The Foreign Corrupt Practices Act (FCPA) Guidance, issued in 2012, makes clear that one of the ten hallmarks of an effective compliance program is around mergers and acquisitions (M&A), in both the pre and post-acquisition context. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps, most commonly, inadequate due diligence can allow a course of bribery to continue - with all the attendant harms to a business's profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target's value and negotiate for the costs of the bribery to be borne by the target. But, equally important is that if a company engages in the suggested actions, they will go a long way towards insulating, or at least lessening, the risk of FCPA liability going forward.
Nat Edmonds, in an interview in the Wall Street Journal (WSJ) entitled, "Former Justice Official: How to Buy Corrupt Companies" said "I think most companies and their outside counsel believe any potential corruption problem should stop a deal from occurring. Companies would be surprised to learn that neither the Securities and Exchanges Commission nor the DOJ takes that position. In many ways the SEC and DOJ encourage good companies with strong compliance programs to buy the companies engaged in improper conduct in order to help implement strong compliance in companies that have engaged in wrongful conduct. What companies must do and what outside counsel should advise them to do is to have a realistic perspective of what effect that corruption or potential improper payment has on the value of the deal itself. Because of the concern that any corruption would stop the deal or implicate the buyers, many times companies don't look as thoroughly as they should at potential corruption. There is often concern that if you start to look for something you may find a problem and it could slow down or stop the whole deal."
The FCPA Guidance was the first time that many compliance practitioners focused on the pre-acquisition phase of a transaction as part of a compliance regime. However, the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) made clear the importance of this step. In addition to the above language, they cited to another example in the section on Declinations where the "DOJ and SEC declined to take enforcement action against a U.S. publicly held consumer products company in connection with its acquisition of a foreign company." The steps taken by the company led the Guidance to state the following, "The company identified the potential improper payments to local government officials as part of its pre-acquisition due diligence and the company promptly developed a comprehensive plan to investigate, correct, and remediate any FCPA issues after acquisition."
In a hypothetical, the FCPA Guidance provided some specific steps a company had taken in the pre-acquisition phase. These steps included, "(1) having its legal, accounting, and compliance departments review Foreign Company's sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of Foreign Company's customer base; (3) performing an audit of selected transactions engaged in by Foreign Company; and (4) engaging in discussions with Foreign Company's general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other corruption-related issues that have surfaced at Foreign Company over the past ten years."
Pre-Acquisition Risk Assessment
It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a "lens through which to view the feasibility of the business strategy" and help to value the potential target.
The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.
Next is a five step process on how to plan and execute a strategy to perform pre-acquisition due diligence in the M&A context.
- Establish a point of contact. Here you need to determine one point of contact that you can liaise with throughout the process. Typically this would be the target's Chief Compliance Officer (CCO) if the company is large enough to have full time position.
- Collect relevant documents. Obtain a detailed list of sales going back 3-5 years, broken out by country and, if possible, obtain a further breakdown by product and/or services; all Joint Venture (JV) contracts, due diligence on JVs and other third party business partners; the travel and entertainment records of the acquisition target company's top sales personnel in high risk countries; internal audit reports and other relevant documents. You do not need to investigate de minimis sales amounts but focus your compliance due diligence inquiry on high sales volumes in high-risk countries. If the acquisition target company uses a sales model of third parties, obtain a complete list, including JVs. It should be broken out by country and amount of commission paid. Review all underlying due diligence on these foreign business representatives, their contracts and how they were managed after the contract was executed; your focus should be on large commissions in high risk countries.
- Review the compliance and ethics mission and goals. Here you need to review the Code of Conduct or other foundational documents that a company might have to gain some insight into what they publicly espouse.
- Review the seven elements of an effective compliance program as listed below:
a. Oversight and operational structure of the compliance program. Here you should assess the role of board, CCO and if there is one, the compliance committee. Regarding the CCO, you need to look at their reporting and access - is it independent within the overall structure of the company? Also, what are the resources dedicated to the compliance program including a review of personnel, the budget and overall resources? Review high-risk geographic areas where your company and the acquisition target company do business. If there is overlap, seek out your own sales and operational people and ask them what compliance issues are prevalent in those geographic areas. If there are compliance issues that your company faces, then the target probably faces them as well.
b. Policies/Procedures, Code of Conduct. In this analysis you should identify industry practices and legal standards that may exist for the target company. You need to review how the compliance policies and procedures were developed and determine the review cycles, if any. Lastly, you need to know how everything is distributed and what the enforcement mechanisms for compliance policies are. Additionally you need to validate, with Human Resources (HR), if there have been terminations or disciplines relating to compliance.cEducation, training and communication. Here you need to review the compliance training process, as it exists in the company, both the formal and the informal. You should ask questions, such as "What are the plans and schedules for compliance training?" Next determine if the training material itself is fit for its intended purpose, including both internal and external training for third parties. You should also evaluate the training delivery channels, for example is the compliance training delivered live, online, or through video? Finally, assess whether the company has updated their training based on changing of laws. You will need to interview the acquisition target company personnel responsible for its compliance program to garner a full understanding of how they view their program. Some of the discussions that you may wish to engage in include visiting with the target company's General Counsel (GC), its Vice President (VP) of sales and head of internal audit regarding all corruption risks. You should also delve into the target's compliance efforts, and any other corruption-related issues that may have surfaced.
c. Monitoring and auditing. Under this section you need to review both the internal audit plan and methodology used regarding any compliance audits. A couple of key points are (1) is it consistent over a period of time and (2) what is the audit frequency? You should also try and judge whether the audit is truly independent or if there was manipulation by the business unit(s). You will need to review the travel and entertainment records of the acquisition target company's top sales personnel in high-risk countries. You should retain a forensic auditing firm to assist you with this effort. Use the resources of your own company personnel to find out what is reasonable for travel and entertainment in the same high-risk countries which your company does business.
d. Reporting. What is the company's system for reporting violations or allegations of violations? Is the reporting system anonymous? From there you need to turn to who does the investigations to determine how are they conducted? A key here, as well as something to keep in mind throughout the process, is the adequacy of record keeping by the target.
e. Response to detected violations. This review is to determine management's response to detected violations. What is the remediation that has occurred and what corrective action has been taken to prevent future, similar violations? Has there been any internal enforcement and discipline of compliance policies if there were violations? Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto? Further, you may be required to self-disclose any FCPA violations that you discover. There may be other reporting issues in the M&A context such as any statutory obligations to disclose violations of any anti-bribery or anti-corruption laws in the jurisdiction(s) in question; what effect will disclosure have on the target's value or the purchase price that your company is willing to offer?
f. Enforcement Practices/Disciplinary Actions. Under this analysis, you need to see if there was any discipline delivered up to and including termination. If remedial measures were put in place, how were they distributed throughout the company and were they understood by employees?
- Periodically evaluate the M&A review procedures' effectiveness benchmarked against any legal proceedings, FCPA enforcement actions, Opinion Releases or other relevant information.
Tomorrow, I will review how you use the information that you are able to obtain in the pre-acquisition process.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2014