Fiche pratique

Cahiers
59 Compliance Risks in the M&A Context. Navigating French
and U.S. Guidelines and Jurisprudence
p. 50

pratiques
FUSIONS-ACQUISITIONS

59
Compliance Risks in the
M&A Context
Navigating French and U.S. Guidelines and Jurisprudence

Christopher Bolyai,
Associate, Skadden

Sidne Koenigsberg,
Counsel, Skadden

Margot Sève,
Associate, Skadden

1. Context
In the past several years, U.S. and French authorities have published
guidance emphasizing the importance of addressing compliance
risks in all phases of the M&A process, from pre-acquisition due
diligence to post-deal integration. This guidance applies to regula-
ted and non-regulated entities alike and impacts virtually all M&A
transactions, particularly in the assessment of compliance risks rela-
ted to anti-corruption, anti-money laundering (AML) and economic
sanctions laws. For example, in August 2020, Harmonic, a U.S.-based
video technology company, disclosed that it was cooperating with the
U.S. Department of the Treasury’s Office of Foreign Assets Control
(OFAC) in an investigation regarding transactions involving Iran
conducted by a French company Harmonic acquired in 2016.
Given the increasingly material consequences of non-compliance,
understanding current guidance regarding compliance risks in M&A
transactions is critical for companies and their advisors, particular-
ly because certain French and U.S. statutes have an extraterritorial
reach. Further, an understanding of successor liability in the com-
pliance context, including recent developments in French jurispru-
NdA : The views expressed in this article are those of the authors only. The authors
would like to thank Hélène Luciani for the quality of her research.
dence, will allow parties to better assess compliance risks, adjust deal
prices where necessary, insure against risks where possible and nego-
tiate contractual provisions to appropriately allocate related liabilities.
2. Comments
2.1. Guidelines Relating to M&A Compliance Reviews
In the U.S., the Department of Justice (DOJ) first published specific
guidance in 2017 regarding how prosecutors should evaluate corpo-
rate compliance programs in the context of criminal investigations
and resolutions. With respect to M&A transactions, the current
version of DOJ’s Evaluation of Corporate Compliance Programs sets
forth a baseline expectation that “[a] well-designed compliance pro-
gram should include comprehensive due diligence of any acquisition
targets, as well as a process for timely and orderly integration of the
acquired entity into existing compliance program structures and
internal controls”.
Regarding anti-corruption compliance specifically, in the U.S., DOJ
and the Securities and Exchange Commission (SEC)’s Resource Guide
to the U.S. Foreign Corrupt Practices Act (FCPA) contains a dedica-
ted section regarding M&A. In France, the French anti-corruption

50 REVUE INTERNATIONALE DE LA COMPLIANCE ET DE L’ÉTHIQUE DES AFFAIRES - N° 1 - FÉVRIER 2021 - © LEXISNEXIS SA

CAHIERS PRATIQUES
agency (AFA) published a practical guide in January 2020 on Anti-
corruption diligence reviews in the context of M&A transactions. Both
guides discuss the expectations of the authorities regarding the scope
and quality of due diligence procedures relating to compliance issues
in the context of M&A transactions.
Regarding economic sanctions, in May 2019, OFAC published gui-
delines entitled “A Framework for OFAC Compliance Commitments”,
which establish OFAC’s expectations for sanctions compliance pro-
grams. The guidelines state that “[r]isk assessments and sanctions-rela-
ted due diligence [are] important during mergers and acquisitions, par-
ticularly in scenarios involving non-U.S. companies or corporations”.
Regarding AML, U.S. and EU AML obligations may apply to various
covered entities. Due diligence prior to the acquisition of a covered
entity must therefore evaluate the target’s AML compliance fra-
mework. In France, the banking regulator, ACPR, recommends that
groups subject to AML requirements implement their AML fra-
mework within all local entities and update it regularly, for example
following an internal change such as the acquisition of subsidiaries
carrying out a new activity and having new customers (see ACPR,
Lignes directrices relatives au pilotage consolidé du dispositif de LCB-FT
des groups, March 2, 2020). Similarly, in the U.S., guidance for federal
bank examiners states that “[e]very bank must have a comprehensive
[Bank Secrecy Act]/AML compliance program” that should “ensure
that all affiliates, including those operating within foreign jurisdic-
tions, meet their applicable regulatory requirements” (see Federal
Financial Institutions Examination Council, BSA/AML Examination
Manual, 2015).
2.2. Successor Liability in M&A Transactions
Although the French and U.S. approaches differ, an acquiring com-
pany or resulting company post-merger is generally liable for pre-ac-
quisition misconduct by a target or absorbed company.
In the U.S., an acquiring company generally assumes the existing lia-
bilities of the predecessor company, including those arising from civil
or criminal statutes. DOJ’s FCPA Corporate Enforcement Policy, which
is often followed in the enforcement of other statutes, provides that
federal prosecutors may choose to exercise discretion and not bring
an enforcement action against the successor entity if the latter unco-
vers misconduct during due diligence, self-discloses the misconduct,
remediates it on an appropriate and timely basis, and otherwise coo-
perates with any subsequent investigation. OFAC applies a similar
approach and may consider proper pre-transaction due diligence and
post-transaction remediation measures as mitigating factors when
issuing civil penalties for economic sanctions violations (e.g., OFAC’s
March 27, 2019 settlement with Stanley Black & Decker, Inc.).
In France, until recently, according to long-standing case law, com-
panies could not be held criminally liable for acts committed by an
acquired entity prior to the merger or acquisition. In November 2020,
the French Cour de cassation reversed this case law, ruling that, under
certain conditions and for certain companies, an absorbing company
may be fined or have its property confiscated for criminal offences
REVUE INTERNATIONALE DE LA COMPLIANCE ET DE L’ÉTHIQUE DES AFFAIRES - N° 1 - FÉVRIER 2021 - © LEXISNEXIS SA
Fiche pratique
committed by the absorbed entity before the merger (see Cass. crim.,
25 nov. 2020, n° 18-86.955 : JurisData n° 2020-019279).
Even in cases where successor liability does not apply, financial and
reputational risks can arise from criminal or administrative procee-
dings brought against an acquired subsidiary for acts committed
prior to the acquisition, and an acquiring company could be exposed
to criminal liability for concealment of stolen goods or laundering the
proceeds of corruption.
A number of recent examples show how penalties have been imposed
following M&A transactions, including in cross-border transactions.
Regarding corruption, two of the eleven Judicial Public Interest
Agreements (CJIP) published to date involved companies that were
sanctioned for historical misconduct after having been acquired by a
third party, including:
- February 14, 2018, CJIP between the prosecutor of Nanterre and
SET Environnement (carrying an €800,000 penalty and a two-year
compliance program for a cost of €200,000).
- May 4, 2018, CJIP between the prosecutor of Nanterre and Poujaud
(carrying a €420,000 penalty and a two-year compliance program
for a cost of €276,000).
In the U.S., DOJ and the SEC will often only pursue cases against
the predecessor company when the acquiring company uncovered
and remediated the violations as part of the transaction, but there are
examples of successor liability also being sought, including:
- March 26, 2018, settlement between the SEC and Kinross Gold (for
US$950,000). Kinross Gold had identified that African subsidiaries
acquired in 2010 did not maintain an anti-corruption program and
then failed to implement adequate procedures post-acquisition.
- June 25, 2019, settlements between TechnipFMC plc and U.S. and
Brazilian authorities (for US$296 million), for bribery schemes
conducted by Technip S.A. and FMC Technologies before they mer-
ged in 2017.
Regarding economic sanctions, OFAC recently signed several settle-
ments of over US$1 million where U.S. companies had acquired non-
U.S. subsidiaries and had failed to stop practices that violated U.S.
economic sanctions, including:
- February 14, 2019, settlement between OFAC and AppliCHem
GMBH (for US$5.5 million). AppliCHem was acquired by a U.S.
company in 2012 but continued its operations with Cuba after the
acquisition.
- March 27, 2019, settlement between OFAC and Stanley Black &
Decker, Inc. (for US$1.9 million). The company agreed to settle for
violations of U.S.-Iran sanctions programs committed by a Chinese
subsidiary acquired in 2013.
Finally, in relation to AML, ACPR previously sanctioned deficiencies
in the AML compliance framework of fintech companies, which are
often the object of M&A transactions.
2.3. Practical Guidance
Thorough due diligence focused on compliance risks and mitigating
controls will assist an acquiring entity in reducing the risks of prose-
51
CAHIERS PRATIQUES
cution and may reduce any ultimate fine, if an enforcement action is
taken.
Companies should conduct compliance-related due diligence based
on a target’s risk profile and with an audit trail in case enforcement
proceedings are later initiated. Generally, such diligence should begin
prior to signing and continue after closing to include, where neces-
sary, post-acquisition audits or internal investigations, and remedial
measures if issues are identified. AFA, DOJ and OFAC recommend
that corporate compliance functions be integrated in the M&A due
diligence process.
At the outset of a transaction, the acquiring company should formu-
late a list of compliance topics and key questions to address via a do-
cument exchange or calls between management teams. The analysis
should typically focus on:
- The target’s inherent compliance risks, in particular information
relating to the target’s business type, structure, geographic locations,
types of customers and suppliers, and the existence of ongoing or
past investigations, legal proceedings or past or ongoing com-
pliance-related incidents.
- An analysis of the target’s compliance program, following a risk-
based approach, to assess the mitigation of inherent risk. In parti-
cular, the analysis should include discussion of the program with
management and compliance officers and a review of relevant do-
cumentation to determine the quality of the compliance framework
(decision-making committees, compliance risk mapping, proce-
dures and controls, description of the compliance teams and tools,
training program and audit reports) and the level of involvement of
senior management.
This approach generally tracks the approach that a company should
take in its regular course of risk assessment, so if the target has alrea-
dy performed a risk assessment, the most recent assessment and its
methodology can be starting points to understand the target’s risk
profile.
Acquiring companies must also review a target’s compliance pro-
gram and operations against applicable regulations, paying particular
attention to statutes that can apply extraterritorially, for example, the
FCPA in the U.S., the Sapin II Law in France or OFAC regulations for
companies falling under the jurisdiction of U.S. sanctions programs.
Lastly, an acquiror should plan for potential changes in the applicabi-
lity of regulations that may result from a transaction (for example, the
crossing of the Sapin II applicability thresholds, or the acquisition of a
financial services company subject to AML regulations by a company
otherwise not subject to such regulations).
In addition to its potential impact on the purchase price of the tar-
get, the pre-acquisition due diligence will allow the acquiring entity
to negotiate contractual provisions as well as specific insurance cove-
rage. Relevant contractual clauses, adapted to the specific risks of the
transaction, may include representations and warranties (such as a
general or specific clauses concerning compliance with laws, absence
52 REVUE INTERNATIONALE DE LA COMPLIANCE ET DE L’ÉTHIQUE DES AFFAIRES - N° 1 - FÉVRIER 2021 - © LEXISNEXIS SA
Fiche pratique
of past convictions and transactions in breach of regulations, absence
of ongoing investigations, and existence of an adequate compliance
program). The relevant clauses may also include covenants relating to
the improvement of the compliance framework if specific deficien-
cies are identified, or commitments related to ongoing compliance
and the transition of compliance-related teams and services during
integration. Exceptions to representations discovered during dili-
gence, such as ongoing investigations or past disclosures to relevant
authorities, may be listed in disclosure schedules.
As recognized by DOJ and SEC, “in certain instances, robust pre-ac-
quisition due diligence may not be possible”. In such instances, DOJ
and SEC will look to the timeliness and thoroughness of the acqui-
ring company’s post-acquisition due diligence and compliance inte-
gration efforts. A thorough post-acquisition review will seek to cover
any compliance topics not analyzed prior to closing and may include,
in a risk-based approach, review of sample transactions, customers,
suppliers, third parties and internal alerts.
If misconduct is discovered, the buyer will need to assess whether to
self-disclose to relevant authorities. As noted above, DOJ and OFAC
take self-disclosure into account in their enforcement policies. In
France, for corruption matters, AFA emphasizes the benefits of self-
reporting to the prosecutor, stating in its guidelines: “Although it is
not incumbent on a company’s management to report such acts to
the legal authority, it may be in its interest to do so with a view to
settling the company’s criminal situation by concluding a deferred
prosecution agreement”. As is highlighted both in the AFA guidelines
and the FCPA Resource Guide, the acquiring company must also ter-
minate any improper conduct and implement remedial measures in
a timely manner.
Post-closing, an acquiring company must take steps to integrate a tar-
get company into its compliance framework. AFA notes that “it is the
purchaser’s responsibility as parent company to set up an anti-cor-
ruption programme in the target company”. In the FCPA Resource
Guide, DOJ and the SEC also encourage acquiring companies to
implement their code of conduct and compliance policies as quickly
as practicable within newly acquired businesses and to train direc-
tors, officers and employees accordingly. Notably, DOJ includes com-
pliance integration efforts in its conditions to exercising discretion
not to bring a prosecution. OFAC also considers integration efforts
by the buyer (including training and communications to employees,
certifications of the implementation of procedures, implementa-
tion of ethics hotlines, and the amendment of the target’s contracts
relating to high-risk activities) and remedial actions (including ter-
minating the employees responsible for any suspected violations)
as mitigating factors (see OFAC’s February 7, 2019 settlement with
Kollmorgen Corporation). OFAC also recommends that an acquiring
company monitor and audit the acquired entity on a regular basis
to ensure continued compliance with group procedures (see Stanley
Black & Decker’s OFAC settlement).