Minimising antitrust whistleblower risk in the M&A context

July 2026  |  SPOTLIGHT | MERGERS & ACQUISITIONS

Financier Worldwide Magazine

July 2026 Issue

The Department of Justice’s (DOJ’s) ‘M&A Safe Harbor’ policy offers companies a potential path to avoid prosecution when misconduct is uncovered during transactions – but its benefits are increasingly difficult to secure.

A rapidly expanding whistleblower landscape – including new financial incentives and broader reporting avenues – heightens the risk that regulators will learn of issues first. In this environment, companies must carefully align diligence, integration and compliance practices to preserve eligibility for Safe Harbor protections.

The DOJ’s M&A Safe Harbor

In October 2023, Lisa Monaco, former US deputy attorney general under the Biden administration, announced a department-wide Safe Harbor policy for voluntary self-disclosures made in the context of M&A transactions.

The policy creates a presumption in favour of declining prosecution of an acquiring company where the company voluntarily self-discloses, fully cooperates, and timely remediates misconduct discovered through M&A due diligence or post-closing integration activities.

To qualify for a criminal declination under the Safe Harbor policy companies must: (i) establish that the misconduct was discovered in connection with a bona fide, arm’s length M&A transaction; (ii) disclose criminal misconduct discovered at the acquired entity within six months from the date of closing (whether it was discovered pre-or post-closing); (iii) fully remediate the misconduct one year from the date of closing; and (iv) provide full cooperation with the DOJ’s investigation.

These deadlines are subject to a reasonableness analysis, taking into account the complexity of the transaction. In addition, absent aggravating factors, the acquired entity itself may be eligible for voluntary self-disclosure benefits, including a potential declination. The policy has since been codified in the Justice Manual and applies across DOJ components.

Most critically, the policy does not apply to misconduct that was otherwise required to be disclosed or already public or known to the DOJ. In other words, any disclosure under the programme of information that has already been reported to the DOJ by a whistleblower will not confer to the disclosing company the full benefits offered under the programme.

At the time of the Safe Harbor’s launch, the whistleblower landscape – which at the time was largely confined to the qui tam provisions of the False Claims Act and the SEC whistleblower programme – posed some risk to companies that whistleblower disclosures that precede their own disclosures under the Safe Harbor programme would render them ineligible for non-prosecution for the disclosed conduct.

Since then, however, the whistleblower ecosystem has changed significantly, with the Trump administration’s active encouragement of whistleblower reporting and the creation of a number of additional DOJ whistleblower programmes and initiatives offering more financial incentives for reporting a wider array of federal offences.

This new ecosystem has created significant additional whistleblower risk for companies in enforcement areas not previously implicated, and companies engaging in M&A activity should give serious consideration to how best to undertake pre-close diligence and post-close integration to best position themselves to qualify for non-prosecution under the Safe Harbor.

In August 2024, the DOJ, under the Biden administration, launched a ‘Corporate Whistleblower Pilot Awards Program’ to fill gaps in existing federal whistleblower programmes. As originally launched, the policy was targeted at individual whistleblowers as opposed to corporate self-disclosure.

To be considered eligible, an individual must report: (i) certain crimes involving financial institutions, from traditional banks to cryptocurrency businesses; (ii) foreign corruption involving misconduct by companies; (iii) domestic corruption involving misconduct by companies; or (iv) healthcare fraud schemes involving private insurance plans.

Under the Trump administration, the DOJ expanded the programme to cover additional enforcement priorities, including customs and trade fraud, sanctions violations, federal procurement fraud, and immigration law violations.

The programme prohibits payments to any individuals who meaningfully participated in the criminal activity they report. Although the presumption is to award whistleblowers 30 percent of the net proceeds forfeited, the DOJ evaluates several factors that may affect the award amount. These factors include culpability, unreasonable delay in reporting, interference with internal reporting systems or whether the whistleblower exercised oversight of the misconduct.

An employee who reports misconduct through a company’s internal compliance system can still report the misconduct to the DOJ, provided that the person submits the information within 120 days of their internal report.

On 8 July 2025, the DOJ’s antitrust division introduced its own version of the monetary whistleblower programme. The programme offers monetary rewards to individuals who report antitrust crimes and related offences.

According to the memorandum of understanding between the three agencies implementing the programme, when an investigation initiated by whistleblower reporting leads to a criminal conviction and a fine of at least $1m – or an equivalent recovery from a deferred prosecution or non-prosecution agreement – the whistleblower is deemed eligible for a monetary award paid out by the US Postal Service.

The amount of the award is subject to the sole discretion of the antitrust division, with a presumption that the total award will be at least 15, and up to 30 percent, of the recovered criminal fine.

Eligible criminal offences include violations of sections 1, 2 and 3 of the Sherman Act, federal criminal violations committed to effectuate, facilitate or conceal violations of the Sherman Act, and federal criminal violations targeting or affecting federal, state or local public procurement and the conduct of federal competition investigations and proceedings.

The whistleblower programme supplements the antitrust division’s longstanding leniency programme, which offers the first in an antitrust conspiracy to disclose the conspiracy to the government with immunity from criminal prosecution for participating in antitrust offences.

On 1 April 2026, the Financial Crimes Enforcement Network published a ‘Notice of Proposed Rulemaking’ to operationalise its own whistleblower programme under the Bank Secrecy Act (BSA). The proposal includes several provisions that mirror the structure of the Criminal Division Pilot Program and Antitrust Division Whistleblower Program.

For instance, whistleblowers who report violations that lead to a successful enforcement action resulting in monetary sanctions exceeding $1m are eligible to claim a reward and may receive awards of up to 30 percent of monetary sanctions. The proposal intends to encourage individuals to report violations of the BSA, International Emergency Economic Powers Act, Trading with the Enemy Act of 1917 and Foreign Narcotics Kingpin Designation Act.

Recommendations

Companies always face the risk of whistleblowers going directly to the government to report what they perceive as violations of law. Those risks, however, are heightened for companies engaged in an M&A transaction, particularly in the context of pre-close diligence and post-close integration.

Pre-closing diligence requires employees to collect for a ‘data room’ operational and financial information, some of which may reveal evidence of illegality, and any internal reporting may not be given its due treatment given management pressure to close the transaction.

Post-closing integration presents a perfect storm of newly revealed operational and financial information obtained through integration efforts with a pool of potentially disaffected employees from the acquired entity who may not trust new management.

When combined with the new breadth of offences covered by, and increased financial incentives offered under, the newest whistleblower programmes, the unique whistleblower risk facing companies engaged in M&A makes it all the more important that companies tailor their compliance programme to the M&A context in a way that permits most effectively the availment of the M&A Safe Harbor’s benefits.

To that end, companies should consider the creation and specialised training of a team within the compliance group that is dedicated to reviewing and overseeing from a compliance perspective the scoping, collection, presentation and review of information in support of both pre-close diligence and post-close integration.

Such oversight need not involve a granular review, but it should focus on the identification of red flags to allow for follow-up investigation. Appropriately tailored artificial intelligence can also assist with this level of oversight, and the specially designated compliance team should be well-versed in its use. Both purchasers and sellers would benefit from this level of compliance focus, as both have an interest in maximising the likelihood of a successful use of the Safe Harbor.

Companies should also emphasise and remind employees involved in the deal process of the importance of internal reporting of misconduct learned during the diligence and integration processes, including misconduct by the counterparty in an M&A deal. It should also remind all involved of the protections in place that protect those employees who report evidence of misconduct, including use of the company’s anonymous hotline and the company’s whistleblower anti-retaliation policy.

Although the Safe Harbor programme allows for disclosure up to six months after close of the transaction, such disclosure will not qualify for the Safe Harbor if a whistleblower has already disclosed to the DOJ. To maximise the likelihood that any company disclosure under the Safe Harbor programme precedes any reporting by a whistleblower, companies should seek to identify any evidence of misconduct as early as possible in these processes.

To the extent the circumstances surrounding a transaction required accelerated, and consequently limited, pre-close diligence, the selling company should take that fact into consideration in crafting the breadth, depth and pace of its post-close integration process.

An acquisition’s aftermath often involves legacy employees who did not receive any severance or other compensation in connection with the transaction, who may believe that their days as an employee at the company are numbered, and who may not trust their new management to address any internally reported misconduct.

These circumstances create the potential for an employee distrustful of new management and lacking any continued loyalty to new management to bypass the company’s internal compliance reporting structure and seek compensation through external reporting to the DOJ under one of the whistleblower programmes.

By retaining some subset of the legacy management and staff from the newly acquired company – through adequate compensation – to play a significant role alongside new management and staff in the post-close integration process, the acquiring company can create an operational environment conducive to internal reporting and minimise the risk of external reporting by unhappy and distrustful employees.

 

Patrick Linehan and Brigida Benitez are partners at Steptoe LLP. Mr Linehan can be contacted on +1 (202) 429 8154 or by email: plinehan@steptoe.com. Ms Benitez can be contacted on +1 (202) 429 3902 or by email: bbenitez@steptoe.com.

© Financier Worldwide

BY

Patrick Linehan and Brigida Benitez

Steptoe LLP

©2001-2026 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.