Late Monday, the Department of Justice (DOJ), without fanfare, released an update to its 2019 Evaluation of Corporate Compliance Programs, the 2019 Guidance. For simplicity this new document will be called the 2020 Update. The 2020 Update is most welcome news for every Chief Compliance Officer (CCO), compliance professional and corporate compliance program in the US and beyond. The reason is simple; it ends, once and for all, the dysfunctional reliance on paper compliance programs written by lawyers for lawyers and those who advocate for them. The DOJ has now articulated what both the business and compliance communities have learned that compliance is a business process and as a process, it can be measured, managed and, most importantly, improved. I have looked at some key big picture themes and the specific tactical steps of moving towards both continuous monitoring and continuous improvement of your compliance program. Today, I want to consider the changes in the areas of mergers & acquisition (M&A) and your third-party risk management protocols.

Mergers and Acquisitions

Under M&A, the 2020 Update stated: (all changes in italics) “F. Mergers and Acquisitions (M&A) A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed  or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.”

The specific questions posed by the 2020 Update are:

• Due Diligence Process – Was the company able to complete pre-acquisition due diligence and, if not, why not? Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What is the M&A due diligence process generally?

• Integration in the M&A Process – How has the compliance function been integrated into the merger, acquisition, and integration process?

• Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post-acquisition audits, at newly acquired entities?

The clear emphasis of the DOJ is around the pre-acquisition phase in M&A work. Were you prevented from engaging in pre-acquisition due diligence because of some rule or regulation? If so, what did you do about it? Did you take the approach of Halliburton, as it did in the resulting Opinion Release 08-02 and seek DOJ input? Was your post-acquisition integration protocol more robust? If so, how? Also, after closure, did you perform a full audit of the acquired entity? For the sake of your compliance program, I hope you did.  Yet the clear emphasis here was on the pre-acquisition phase.

Pre-acquisition due diligence provides an early assessment which will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a lens through which to view the feasibility of the business strategy and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus. 

Third Parties

Even in 2020, third parties still represent the highest risk under the Foreign Corrupt Practices Act (FCPA). Here the DOJ noted, “Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials…In sum, a company’s third-party management practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to “detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.”

The DOJ then posed the following questions:

• Management of Relationships – How has the company considered and analyzed the compensation and incentive structures for third parties against compliance risks? How does the company monitor its third parties? Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past? How does the company train its third party relationship managers about compliance risks and how to manage them? How does the company incentivize compliance and ethical behavior by third parties? Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?

It is the new final question, coupled with the new language in the preamble to the section on third parties which is so significant. It makes clear that management of third parties is a process and one that must continue on an ongoing basis throughout the lifetime of the relationship with your organization. This also re-emphasizes the importance of managing the relationship after the contract is executed from the compliance perspective. Your role in the compliance function is not simply to review due diligence and add compliance terms and conditions to the contact. Your role is to oversee the relationship which the business sponsor manages on the ground. This is fully operationalizing your compliance regime.

Join me tomorrow where I take a deep dive into the 2020 Update to explore the updated role of the CCO and compliance function.

[View source.]