Deputy US Attorney General Lisa O. Monaco recently introduced a new M&A Safe Harbor Policy focused on voluntary self-disclosures that according to Monaco, will put an “enhanced premium on timely compliance-related due diligence and integration.”

Under the policy, companies that promptly and fully report and investigate suspected misconduct that has been found at an acquired entity should expect to receive a presumption of declination from the US Department of Justice (DOJ). In addition to requiring full disclosure, cooperation and disgorgement, the policy formalizes certain—to some, aggressive—time-sensitive requirements of which companies need to be aware. Specifically, companies must: 

  1. Disclose misconduct discovered at the acquired entity within six months of the closing date. 
  2. Fully remediate the misconduct within one year of the closing date. 

The DOJ can extend these deadlines after considering factors such as the complexity of the transaction, significant facts or other circumstances. However, extensions remain at the DOJ’s discretion.

The limited timeline to fulfill the safe harbor prerequisites is undoubtedly a challenge. In our experience, a typical integration plan for acquired companies is often measured in years, not months. This estimate does not take into account the typical amount of time it takes companies to investigate, remediate and disclose suspected misconduct. 

While having this policy in place enables acquiring companies to mitigate more predictably transactional risk and steer clear of potential successor liability related to wrongdoing by the acquired company, it is imperative for companies to establish thorough due diligence and integration procedures to guarantee the timely detection and reporting of any misconduct to the DOJ. 


“Good companies—those that invest in strong compliance programs—will not be penalized for lawfully acquiring companies when they do their due diligence and discover and self-disclose misconduct.”  – Lisa O. Monaco, Deputy US Attorney General

To maximize opportunities to identify and disclose reportable conduct within the safe harbor timeframe, acquiring companies can take the following steps:

  • Formalize an acquisitions playbook: Maintain a structured, repeatable acquisitions plan to guide the acquisition process. This should include not only a prioritized plan of objectives, activities and resources, but also close integration of compliance diligence into the deal process and strategy as a whole. The first 100 days after the deal closes will be critical and should be thoroughly planned. While the DOJ’s Safe Harbor Policy offers the incentive of avoiding prosecution, it also introduces the possibility of more severe consequences should misconduct come to light later.
  • Maximize your pre-acquisition diligence: Notably, the DOJ’s “clock” starts at the date of deal closing. By maximizing what is performed prior to closing, companies can ensure a deep understanding of potential risks and the compliance status of the target company.

    • Ideally, pre-acquisition due diligence should include an integrated combination of investigative reputational due diligence with a forensic review of the acquired company’s compliance program design and implementation. It is imperative to identify key operational risks, such as conflicts of interests, misappropriation of funds by senior management, false claims relating to product quality or safety, and poor governance controls, as well as financial crimes, such as bribery and corruption, before the transaction and when preparing to disclose and address these issues at the date of closing.  
    • Limitations on time and resources, among other factors, are pressures that limit the extent of compliance-related due diligence conducted prior to deal closing. The Safe Harbor Policy provides a strong incentive to fight through these limitations to obtain a “head start” identifying areas of heightened risk for further investigation.
  • Rely on risk assessments and data to focus efforts: Leverage risk assessments and data analytics to direct your compliance efforts toward areas that pose the greatest risk. Companies will not have the luxury of evaluating every risk at the same level, and decisions will need to be made about where to prioritize and focus diligence and integration efforts. Data should be your best friend, enabling you to see and analyze the real activities of an acquired company across a broad spectrum of risk areas.
  • Go beyond the surface level: Delve deeper than policy reviews and rollouts, desktop checklists and online training, to uncover misconduct. A surface-level evaluation will not reveal reportable misconduct. Investigative reputational due diligence, data analytics, risk assessments and compliance audits are all effective tools for truly understanding the risks that you have acquired and maximizing your opportunities to identify misconduct.
  • Focus on compliance integration steps that surface whistleblowers: Prioritize compliance integration steps that encourage and facilitate reporting from whistleblowers within the organization. This certainly includes an effective communication strategy for your whistleblowing policies and reporting avenues; however, it should also include steps that reach people locally: through in-person trainings, meetings with local compliance officers and other activities that would provide ample opportunities for reports.

Deputy US Attorney General Monaco underscored the importance of effective compliance programs in shielding companies from significant financial risks and penalties. The DOJ’s new Safe Harbor Policy aims to create a more transparent and predictable environment for companies, while enhancing the fight against corporate crime, particularly in the context of those implicating national security risks, such as corruption, sanctions, export controls, money laundering and cyber security. 

Control Risks has extensive experience helping clients navigate the compliance risks of major investments through enhanced due diligence, compliance measures and data insights. For a fuller discussion or any questions regarding measures that companies can take to ensure compliance under the new Safe Harbor Policy, please contact any of our experienced experts.

Finding this article useful?

Get in touch

Can our experts help you?