may be further vetted by the acquiring company, particularly as they relate to criminal misconduct and regulatory compliance. Some of the typical representations and warranties include statements of fact that the execution, delivery, and performance of such definitive agreement will not conflict with, violate, or result in any breach of law by the target company. Another common provision is that the target company is, and has been since its inception, in full compliance with all applicable laws.

However, these statements can often be vague or may unintentionally omit certain information that the acquiring company would need to know in order to comply with the Safe Harbor Policy. Consequently, although these provisions are important and may provide some commercial protection, they should not be viewed by acquirers as a substitute for conducting thorough due diligence, especially in light of the Safe Harbor Policy’s potential benefits (and the consequences of inadequate review).

Furthermore, definitive purchase agreements should address early disclosure, cooperation requirements among the parties, and post-closing liabilities with respect to any potential VSD if criminal misconduct or regulatory noncompliance is discovered. Parties should also address who bears the burden of potential costs, including the costs of internal investigations, cooperation, and compliance improvements, as well as restitution, disgorgement, and any other liabilities or penalties that might arise.

Such terms could be included as closing or post-closing conditions, and any costs can be factored into the purchase price or as separate obligations. Both parties to a transaction benefit by addressing such efforts in advance, and the likelihood of consummating the deal altogether may depend on it.

A breach of any of these representations, warranties, or covenants may give rise to an indemnification claim by the acquiring company to the target company. However, indemnification in practice typically amounts to a purchase price adjustment. The monetary value most likely does not incorporate the full potential cost—both financial and reputational—to the acquiring company regarding the potential restitution, disgorgement, and other penalties, if any, resulting from a DOJ investigation and resolution.

Therefore, any indemnification provisions in a definitive purchase agreement should also be viewed as an important commercial protection but not necessarily a full substitute for due diligence. In addition, notwithstanding any indemnification, it may still be advisable for an acquirer to self-disclose under the Safe Harbor Policy, rather than rely on indemnification to provide sufficient protection against government investigation and prosecution.

It should also be noted that even when the Safe Harbor Policy offers the acquirer a reduced risk of prosecution, it may not protect against other types of government enforcement action. For example, if an acquirer discovers that a target company produces items that it did not realize were export-controlled, and exported those in violation of the law, a VSD consistent with the Safe Harbor Policy may mitigate the risk of criminal prosecution, but separate regulatory enforcement risks may remain. For instance, the US Department of Commerce and other agencies with civil enforcement authority over export control laws will generally consider self-disclosure a mitigating factor, but the Safe Harbor Policy itself will not apply to parallel agency enforcement. In addition, if the acquirer in our example is a foreign entity, in some circumstances there may be a mandatory filing requirement with the Committee on Foreign Investment in the United States (CFIUS) that is triggered, because export-controlled technology is generally considered critical technology for CFIUS purposes.

The civil penalty for not making a mandatory CFIUS filing can be up to the value of the transaction itself, and although CFIUS will generally also consider self-disclosure a mitigating factor when considering enforcement action, it will not be bound by the Safe Harbor Policy. Acquirers and the counsel therefore need to take into account the full range of government tools, including both criminal prosecution and regulatory enforcement, when conducting due diligence and making VSD decisions.

FINAL TAKEAWAYS FOR ACQUIRING COMPANIES

The Safe Harbor Policy underscores the importance of robust due diligence during the acquisition process to make sure an acquiring company understands potential criminal and regulatory exposure of the target company and its executives.

These issues must be a foundational component of the overall due diligence process, and not simply a “checkbox” once a deal is about to close or as a post-closing item. The due diligence strategy should cover a broad array of risk that is appropriate to the business and industry, and that matches the breadth of DOJ’s criminal enforcement jurisdiction, as well as relevant regulatory jurisdiction.

While incentivizing voluntary self-disclosures through the presumption of declinations, the Safe Harbor Policy has specific requirements as to the timing of disclosure and remediation, as discussed in our previous LawFlash. Although DOJ suggested that there may be some flexibility in these deadlines, acquiring companies should presume that the deadlines will be enforced in the absence of other assurances from DOJ. Accordingly, acquiring companies should factor in sufficient time for pre-acquisition due diligence, recognizing that there is often tension between the time needed for due diligence and other deal timing considerations.

Acquiring companies must also be mindful that although the Safe Harbor Policy can provide meaningful protection in appropriate circumstances, DOJ has specified that the policy applies to only “criminal conduct discovered in bona fide, arms-length M&A transactions,” and “does not apply to misconduct that was otherwise required to be disclosed or already public or known to the Department.”

While the new Safe Harbor Policy has some benefits for companies engaged in M&A activity, to call the policy business-friendly would be an overstatement. Rather, the new policy should be looked at by companies as a tool that may limit legal liability in appropriate circumstances and should be considered if violations are discovered either during due diligence or afterwards. Whether to ultimately self-disclose violations will generally be partly a business decision and partly a legal decision, which companies will make in close coordination with their counsel.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:


[1] Lisa O. Monaco, Deputy Attorney General of the US Department of Justice, Remarks on Corporate Criminal Enforcement (Oct. 4, 2022).

[2] Id.