Giving Regulatory Due Diligence Its Due
September 2, 2021The adage that “no one is perfect” applies as equally to companies as it does to people. Before committing to a merger or acquisition with another company, a potential Buyer must conduct due diligence to identify the imperfections of a target company so the Buyer knows what it is buying. This diligence is particularly critical when the target company is privately held, and thus not subject to scrutiny from public markets. The results of the diligence inform the Buyer as it weighs the benefits, costs, and risks associated with a potential transaction to determine whether, and on what terms, to proceed.
There are standard topics diligence typically covers: financial, employment, environmental, tax, intellectual property, and litigation, among other things. For companies that play in the FDA-regulated space, however, a focused regulatory diligence should be a high priority. Of course a solid understanding of the regulatory compliance status of a target company is necessary for pure business reasons. But the scope of regulatory diligence and its application to post-acquisition activities has broader implications, namely whether the government will hold the Buyer responsible, either criminally, civilly, or administratively, for the regulatory issues it inherited through the acquisition. Thus, identifying risks and appropriately structuring a transaction, while critical, are only part of a strategy to manage regulatory compliance risks. Equally important is the question of what steps a company has taken post-acquisition to address the issues identified during the diligence process.
The US DOJ’s Justice Manual requires prosecutors to consider certain factors in deciding whether to bring criminal charges against a corporate entity, one of which is whether the company maintains a well-designed compliance program. In its June 2020 updated guidance document, “Evaluation of Corporate Compliance Programs,” DOJ makes clear that pre M&A due diligence is a critical aspect of that determination: “A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.” DOJ expects companies to act promptly on information obtained during the diligence process. Specifically, DOJ asks: “What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process?” (emphasis added).
Similarly, in the civil context, the Justice Manual highlights the importance of taking remedial action once it is known. Such remedial actions may include:
- demonstrating a thorough analysis of the cause of the underlying conduct and, where appropriate, remediation to address the root cause;
- implementing or improving an effective compliance program designed to ensure the misconduct or similar problem does not occur again;1
- appropriately disciplining or replacing those identified by the entity as responsible for the misconduct either through direct participation or failure in oversight, as well as those with supervisory authority over the area where the misconduct occurred; and
- any additional steps demonstrating recognition of the seriousness of the entity’s misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks.
In a recent civil False Claims Act case settlement, DOJ relied on the information the company gleaned during diligence to hold a Buyer responsible for the violative conduct: “Specifically, the United States alleges that Ancor, through its due diligence . . . learned about the alleged conduct in Paragraphs E.1 and E.2. . . . . The United States contends that Ancor caused false claims when it allowed the alleged conduct described in Paragraphs E.1 and E.2 to continue . . . . ” (emphasis added).
Last, in considering whether to impose integrity obligations on healthcare companies, the HHS OIG has noted that certain successor owners may avoid such obligations if they can demonstrate, among other conditions, that they “purchased the entity after the fraudulent conduct occurred;” and” took appropriate steps to address the predecessor’s misconduct and reduce the risk of future misconduct.”
Companies considering an acquisition need to be mindful of these and similar government pronouncements as they evaluate the merits of such transactions as part of their regulatory diligence. Should they proceed with the transaction, companies can minimize potential liability by appropriately prioritizing the remediation activities for those uncovered regulatory issues.