chevron-down Created with Sketch Beta.


DOJ's M&A Safe Harbor Policy Raises Stakes on Due Diligence and Compliance Programs

Sarah Flanagan and Lauren E Briggerman

DOJ's M&A Safe Harbor Policy Raises Stakes on Due Diligence and Compliance Programs

In a speech on October 4, 2023, Deputy Attorney General (DAG) Lisa O. Monaco announced a new Department of Justice (DOJ)-wide Mergers & Acquisitions (M&A) Safe Harbor policy to encourage voluntary self-disclosure of misconduct discovered during due diligence. That policy rewards acquiring companies with a presumption of declined prosecution if they: voluntarily report and remediate criminal conduct uncovered during the due diligence process within the safe harbor period; cooperate with DOJ’s investigation; and agree to disgorgement and restitution.

While the new policy gives acquiring companies increased certainty about when they may qualify for a DOJ declination, the deadlines leave little room for error or delay in detection, remediation, or decision-making regarding disclosures. The policy also underscores the strategic role of the compliance function in rooting out misconduct. As DAG Monaco stated, "[c]ompliance must have a prominent seat at the deal table if an acquiring company wishes to effectively de-risk a transaction."

Even if acquiring companies have robust compliance programs and meet the reporting and remediation deadlines, they must consider whether the benefit of a conditional declination outweighs the potential burden on the company and its employees of a voluntary disclosure.

Safe Harbor Policy Overview

While the new policy is not a departure from the approach some DOJ sections already applied to M&A voluntary self-disclosures, it gives companies the benefit of a consistent DOJ-wide presumption of declination if they meet the following criteria:

  • Discover the misconduct in a “bona fide, arm’s-length M&A transaction,”
  • Disclose misconduct within six months of closing (whether discovered pre- or post-acquisition),
  • Remediate misconduct within one year of closing,
  • Cooperate with any DOJ investigation, and
  • Agree to any restitution and disgorgement.

DAG Monaco noted that reporting and remediation periods will be subject to a fact-specific reasonableness analysis and prosecutors may grant extensions. National security issues or other misconduct involving ongoing or imminent harm, however, must be reported immediately.

The policy is designed to encourage companies to disclose misconduct discovered in due diligence and ensure that companies with effective compliance programs are not discouraged from acquiring companies with less effective programs and a history of misconduct. As DAG Monaco stated, “[o]ur goal is simple: good companies—those that invest in strong compliance programs—will not be penalized for lawfully acquiring companies when they do their due diligence and discover and self-disclose misconduct.” Aggravating factors at the acquired company will not impede declination for the acquirer, and misconduct disclosed under the policy will not be counted against the acquirer in any future recidivist analysis. The acquired company also may qualify for declination if no aggravating factors exist.

Due Diligence and Remediation Timeframe Considerations

The due diligence period in the policy may be challenging in practice, particularly for complex transactions or where there are other obstacles to due diligence. For example, the ability to conduct pre-acquisition due diligence may be limited when acquiring a company with a weak compliance program. And, post-acquisition, six months may be a tight timeline to comprehend complex, undisclosed risks and make disclosure determinations that may involve multiple jurisdictions and enforcers. Likewise, the one-year remediation period, may not fit situations where misconduct is widespread or long-standing, especially if remediation includes full integration into the acquirer’s compliance program and enterprise resource planning system. Overall, the time constraints should incentivize acquirers to tailor due diligence carefully to the acquired company’s profile (particularly if national security is a relevant risk area), be nimble in adapting as the transaction progresses, and have resources and a strategy in place to finish due diligence and integration as soon as possible after closing, even if they ultimately choose not to self-report.

Is Self-Disclosure Worth it?

Aside from the practical difficulties of conducting due diligence and remediation within the safe harbor periods, companies must thoughtfully consider whether the benefits of voluntary self-disclosure outweigh the risks. The Safe Harbor policy grants a presumption of a declination to companies that meet its requirements but does not guarantee DOJ immunity, nor does it shield companies from any other enforcer.

Furthermore, the policy imposes potentially burdensome obligations on disclosing companies, even if they timely report and remediate. Disclosing companies must cooperate with DOJ’s investigation by turning over documents and making executives and other employees available for interviews, which can be costly and time-consuming. They also must agree to disgorgement and restitution of the acquired company’s ill-gotten gains, which may be significant if that company reaped substantial profits from the misconduct.

Finally, while the Safe Harbor policy attempts to “double down” on clarity and predictability across DOJ, it may raise more questions than it answers. For example, it is unclear whether companies that disclose and remediate criminal antitrust misconduct may still be eligible for immunity under the Antitrust Division’s leniency program if they do not meet the deadlines for reporting and remediation.

Compliance’s Seat at the Table

The M&A Safe Harbor policy is the latest in a series of guidance from DOJ that have reinforced the value of corporate compliance programs and given companies increased clarity regarding DOJ’s expectations. At the same time, certain elements of the guidance have ratcheted up expectations in a way that may be more aspirational than connected with the reality of compliance on the ground.

As DOJ provides more clarity regarding the Safe Harbor policy in coming months, acquiring companies should examine how their compliance programs and due diligence processes work together to ensure that they are best positioned to seek safe harbor if it is in their interest to do so. As DAG Monaco warned, a company [that] does not perform effective due diligence or self-disclose misconduct at an acquired entity . . . will be subject to full successor liability for that misconduct under the law.” Regardless of whether companies avail themselves of the Safe Harbor policy, an effective compliance program is the single greatest tool that companies have for efficiently and fulsomely detecting potential misconduct by an acquired company (and more generally) and remediating it to reduce risk to the business and shareholders going forward.

This article was prepared by the Antitrust Law Section's Compliance and Ethics Committee.