<img src="https://ws.zoominfo.com/pixel/BUJfPb8NrEnpjSiz8kRz" width="1" height="1" style="display: none;">

FCPA Compliance in M&A | The Phases of Due Diligence

on May 24, 2022

Whenever I’m in the market to make a large purchase, I do my homework. Am I paying the right price? Is there an advantage to purchasing the item from one merchant or another? Does it come with a warranty? Can I get my money back if I don’t like it? Warranties and return options can protect my investment, and the answers to each of these questions will have an impact on my decision to buy or to walk away.

Similarly, when it comes to mergers and acquisitions (M&A), a purchasing company must complete extensive FCPA due diligence to protect themselves from potential FCPA compliance violations. Due diligence is expected in every step of the M&A process (pre-acquisition, contracting, pre-closing remediation, and post-transaction), so purchasers cannot afford to take any shortcuts. 

Pre-acquisition Risk Assessment

During pre-acquisition, an initial risk assessment can provide details to help the purchaser determine the extent of FCPA due diligence needed. It also gives them the opportunity to identify any compliance-related provisions that may need to be included in the contract. 

Identifying the jurisdiction(s) in which a target company operates is an important factor to be considered during FCPA risk assessment. Transparency International’s Corruption Perceptions Index (CPI) is a basic tool used for measuring corruption risk within relevant jurisdictions, and, while useful, the CPI is based on perception and can misrepresent the actual corruption risks that exist within a given jurisdiction. Corruption risk rankings can differ not only by country but also by the regions within that country.

Due to the imperfect nature of CPI, it is also necessary to provide basic knowledge of the target company, including size, ownership structure, industry type, location(s) of operations (and known corruption practices in those areas), and any government interactions. Is the company publicly traded and likely to have better corporate governance than a private entity? Or, does the target company’s industry have a higher risk for corruption due to more interaction with government officials?2

When completing an FCPA risk assessment, every aspect of the target company’s business dealings should be taken into consideration. For the acquiring company to form a view of a target’s risk profile, many questions should be asked:

FCPA Compliance and Control Infrastructure: Are the target’s policies and procedures adequately designed? Are employees and high-risk third parties appropriately trained? How are the control functions (legal, compliance, and audit) resourced? Has the company conducted a risk assessment? Has an external or internal audit recently tested any of the key compliance controls?

Corporate Governance and ESG: Who is on the board? What issues are escalated to the board? Have there been any allegations of wrongdoing or breaches of the target’s internal policies? Does the target have any material outstanding litigation or investigations? Is the target’s supply chain free from child and slave labor? How does the target’s operations impact the environment? Is there any adverse media coverage related to the target?

Government and Regulatory Touchpoints: What licenses, permits or regulatory approvals does the target need to conduct its business? Who obtained these approvals? Who is responsible for government relations? Are there any lobbying efforts, political contributions, or political engagement — either directly or through a trade association?

High-Risk Customers: To whom is the target selling its products or services? Are there any governmental or state-owned enterprise customers? If so, how is that business typically awarded? Who is responsible for maintaining relationships with customers? What (if any) gifts, hospitality, entertainment, travel, corporate sponsorships, or charitable donations are connected to sales efforts?

High-Risk Jurisdictions: Does the target have sales or operations in any high-risk jurisdictions? Who oversees sales and operations in high-risk jurisdictions? What (if any) gifts, hospitality, entertainment, travel, corporate sponsorships, or charitable donations occur in high-risk jurisdictions?

High-Risk Third Parties: Do the target’s third parties engage them to interact with governmental entities, state-owned enterprises, or government officials? Does the target rely on sales channel partners, such as wholesalers, distributors, resellers, joint venture partners, locally-sourced content providers, customs clearing agents or freight forwarders? Who are the target’s key suppliers, and where are they located? What are the targets processes for FCPA due diligence and contracting with high-risk third parties?3

FCPA due diligence must be thorough

Pre-acquisition FCPA due diligence for mergers and acquisitions is necessary and should be thorough. U.S. authorities state that the standard of “appropriate due diligence is fact-specific and should vary based on industry, country, size and nature of the transaction, and the method and amount of third-party compensation.”4 While that sounds very official, what this statement does not include is a list of the sources or methods that should be used during FCPA due diligence. It is left up to those involved with the deal to decide how they will conduct the process.

Anti-corruption FCPA due diligence may include activities such as background checks on the target company, key members of management, and third parties (sales agents, distributors, consultants).  If an existing compliance program is in place, it should both be reviewed on paper and evaluated in practice, if possible. Any interactions with, payments to, or other benefits provided to government officials, agencies, or anyone acting on their behalf should be assessed and reviewed. Additionally, any known, suspected, or alleged corruption-related issues will require a thorough investigation.5

FCPA due diligence procedures can be completed with written requests, on-the-ground interviews, management discussions, or forensic accounting research to better understand the control environment. Ideally, basic due diligence should provide enough information to “determine the importance and scope of contractual representations, warranties and other terms; identify areas for pre-closing and post-closing remediation, if possible; define the basic scope of post-acquisition diligence; and inform negotiations related to price and indemnities.”6

In the event any compliance issues are uncovered during FCPA due diligence, the purchasing company does not have to walk away from the deal. Steps can be taken to minimize exposure, including:

  • Issuing instructions to the target’s affected affiliates and employees to cease all illicit payments or other questionable conduct and taking steps to ensure that the conduct has indeed ceased 
  • Requiring the target to disclose the conduct at issue to the DOJ/SEC and to the public 
  • Requiring the target to suspend or terminate the officers and employees implicated in the potentially violative conduct, pending the results of an internal investigation 
  • Implementing a comprehensive FCPA training program (or supplementing an existing training program) for the target company’s employees post-acquisition 

The purchaser must also examine how the issues will be remediated to reduce any risk of liability in the future.  


In the contracting phase of a merger or acquisition, a purchaser should consider certain compliance provisions or clauses to attach to the contract. While such clauses should be meticulous, they do not replace the requirement for thorough FCPA due diligence.

One clause for consideration should address compliance with all applicable anti-corruption laws and regulations, especially FCPA and laws specific to the countries where the transaction is taking place. Another might consider veto rights over key decisions and the right to appoint officers over key business functions, in addition to the right to perform a compliance audit after the deal is completed with ongoing audit rights.

It is imperative to address the requirement to maintain an effective compliance program to monitor future behavior.  If there is discovery of misconduct or corruption identified during FCPA due diligence, there should be provisions allowing for the purchaser to terminate a deal or remove any exceptions for confidentiality clauses so they can self-report their findings to the appropriate government authorities.

In the event of post-closing discovery of significant corruption or other issues, there should also be a clause for exit or put rights for the purchaser. If the company being acquired refuses to terminate a contract, litigation could lead to a significant decrease in the negotiated price.7

If FCPA liability is even a potential issue in a merger or acquisition, it is important for acquiring companies to include representations, warranties, and compensations within their deal documents that should cover the following: 

  • That the target, and any of its owners, employees, affiliates, agents, or representatives have not violated the FCPA 
  • That the target, and any of its owners, employees, affiliates, agents, or representatives will not violate the FCPA 
  • That no foreign government official or relative of a foreign government official has an ownership interest in the target 
  • That the target has received and reviewed a copy of the FCPA and understands its terms 
  • That the target (to the extent it still exists after the merger or acquisition) shall indemnify the acquirer against any liabilities, losses, and expenses, including any civil or criminal fines, that the acquirer may incur as a result of any violations of the FCPA by the target
  • That the acquirer may cancel the merger or acquisition without any penalties should a violation of the FCPA be uncovered prior to the execution of the merger or acquisition8

Pre-close FCPA Due Diligence

If any concerns are discovered during the pre-acquisition or contracting FCPA due diligence phases, a purchaser can take action to remediate these issues. However, if remediation is not possible, an alternative would be to carve out any portion of the acquisition that is found to be tainted by corruption. 

Before a deal closes, ethics and compliance officers must work with the target company to determine certain key factors:

  • Current controls: Are there already ethics and compliance and anti-corruption measures in place? For instance, is there a code of conduct, an anti-corruption policy, a gifts and entertainment process, adequate training, a helpline available for reporting, and established investigations processes?
  • High-risk touchpoints: Does the target have government clients, use intermediaries in pursuit of public sector business, or maintain operations in risky markets?
  • Transaction testing: Has high-level transaction testing identified any significant red flags, such as spending on gifts and entertainment, charitable or political contributions, and sponsorships?
  • Third parties: Which third parties does the target use? Have those relationships gone through due diligence? Does the target have contracts with those third parties? Are there adequate contractual provisions in those contracts, especially as they relate to high-risk third parties?

Integration should be a prime focus when finalizing a merger or acquisition. Senior management will set the tone around ethics and compliance with the newly acquired company’s employees by sharing the company’s resources, highlighting corporate policies and procedures, and expressing their commitment to non-retaliation. Code of conduct and anti-corruption training should be established and assigned to all employees. 

Communication is very important throughout and following the integration process.

The ethics and compliance team should always have a seat at the table during M&A. Any violations discovered during diligence should be disclosed to the DOJ and SEC. Any risks outside of anti-corruption should also be considered pre-close.9 

Post-close FCPA due diligence

It may not be possible to fully address all compliance risks during pre-close due to deal dynamics and limited timelines. However, while it might be easier to complete these procedures during the post-close process, contract provisions will determine whether the seller will have any trailing obligations.10

The US DOJ provided formal guidance in Opinion Procedure Release 14-02 that encourages companies engaging in mergers and acquisitions to ‘implement the acquiring company’s code of conduct and anti-corruption policies as quickly as practicable’ to ‘conduct FCPA and other relevant training for the acquired entity’s directors and employees, as well as third-party agents and partners’ and to ‘conduct an FCPA-specific audit of the acquired entity as quickly as practicable’.11

Acquirers should also consider undertaking a post-acquisition compliance review and/or post-acquisition audit as soon as practicable, depending on the extent of their pre-acquisition FCPA due diligence. Any decision-making regarding the timing of these reviews or audits should be documented.

Immediately taking steps to remediate any compliance issues or wrongdoings discovered in pre-closing or post-closing diligence is perhaps the most important action for an acquiring company to complete. Self-reporting any issues to relevant enforcement agencies warrants careful consideration and should be discussed with counsel.12

Summary FCPA due diligence 

If a purchasing company identifies misconduct during the FCPA due diligence process or through post-acquisition efforts, they can self-disclose the misconduct to the government. With the purchaser showing full cooperation and appropriately remediating the issue, the FCPA corporate enforcement policy can apply the same benefit to the purchasing entity as it would to an individual – “the presumption of a declination with disgorgement of any ill-gotten gains resulting from the misconduct.”  

Conducting thorough FCPA due diligence in every phase of M&A can result in improved compliance programs and internal controls as well as a reduction of the risk for continued bribery at a target company. It also allows for both parties to negotiate who will bear the responsibility of continued investigation or remediation efforts for any issues discovered during the process. Most importantly, due diligence demonstrates (to the DOJ and SEC) a high level of commitment to the discovery and prevention of any future FCPA violations. 

In Part Three, we will walk through a few case studies that effectively demonstrate what can happen when FCPA due diligence is not effective.

How can Oversight help you today? Subscribe and follow along with our Nothing Gets by You Now Blog Series or visit our website to learn more about how our AI platform can help you automate manual processes and empower you to See It All. Spot The Patterns. Steer The Future.

The Foreign Corrupt Practices Act (FCPA), enacted in 1977, generally prohibits the payment of bribes to foreign officials to assist in obtaining or retaining business. The FCPA can apply to prohibited conduct anywhere in the world and extends to publicly traded companies and their officers, directors, employees, stockholders, and agents. Agents can include third-party agents, consultants, distributors, joint-venture partners, and others.

The FCPA also requires issuers to maintain accurate books and records and have a system of internal controls sufficient to, among other things, provide reasonable assurances that transactions are executed, and assets are accessed and accounted for in accordance with management's authorization.

The sanctions for FCPA violations can be significant. The SEC may bring civil enforcement actions against issuers and their officers, directors, employees, stockholders, and agents for violations of the anti-bribery or accounting provisions of the FCPA. Companies and individuals that have committed violations of the FCPA may have to disgorge their ill-gotten gains plus pay prejudgment interest and substantial civil penalties. Companies may also be subject to oversight by an independent consultant.

The SEC and the Department of Justice are jointly responsible for enforcing the FCPA. The SEC's Enforcement Division has created a specialized unit to further enhance its enforcement of the FCPA.1

Part Two of a Four-Part Series

1 https://www.sec.gov/spotlight/foreign-corrupt-practices-act.shtml 


3 https://www.jdsupra.com/legalnews/effective-and-efficient-pre-transaction-4006873/

4 https://www.justice.gov/criminal-fraud/file/1306671/download




8 https://www.foley.com/en/-/media/9afd7bb437124214809843c2a6886d11.ashx






Becky Clay

Senior Product Marketing Manager