In light of the SFO Director Nick Ephgrave’s vocal support for implementing whistleblower incentives in the UK, this begs the question, what other US policies might the SFO look to replicate in the UK? One which we explore in this article is the Mergers & Acquisitions Safe Harbor Policy (“M&A Policy”) introduced by the US Department of Justice (“DOJ”).

What is the DOJ’s M&A Policy?

In October 2023, Deputy Attorney General Lisa Monaco announced the implementation of the M&A Policy.1 The M&A Policy aims to encourage the voluntary self-disclosure of criminal misconduct discovered during the acquisition process of a target company (i.e. during due diligence). Under the M&A Policy, there is a presumption that the DOJ will decline prosecution of an acquiring company for criminal misconduct identified in the target, provided that the acquiring company:

  • voluntarily self-discloses the misconduct “in a timely manner” (generally within 180 days of the closing date of the acquisition) regardless of whether the illegal activity was identified pre-acquisition or shortly thereafter;
  • cooperates with any ensuing investigation; and
  • fully remediates the misconduct (generally within one year of the date of closing), including the payment of any disgorgement/forfeiture and/or restitution/victim compensation payments resulting from the misconduct identified.

The M&A Policy applies only to criminal conduct discovered in M&A transactions (undertaken on a bona fide and arms-length basis) that is not already subject to regulatory disclosure requirements or that the authorities are not already aware of. It also does not apply to Sherman Act violations, and therefore does not impact upon antitrust/competition merger-related violations.

The current UK system

Under the Bribery Act 2010 (the “Act”), an acquiring company does not automatically inherit liability and so is unlikely to be held liable for historic or concluded bribery in the target company. However, an acquiring company does remain at risk of prosecution if: (i) it fails to identify and prevent bribery as a result of inadequacies in its due diligence; and (ii) an associated person of the acquiring company continues the bribery post-completion of the acquisition.2

In addition, prosecution of the target company (including its subsidiaries or senior officers) for bribery predating the acquisition, may take place post completion of the transaction. This could potentially expose: (i) the acquiring company to reputational damage; and (ii) the target company (alongside its officers involved at the time) to criminal conviction, a potentially unlimited fine and debarment from bidding for public contracts. There would also be the significant time and costs involved in responding to a prosecution. Failure by the acquiring company to act on the discovery of bribery and make a timely self-report will likely result in potential charges arising on account of a failure to prevent bribery under section 7 of the Act. The nature and extent of the due diligence process undertaken will also be instrumental in the acquiring company’s ability to avail itself of the “adequate procedures defence” under section 7(2) of the Act.

Should the proceeds of crime remain within the target company following its acquisition, the acquiring company (and its directors, officers and employees) may risk incurring liability under the Proceeds of Crime Act 2002 (“POCA”) if it knew or suspected such proceeds to originate from bribery. For example, in the context of a merger, the merged corporate entity may, for instance, be liable for the proceeds of an ongoing revenue-generating contract entered into by the target company as a result of bribery. Businesses in the regulated sector3 are subject to even stricter obligations and are required to file suspicious activity reports to the NCA where they know or have reasonable grounds to know or suspect that money laundering has taken place, if that knowledge stemmed from any due diligence. Failure to do so exposes the relevant person to a maximum of five years’ imprisonment and an unlimited fine under section 334 of POCA.

Under the Economic Crime and Corporate Transparency Act 2023, a new offence of failure to prevent fraud, modelled on the failure to prevent bribery offence under the Act, will also come into force on 1 September 2025 and apply to large organisations across the UK. Therefore, whilst the UK has robust laws in place to prevent bribery, money laundering and now fraud, current laws do not explicitly incentivise acquiring companies to engage in detailed M&A due diligence to identify current and historic criminal misconduct in target entities.

What would be the impact of a UK M&A Policy?

Whilst there are not yet any concrete steps for the UK to implement its own M&A Policy, it is already a live issue for any M&A deals that have US touchpoints, such as payments in US dollars or the involvement of US based assets or persons.

As emphasised by Deputy Attorney General Monaco, the M&A Policy places an “enhanced premiumon timely compliance-related due diligence and integration” and is designed to ensure that “compliance [has] a prominent seat at the deal table if an acquiring company wishes to effectively de-risk a transaction.”4

Arguably, compliance does not yet have a prominent “seat at the deal table” in the UK; current approaches to deal due diligence may not always be broad or detailed enough to uncover sophisticated criminal misconduct in a target company prior to closing. Similarly, operational compliance checks of the target company in the first six months post-closing may not always be sufficiently prioritised by the acquiring company and so fail to reveal any historic or ongoing criminal misconduct.

If the UK does implement an M&A Policy in similar terms to that in the US, we can expect to see a change in focus and approach to compliance due diligence from companies both prior to the acquisition of the target company and in the immediate period thereafter. More specifically, it is likely that acquiring companies may wish to “get under the hood” and undertake robust post-acquisition audits of target companies (and the data provided by the sellers during the M&A process) far sooner than is currently the case.

Concluding thoughts

Whilst many sophisticated companies are already well versed in the importance of compliance due diligence, the imposition of a UK M&A Policy will likely require a reassessment of current due diligence processes so as to ensure that acquiring companies benefit from the clemency offered. In particular, acquiring parties will need to ensure that their approach is sufficiently robust to identify criminal misconduct of all shapes and sizes. If it is not, then companies may not only miss out on the opportunity to avoid liability for past criminal conduct, but if the UK does follow the US approach, they may find themselves subject to increased sanctions for failing to do so, thereby compounding the impact of any compliance due diligence failings.

If you have any questions or concerns regarding the above, or more broadly on the topic of compliance, please contact a member of our expert team listed below, who would be happy discuss further.


  1. https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-announces-new-safe-harbor-policy-voluntary-self. ↩︎
  2. Section 7 of the Act. ↩︎
  3. Schedule 9 of the Proceeds of Crime Act 2002. ↩︎
  4. Ibid at [1]. ↩︎