A View from Abroad: Unpacking DOJ’s M&A Safe Harbor Policy, Part II

15 min read

On October 4, 2023, United States Deputy Attorney General (DAG) Lisa Monaco announced a new Department of Justice (DOJ) Mergers & Acquisitions Safe Harbor policy that encourages companies to self-disclose criminal misconduct discovered by an acquiring company during the acquisition of a target company.  Under the policy, the acquiring party will receive a presumption of criminal declination if it promptly and voluntarily discloses criminal misconduct, cooperates with any ensuing investigation, and engages in appropriate remediation, restitution and disgorgement. While the DOJ has offered little guidance as to what it might expect from a company that self-discloses under the policy, many jurisdictions outside the United States offer corporate self-disclosure and cooperation incentives. This alert analyzes several of those practices in Europe and Asia, and what can be learned from their application.
Part I of our alert examined the Safe Harbor policy and addressed important questions surrounding what it might take for a company to obtain the “carrot” dangled by the DOJ, as well as the “stick” the DOJ might wield if a company’s self-disclosure does not achieve safe harbor. However, the policy offers little guidance, leaving companies to guess what it will take to meet the DOJ’s expectations and whether even commencing a dialogue with the DOJ is a good idea. And of course, the policy offers no guidance about how identified issues will be viewed by regulators outside the US.
In assessing these questions, much can be learned from examining voluntary self-disclosure policies and practices in other jurisdictions where White & Case attorneys practice. While no jurisdiction outside the United States has a mechanism or practice directly comparable to the Safe Harbor policy, most jurisdictions encourage self-disclosure of misconduct pre- or post-acquisition to authorities that could lead to a deferred prosecution agreement (DPA) or a full defense to a substantive charge. Under these circumstances, how self-disclosure works elsewhere is a reasonable metric for measuring whether to seek safe harbor with the DOJ.
Indeed, all such policies bear hallmarks of the US policy, including the expectation of a company’s full cooperation with authorities and the “reasonable” timeframe wherein a disclosure must take place to benefit from any disclosure incentives. A multi-jurisdictional analysis of self-disclosure policies further highlights the importance of thorough diligence prior to an acquisition so a company is best positioned to respond to and defend against inquests from regulators. An examination of the policies additionally cautions that companies take a measured approach when considering disclosure under the Safe Harbor policy, as disclosure in other jurisdictions may not lead to a favorable resolution or declination and instead place a company in unanticipated regulatory crosshairs.  Ultimately, the decision and process of self-disclosure is complex and requires nuanced consideration that companies should undertake, together with their counsel.



Under English law, resolutions of actions brought under the UK Bribery Act 2010 (the Bribery Act) and the UK Proceeds of Crime Act 2002 (POCA), which criminalize corporate bribery and money laundering, emphasize the importance that UK authorities place on corporate voluntary-self disclosure.  

Liability for pre-acquisition bribery by the target

The purchaser of a target that committed historic violations of the Bribery Act, including failure to prevent bribery, does not automatically inherit criminal liability under the Act, as any underlying bribery would not have been committed with the intention of benefitting the purchaser. If, however, a target is convicted of Bribery Act offenses post-acquisition, its purchaser is subject to penalties, including a potentially unlimited fine and debarment from bidding for public contracts, rendering the target a significantly less financially attractive acquisition.

As an alternative to prosecution, English law allows corporates that have committed various economic offenses, including bribery offenses, to enter a DPA, subject to the agreement of the UK Serious Fraud Office (the SFO). DPAs are usually preferable to prosecution for a corporate and can yield discounted penalties—historically as much as 50%—compared to fines imposed upon conviction. Indeed, most of the corporate failure to prevent bribery investigations under the Bribery Act have been resolved with DPAs since the Act’s introduction.  

In deciding whether to enter a DPA rather than pursue prosecution, the SFO considers whether corporate management proactively cooperated with the SFO in self-reporting offending conduct. Further, the extent of the corporate’s cooperation with the SFO’s investigation figures significantly in the SFO’s determination of the applicable penalty discount, and voluntary self-reporting within a “reasonable time” that suspicions of wrongdoing arise has been highlighted by the SFO as a key facet of cooperation. Because the information available to a purchaser during pre-acquisition due diligence would likely not give it a full sense of any offending conduct, this “reasonable time” window seemingly allows a purchaser to initiate its own internal investigation of the target immediately following acquisition to better understand any issues, before deciding whether to facilitate self-reporting by the target. The purchaser must then assess whether self-reporting is the best path forward, and decide, in the circumstances, what constituted “within a reasonable time”—these are complex calls to make, and numerous considerations come into play in making them. The SFO offers no timeframe to qualify, neither six months after closing nor otherwise.

Money laundering considerations

While a purchaser cannot be held liable for historic bribery offenses by the target, in the event that proceeds of crime resulting from that bribery remain within the target, the purchaser (and its directors, officers and employees) could be liable for money laundering under POCA if it acquired, used or possessed those crime proceeds, knowing or suspecting that they represented the benefit of bribery.

A defense to substantive money launder exists in the UK, however, if: (i) a defense against money laundering suspicious activity report (DAML SAR) is made to the UK National Crime Agency (the NCA) requesting consent to acquire, use or possess any such suspected proceeds of crime; and (ii) appropriate consent is given by the NCA before any action is taken.

Further, if the purchaser is a regulated entity in the UK, its officers, directors and employees are obligated (under criminal penalty) to report knowledge or suspicions of money laundering to their Money Laundering Reporting Officer or the NCA, if that knowledge developed in the course of due diligence. If the purchaser wanted to proceed with the acquisition, it would be required to file this “intelligence” SAR along with the DAML SAR seeking to proceed with the acquisition. Given intelligence sharing capabilities between UK enforcement agencies, it is very possible that such a SAR would find its way to the SFO and play a role in instructing the direction of any future prosecution or DPA process.


While there is also no regulation comparable to the Safe Harbor policy in France, French regulators clearly encourage acquiring companies to self-disclose criminal misconduct discovered during the acquisition of a target company. Such disclosure could culminate in a Convention Judiciaire d’Intérêt Public (CJIP), the French equivalent of a DPA, for offenses of bribery, influence peddling, tax fraud, tax fraud laundering and any related offenses. As in the US and UK, achieving a CJIP after disclosure is not guaranteed; rather, it rests at the discretion of the Public Prosecutor, who may instead decide to prosecute the company that self-disclosed.

Under French law, persons and entities can only be held criminally liable for their own conduct (Article 121-1 of the French Penal Code). Consequently, as part of a target acquisition, where the purchaser has not taken part in the misconduct (corruption, money laundering, etc.) committed by the target prior to the transaction, it cannot be criminally liable; only the target remains criminally liable in theory. However, if a purchaser is aware of criminal conduct committed by the target before the transaction, and proceeds of the criminal activity remain within the target, it could be held liable for money laundering or unlawful benefit from such proceeds (“recel”).

Guidance published by the French Anti-Corruption Agency (AFA), which enforces Sapin II, France’s anti-corruption law, recommends that companies engage in anti-corruption due diligence during mergers and acquisitions. Depending on the situation of the target company, AFA’s recommended diligence can be extensive and includes reporting any misconduct discovered through diligence to the Public Prosecutor. However, following AFA’s recommended guidance—including self-disclosure to criminal authorities—does not confer criminal immunity on a company. Rather, according to AFA, it is in the companies’ interest to carry out these procedures to avoid administrative sanctions in the event of an AFA inspection (€1 million for the legal entity, €200,000 for the legal representative in a personal capacity) and to enable companies to take remedial measures, report facts to the Public Prosecutor, and improve the target company’s anti-corruption program.

Further, while self-disclosure to the Public Prosecutor is not required of a purchaser, French law incentivizes such a disclosure “with a view to settling the company’s criminal situation by concluding a deferred prosecution agreement.” Indeed, according to Article 41-1-2 of the French Code of Criminal Proceedings (based on Sapin II), the Public Prosecutor can resolve a matter with a legal entity implicated or under judicial investigation for corruption, influence peddling, tax evasion, money laundering, or for related offenses, via a CJIP. 

Guidance on CJIPs published by the French Financial Prosecutor in January 2023 requires good faith cooperation from a company in order to obtain a CJIP. The guidance further states that a company’s voluntary disclosure to the Public Prosecutor constitutes a guarantee of good faith when it takes place within a reasonable time. This “reasonable time” period is assessed based on the time elapsed between the company’s knowledge of the facts and its disclosure. The guidelines also specify that the prompt adoption of corrective measures to reinforce the quality of the compliance program is a criterion testifying to the company’s good faith. 

A company’s voluntary disclosure of criminal conduct can reduce the amount of the applicable fine by up to half.  The guidelines further specify other minor factors that can reduce the ultimate fine a company will pay, such as internal investigations, active cooperation, corrective measures, unequivocal acknowledgement of the facts, and the prior compensation of victims. However, as with the decision to offer a CJIP in the first instance, the weight and applicability of these factors is at the discretion of the Public Prosecutor, and the company is not entitled to a reduction simply by disclosing misconduct.  


Apart from special subject matters such as tax evasion or violations of foreign trade regulations, there are no formalized leniency programs or self-disclosure schemes under German law. However, a company may still benefit from self-disclosure of misconduct discovered during an M&A to law enforcement. For example, German courts have ruled that a company’s self-disclosure can be factored into the determination of fines a company might pay. In addition, German regulators have discontinued investigation proceedings where a company has self-disclosed misconduct and engaged in remediation and continuous cooperation. 

Even though there are generally no formal programs incentivizing self-disclosure in Germany, an acquiring company in an M&A nonetheless faces legal risk from a target’s non-compliant legacy that could confer liability on the acquiring entity. This is especially true if the misconduct has not been remedied and continues after acquisition. In cases where the M&A is structured in a way of universal succession, the German legislator has enacted a specific provision which makes it possible to impose a fine on the legal successor of a company even if the misconduct has been remedied. In this case, a fine may not exceed the value of the assets taken over or the amount of the appropriate fine that would have been imposed on the legal predecessor.

Regardless of whether a target’s lack of compliance “infects” the acquirer, at a minimum, the target’s non-compliance creates a liability risk for the target company itself that continues after the takeover. Therefore, it is important for the acquirer to identify potential non-compliance during due diligence in order to consider any misconduct in its purchase decision and, if necessary, in negotiations with the seller regarding the purchase price or indemnifications. Most warranty and indemnity insurance policies cover those types of indemnifications.


Under Polish law, there are generally no special benefits for voluntary disclosure of criminal offenses, including for self-disclosure. As an exception, in the case of some specific offenses, disclosure of all the substantive circumstances of an offense can result in lack of punishment. One example is active bribery. A person giving a bribe (a financial or personal benefit) is not subject to punishment (i) if the bribe or its promise has been accepted by a public official, and (ii) the person giving the bribe has reported all the key circumstances of the crime (iii) before the law enforcement authorities have learned about it. The same principle applies when the bribe is offered or given to a company manager in exchange for an abuse of the manager’s powers or for non-performance of their duty (the offense of active managerial corruption).

If, during due diligence preceding in an M&A transaction, the company learns that one of the above offenses has been committed and the target company has benefited, or could have benefited, in any way as a result of the individual’s offenses, the acquiring company should encourage voluntary self-disclosure of the offenses by the individual perpetrators. Under the current Act on Liability of Collective Entities for Acts Prohibited Under Punishment (the Act), corporate criminal liability is only triggered when the court issues a final judgment against an individual committing the offense. Meanwhile, if the individual perpetrator self-discloses before the law enforcement authorities have learned about the offense, no proceedings are initiated against him in the first place. 

Otherwise, the acquiring company might potentially be held liable under the Act if the individual perpetrator is convicted post-transaction. This principle however only applies to transactions where the target company survives, i.e., in case of acquisition. At the same time, there are no specific rules limiting the corporate criminal liability of the new owner for offenses from before the transaction. Also, as noted by Polish scholars, it is unclear how criminal corporate liability is affected in the case of mergers or demergers of companies, as they result in creation of new legal entities.

With respect to fiscal offenses, an entity committing the offense could potentially avoid criminal fiscal liability if they voluntarily disclose their failure to either timely submit their tax return or pay tax due. There are many specific requirements for such voluntary disclosure to be effective. Most importantly, the voluntary disclosure must be made before tax authorities initiate proceedings for the fiscal offense, and it must be made together with fulfilling the outstanding tax obligation.

Voluntary disclosure of fiscal offenses by the target company should also be encouraged, as it allows for avoiding additional penalties for non-payment or overdue tax payment, limiting the obligation to the entire overdue tax and the related interest.   


The only leniency programs in place in Spain are related to anti-trust and cartels. In 2012, following schemes in place in the 1980s and 1990s, the Spanish government approved a “tax amnesty” for individuals and corporates to disclose unreported income or assets for tax years that are within the statute of limitations. While there are no formal polices or mechanisms in place that mitigate the legal consequences of corporate self-disclosure of misconduct in Spain, Spanish authorities have, on many occasions, considered a corporate’s self-disclosure in determining and lowering applicable fines.  

Hence, liability derived from tax, social security, labor contingencies and criminal offenses (which may also involve tax-social security payments) is a topic for discussion in M&A deals and restructurings. If a transaction involves a universal succession (including the purchase of assets), Spanish regulation provides for specific liability provisions that cannot be contractually disapplied. Therefore, vis-à-vis the relevant authorities and employees, the target company, the seller and the purchaser may be joint and severally liable. Moreover, depending on the type of liability, M&A and/or D&O insurance policies frequently contain exclusions, and coverage is very limited or cost prohibitive.

With respect to criminal offenses, the Spanish Criminal Code establishes that the transformation, merger, takeover or spin-off of a legal person does not extinguish its criminal liability, which transfers to the resulting entity or entities. However, the application of this type of successor liability is debated in practice, especially as to whether any extension of liability should apply only in cases of fraud or more broadly. Notwithstanding this debate, there is consensus under Spanish law that an acquiring company must have committed some violation itself to be considered criminally liable for offenses committed by the target (e.g., having ineffective compliance mechanisms or a negligent lack of detection).


None of the APAC jurisdictions where White & Case attorneys practice have a specific rule for self-reporting of criminal misconduct in the context of M&A transactions similar to the DOJ’s M&A Safe Harbor Policy. However, in certain jurisdictions, including China, Hong Kong, India, Singapore (which also has a DPA scheme in place for certain corruption and economic offenses), Vietnam, Japan and Korea, prosecutors and courts may view self-reporting of criminal misconduct as a mitigating factor in charging and sentencing determinations. Further, self-reporting of misconduct can, in practice, lead to similar mitigation. This is true, for example, in Malaysia, where disclosure of internal investigations to the authorities or voluntary-self disclosure of misconduct may factor into law enforcement’s decision to commence proceedings against a corporation. Furthermore, in other jurisdictions, such as Thailand and Indonesia, an individual’s provision of useful, cooperative information can lead to the reduction of criminal penalties and lighter sentences.  

The nature and extent of investigation, remediation and disclosure necessary to derive the benefits available in each of these non-US jurisdictions, as in the US for those seeking “safe harbor” from the DOJ, remains difficult to precisely predict. For cross border M&A transactions, where jurisdiction may arise in two or more countries simultaneously, the complexities are increased. Advice from experienced cross-border M&A, investigations and compliance counsel certainly can assist in navigating these various expectations.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2023 White & Case LLP