An allegation of bribery or corruption also entails operational risks. The accused company must sever ties with third parties that were founded on improper payments, kickbacks, discounts, or rebates. It may have to exit certain business relationships, while it invests in maintaining relationships with reputable suppliers, customers, and other business partners. These requirements may negatively affect the efficiency and effectiveness of the company's operations. Among many other issues, customers may experience frustration if services or products are delayed, or quality is affected, as the company builds relationships with new suppliers. Ultimately, the situation may end in a loss of revenue and deterioration of margin, which could negatively affect the valuation of the business as it exits the M&A transaction.

The reputational risks that accompany bribery and corruption charges can be tough to measure because the consequences to both the organization and its executives may be difficult to quantify. However, reputational risks can prove costly. Negative publicity and disclosures around both internal and government investigations can rattle an organization, its investors, and companies it does business with. Directors, senior executives, fund managers, and others with management or guidance responsibilities over the acquired operations may face enforcement actions, as well as exposure to financial liability as a result of the acquired company's misconduct.

Even well-intentioned members of management may lose their positions with the company or damage their careers if it comes out that they either failed to detect issues in the past, or haven't taken adequate measures to prevent future issues in the acquired company. Executives may face scrutiny based not just on what they knew, but on what they should have known.

Regulators Expect Sufficient ABAC Due Diligence

Regulators in the United States remain committed to the enforcement of compliance-related laws across a wide range of industries and focus areas. In 2014, FCPA enforcement actions alone resulted in total corporate penalties of approximately $1.6 billion, with the average affected company paying fines and penalties totaling $156.6 million—the highest average on record.

The trend of significant enforcement also continues, as evidenced by the regulators' selection of cases. Recently, the Securities and Exchange Commission (SEC) brought an FCPA enforcement action against a financial services firm for providing internships to family members of foreign government officials affiliated with a sovereign wealth fund, and settled the matter with a $15 million penalty. This case is the first in which the SEC has based an FCPA-related enforcement action solely on the improper hiring of relatives of foreign government officials. In a separate enforcement action, two senior executives of an international consulting company pleaded guilty to one count each of conspiracy to violate the FCPA and one substantive count of violating the FCPA. The defendants had recorded improper payments made to retain government contracts under various unrelated expense categories including "commitment fees," "counterpart per diems," and "logistics support and travel cost."

The Department of Justice (DOJ) recently strengthened its position on seeking individual accountability for corporate wrongdoing. In a speech, assistant attorney general Leslie Caldwell emphasized this point, stating:

No individual or entity is above the law. The Criminal Division will continue to investigate and prosecute corporate misconduct and, with or without corporate cooperation, is committed to holding individuals accountable for criminal misconduct—whether it occurs in a boardroom, a C-suite, or a regional sales office—in the U.S. or in another part of the globe.

Notably, in order to receive "cooperation credit" (i.e., DOJ consideration of reduced fines and penalties in exchange for cooperation with the investigation), corporations must proactively disclose all relevant facts related to individual misconduct. Furthermore, except in extraordinary circumstances, the DOJ will not release culpable individuals from criminal or civil liability, and liability can result in jail time and significant financial penalties.

In the context of mergers and acquisitions, cases around bribery and corruption can mean significant remediation costs for the acquiring organization, as well as a loss in value of the investment. In addition to the DOJ and SEC's joint guidance, "A Resource Guide to the U.S. Foreign Corrupt Practices Act," the DOJ has provided guidance to buyers through opinion letters and deferred prosecution agreements regarding the necessity of performing adequate due diligence, both pre- and post-close, in order to mitigate financial, operational, reputational, and enforcement risks associated with the possibility that improper conduct occurred at the acquired company.

Evaluating Compliance Risk Before the Deal Closes

Generally speaking, pre-acquisition ABAC due diligence includes a review of company-, industry-, and geography-specific risks, as well as an assessment of the processes and controls that a target company or entity has in place to mitigate ABAC risks. After the close, buyers tend to focus on integration of the two companies' compliance functions and processes, in addition to resolution and remediation of any outstanding issues that came to light during the pre-acquisition due diligence. An acquiring company may perform additional ABAC procedures post-close if the availability of data and information prior to close was insufficient for a thorough ABAC assessment.

Best practices involve a risk-based approach to ABAC due diligence. Specifically, a buyer may conduct more thorough due diligence where corruption risk is high, and more narrowly focused due diligence where risk is low. Broadly speaking, company- and industry-specific risks may include:

• use of third parties, including attorneys, lobbyists, promoters, and investment advisers;
• key customers' and suppliers' government relationships;
• use of commissions, discounts, and rebates;
• public tender processes;
• quantity and type of government licenses, and permits required to conduct key business activities;
• use of distribution and logistics networks for both importing and exporting goods; and
• types and quantity of charitable and political contributions and lobbying expenses.

Geographic assessments generally include an analysis of local business practices, such as expectations for facilitation payments and use of third-party intermediary relationships. An acquiring company should likewise look at cultural considerations, such as anticipated gift-giving, particularly for religious or cultural holidays.

Assessments of a company's controls generally include an analysis of a target's ABAC program, including ongoing monitoring and evaluation, and the effectiveness of measures put into place to remediate prior issues. Specifically, these considerations include the:

• strength of existing compliance-related policies and procedures;
• adherence to established policies and procedures;
• existence of a formal escalation process for compliance-related concerns;
• sufficiency of dedicated compliance resources;
• use of ongoing monitoring and/or evaluation of key supplier, customer, and third-party relationships;
• effectiveness of internal controls for recording financial transactions; and the
• approval processes for gifts, meals, travel, and entertainment expenses.

Increasingly, acquiring companies are requiring ABAC due diligence in each of these areas—company, industry, geography, and controls processes—for each deal, with specific procedures tailored to the perceived level of risk within the company being acquired.

The Board and Senior Management Have Responsibility

Different parties within a company have various roles and responsibilities related to ABAC due diligence. In many organizations, an individual within compliance—commonly the chief compliance officer (CCO)—is required to certify that ABAC due diligence has been performed before a deal may be presented to the investment committee or board of directors for approval.

The CCO and others responsible for compliance may work in conjunction with outside counsel and forensic accountants to ensure that geography- and industry-specific risks have been adequately assessed. A summary of industry- and geography-specific risks, as well as the controls assessment, will be incorporated into a pre-acquisition due diligence report, which will highlight key areas for improvement.

Specifically, the CCO will seek to use the due diligence process to understand:

• What are the areas of potential compliance-related risks?
• If red flags or potential concerns have been highlighted, can we request more information to resolve these concerns?
• If red flags must remain, is the strategic value of the deal sufficient to justify taking these risks?
• What steps should be taken to achieve "Day One" compliance readiness?
• What steps should be taken post-close to resolve outstanding compliance concerns?
• Do we have the resources to integrate the two companies' policies and procedures, or to bring the target company up to industry standards? If not, what resources do we need?

Deal teams often work with professional services firms, such as law firms and accounting firms, to ensure the company's ABAC procedures are appropriate for the contemplated transaction. Such procedures may require that management of the acquisition target produce specific data, complete a questionnaire, and provide complete and transparent answers in management interviews. Although access to detailed information may be limited in certain scenarios, deal teams generally make diligent efforts to facilitate the collection of information and to emphasize to the management team at the target company how much importance the acquiring organization places on the ABAC due diligence process.

The level of involvement of the acquiring company's board of directors may vary depending on specific characteristics of the transaction. In some organizations, the board may be involved only under specific circumstances, such as when a transaction presents a high level of ABAC risk. In such cases, a CCO may need to present detailed risk assessments to the board at multiple points in the deal, updating the initial assessment as additional information becomes available. The board will then weigh the financial, operational, and reputational risks of completing the acquisition, including the potential costs of compliance-related integration, against the value of the investment. At a minimum, one may expect the board to take ABAC risks directly into account while deciding whether to approve a transaction.

'Check the Box' Compliance Doesn't Necessarily Satisfy FCPA

As SEC associate director of enforcement Antonia Chion noted earlier this year, after the BHP Billiton settlement, "A 'check the box' compliance approach of form over substance is not enough to comply with the FCPA."

In order to complete ABAC due diligence effectively, buyers need to weigh potential compliance-related concerns with the strategic value of the anticipated acquisition, given the information that's available. Thorough ABAC due diligence can often raise red flags prior to closing; this due diligence may be conducted as a joint effort of attorneys, forensic accountants, compliance officers, and the deal team.

Then the acquiring company can plan any enhancements to the target company's compliance program that the due diligence process suggests need to be made. The acquirer should also plan to integrate the target's compliance department into its own in a manner that allows for completion of the integration at closing, or as soon after closing as possible.

An acquiring organization that engages in adequate pre-acquisition ABAC due diligence, and subsequent enhancement and integration of strong compliance programs, is more likely to manage ABAC risk appropriately after the close.

Gregory Wolski is a partner in EY's Fraud Investigation & Dispute Services (FIDS) practice and global leader of the Transaction Forensic practice. He has managed over 200 FCPA and anti-bribery/anti-corruption due diligence engagements on behalf of strategic and private-equity clients and has served as an independent arbitrator or as an expert on more than 250 mergers and acquisitions. You can reach him at [email protected].

Tony Hounshell is a senior manager in the FIDS practice. With nearly 15 years of experience, he specializes in investigations of financial impropriety, FCPA compliance and investigations, regulatory and policy compliance, and post-acquisition disputes. You can reach him at [email protected].

Sara Kramvis is a manager in EY's FIDS practice. She has experience conducting anti-corruption transaction due diligence reviews, developing and implementing anti-corruption compliance programs for multinational corporations, and managing cross-border investigations pertaining to allegations of FCPA violations. You can reach her at [email protected].

EY refers to the global organization, and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. The views expressed are those of the author and do not necessarily represent the views of EY.