Per the DOJ and SEC, “successor liability applies to all kinds of criminal and civil liabilities, and FCPA violations are no exception.” Businesses that acquire others can be charged for their wrongdoing, even if it occurred years before the deal.
Acquirers Can be Liable for the Target’s Misdeeds
Overview of the FCPA
The FCPA’s anti-bribery provisions make it unlawful for any U.S. corporation (or for any corporation that has issued securities trading on a U.S. exchange) to make (or promise to make) payments to foreign government officials[1] for the purposes of influencing or inducing the foreign official to act in a particular manner or to secure an improper business advantage.[2] This applies to any officer, director, employee, agent or shareholder acting on behalf of the corporation. Importantly, there is no de minimis exception to the anti-bribery provisions.[3] No matter how small the violation, it can elicit enforcement.
The FCPA’s accounting provisions require that an issuer of securities trading on a U.S. exchange maintain books, records and accounts that accurately and fairly reflect the company’s transactions and that the issuer devise a system of internal accounting controls sufficient to provide reasonable assurances that the issuer’s financial statements are accurate.[4] There is criminal liability for persons who knowingly circumvent or fail to implement a system of internal controls or who knowingly falsify an issuer’s books, records or accounts.[5] Importantly, there is no “materiality” component to a books and records violation.
Parent/Subsidiary Liability
By statute, corporations subject to the FCPA are responsible for the corrupt acts of their agents. The act does not define “agent;” therefore, “agent” is broadly understood to mean any legal relationship whereby one person is authorized by another, a principal, to act on that person’s behalf and is empowered to do what the principal could lawfully do in person. The U.S. authorities have predicated numerous FCPA enforcement actions against parent companies on the theory that a subsidiary or affiliate company was acting as an “agent.”[6]
Merger & Acquisition Liability
The U.S. authorities recently stated that “successor liability applies to all kinds of criminal and civil liabilities, and FCPA violations are no exception.” Indeed, there have been 76 FCPA enforcement actions related to M&A activity (approximately 15 percent of all cases). Moreover, the U.S. authorities have charged successor liability not only for a target’s relatively small, isolated misconduct, but also for a target’s substantial, ongoing criminal behavior. Simply put, acquirers can be prosecuted wherever they fail to detect, halt and remediate FCPA violations post-acquisition.
Mondelēz – Successor Liability for the Target’s Relatively Small, Isolated Misconduct
On February 2, 2010, Mondelēz (formerly known as Kraft Foods) acquired Cadbury, Ltd. and its subsidiaries, including Cadbury India. From February to July 2010, Cadbury India (with the knowledge of its senior management) paid an agent $90,666 to obtain 30 licenses and approvals (some of which were backdated) that were needed to build a factory. Cadbury India did not conduct due diligence or monitor the agent, did not have a written contract with the agent and did not have any documentary support demonstrating that the agent performed any work. Although Mondelēz did conduct “substantial, risk-based, post-acquisition compliance-related due diligence reviews of Cadbury’s business,” Mondelēz “did not identify a relationship between the agent and Cadbury India.” Ultimately, the bribes were reported by an internal whistleblower. In January 2017, Mondelēz settled with the SEC and agreed to pay $13 million in fines and penalties to resolve the investigation into the misconduct of its newly acquired Cadbury India subsidiary.
Halliburton/KBR – Successor Liability for the Target’s Substantial, Ongoing Criminal Behavior
In 1998, Halliburton acquired Dresser and its subsidiary, KBR. KBR was a member of a joint venture that won $6 billion in contracts by paying $183 million in bribes to Nigerian government officials via third-party agents from 1998 to 2006. KBR employees allegedly knew about the corruption but did not disclose it. Halliburton did not identify the corrupt scheme during pre-acquisition diligence, did not conduct diligence on KBR’s agents post-closing, and its internal controls failed to detect the scheme or prevent it from continuing post-closing. In order to resolve the case, Halliburton and KBR paid a combined $579 million in criminal and civil fines and penalties, KBR entered into a guilty plea and KBR was required to retain an independent compliance monitor.
Recent Regulatory Guidance Underscores the Need for and Benefits from Post-Closing Audits
The DOJ and SEC’s FCPA Resource Guide
The most concise statement regarding the U.S. authorities’ view of the adequacy of an acquirer’s response to FCPA risks posed by a target is found in their written FCPA guidance (the “Resource Guide”). The Resource Guide outlines the concrete steps that a company subject to the FCPA should take when considering a merger or acquisition:
- Conduct thorough risk-based FCPA and anti-corruption due diligence on potential new business acquisitions;
- Ensure that the acquirer’s code of conduct and compliance policies and procedures regarding the FCPA and other anti-corruption laws apply as quickly as is practicable to newly acquired businesses or merged entities;
- Train the directors, officers and employees of newly acquired businesses or merged entities and, when appropriate, train agents and business partners on the FCPA and other relevant anti-corruption laws and the company’s code of conduct and compliance policies and procedures;
- Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable; and
- Disclose any corrupt payments discovered as part of its due diligence of newly acquired entities or merged entities. The DOJ and SEC will give meaningful credit to companies who undertake these actions, and, in appropriate circumstances, the DOJ and SEC may consequently decline to bring enforcement actions.
Notably, only Step 1 — conducting a thorough risk-based assessment — is a step that must be completed before the transaction closes to insulate the U.S. acquirer from potential successor liability. The remaining steps, including the FCPA-specific audit, are post-closing obligations.
The DOJ’s FCPA Corporate Enforcement Policy
First announced in a November 29, 2017 speech by the then-Deputy Attorney General, the DOJ’s FCPA Corporate Enforcement Policy “provid[es] additional benefits to companies based upon their corporate behavior once they learn of misconduct.” As relevant here,
“… where a company undertakes a merger or acquisition, uncovers the misconduct through thorough and timely due diligence or, in appropriate instances, through post-acquisition audits or compliance integration efforts, and voluntarily self-discloses the misconduct and otherwise takes action consistent with this Policy (including, among other requirements, the timely implementation of an effective compliance program at the merged or acquired entity), there will be a presumption of a declination [from prosecution] …”[7]
In other regulatory guidance, the DOJ has indicated that post-closing FCPA-specific audits and compliance integration efforts should be completed within 180 days post-acquisition.
Designing a Post-Closing Compliance Integration and Audit
Given the potential successor liability exposure, it should be clear that compliance professionals (“compliance”) within acquirers have a key role to play in the post-close integration process. In particular, compliance should be prepared to (1) integrate the target and its employees into the acquirer’s compliance program and (2) promptly conduct an FCPA risk assessment and audit to identify, correct and, where appropriate, report violations by the target company. The following sections provide a framework for conducting post-close integration and compliance audit activities that are not only efficient and cost-effective, but also defensible before U.S. enforcement agencies and other stakeholders. While the practices described below focus on FCPA-related risks, they apply generally to other compliance risks as well.
Compliance Integration Best Practices
After closing, it is important to integrate the target’s employees into the acquirer’s compliance program. The Resource Guide describes two primary components to doing so: (1) apply the acquirer’s code of conduct and FCPA policies and procedures to the newly acquired target and (2) train directors, managers, employees and third parties at the acquired target on the FCPA, code of conduct and FCPA-related policies and procedures.
In addition, the acquirer should review the quality and effectiveness of the target company’s FCPA compliance program and controls. If a target’s FCPA compliance program is at least as robust and effective as the acquirer’s, it may be appropriate to allow the program to operate largely as it did pre-close. If not, compliance should determine how to both enhance the target’s compliance program and ensure visibility into and control over the target’s compliance program.
Policies and Procedures and Training
A first step of integrating a target and its employees into the acquirer’s compliance program is rolling out (1) the acquirer’s code of conduct, (2) FCPA policies and procedures to the target’s management and employees and (3) related training, including on policies and procedures related to gifts and entertainment, interacting with government officials, charitable giving and political contributions, maintaining accurate books and records, use of petty cash or similar policies created to mitigate bribery and corruption risks.
| Target Groups | All Employees | Employees with FCPA-Compliance Roles[8] | Third Parties |
| --- | --- | --- | --- |
| Receive, review and certify receipt of acquirer’s code of conduct and FCPA policies | 30 Days | 60 Days (for specific FCPA-procedures for their job type) | 90 Days (including acquirer’s vendor code of conduct) |
| Receive training on acquirer’s code of conduct and FCPA policies | 90 Days | 60 Days (for specific FCPA-procedures for their job type) | 90 Days (for high-risk third parties) |
Assess the Quality and Effectiveness of the Target’s Compliance Program and Controls
As part of pre-close due diligence and post-close integration, compliance should review the quality and effectiveness of the target’s compliance program and controls. If this review finds that the target’s compliance program is well-designed and implemented, the acquirer may only need to implement procedures to ensure adequate oversight and visibility into the target’s compliance functions. In general, however, this review helps compliance understand the gaps or weaknesses to be addressed while integrating the target into the acquirer’s compliance program.
Post-Closing Audit
Conducting a thorough and prompt post-close FCPA compliance audit (and remediating and reporting issues) can help insulate the acquirer from successor liability based on past or ongoing misconduct by the target. These audits are particularly important where pre-close due diligence uncovers potential wrongdoing, violations of applicable law, unethical behavior or significant weaknesses or gaps in the target’s FCPA program and controls. A post-close FCPA audit should be conducted whenever a transaction raises FCPA risks. The following describes the steps that should be taken when conducting such a post-close FCPA compliance audit.
Risk Assessment and Audit Scope
The first step should be a risk assessment to determine the audit scope. While a holistic compliance risk assessment should be conducted on a target where possible, resource and time limitations may require either a limited or phased approach. The scope of a risk assessment may depend on several factors, including:
- Jurisdictional Risk: Does the target operate in jurisdictions with a high risk of corruption (e.g., countries that score lower than “60” on Transparency International’s Corruption Perception Index)?
- Industry Risk: Does the target have business units in industries known to pose a high risk for corruption or that otherwise require frequent government touchpoints, such as resource extraction, transportation or real estate development and construction?
- Regulatory Relationships, Licenses, Permits and Government Approvals: The post-close audit should focus on what regulatory licenses, permits and approvals are needed to operate the target’s business, how those approvals were obtained and who is responsible for any ongoing government relations.
- High-Risk Customers — Sales to Government Entities and State-Owned Enterprises: If the target engages in government sales, contracting or procurement, then the post-close audit should focus on how these high-risk customer contracts were awarded and review any associated third parties, gifts, entertainment, hospitality or travel.
- High-Risk Third Parties: Acquirers may be held liable for the conduct of the target’s third parties. Accordingly, any risk assessment should review the nature of the third-party relationship, the services provided, interactions with government officials and the target’s oversight and controls over its third-party relationships. Examples of potentially high-risk third-party relationships include joint venture partners, sales channel partners (such as distributors and resellers) and sales agents, lobbyists and government affairs consultants, customs clearing and freight forwarders and tax consultants.
Audit Review Steps
Once the scope of the post-close audit is determined, compliance should conduct a thorough audit, including:
- Review of internal audit records, compliance investigations, and whistleblower allegations. As internal audit records may not always include review of regulatory compliance risks, compliance investigations and whistleblower reports are particularly important to review.
- Interview target employees who are most knowledgeable about the target’s operations, practices, procedures, and compliance culture. At minimum, identify interviewees who can speak to the target’s interactions with government officials (including through third parties) and the target’s FCPA compliance program and controls. Interviews should include individuals from senior management, legal, compliance, finance, internal audit, human resources, communications, marketing, sales, procurement and supply chain.
- Conduct transaction testing of the target’s books, records and accounts to verify information obtained during interviews and document review. Unusual transactions, such as anomalous lump-sum payments, round-dollar transactions, cash disbursements, transactions lacking support (e.g., receipts, contracts or invoices) or transactions with vague or unusual descriptions (e.g., “for business advice” or “for services rendered”) should be reviewed. Furthermore, transaction testing should review the following high corruption risk transaction types:
  - Gifts and entertainment expenses and reimbursements;
  - Travel, meals, events and hospitality expenses and reimbursements;
  - Charitable donations;
  - Political contributions;
  - Sponsorships;
  - Petty cash, cash advances and cash disbursements;
  - Discretionary (“slush”) funds;
  - Support for payments to high-risk third parties (as identified in the risk assessment);
  - Support for interactions with high-risk customers (as identified in the risk assessment).
- Targeted e-mail review. Depending upon the risk assessment and results of the transaction testing, compliance should consider whether to conduct a targeted e-mail review of employees whose activities either create FCPA risk or indicate that misconduct may have occurred.
Upon conclusion of the audit, compliance should consider what, if any, remediation work is necessary. To the extent that serious misconduct was discovered during the course of the audit, compliance should consult with internal or external legal advisors to determine whether self-disclosure to the U.S. authorities is appropriate.
[1] “Government official” is broadly defined to include “any officer or employee of a foreign government or any department, agency, or instrumentality thereof, or of a public international organization, or any person acting in an official capacity for or on behalf of any such government or department, agency, or instrumentality, or for or on behalf of any such public international organization.” Importantly, “state instrumentality” is not defined by statute, and there have been instances in which employees of commercial entities owned or controlled by the state have been deemed to be “foreign officials” under the FCPA. See, e.g., U.S. v. Airbus SE, 1:20-cr-00021-TFH (Information at para. 16) (D.D.C. Jan. 28, 2020) (stating that decision makers at Chinese state-owned airlines are “foreign officials” under the FCPA).
[2] See 15 U.S.C. § 78dd-1(a) et seq.; Section 30A of the Exchange Act of 1934.
[3] Although the FCPA provides an affirmative defense for “facilitation payments” or “grease payments” that are small payments to cause a government official to perform a routine, non-discretionary governmental act, such as providing police protection or connecting a building to a power grid, determining whether these payments are “facilitation payments” or illegal bribes is highly dependent on the facts and circumstances. Moreover, the laws of other jurisdictions, such as the U.K. Bribery Act, criminalize facilitation or grease payments.
[4] See 15 U.S.C. § 78m(b)(2), Exchange Act § 13(b)(2).
[5] See 15 U.S.C. § 78m(b)(5).
[6] See, e.g., In the Matter of Alcoa, SEC Admin. Pro. No. 3-15673 at para. F (Jan. 9, 2014) (“As described above, Alcoa violated Section 30A of the Exchange Act by reason of its agents, including its subsidiaries … indirectly paying bribes to foreign officials in Bahrain in order to obtain or retain business.”).
[7] Id. (emphasis added).
[8] Such as personnel in legal, compliance, procurement, HR, internal audit, finance and accounting departments.