FORUM: Managing corruption risks in M&A pre- and post-transaction


Financier Worldwide Magazine

February 2018 Issue

FW moderates a discussion on managing corruption risks in M&A pre- and post-transaction between Rodrigo S. Grion at GE Healthcare, Adrian D. Mebane at The Hershey Company, Frank Vormstein at Siemens AG and Martin J. Weinstein at Willkie Farr & Gallagher LLP.

FW: Could you provide an overview of the most common corruption risks facing M&A dealmakers, both pre- and post-transaction?

Grion: Acquiring a company that has historically engaged in corrupt practices can carry significant reputational, business and legal consequences. The specific areas of concern vary by industry, geography, dealings with governments and the sophistication of the companies involved. While there is a tendency for acquirers to be concerned with bribery issues, corruption is a significantly broader topic and it is advisable to think broadly about all the interrelated risks, regardless of industry. For example, when bribery exists, it is not uncommon for other related problems to be present, such as violations of competition laws, money laundering and employee fraud. As far as pre- versus post-acquisition, the risk areas do not change significantly. What generally changes are the goals for the compliance team. In the pre-acquisition due diligence phase, the focus is on informing the acquirer’s decision-making team about potential corruption risks.

Mebane: The global reach of the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act 2010, as well as similar local anti-corruption regulations, requires a company to undertake certain considerations when seeking to merge with or acquire another entity. In an environment of broad and increasing anti-corruption enforcement, assessment of corruption-related exposure associated with the acquisition or merger is more important than ever. As a result, several factors should be considered prior to and after the transaction, including the target entity’s operating model and locations, the structure of the transaction such as acquiring assets versus a company with assumed liability, the regulatory and legal risks given possible ongoing or past misconduct of the target company, the reputational impacts associated with the transaction and the strategy for how each company’s compliance programme and expectations are maintained post-transaction.

Vormstein: The target’s customer or supplier contracts, which have been concluded as a consequence of, or in connection with, corrupt behaviour or other illegal behaviour of the target, such as anti-trust violations, money laundering or export control violations, are usually the basis for a respective termination right of the target’s contract partners. In the event that such contracts are material for the target’s business, such a termination may negatively affect an M&A transaction’s underlying business plan. In any event, the acquiring company, as the new contract owner, will have to bear the consequences of any contract termination. Furthermore, severe damages claims may be filed against the acquiring company as the liability successor of the acquired target.

Weinstein: One of the most prominent risks facing M&A dealmakers is the use of third parties. By some accounts, more than 80 percent of FPCA prosecutions relate to actions taken by third parties. These include traditional marketing agents, but one of the challenges for M&A professionals is that third-party risks defy easy categorisation or labels. They can include consultants, finders, brokers, joint venture partners, lobbyists, lawyers, vendors, contractors and others. To identify these high-risk relationships, it is essential to obtain an understanding of the way the business operates, how business is generated, and where its government touchpoints are. Another common risk area is customs and immigration. Moving goods and people around the world, and needing to do so expeditiously, creates many government touchpoints and opportunities for corruption. Likewise, tax can be a high-risk area for companies that have to deal with tax authorities around the world.

Deals have been broken and billions of dollars of market capitalisation lost as a result of latent corruption issues that were not discovered in due diligence.
— Martin J. Weinstein

FW: In your opinion, how important is it for acquirers to integrate corruption checks and controls into their M&A decisions from the outset of a transaction? What are the potential consequences of inadequate due diligence and undiscovered violations?

Mebane: Anti-corruption due diligence is not unfamiliar to US companies considering acquiring entities abroad. But, companies operating outside of the US considering acquisitions may still be adapting to the requirements of newly established local anti-corruption legislation that affects the scope of a company’s due diligence efforts. Regardless, it is important for acquirers to consider corruption checks and controls in their M&A decisions. If adequate considerations are not made, there could be an impact on the overall success of the transaction itself and exposure for the acquiring company after the transaction closes. Potential consequences of not thoroughly assessing corruption-related risks during due diligence include inheriting misconduct leveraged to obtain business by the target company, which may include improper engagement and compensation of third parties, inappropriate gifts, entertainment and hospitality practices and a propensity to make facilitating or improper payments to expedite routine procedures with various government entities.

Vormstein: The integration of comprehensive compliance due diligence as a mandatory part of M&A projects is important for every company dealing with M&A transactions on a regular basis. The company’s successor liability under the FCPA and the Bribery Act is maybe one of the most underestimated liability risks of companies when acquiring another company or even another group of companies. In fact, an acquiring company may be fully liable for the corrupt practices of a target, if comprehensive compliance due diligence has not been conducted during the M&A project phase, or if it has been completed in an insufficient manner and thus as a consequence the acquiring company can be accused of ‘wilful blindness’ with regard to corrupt practices of the acquired target. Potential successor liability risk may be even higher and more likely in M&A transactions in which the target of an acquisition, or one of its subsidiaries, is based in so-called ‘high-risk-countries’ in terms of corruption.

Weinstein: For any transaction that involves an entity with international sales or business operations, it is critical that acquirers include anti-corruption compliance in due diligence and decision-making processes from the outset. A failure to do so can leave an acquirer, and its senior managers, vulnerable to potential criminal and civil liability under the FCPA or other anti-corruption laws. Prosecutors and regulators expect responsible companies to undertake this kind of diligence, and proceeding with a transaction without it may be viewed as a control failure or even, under some circumstances, as ‘wilful blindness’ should ongoing corruption later be discovered, an essential element of an FCPA charge. Beyond these legal risks, corrupt practices by a target entity can materially affect valuation and deal structure. Deals have been broken and billions of dollars of market capitalisation lost as a result of latent corruption issues that were not discovered in due diligence. Both legal and business risks make appropriate attention to anti-corruption compliance an imperative.

Grion: It is critical for acquirers to integrate corruption checks and controls. There are significant consequences for inadequate due diligence. First, there is successor liability. The acquirer may be liable for any improper conduct that has occurred prior to the acquisition. This may lead to significant costs associated with government enforcement actions, including significant reputational damage, sometimes years into the future. Second, if the acquired company was engaged in large-scale improper activity, it is possible that those activities would be a key driver of profitability or competitive advantage. If these unlawful activities are detected and stopped post-acquisition, the acquired company might experience a significant decline in performance that was not anticipated in the purchase price. Finally, poorly conducted due diligence is unlikely to get any sympathy from regulators, if issues are identified after the transaction closes.

FW: How should a company approach pre-transaction due diligence to tackle corruption risk? What are some of the challenges a potential acquirer might face during this process?

Vormstein: Comprehensive compliance due diligence should at least consist, firstly, of general internet research and additional researches with special compliance tools with regard to the target, its shareholders and key employees in order to discover known compliance issues. Second, there must also be a comprehensive review and legal analysis of the compliance-relevant information provided by the target in a data room. Third, there must be a Q&A process during which a list of all potentially relevant compliance questions related to the target or the seller is answered. Fourth, there must be an in-person expert-session, in which the compliance experts of the buyer are able to address any questions or potential areas of concern to the management of the target or seller and the employees responsible for compliance in the target, such as the compliance officer or the general counsel of the target.

Weinstein: The first step in pre-transaction due diligence is to undertake an objective and thoughtful risk assessment of the target. Businesses can have radically different exposures to corruption risk. Geographic reach, industry, private or government customers, regulatory environment and methods of getting goods or services to market all impact a target company’s corruption risk. Some of this information can be obtained from publicly available sources, but some will need to come from direct requests to the target company. Typically these requests will start broad but will quickly focus on the most material risks presented. Document requests and conversations with target company management are the most common ways to gather information to assess corruption risk, but in very high risk matters more detailed procedures may be warranted. The challenge in this area, as in many areas of M&A due diligence, can lie in the willingness of the target company to share sensitive business and legal information with the acquirer. Another challenge can be what to do if an acquirer finds evidence or indications of improper payments during due diligence. If improper conduct is ongoing, an acquirer will need to understand the root causes and scope of any misconduct, the potential legal and commercial ramifications and have a plan to remediate.

Grion: The challenges vary greatly, but what is generally consistent is that timelines are very compressed, access to information is imperfect and corruption issues are almost always difficult to identify. To deal with these challenges, due diligence teams must be rigorous and ensure that critical areas are not missed, but are also flexible enough to understand the nuances of each transaction. Contractual clauses can also be negotiated between the parties to allow for more time and leverage, which, in turn, can alleviate some of these constraints. As far as the actual diligence, it is critical for the teams conducting the assessment to have deep industry expertise to ‘ask the right questions’, prioritise what needs to be reviewed and not take answers at face-value. The forensics teams, in turn, should pressure-test the company’s controls, based on these initial questions and assumptions. The teams should leverage both internal and external data sources to triangulate information. Ultimately, it might not be possible to detect every issue that exists given various constraints, but the outcome of this process should be a reliable assessment that enables the acquirer to make an informed purchase decision.

Mebane: Companies should undertake a risk-based approach to anti-corruption due diligence that is initiated early in the process. Focusing on areas with the most regulatory exposure will offer an effective method to managing the cost of the process and a platform to begin to efficiently remediate matters that are most concerning. A company must consider existing levels of perceived corruption in the areas in which the target company operates, the current enforcement landscape, operating models, and the level at which government and state-owned entities are engaged as customers or key business partners. Assessing a target company’s viewpoint on compliance is equally important and can be achieved by reviewing ethics-related training records and content, types of third parties engaged and how they are evaluated and incentivised, hotline and internal investigation data, and ‘tone at the top’ by management. Possible challenges a potential acquirer may face during the due diligence process often arise because of findings uncovered during the risk assessment process. The acquirer may need to quickly pivot its due diligence priorities and undertake more robust efforts, such as an email review, targeted books and records reviews and employee interviews to better understand the actual impact possible compliance risks may have to the deal because of the concerns identified.

A company must consider existing levels of perceived corruption in the areas in which the target company operates.
— Adrian D. Mebane

FW: When assessing a target’s compliance programme, what do you view as the most significant red flags when analysing accounting and sales practices, business model, business associates, and so on?

Weinstein: Red flags come in many shapes and sizes, but there are some that we see frequently and usually signal trouble. A business model that relies exclusively or heavily on third-party sales agents in high risk jurisdictions. A decentralised organisational structure in which in-country managers are ‘kings’ without independent reporting channels for control functions such as legal, finance and internal audit. A lack of basic accounting and financial controls. An exclusive focus on sales results without any balancing messages from senior management relating to business ethics and accountability. Many of these red flags signal not only corruption risk but also risks relating to fraud, embezzlement, money laundering and other areas of potential criminal and civil liability.

Grion: There are the obvious red flags with business courtesies, government official entertainment and retaining third parties without proper vetting. But red flags are usually more nuanced. At a macro level, it is important to understand the target’s business model and the source of its competitiveness. Sales growth, market share or profitability significantly above industry standards need to be explored further to rule out corruption issues. The same applies to unusually complex commercial and distribution models that involve several intermediaries or marketing budgets that are significantly higher than one would expect. As far as the compliance culture, the acquired company’s commitment to an effective programme is critical. If the acquired company’s leadership team cannot articulate the key corruption risks in their industry or demonstrate what they are doing to mitigate these risks, it should be reason to pause. Similarly, a company with very few hotline complaints, with complaints that are not fully investigated or with known issues that are not promptly remediated, may be particularly at risk of corruption. Finally, corruption generally involves money transfers, so weak disbursement controls are generally a red flag.

Mebane: Examples of red flags identified during an analysis of the target company’s books and records, and operating model might include large or unexplained transactions with limited or no supporting documentation, the payment of third parties in cash or through an intermediary, evidence of lavish gifts, entertainment and hospitalities provided to third parties and expense claims that do not follow financial best practices or compliance policies in place at the target company. Additional red flags may be the use of agents or independent consultants without an agreement memorialising the scope of the engagement, ‘success fees’ offered to third parties absent a process to validate the appropriateness and legitimacy of the work performed, a poor business reputation that includes reports of unethical conduct by employees and third parties, and inadequate or no compliance programme or policies in place to address potential corruption exposure in higher risk markets. Lastly, a target company’s misrepresentation of information or failure to cooperate during the due diligence process should signal to the acquirer that a serious review of whether it should proceed with the transaction is necessary.

Vormstein: The first question really is whether the target has a comprehensive and effective compliance programme in place. Many target companies have compliance policies and some kind of a ‘code of conduct’ in place. But the decisive questions are: has the target company really implemented those compliance processes into its daily business? Is the compliance function an integral part of the daily business decisions or is the compliance officer just asked from time to time when compliance issues actually arise and otherwise is not involved in the daily business transactions at all? Is the compliance organisation sufficiently staffed in order to ensure compliant behaviour within the company and to be able to advise colleagues in the daily business respectively?

There are many compliance programmes which are quite detailed on paper. However, the most important question is how the compliance programme is actually implemented in the daily business of the company.
— Frank Vormstein

FW: In the event that pre-merger due diligence reveals problems that have the scope to derail or delay the deal, what options might be available to a potential acquirer?

Grion: If the issues are significant enough, consideration should be given to not going forward with the transaction. With that said, there are other options that can reduce risk to varying degrees, although none can fully eliminate it. For example, certain enforcement agencies have demonstrated willingness to negotiate resolutions with acquirers and target companies that disclose issues identified during due diligence, and agree to promptly and comprehensively remediate these issues during or immediately after acquisition. Deal structuring is another alternative that can reduce, but not eliminate, risks. If concerns are confined to a specific division or geography, an acquirer may be selective in what it chooses to acquire.

Mebane: Comprehensive due diligence efforts may not be able to remediate bribery concerns pre- or post-closing. In the same light, a potential bribery concern does not have to automatically end the deal. In situations where the acquirer still wants to consider the acquisition after concerning information is identified, it is important to appropriately assign financial risk to the target company and include bribery-related indemnifications and warranties in the final deal documentation. These warranties are often not subject to the same time restrictions and monetary thresholds as standard warranties considered during the M&A transaction. Additional steps include initiating an internal investigation to understand the conduct at issue and instructing the target company’s employees and business partners to promptly end all improper conduct, while undertaking efforts to confirm that behaviour has ceased. Depending upon the severity of the conduct, the acquirer may require the target company to terminate employees involved in the possible misconduct and implement a comprehensive anti-corruption compliance programme for employees and business partners post-closing. Often, and depending on the circumstances, regulators look favourably at acquirers that impose rigorous mitigating efforts for a target company when it uncovers concerning behaviour or transactions.

Vormstein: One option can be to simply exclude the respective ‘tainted’ asset, employee or contract from the M&A transaction. In the case of an asset deal, this is quite simple because the assets to be transferred via the asset purchase agreement have to be listed exhaustively anyway. In a share deal or merger, the respective asset needs to be excluded from the legal entity to be transferred before the deal becomes legally effective. Usually the respective assets are carved out in order to ‘clean up’ the respective entity before the share deal is closed. Other options are the implementation of seller warranties or indemnities granted in the respective purchase agreement in order to mitigate at least the economic and financial risks of potential or actually identified compliance issues within the target. A third option, especially in more complex scenarios, can be to implement a concept into the purchase agreement by which the transfer of assets, employees or contracts is subject to a prior compliance check of the asset, employee or contract in question.

Weinstein: If a potential acquirer finds a significant problem, that does not necessarily mean the deal is doomed. First, it is important to understand if the problem and its causes are in the past or if they are or may be ongoing. Both circumstances present risks, but the latter is more serious. If misconduct is limited to certain segments of the business, for example business line, division or country, it may be possible to carve the infected business operations out of the transaction. Alternatively, the price of the deal can be adjusted to account for the risk of potential fines and penalties in the future. Another tack is for the acquirer to condition the transaction on the target company reporting the issues to relevant regulatory authorities and reaching a resolution of any potential charges with those authorities. Although this can delay a transaction, it has the benefit of ‘cleansing’ the target and placing the liability for past misconduct where it belongs: on the target company before the transaction is completed.

FW: For companies using M&A to expand their international footprint, what guidance would you offer on the post-deal modifications they may need to make to a target company’s existing compliance programme? What factors can help achieve successful integration in this respect?

Mebane: Post-closing, the acquirer should consider devoting additional compliance resources to ensure compliance policies, processes and expectations are integrated successfully with those of the target company. These efforts should be structured to meet the realities of the target’s operating model and commercial priorities to help to ensure that mitigating activity is designed in a manner that responds to the target company’s risk profile.

Vormstein: The implementation of a comprehensive compliance programme is key for companies with an international footprint. There are many compliance programmes which are quite detailed on paper. However, the most important question is how the compliance programme is actually implemented in the daily business of the company. Furthermore, a comprehensive compliance integration process should be in place in order to ensure the successful integration of the acquired business, from a compliance perspective. One option is to implement the compliance programme of the buyer within the acquired company as well, especially if there has been no compliance programme, or at least if no sufficient compliance programme is in place within the acquired company before. Another option can be to only adopt the existing compliance programme of the target company to the extent necessary. This is particularly important when a more or less effective compliance programme, although different from the one in place within the acquiring company, has been in place within the acquired company before.

Weinstein: Post-acquisition integration is critical to mitigating risks in international M&A transactions. An acquiring company should have a plan before the transaction is consummated as to how it will integrate the target company into its compliance programme. This includes policies and procedures, employee training and third-party due diligence and contracts. Many companies utilise multi-functional teams to integrate newly acquired businesses – legal and compliance need to be a part of the integration team. Also, depending on the scope of pre-transaction due diligence, post-transaction internal audits can help ensure the integration efforts address all necessary areas.

Grion: Regulators have an expectation of ‘day one’ compliance and there can be significant consequences if corrupt activities continue post acquisition. Therefore, the first guideline is to act promptly, and if possible complement the pre-acquisition assessment with a more comprehensive audit or compliance review. Any material issues identified should be promptly remediated. Given that acquired companies can be smaller, less sophisticated and less accustomed to operating under a highly-regulated environment, a well thought-out compliance integration plan must include change management considerations. Preferably, the acquired company’s new leadership team, with close assistance from the compliance team, should lead the execution to ensure proper buy-in, resourcing and prioritisation and should be measured against specific milestones and timelines. Finally, the integration plan needs to be practical and risk based, so not to overwhelm the acquired company and to ensure adoption.

Corruption generally involves money transfers, so weak disbursement controls are generally a red flag.
— Rodrigo S. Grion

FW: Do you expect corruption risks to become an increasingly important aspect of M&A transactions going forward? Do acquirers need to divert more attention and resources to managing this risk?

Vormstein: The international business world is getting more complex, and the pressure of cost efficiency and remaining competitive, while maintaining or even bettering the quality of the products, is rising every year. Thus, a number of consolidations of companies or group of companies have occurred in recent years. Such consolidations, for example by way of a takeover, merger or formation of new joint ventures, are one way with which to deal with the challenges of the current and future modern business world. However, in such scenarios it is of the utmost importance that companies actually know what kind of compliance issues have to be dealt with during an M&A transaction. Otherwise the risk of a successor liability and not foreseeable reputational risks may be the consequence of an M&A transaction without conducting sufficient compliance due diligence, which may not only make the whole M&A transaction unprofitable but could even, in a worst-case scenario, become a question of economic survival for the respective companies.

Weinstein: As businesses become more global, and more countries enact and enforce transnational bribery laws, corruption risks inevitably become an increasingly important risk to attend to in any M&A transaction. Fines for violating anti-bribery laws frequently run into the hundreds of millions of dollars and investigation costs, shareholder lawsuits and debarment can increase the real cost of a corruption problem by orders of magnitude. Companies are well served to understand and manage these risks on the front end. Companies and executives that have had the misfortune to go through a corruption investigation can attest to the axiom that an ounce of prevention is worth a pound of cure.

Grion: For larger and more sophisticated companies, corruption due diligence has been on the radar for quite a long time, and these companies are generally resourced to handle the challenges. For smaller companies which are trying to expand overseas, there is growing recognition of the risks and resource needs, and more frequently than not, these companies need to rely on external advisers to conduct the work. Regardless of company size, one trend that is driving the need for additional resources is the growing number of countries enacting and evolving their own anti-corruption frameworks. While previously acquirers had to consider the frameworks of one or two regulators, they now must think more broadly on how to engage with enforcement agencies on a country-by-country basis. And in many cases, there is not a lot of history or precedent on how to engage with these new agencies, which inevitably drives complexity and risk.

Mebane: Managing corruption risks through M&A transactions will remain an important aspect going forward. Due diligence should be viewed by an acquiring company as the first step in a more in-depth evaluation of potential compliance risks associated with a target company. There has been an increase in enforcement activity by US and international regulators making an effective anti-corruption compliance assessment and programme even more important for acquirers. Furthermore, regulators continue to underscore the importance of a thorough, risk-based anti-corruption due diligence process to identify risks in M&A transactions. Regulators also stress the significance of ensuring the acquirer’s compliance function has a role in the risk assessment and integration processes. For US-based acquirers specifically, the DOJ and the Securities and Exchange Commission are becoming more transparent in what they consider an effective compliance programme, a component of which is appropriate due diligence for these M&A transactions, through recent policy and process announcements. Thus, US acquirers should prioritise deploying appropriate resources to support any due diligence efforts undertaken to evaluate a target company.


Rodrigo S. Grion is currently the executive compliance director at General Electric’s healthcare division. In his current capacity, he oversees the company’s overall compliance programme across the US, Canada and Latin America regions. Prior to this role, Mr Grion held several senior leadership roles at various General Electric divisions where he led multi-year initiatives to design, implement, simplify and enhance anti-corruption and compliance programmes around the globe. He can be contacted on +1 (414) 378 8789 or by email

Dr Frank Vormstein is an in-house corporate lawyer who specialises in compliance legal advice in connection with international M&A transactions. His current position is head of compliance legal M&A within Siemens AG. Over the years he has advised on a wide range of compliance-related issues in a number of major international M&A transactions of Siemens. Prior to his current position at Siemens, for several years he was the senior legal counsel in the legal M&A department of Siemens AG. Over 10 years ago he started his career as attorney-at-law in the corporate/M&A department of Latham & Watkins LLP. He can be contacted on +49 89 636 29280 or by email

Adrian Mebane is vice president and deputy general counsel for The Hershey Company. He is responsible for addressing high-impact risks in the global ethics and compliance, regulatory, commercial, strategy and growth, and intellectual property practice areas. A trusted adviser to executive leadership, senior management, the audit and finance & risk management committees, and the board of directors, he also supports the SVP, general counsel with overall management and direction of the company’s law department. He can be contacted on +1 (717) 534 7673 or by email

Martin J. Weinstein is a partner in the litigation department and is chair of the compliance and enforcement practice group. For two decades, he has represented corporations, organisations and individuals in a wide variety of sensitive matters ranging from bribery, fraud, whistleblower and corruption matters worldwide to Congressional inquiries into campaign contributions, as well as conducting investigations on behalf of the Commissioner of Major League Baseball. He can be contacted on +1 (202) 303 1122 or by email:

© Financier Worldwide

©2001-2019 Financier Worldwide Ltd. All rights reserved.