Giving regulatory due diligence its due

Anne K Walsh
Hyman, Phelps & McNamara, Washington, DC
awalsh@hpm.com

J P Ellison
Hyman, Phelps & McNamara, Washington, DC
jellison@hpm.com 

The global pandemic slowed day-to-day operations for life sciences companies, but there was little negative impact on the continued desire to invest and grow these companies through corporate transactions. In the United States, at least, 2020 and 2021 presented a consistent stream of mergers and acquisitions within this industry, including (but not exclusively) those companies directly involved in developing products to address the Covid-19 pandemic. Although these activities are good for the economy, there are risks for potential buyers who are evaluating a corporate transaction with an FDA-regulated entity, as this article highlights.

Before committing to a merger or acquisition with another company, a potential buyer must conduct due diligence to identify the imperfections of a target company so the buyer knows what it is buying. This diligence is particularly critical when the target company is privately held, and thus not subject to scrutiny from public markets. The results of the diligence inform the buyer as it weighs the benefits, costs and risks associated with a potential transaction to determine whether, and on what terms, to proceed. 

There are standard topics typically covered by diligence: financial, employment, environmental, tax, intellectual property and litigation, among other things. For companies that play in the FDA-regulated space, however, a focused regulatory diligence should be a high priority. Of course, a solid understanding of the regulatory compliance status of a target company is necessary for pure business reasons, but the scope of regulatory diligence and its application to post-acquisition activities has broader implications, namely whether the government will hold the Buyer responsible, either criminally, civilly or administratively, for the regulatory issues it inherited through the acquisition. Thus, identifying risks and appropriately structuring a transaction, while critical, are only part of a strategy to manage regulatory compliance risks. Equally important is the question of what steps a company has taken post-acquisition to address the issues identified during the diligence process. 

The Justice Manual from the US Department of Justice (DoJ) requires prosecutors to consider certain factors in deciding whether to bring criminal charges against a corporate entity, one of which is whether the company maintains a well-designed compliance programme. In its June 2020 updated guidance document, ‘Evaluation of Corporate Compliance Programs’, the DoJ makes clear that pre-M&A due diligence is a critical aspect of that determination: ‘A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.' The DoJ expects companies to act promptly on information obtained during the diligence process.  Specifically, it asks: 'What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? [emphasis added]’

Similarly, in  the civil context, the Justice Manual highlights the importance of taking remedial action once it is known.^[1] Such remedial actions may include:

• demonstrating a thorough analysis of the cause of the underlying conduct and, where appropriate, remediation to address the root cause;
• implementing or improving an effective compliance programme designed to ensure the misconduct or similar problem does not occur again;1
• appropriately disciplining or replacing those identified by the entity as responsible for the misconduct either through direct participation or failure in oversight, as well as those with supervisory authority over the area where the misconduct occurred; and
• any additional steps demonstrating recognition of the seriousness of the entity’s misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks.

In a recent civil False Claims Act case settlement, the DoJ relied on the information the company gleaned during diligence to hold a buyer responsible for the violative conduct: ‘Specifically, the United States alleges that Ancor, through its due diligence [...] learned about the alleged conduct in Paragraphs E.1 and E.2. [...] The United States contends that Ancor caused false claims when it allowed the alleged conduct described in Paragraphs E.1 and E.2 to continue [emphasis added].’

Last, in considering whether to impose integrity obligations on healthcare companies, the Office of Inspector General for the US Department of Health and Human Services has noted that certain successor owners may avoid such obligations if they can demonstrate, among other conditions, that they 'purchased the entity after the fraudulent conduct occurred’ and ‘took appropriate steps to address the predecessor’s misconduct and reduce the risk of future misconduct’.

Companies considering an acquisition need to be mindful of these and similar government pronouncements as they evaluate the merits of such transactions as part of their regulatory diligence.  Should they proceed with the transaction, companies can minimize potential liability by appropriately prioritising the remediation activities for those uncovered regulatory issues.