Coming on the heels of major policy rollouts and updated guidelines, the Department of Justice (DOJ) announced in October 2023 the Safe Harbor Policy for voluntary self-disclosures, which encourages acquiring companies to report misconduct uncovered during the M&A process. This latest policy expands upon existing guidelines that prompt companies to self-report misconduct or wrongdoing to protect themselves from hefty financial risks and legal penalties down the line.

During the announcement, Deputy Attorney General Lisa O. Monaco explained the intent behind the Department's policy, stating: "In a world where companies are on the front line in responding to geopolitical risks, we are mindful of the danger of unintended consequences. The last thing the Department wants to do is discourage companies with effective compliance programs from lawfully acquiring companies with ineffective compliance programs and a history of misconduct. Instead, we want to incentivize the acquiring company to timely disclose misconduct uncovered during the M&A process."

Let's take a closer look at what the policy says and how it’ll impact acquiring companies and compliance teams moving forward.

What is the Safe Harbor Policy?

Under the Safe Harbor Policy, acquiring companies can voluntarily disclose any findings of misconduct or wrongdoing discovered before or during the M&A of a target company. To qualify and fall within the safe harbor period, the acquiring company must report its findings within six months of the acquisition's closing date and then fully remediate the underlying problems within a year.

According to the DOJ, deadlines are subject to a reasonableness analysis based on the deal's complexity. Companies that disclose findings within the safe harbor period, cooperate with the ensuing investigation, and engage in requisite, timely, and appropriate remediation will receive the presumption of declination, where the DOJ declines to bring about charges or take enforcement action, absent any aggravating factors.

How acquiring companies can stay compliant throughout the M&A process and beyond

For companies and compliance teams undergoing the M&A process, there are a few takeaways from the DOJ’s latest policy:

• Begin the due diligence process early. Smaller companies often lack the resources and infrastructure to implement ongoing third-party due diligence, so it's best to get the process rolling before acquiring the target company. Due diligence is critical to any acquisition to ensure you understand exactly what you’re buying. It also enables you to allocate resources more efficiently — conducting the right amount of diligence to the right risk is key.  
  
  
• Cross-functional collaboration is key. Every relevant department within an organization must be involved in the acquisition strategy and due diligence process, from finance to legal.
  
  
• Start the risk-reward conversation. Is it a big deal if a red flag pops up during the due diligence process, or would the risks of reporting them outweigh the benefits? Acquiring companies must also understand their risk tolerance while conducting due diligence. Start by reviewing the target company's processes, contracts, and so forth and tiering them by risk level; this requires understanding internal and external vulnerabilities and encourages you to assess risk across domains, including IT and operational risk.

Go beyond checklists with enhanced due diligence 

The DOJ has made it clear that while due diligence is crucial, taking a risk-based approach is just as important — especially in the context of mergers and acquisitions. Learn what enhanced due diligence involves and why it’s important to protect your organization. 

Read next: The art of enhanced due diligence for third parties