Caveat emptor: literally, “let the buyer beware.” It’s as true in modern day M&A transactions as it was in the markets of ancient Rome. In addition to financial and commercial diligence, an M&A buyer routinely undertakes a traditional legal review of its target. But there are a host of sometimes overlooked compliance areas where issues lurk that can add significant risks for acquiring companies—even when the deal otherwise makes great business sense. Compliance with international anti-corruption laws, U.S. immigration requirements, U.S. health care laws, and U.S. trade laws are examples of such areas that buyers ignore at their peril.

Take, for example, the difficulties Mondelēz (formerly known as Kraft Foods) ran into when it bought Cadbury in a stock purchase that closed in 2010. Along with the business, Mondelēz acquired liability for Cadbury’s alleged violations of the books and records provisions of the Foreign Corrupt Practices Act (FCPA) regarding bribes allegedly paid by a third-party consultant for a Cadbury operation in Baddi, India. As a result, Mondelēz ended up paying $13 million in a settlement with the Securities Exchange Commission for compliance errors Mondelēz never detected prior to closing the acquisition.

Conventional wisdom suggests that buyers can avoid a target’s hidden liabilities by structuring the acquisition as an asset, rather than stock, purchase. But caveat emptor; even in an asset purchase, there are situations where the purchaser can end up stuck with responsibility for the compliance failures of the seller. Most obviously, an asset purchaser can acquire liability for compliance failures if it specifically contracts to do so. However, an asset purchaser can also acquire liability under certain state or federal common law doctrines such as the “mere continuation” doctrine, the “substantial continuity” doctrine, or a “de facto” merger. See, e.g., United States ex rel. Bunk v. Government Logistics N.V., 842 F.3d 261 (2016 (federal common law); Kaiser Foundation Health Plan of Mid-Atlantic States v. Clary & Moore, P.C., 123 F.3d 201 (1997) (Virginia law).

The “mere continuation” doctrine holds that a buyer of assets may be the continuation of a seller where after the transfer of assets (a) only one corporation remains and (b) there is an identity of stock, stock holders and directors between the two companies. See U.S. v. Carolina Transformer Co., 978 F.2d 832 (1992).
Similarly, the “substantial continuity” doctrine considers a series of factors to determine whether one corporation is the successor to another, including:

  • Retention of the same name, employees, supervisory personnel, and production facilities in the same location.
  • Production of the same product.
  • Continuity of assets and general business operations.
  • Whether the successor holds itself out as the continuation of the previous enterprise.

Id. Likewise, whether a “de factor merger” arises depends upon the following four factors:

  • There is a continuation of the enterprise of the seller corporation, so that there is a continuity of management, personnel, physical location, assets and general business operations.
  • There is a continuation of shareholders that results from the purchasing corporation paying for the acquired assets with shares of its own stock—the seller’s shareholders ultimately become a constituent part of the purchasing corporation.
  • The seller corporation ceases its ordinary business operations, liquidates, and dissolves as soon as legally and practically possible.
  • The purchasing corporation assumes those liabilities and obligations of the seller ordinarily necessary for the uninterrupted continuation of normal operations of the seller corporation.

Bud Antle, Inc. v. Eastern Foods, Inc., 758 F.2d 1451, 1458 (1985). Along these lines, the federal government has attempted to impose liability on asset purchasers for the pre-acquisition compliance errors of a target. In United States v. Ataka, Inc., 826 F. Supp. 495 (CIT 1993), the Customs and Border Protection (CBP) sought to impose liability for customs penalties on Itochu, the acquirer who bought the stock of a company that had previously acquired Alps Wire Rope Corp. in an asset transaction. While the liability was not specifically assumed by the buyer of the assets, at the summary judgment stage the Court of International Trade found the acquirer could potentially be liable under a “de facto merger” or “mere continuation” theory. The case settled prior to trial without a final adjudication as to whether the acquirer was liable.

Similarly, the Bureau of Industry and Security charged biochemical produce Sigma-Aldrich with hundreds of violations of the Export Administration Regulations based on the activities a predecessor business transacted prior to its acquisition via an asset purchase. An administrative law judge found Sigma-Aldrich liable on a “substantial continuity” theory and the case was eventually settled for $1.76 million.

Even if an acquirer dodges the legal liability for a target’s compliance failures, there can be business risks that come with acquiring the assets of a company with lax compliance. A recent case demonstrates this exposure.

Post Holdings Inc. acquired National Pasteurized Eggs Inc. (NPE) in 2016 for $100 million. Post Holdings Inc. et al v. NPE Seller Rep. LLC et al, 2017-0772, Delaware Chancery Court. According to Post’s complaint against the former officers and security holders of NPE, three NPE executives were aware that some of its employees were not authorized to work under U.S. immigration laws but did not disclose this to Post. Only after the acquisition when Post informed employees they had to run E-Verify to satisfy government contracting requirements did the company learn that more than 60 percent of the employees were not authorized to work in the United States.

Post was not fined or otherwise punished by the government for NPE’s compliance failures. However, Post allegedly suffered multimillion-dollar losses due to having to hire temporary employees, hire and train new employees at higher wages, as well as the resulting delays and lost productivity. Post may have dodged the regulatory fines, but it certainly does not believe it got what it bargained for.

So How Does an Acquiring Company Stay Out of Trouble?

Don’t throw out the acquisition with the bathwater! There are steps companies can take to limit the compliance risk involved in acquiring another company. The first and most important of these is a thorough, tailored pre-acquisition compliance diligence review. Companies should engage counsel well-schooled in each individual area of compliance to assist in performing the due diligence.

M&A compliance counsel will likely provide a list of due diligence requests to the target related to the areas of compliance at issue and tailored to the specific company and its business. Compliance inquiries typically cover three general areas:

1. Policies and programs to prevent and detect violations. For example, counsel will inquire as to any risk assessments performed, compliance policies and procedures, and business ethics policies in place as well as any associated training provided to employees. It also typically will inquire into the availability of compliance reporting, whether reporting can be anonymous, and the number and types of reports received. In addition to flushing out specific areas of concern, these inquiries can give the buyer a good idea as to the strength of the target’s compliance culture.

2. Government actions. While general M&A due diligence will likely inquire into any litigation the target has been involved in, compliance due diligence will focus on government investigations, subpoenas, civil investigative demands (CIDs) or notices of inspection (NOIs), and any resulting enforcement actions, whether civil, criminal, or administrative.

3. Review of area-specific compliance issues. For example, Form I-9 compliance counsel may, depending upon the nature of the business and risk involved, request to review a sampling of the Forms I-9 collected by the target. An anti-corruption review would likely focus on relationships with government officials and third-party agents as well as travel and gifts policies, while in the export area the nature and classification of the company’s products as well as the nationality of its customers would be of key importance. In addition, counsel may also need to review certain types of agreements the target has entered to assess risk there. In the Mondelēz situation described above, a request to review the third-party agent’s agreement and additional inquiries surrounding that agreement may have divulged the risk associated with that relationship.

If Counsel Identifies Risk, How Can It be Mitigated?

There are several steps buyers can take to mitigate identified compliance risk, depending on the magnitude of the potential exposure and the buyer’s appetite for risk. Companies can negotiate representations and warranties, indemnities and holdbacks in the purchase agreement specifically addressing the identified risks. Sometimes it may make more sense to reflect the identified compliance risks in a reduction of the deal price.

Where there is greater risk, and the option is available, the buyer may wish to restructure the transaction to avoid the risk (e.g., by carving out the division of the business where the risk resides, so that it is retained by the seller). Additionally, the buyer could require the seller to self-report the violations and take responsibility for any penalties prior to closing the acquisition. This is likely what happened in 2004 when GE discovered FCPA violations committed by InVision Technologies, Inc., a U.S. company GE sought to acquire. InVision self-reported the violations to the DOJ and SEC and extended the purchase agreement with GE until the violations could be resolved with the federal government.

Recently, Assistant Attorney General Matthew S. Miner offered one more option for buyers that discover FCPA compliance failures in a target during due diligence. Minor suggested the DOJ “would encourage [such companies] to come to the Department for guidance through [the] FCPA Opinion Procedures before moving forward with an acquisition,” and pointed out that no company had taken advantage of this option since 2014. This procedure can assist companies with assessing risk, at least with respect to the FCPA, before buying trouble.

Regardless of the risk level, there are steps companies should take after acquisition that can help mitigate risk. First, companies can perform more in-depth compliance audits post-transaction. Where issues are discovered, quick action in performing internal investigations and self-reporting violations can potentially still earn the company mitigation credit (and sometimes declination letters through which the government agrees not to prosecute) even where issues were not discovered in due diligence.

Additionally, after performing a risk-based assessment, acquirers should either immediately bring the target under its existing compliance policies and procedures or—for companies acquiring targets in industries not familiar to the acquirer—it may be necessary to create new policies. In those cases, it is best to engage compliance counsel knowledgeable in the relevant regulatory areas to assist with creating and implementing such policies. Any such policy implementation should include training for carryover employees.

Areas of compliance such as Form I-9 compliance can raise particular issues. Under U.S. law, acquiring companies may choose to treat the employees of a target as either all carryover employees or all brand-new employees. For carryover employees, the existing Form I-9 is kept and counts as the operative Form I-9 for the employee in the new company. However, if it appears the Forms I-9 are not in good order, an acquirer that treats all employees as new employees can start with a clean slate of Forms I-9 by having all employees complete new Forms I-9 on their first day of work for the new company. This helps ensure a correctly completed and documented Form I-9 is available for every employee after the acquisition and avoids fines.

However, as in Post’s case described above, such a tactic could result in the need to hire numerous employees quickly in order to keep the business running if it turns out the existing employees are unable to document their eligibility to work in the U.S. Companies should consult with their M&A compliance counsel before choosing which path to take.

Your M&A compliance counsel may have additional ideas to mitigate risk once he or she has identified the specific risks the acquisition raises. However, where risk is determined to be very large, some purchasers may decide terminating the transaction is the best course of action. This is not common in our experience, but it does happen. One good example is Fresenius’ aborted acquisition of Akorn, Inc. That acquisition was halted after Fresenius learned a top executive at Akorn knowingly submitted false and fabricated data to the U.S. Food and Drug Administration. In Fresenius’ case, it discovered the violations during due diligence and was able to get out before it assumed liability for such an egregious violation of law.

The key is performing comprehensive compliance due diligence on the front end—before it’s too late.

Annette Ebright counsels clients in criminal and regulatory investigations and compliance, including performing due diligence reviews in a variety of areas that include anti-corruption, AML, export controls, sanctions, Form I-9, and business ethics.