DOJ’s M&A Safe Harbor Highlights Importance of Post-Close Due Diligence and Integration

On June 16, the U.S. Department of Justice’s (DOJ’s or Department’s) National Security Division (NSD or Division) announced they had declined to prosecute the private equity firm White Deer Management LLC for violations of U.S. sanctions and export control laws committed by a company it acquired, Unicat Catalyst Technologies LLC. This marks the first declination by the DOJ since the Department released its Merger and Acquisitions Policy in March 2024.

M&A Safe Harbor Policy

This Department-wide policy, often referred to as the M&A Safe Harbor Policy, was first announced by then Deputy Attorney General Lisa Monaco in October 2023. In her speech, she explained that the “last thing the Department wants to do is discourage companies with effective compliance programs from lawfully acquiring companies with ineffective compliance programs and a history of misconduct. Instead, we want to incentivize the acquiring company to timely disclose misconduct uncovered during the M&A process.”

To formalize this policy, in March 2024 the DOJ updated the Justice Manual to include that the Department will apply a “presumption in favor of declining prosecution of a corporation that voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated misconduct uncovered as a result of due diligence conducted shortly before or shortly after a lawful, bona fide acquisition of another corporate entity.” More specifically, the manual states that, to qualify for the declination, the acquiring company must disclose the misconduct within 180 of the closing of the acquisition and remediate the issues within one year of the closing date. These deadlines may be extended, “provided that prosecutors have a reasonable basis for extending such deadlines based on the specific facts and circumstances of the matter.” Also in March 2024, NSD released an update to its Enforcement Policy for Business Organizations, which incorporated the Division’s new M&A Policy, mirroring the requirements of the Justice Manual.

White Deer Management Declination

According to the DOJ’s December 19, 2024, declination letter, from 2014-21, Unicat made 23 unlawful sales to customers in Cuba, Iran, Syria and Venezuela in violation of U.S. economic sanctions and export control laws. The company also falsified invoices to reduce tariffs.

White Deer acquired a majority interest in Unicat in September 2020. The misconduct was discovered in June 2021 after Unicat’s new CEO traveled to the United States to begin integrating the operations of the company. At that time, the CEO discovered a pending transaction with Iran, which sparked an internal investigation and voluntary self-disclosure to the DOJ. According to the DOJ, White Deer then remediated the misconduct within one year of discovery and took other measures required to qualify for a declination under the Safe Harbor Policy. Separately, Unicat received a non-prosecution agreement related to the violations, and Unicat’s former CEO, who was involved in the misconduct, pleaded guilty to criminal charges.

Key Takeaways

Buyers can face significant financial, enforcement and reputational risks for the past or ongoing misconduct of an acquired entity. Whether a buyer is a corporation or private equity firm, pre- and post-acquisition due diligence combined with robust compliance integration can help mitigate both commercial and compliance risks, including risks presented by any criminal or regulatory misconduct by a target entity. The DOJ’s Safe Harbor Policy provides significant benefits for companies taking such actions.

Because of the policy’s premium on prompt and complete self-disclosure, it is important for companies to proactively align their M&A policies and processes with these qualification requirements, with particular focus on post-close action, to position themselves to best take advantage of the safe harbor. While companies will need to weigh the potential advantages and disadvantages of self-disclosure, losing out on an opportunity to avoid or mitigate the consequences of a DOJ enforcement action because a company failed to  identify criminal activity in a timely fashion not only increases potential  financial and other consequences but now presents a greater risk of negative scrutiny by internal and external stakeholders, including the risk of a shareholder suit when things go wrong.

Looking beyond the United States, which has long recognized the doctrine of successor liability — holding acquirors strictly liable for the misconduct of their acquired companies — additional jurisdictions, such as France, have begun to embrace the concept. While other jurisdictions may not have created a safe harbor program similar to that of the DOJ, the risk of scrutiny by multiple enforcement agencies that may impose liability on the acquiror highlights the criticality of this issue for companies based and operating around the world.

Pre-close: Conduct as robust a pre-close due diligence exercise as possible to identify issues that could create liability or impact the value of the investment.

To take advantage of safe harbor protections and otherwise mitigate potential successor liability, companies should first and foremost conduct thorough pre-close due diligence. Such diligence can help companies identify and mitigate issues that could:

• Reduce the long-term value of the investment, such as the loss of assets, contracts or licenses obtained through corruption, or revenue generated from sales to sanctioned countries, companies or individuals; and
• Require disclosure to regulators, risking penalties and reputational harm.

Identifying areas that present these risks prior to finalizing a transaction allows companies to adjust purchase prices accordingly and build in additional and tailored contractual protections.

Diligence should be tailored to the risks presented by the target company, with particular focus paid to areas of greater enforcement and regulatory exposure (e.g., bribery or trade controls).

This pre-close review should look for not only evidence of misconduct or heightened risk but also the existence and adequacy of the target company’s compliance program and controls. A well-designed and tailored compliance program with evidence of robust implementation can provide some comfort that significant misconduct is being prevented and detected, while the absence of the same heightens the potential that illegal activity has or is occurring and has not been identified by the target.

Based on this review, and before closing, companies should develop mitigation strategies and plan for post-close diligence and integration. The details of any violations will determine whether successor liability will arise (e.g., FCPA jurisdiction is not retroactively applied to bribery that does not fall within the reach of the law prior to close), but ensuring there is a plan to identify and stop such misconduct post-close is necessary to more fully mitigate inherited risk. Accordingly, such planning should include steps for reviewing information not available before conclusion of the transaction and aligning the target’s controls and culture with the acquiring company’s program as quickly as possible.

Post-close: Time passes quickly. Six months is a short window to identify issues. Remediating issues within a year can be challenging.  Adopt a risk-based diligence and integration plan to move quickly and adapt as needed.

Post-close, companies should reassess and refine their diligence and integration plans as needed. This may include conducting post-close diligence, testing and auditing, as well as completing the assessment of the acquired company. Where pre-close diligence was limited (e.g., due to antitrust considerations or during an auction-structured sale), such post-close review should be more comprehensive, including steps that normally would have been conducted pre-close. Similarly, where the pre-close diligence indicates the existence of red flags or the absence of a sufficient compliance program and internal controls, the post-close review should be more robust.

Like pre-close diligence, this should be tailored to the risks presented. This may include prioritizing certain jurisdictions, business units and risk areas. Identifying previously undiscovered misconduct quickly is essential for safe harbor protections, and the areas of review selected for the first six months post-close are strategically significant. As noted above, the DOJ may agree to extend these deadlines based on the “specific facts and circumstances of the matter.” In White Deer, for example, the DOJ still afforded the company safe harbor even though the six-month disclosure deadline was not met due to “all of the relevant circumstances, including the COVID-19 pandemic and in the context of White Deer’s acquisition of Unicat and efforts to integrate the company’s operations into another acquired entity.” Companies, however, should not presume that DOJ will provide such extensions in all cases and will need to have a record to demonstrate that identification and disclosure were done as quickly as possible. Critically, six months is a short period of time to conduct a robust assessment, especially if the acquisition involves a company with global operations or multiple business lines. Companies must be agile, adapting their diligence or audit plans as issues are identified. A perceived failure to move aggressively could lead to second-guessing by DOJ and other agencies down the road.

Next, the company must take steps to ensure any ongoing misconduct is stopped and future misconduct is prevented. This requires implementation of compliance controls at the acquired company. If the acquiror has an existing program and the acquired company will be merged into its operations, this entails promptly integrating the acquired company into the acquiror’s compliance program. However, where the acquired company’s operations present new risks not addressed by the acquiror’s program, or where the acquired entity will operate independently or as a portfolio company, different steps will be necessary. This should include either enhancing the acquired entity’s existing program or designing and implementing a new program at the acquired company.

Identification of Misconduct

If red flags are identified during diligence, audits or testing, or otherwise during integration (e.g., an employee reports issues through the acquiror’s reporting channels), the acquiror should promptly initiate an investigation. If misconduct is identified, the company must decide whether to make a voluntary disclosure to the DOJ or other government agencies, whether in the U.S. or abroad, or to other entities, such as multilateral development banks. These decisions can be difficult and time-consuming and typically require engagement with senior management and the board of directors and consideration of all potential consequences. These may include (i) disgorgement, forfeiture and/or restitution; (ii) criminal liability for the acquired company; and (iii) compliance and reporting obligations imposed by the DOJ, the latter of which typically includes required certifications from senior executives that can carry the risk of individual criminal liability.

If a voluntary disclosure is made, full cooperation with the DOJ is required to qualify for safe harbor credit. In White Deer, for example, the DOJ noted that the company and Unicat “fully cooperated with the government’s subsequent investigation by proactively identifying, collecting, and disclosing relevant evidence to investigators, including foreign language evidence and evidence located overseas, and providing detailed and timely responses to the government’s requests for information and evidence. White Deer’s and Unicat’s cooperation materially assisted the government’s investigation, leading to the successful prosecution of Unicat’s former CEO.” The latter point is a notable factor, given the Department’s focus on prosecuting culpable individuals.

Remediation must also start promptly to address the misconduct and meet the second safe harbor deadline. This may require adjustments to the integration plans, such as accelerating certain activities or designing and implementing new controls not previously planned. Like all investigations, remediation may also include terminations and other employee discipline and pauses or termination of tenders, contracts and other transactions. White Deer is again informative on this point. There, the company immediately cancelled deals with Iranian customers and, within a year of discovery, terminated culpable employees, disciplined other employees involved in the misconduct, sought reimbursement from Unicat’s previous owners, and designed and implemented “a comprehensive and robust internal controls and compliance program that has proven effective in practice at identifying and preventing similar potential misconduct.” The “proven effective” language is informative. As a general rule, the DOJ expects companies to test their compliance programs and related internal controls to verify they are effective as implemented. As such, remediation and integration plans should include appropriate testing.

The type of remediation undertaken by White Deer can be costly. Bringing the analysis full circle, this further supports the criticality of comprehensive pre-close diligence and negotiation of adequate buyer protections (e.g., indemnification, holdbacks, representations and warranty insurance), which can be exercised to mitigate financial losses.

* * * *

Paul Hastings has extensive experience guiding clients through these processes, both designing and executing tailored due diligence reviews and developing comprehensive integration plans, including for acquiring and target companies located and operating around the world. We have counseled numerous clients through challenging transactions, including successful outcomes like what was afforded to White Deer under the new Safe Harbor Policy prior to the policy’s formalization, and we have designed and executed investigation and disclosure strategies to enforcement agencies and regulators in the United States and around the world.