Inheriting the wind: trends in US criminal enforcement based on successor liability

March 2026  |  SPOTLIGHT | MERGERS & ACQUISITIONS

Financier Worldwide Magazine

March 2026 Issue

Over the last decade, the number and size of M&A – especially acquisitions of start-ups and smaller companies by private equity (PE) firms – have risen significantly as buyers pursue expansion and diversification.

This uptick in M&A activity has also resulted in a flurry of enforcement activity against successor entities. Contributing to this trend in enforcement activity are compressed transaction timelines, dramatically varied diligence scopes by industry and varied willingness among buyers to invest in compliance-related due diligence.

While purchasers typically seek to derisk pre-closing liabilities through contractual mechanisms such as representations and warranties (R&W) and indemnification provisions, those tools do not universally protect an acquirer from enforcement liability post-closing.

Specifically, as a matter of statutory and enforcement law, successor liability doctrines can subject acquiring entities to criminal and civil enforcement liability for pre-acquisition misconduct of an acquired entity, irrespective of contractual risk allocation.

Moreover, the posture of enforcement agencies, particularly the US Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), on successor liability has evolved in recent years and continued changes are expected under the current administration.

This article explores the legal contours of successor liability with different enforcement examples, agency policy in the Biden era, changes in the Trump administration’s approach and practical recommendations for acquirers going forward.

Successor liability law

Generally, under US law an acquiring company does not automatically assume a target’s liabilities merely because an acquisition occurs. In stock acquisitions and statutory mergers, the acquired company continues to exist as the same legal entity, and any pre-acquisition misconduct remains the liability of that entity as the default rule.

Similarly, in asset acquisitions, the default rule under common law is that the buyer does not inherit the seller’s liabilities (rule of non-liability). Successor liability in this context can arise, however, under certain recognised exceptions.

Courts generally impose successor liability in asset transactions if the buyer: (i) expressly or impliedly assumes the liabilities; (ii) effects a de facto merger; (iii) is a mere continuation enterprise; or (iv) engages in a fraudulent transaction designed to evade liability. These exceptions are fact-intensive and focus on continuity of ownership, management, and operations and business activity, rather than formal transaction labels.

In the criminal and regulatory enforcement context, agencies apply these same legal doctrines but with an added focus on post-closing conduct and remedial steps. The DOJ’s Foreign Corrupt Practices Act (FCPA) Opinion Procedure Release (Halliburton, OPR No. 08-02) illustrates the point: in response to a request for guidance on whether the pre-acquisition conduct of an acquired company would subject the acquirer to successor liability, the DOJ said Halliburton’s acquisition would not, by itself, create FCPA liability, but only if the acquirer identified misconduct promptly and engaged with the DOJ, a touchstone for voluntary-disclosure practice.

This principle of successor liability in the absence of voluntary disclosure to the government runs through the spectrum of criminal and civil corporate enforcement statutes, albeit with important variations. Outlined below are some examples in key enforcement regimes.

The FCPA. The ‘DOJ and SEC FCPA Resource Guide’, which appears to have survived rescission despite the current Trump administration’s issuance of ‘Guidelines for Investigations and Enforcement of the FCPA’ in June 2025, explains that successor liability can apply when an acquiring company inherits an acquired entity’s pre-acquisition conduct and fails to remediate or disclose it.

However, the agencies have typically pursued successor liability only in cases involving egregious and sustained violations or where the successor “directly participated in the violations or failed to stop the misconduct from continuing after the acquisition”.

One of the earliest and most frequently cited examples of successor liability in the FCPA context arose from GE’s acquisition of InVision Technologies. Before the acquisition, InVision had engaged in a bribery scheme involving Chinese officials. GE uncovered the misconduct during post-closing integration and voluntarily disclosed it to the DOJ.

The DOJ required InVision to enter into a deferred prosecution agreement (DPA) and imposed a number of compliance obligations. GE itself, however, avoided charges, illustrating that while an acquisition does not extinguish enforcement exposure for pre-acquisition misconduct, the DOJ will distinguish between the culpable entity and an acquiring company that promptly discloses, cooperates and remediates.

The False Claims Act (FCA). In the civil context, the DOJ has applied similar successor liability principles under the FCA. In 2025, for example, the DOJ settled FCA claims brought against Raytheon, RTX and Nightwing Intelligence Solutions – the successor owner of Raytheon’s cyber security and intelligence services business line.

Nightwing acquired the line years after the charged conduct occurred – alleged false certifications of compliance with federal cyber security requirements. As a result, the inclusion of Nightwing in the settlement demonstrates that civil liability may attach to an acquirer where continuity of operations and contractual obligations supports successor liability.

Because the FCA is a civil enforcement statute and not a criminal statute, however, enforcement actions in non-intervened FCA cases will turn less on disclosure and remediation, and instead on the common law of successor liability, which recognises the four exceptions to successor liability outlined above.

Economic sanctions and export controls. US trade and sanctions authorities have long applied successor liability in enforcement actions. In the 2013 Meggitt settlement, for example, the Directorate of Defense Trade Controls held Meggitt-USA liable for International Traffic in Arms Regulations violations committed by subsidiary companies prior to their acquisition, including unauthorised exports of defence articles and technical data.

The Office of Foreign Assets Control (OFAC) has also pursued successor liability in M&A transactions. In 2020, it entered into a settlement agreement with Keysight Technologies Inc as the successor entity to Anite Finland OY. OFAC determined that, prior to its purchase by Keysight, Anite violated the Iranian Transactions and Sanctions Regulations by engaging in the export of goods intended for Iran with export administration regulations-controlled US-origin content. Keysight eventually agreed to pay $473,157 to resolve claims of Anite’s misconduct.

Contractual protections (R&W, indemnities, escrow and insurance) can allocate economic risk between parties. They do not, however, bind enforcement agencies. The DOJ and SEC FCPA Resource Guide, for example, determines the appropriateness of successor liability based on the degree of the acquirer’s due diligence, compliance integration and remediation post-acquisition.

But while it may consider whether to charge a successor entity alongside the pre-acquisition bad actors, enforcement agencies will never refrain from charging the parties that engaged in the bad conduct prior to the transaction – even the legacy company itself that otherwise transferred its liabilities along with the assets in an asset purchase agreement.

In other words, an acquiring company may allocate enforcement risk by contract vis-à-vis the seller, but it cannot eliminate or restrict the government’s ability to impose criminal or civil liability through contractual disclaimers.

Corporate criminal enforcement policy against acquirers

In considering what to expect for the next four years, it is worth first examining successor enforcement under the Biden administration, and comparing that approach to the enforcement activity in year one of the second Trump administration.

Biden administration. During the Biden administration, the DOJ significantly formalised its approach to successor liability through revisions to the corporate enforcement policy (CEP) for the criminal division and the creation of a department-wide M&A Safe Harbor Policy. These initiatives reflected a broader effort to incentivise corporate self-reporting, cooperation and compliance investment.

Under the revised CEP, prosecutors were instructed to consider voluntary self-disclosure, full cooperation and timely remediation in determining whether to bring charges, including in the M&A context. This marked a significant expansion of enforcement incentives beyond the FCPA and into all corporate criminal matters.

The M&A Safe Harbor Policy, announced in 2023 after the CEP’s issuance, not only provided more targeted guidance regarding when successor entities would be held criminally liable for acquired entities’ pre-acquisition conduct, but also offered a safe harbour whereby acquiring companies can affirmatively avoid criminal liability entirely through prompt voluntary disclosure and remediation.

Specifically, acquirers may receive a presumption of declination where they voluntarily disclose misconduct discovered at an acquired entity within 180 days of the acquisition’s closing, cooperate fully, remediate within one year and disgorge ill-gotten gains. The 180-day deadline may be extended based on the complexity of the transaction and the nature of the misconduct. Importantly, the policy does not extend to civil merger enforcement or displace criminal antitrust liability, which remains governed by separate statutory regimes.

The first DOJ resolution that publicly acknowledged application of the M&A Guidance was a declination of charges against White Deer and Unicat announced in June 2025, five months into the second Trump administration. The disclosure that led to the declination occurred during the Biden administration.

There, the DOJ declined to prosecute the PE acquirer after it discovered and self-reported sanctions and export-control violations at the acquired company, fully cooperated and remediated the misconduct – even as the DOJ pursued enforcement actions against the target and culpable individuals.

Trump administration 2.0. The current administration has attempted to reframe corporate criminal enforcement around “focus, fairness and efficiency”, all of which it claimed was lacking under the prior administration. As articulated in the 12 May 2025 Galeotti Memorandum issued by Matthew Galeotti, assistant attorney general, current corporate enforcement policy emphasises prioritising high-impact white-collar threats (including sanctions evasion and cartels), individual accountability and more calibrated corporate resolutions, including shorter and more targeted monitorships.

While the memo does not specifically address successor liability, it signals a shift toward more tailored and restrained corporate enforcement, rather than ending existing doctrines, suggesting that the current administration will, at a minimum, keep the Biden DOJ’s ‘M&A Safe Harbor Guidance’ in place (that guidance has not yet been withdrawn), and perhaps extend an even more forgiving hand where a successor entity took no part in the misconduct and was unaware of it at the time of the acquisition.

For example, the current DOJ may be more flexible in applying the M&A safe harbour when it comes to the timing of disclosure and the speed of remediation. It may also revise the Safe Harbor Guidance’s presumption of declination, to a firm commitment to decline where a company has fulfilled its requirements, and thus align the Guidance with a similar change to the CEP made by the Galleotti Memorandum.

Moreover, although the M&A safe harbour by its terms applies only to the DOJ’s criminal division, the administration may also either formally extend it or apply its principles in practice to the civil division’s approach toward civil FCA enforcement, given the administration’s more aggressive use of the FCA as an enforcement tool in the areas of customs evasion, healthcare fraud and even civil rights violations based on diversity, equity and inclusion practices.

In other words, the mechanisms that allow an acquiring company to mitigate or avoid successor liability remain available, but they will now be filtered through the administration’s broader emphasis on efficiency and individualised outcomes.

In addition to the White Deer/Unicat resolution, which was approved under the current administration, the only resolution remotely implicating successor liability under the current administration was the Comcel/Millicom DPA announced in November 2025. In this resolution, the DOJ tied corporate liability to a subsidiary’s pre-acquisition misconduct, with Millicom’s eventual full ownership and ongoing cooperation factored into the negotiated two-year DPA and significant penalty reduction.

Although not a formal application of the M&A safe harbour, this resolution illustrates how the DOJ may still consider post-acquisition remediation and cooperation as significant mitigating factors in determining corporate liability and penalties.

Recommendations for acquiring companies

Considering the M&A safe harbour’s apparent survival, along with the current administration’s more corporate‑friendly approach to criminal enforcement and its broader pro‑merger posture, companies involved in acquiring and integrating new businesses into their legacy operations should take several key steps.

These include prioritising compliance due diligence tailored to FCPA, sanctions, export control, antitrust and cyber security risks, as well as engaging early with enforcement agencies when issues are identified, as voluntary self‑disclosure and cooperation can materially influence outcomes. It is also important to develop post‑closing integration and remediation plans with clear timelines aligned with the M&A safe harbour criteria, and to ensure that the acquired entity’s compliance programme is adequately resourced, documented and subject to appropriate controls and oversight.

Companies should further consider how transaction structure affects successor‑liability risk. Early and thorough pre‑acquisition due diligence can guide decisions on the scope and duration of the target’s R&W, its covenants, the seller’s indemnification obligations and even the overall transaction price. Although these contractual protections may not ultimately shield a buyer from successor liability vis-à-vis the government, they can offer potential avenues for recoupment after a corporate resolution has been reached.

Finally, companies should evaluate whether to seek the benefits of the M&A Safe Harbor Guidance, even if certain deadlines have passed. While diligence, integration and remediation efforts should be paced with the Guidance’s timelines in mind, it remains possible that current DOJ leadership may still grant declination‑level or other significant credit to an acquiring company otherwise available under the Guidance, where a disclosing company’s efforts fall short of strict deadlines, particularly where the company otherwise meets the criteria for an unqualified declination under the administration’s new Corporate Enforcement Policy.

Successor liability remains an evolving feature of the US enforcement landscape in M&A transactions. While traditional corporate law doctrines continue to govern the formal allocation of liabilities, enforcement agencies increasingly emphasise post-acquisition conduct in determining whether and how successor entities will be held accountable.

The DOJ’s M&A safe harbour and recent enforcement practice reflect a policy equilibrium: acquirers cannot contract out of regulatory exposure, but those that invest meaningfully in compliance and integration retain significant opportunities to mitigate, or even avoid, successor liability altogether.

 

Patrick Linehan and Caitlin Conroy are partners and Luisa Saboya is an associate at Steptoe LLP. Mr Linehan can be contacted on +1 (202) 429 8154 or by email: plinehan@steptoe.com. Ms Conroy can be contacted on +1 (202) 429 8022 or by email: cconroy@steptoe.com. Ms Saboya can be contacted on +1 (212) 378 7647 or by email: lsaboya@steptoe.com.

© Financier Worldwide

BY

Patrick Linehan, Caitlin Conroy and Luisa Saboya

Steptoe LLP

©2001-2026 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.