FCPA risk in M&A remains while policy shifts, and buyers inherit liabilities if they skip risk-based due diligence or delay remediation.
I’m Angie Reed, and in seven years of compliance analysis, I have seen FCPA risk persist through enforcement cycles. The latest guidance, plus a 180-day pause in early 2025 and refined enforcement rules in June 2025, does not erase risk. It reshapes how a buyer should approach diligence, remediation, and disclosure in an M&A deal. If you’re buying a target with foreign touchpoints, you enter a liability cone you cannot ignore.
The core FCPA framework still matters. The anti-bribery provisions prohibit issuers, domestic concerns, and certain foreign persons from bribing foreign officials to win or keep business. The accounting provisions require accurate books and internal controls. In M&A, the acquirer can incur liability for pre- and post-acquisition misconduct, especially if the target is an issuer subject to accounting rules. That requires robust pre-closing due diligence or a risk-based post-closing review and remediation plan.
The risk is higher in M&A because you inherit the target’s people, contracts, and compliance posture.
Do you have high-risk jurisdictions or government touchpoints in the target’s footprint? Are there third-party agents, distributors, or JV relationships that could hide improper payments? Do you have a credible path to implement your code of conduct, training, and termination of problematic intermediaries (third-party agents or brokers involved in transactions, such as distributors and consultants, that could facilitate improper payments) after closing? These questions drive the due diligence plan. If you find issues, you need a clear remediation and disclosure path because DOJ and SEC seek rapid action, not a slow, after-the-fact fix.
Recent policy updates matter. In February 2025, the White House issued an Executive Order pausing new FCPA investigations for 180 days to reassess enforcement. During that window, the DOJ reviewed enforcement guidance; after that, enforcement matters require explicit presidential authorization. In June 2025, DOJ released updated FCPA enforcement guidelines, signaling a tighter emphasis on prompt investigation, remediation, and, when applicable, voluntary disclosure. The practical effect for M&A: buyers cannot slow-walk issues. If you find a material FCPA exposure pre-close, you must decide whether to disclose, remediate, and integrate quickly, or walk away.
The enforcement landscape shows that when buyers act fast, they can receive declinations or penalty reductions. The DOJ’s M&A policy and post-guideline framework reinforce the value of quick disclosure and remediation.
Real-world outcomes show that during past enforcement cycles, investigations into multinational operations centered on Brazil, China, India, and Mexico, with common threads around third-party intermediaries and government procurement channels. In 2020-2023, several settlements underscored that pre-close due diligence and post-close remediation can influence enforcement posture.
A concrete, well-known case anchors the discussion. Walmart’s acquisition of Flipkart in 2018 represents a real acquirer-target pairing with public FCPA risk implications. Walmart disclosed FCPA investigations related to its subsidiaries in India, Mexico, Brazil, and China. In 2019-2020, Walmart faced scrutiny for potential improper payments tied to those markets. The company resolved these issues with a combined civil and criminal penalty package totaling roughly $282 million. The resolution did not bar Walmart from future transactions, but it set a high bar for how a buyer should handle FCPA risk in e-commerce and tech-heavy platforms tied to emerging markets. The lessons for M&A are clear: diligence must cover third parties, government touchpoints, and cross-border governance, and remediation must be timely and integrated into the post-merger entity.
From a practitioner’s viewpoint, five operational priorities recur in every deal.
- First, risk-based due diligence. Focus on high-risk jurisdictions, government licenses, customs, and procurement processes. Map the target’s third-party network end-to-end, including subagents and distributors. Because FCPA offenses can be predicate offenses for other actions, identify red flags early, not after closing.
- Second, pre-close integration planning. If you detect material issues, develop a remediation roadmap that aligns with your compliance program. This includes updating internal controls, extending your anti-corruption policy to the merged entity, and planning training for key personnel in high-risk areas.
- Third, rapid post-close remediation. If a gap exists, implement corrective actions quickly. This can involve terminating or revalidating agents, enhancing monitoring, and revising compensation structures to remove incentives for improper payments.
- Fourth, disclosure strategy. DOJ guidance on voluntary self-disclosure under the corporate policy and M&A guidance indicates that prompt reporting can yield favorable outcomes, including declinations or manageable penalties.
- Fifth, governance and integration. Align the target’s control environment with the acquirer’s standards. Documentation matters: keep records of diligence steps, remediation actions, and ongoing monitoring plans. In the FCPA space, governance reduces risk and protects deal value.
Now, a practical, deal-centric view. In any M&A process, treat FCPA risk as a live thread from LOI through post-close integration. Early inclusion of FCPA diligence in the data room, live diligence walkthroughs with the target’s GC and compliance officer, and a documented remediation plan as part of the definitive agreement can prevent later disputes. As deals scale and complexity grows, embed a post-closing compliance integration workstream with milestones and owner assignments. This is where most gaps appear: from a lack of sustained attention after signing, not necessarily from a single red flag found in due diligence.
To ground the discussion in numbers and outcomes: the 2025 enforcement updates do not eliminate FCPA risk. They shift the playbook. The Walmart/Flipkart case shows that large, sophisticated multinationals face FCPA exposure in cross-border acquisitions.
The settlement amount and public enforcement record create a cautionary tale for deal teams: governance gaps will not be absorbed by the parent post-close. Instead, design the deal so that risk is documented, controlled, and monitored from day one.
From my perspective, the most important takeaway is this: in M&A, FCPA risk is a live liability, not a hypothetical. Diligence must quantify risk, remediation must be actionable, and disclosure must be ready to execute promptly if needed. If you skip any of these, you lose leverage in negotiations and increase the chance of post-closing penalties and operational disruption.
A few days ago I discussed these points with a partner at a regional deal team. We agreed on a practical framework: (1) treat FCPA due diligence as a deal-defining risk, (2) require binding remediation milestones in the agreement, (3) demand continuous post-close monitoring for at least 12-24 months, and (4) prepare a voluntary disclosure playbook that can be activated immediately if a material issue arises. Kept it simple, kept it real.
Looking ahead, the enforcement landscape will evolve. The pause and new guidelines teach us to act decisively, document thoroughly, and coordinate with DOJ and regulators if issues surface. For practitioners, the enduring lesson is to integrate FCPA risk management into every phase of an M&A process, not treat it as a separate compliance checkbox.
Practical notes for readers:
- Build a standardized FCPA due diligence checklist tailored to target geography, government interfaces, and third-party networks.
- Include a remediation budget and timeline in the deal memo; tie it to post-close governance changes.
- Prepare a voluntary disclosure plan with a clear trigger, scope, and management responsible for disclosure.
- Ensure post-close training and auditing catch issues early, with a defined escalation path.
- Review and refresh the M&A policy to reflect the June 2025 guidelines and align with any new presidential authorization requirements.
If you want more in-depth steps, check the Matactic glossary and sign up for the free M&A course. My apologies if you’re seeking a quick fix; this is about durable risk management, not shortcuts. For more terms and case studies, keep reading, and stay engaged with the latest enforcement developments. Gettin’ jiggy with it isn’t the goal here; it’s establishing the right controls before you close.
Sources:
- https://www.whitehouse.gov/presidential-actions/2025/02/pausing-foreign-corrupt-practices-act-enforcement-to-further-american-economic-and-national-security/
- https://www.debevoise.com/-/media/files/insights/publications/2025/07/fcpa-update-june-2025.pdf
- https://www.strtrade.com/trade-news-resources/str-trade-report/trade-report/december/$60-million-criminal-penalty-for-bribery-of-foreign-officials
- https://levellegal.com/blog/ediscovery/fcpa-enforcement-in-2025-what-companies-need-to-know-after-the-dojs-shift/
- https://www.corporatecomplianceinsights.com/fcpa-enforcement-changing-what-does-it-mean-compliance-programs/
