Key Takeaways from DOJ’s New “Mergers & Acquisitions Safe Harbor” Policy for Companies that Self-Report Misconduct

On October 4, 2023, Deputy Attorney General (DAG) Lisa Monaco announced a new U.S. Department of Justice (DOJ) Mergers & Acquisitions Safe Harbor Policy (the Safe Harbor Policy) for companies that voluntarily and timely self-report misconduct discovered during the due diligence of an acquisition target or the integration of the acquired entity. The speech by DAG Monaco before the Society of Corporate Compliance and Ethics builds on several recent DOJ efforts to codify and encourage voluntary self-disclosure, including most recently its Corporate Voluntary Self-Disclosure Policy (available here). The Safe Harbor Policy is designed to offer substantial benefits, including the presumption of a declination of prosecution, to acquiring companies that self-report misconduct within six months of a transaction closing — regardless of whether the misconduct was discovered pre- or postacquisition. DOJ will also provide an acquiring company one year from the date the transaction closes to investigate and remediate the self-reported misconduct, with exceptions due to certain extenuating circumstances.

The new Safe Harbor Policy will be applied departmentwide; however, DOJ’s components will have discretion in tailoring how the policy should apply to their specific enforcement regimes.

Below are some of the key takeaways from the new Safe Harbor Policy.

First, acquiring companies that promptly and voluntarily disclose misconduct within a defined safe harbor period of six months, cooperate with the ensuing DOJ investigation, and engage in timely and appropriate remediation, restitution, and disgorgement will receive the presumption of a declination of prosecution from DOJ. An acquiring company that does not self-disclose misconduct within the requisite timeline in accordance with this new policy will potentially be subject to full successor liability for that misconduct. DOJ’s position has been that when a “company merges with or acquires another company, the successor company assumes the predecessor company’s liabilities,”¹  including criminal and civil liabilities. While the Safe Harbor Policy is designed to potentially insulate an acquirer from any successor liability if it moves fast to identify misconduct to DOJ, it does not offer protection from foreign enforcement authorities that may later learn of the misconduct through a public favorable resolution with DOJ or from other U.S. federal or state enforcement authorities.

Second, the policy applies to misconduct identified at a target or acquired entity that was either uncovered during the preacquisition due diligence phase of a merger or acquisition or during the postclosing integration process. DOJ has previously encouraged companies to perform preacquisition diligence to identify prior illegal conduct, reduce the risk that an acquired company continues to engage in illegal conduct postclosing, and permit the parties to negotiate costs and responsibilities of potential violations of law identified during an acquisition.

Third, the voluntary self-disclosure must occur within six months from the date of the transaction closing, regardless of whether the misconduct is discovered pre- or postacquisition. In other words, if the misconduct is identified five months after the closing date, the acquiring company would arguably have just one month to voluntarily self-disclose under the Safe Harbor Policy. This six-month Safe Harbor period for disclosure does not apply, however, when the misconduct detected “threatens national security or involv[es] ongoing or imminent harm.” In that situation, DAG Monaco suggested DOJ expects self-disclosure to occur immediately upon discovery.

Fourth, the acquiring company must remediate the misconduct within one year from the date of closing, not from the date of detection. However, both the six-month and one-year deadlines for disclosure and remediation can be extended “depending on the specific facts, circumstances, and complexity of a particular transaction.”

Fifth, the acquiring company will not be affected by the presence of aggravating factors or circumstances at the acquired entity. Aggravating factors include, for example, involvement of company executives in the misconduct, significant profits to the company from the misconduct, misconduct that is egregious or pervasive within the company, or repeated misconduct. Under the new policy, the acquiring company can still obtain a full declination despite the presence of these factors at the acquired company.

Sixth, any misconduct disclosed under this Safe Harbor Policy will not be factored into future recidivist analysis for the acquiring company. This means that an acquiring company that self-discloses misconduct at the acquired company will not be considered a “recidivist” in future enforcement actions. As such, if misconduct is detected in the future — whether at the acquiring company or the acquired company — the acquiring company could still benefit from a declination under the DOJ’s 2023 Corporate Enforcement Policy.²

Seventh, the safe harbor does not apply to misconduct that was otherwise required to be disclosed or already public or known to DOJ. Similarly, this policy will not affect civil merger enforcement.

DAG Monaco advised at the conclusion of her speech that companies and their leaders must devote time and attention to compliance matters and diligence on acquisitions, both preclosing (or very shortly after closing) and during postclosing integration. For this diligence process, DOJ expects all companies to

• review the target’s compliance program including any risk assessments conducted by the target; policies and procedures set forth to mitigate those risks; and any evaluations or testing of the compliance program
• ensure that the purchase agreement contemplates who will be responsible for disgorgement or restitution and what recourse the acquiring company has against the acquired company postacquisition

Though the Safe Harbor Policy offers acquirers more clarity on DOJ’s posture toward successor liability, the decision to self-report will remain fact intensive and require a complete assessment of the risks and potential benefits. Regardless of whether a company chooses to avail itself of the Safe Harbor Policy, it serves as a reminder that acquiring companies should have in place a robust due diligence and postclosing integration process reasonably designed to detect potential violations of law and position an acquirer to assess the risks and possible substantial benefits afforded to companies that timely self-disclose misconduct to DOJ. It also should serve as a reminder to target companies that failure to implement compliance controls could lead to liability that will be uncovered and disclosed by an acquirer before or even after a transaction closes. 

¹A Resource Guide to the U.S. Foreign Corrupt Practices Act, Second Edition (2020), p. 29, available at https://www.justice.gov/criminal-fraud/file/1306671/download.
²https://www.sidley.com/en/insights/newsupdates/2023/01/invigorating-the-corporate-criminal-enforcement-program