On January 6, 2017, the Securities and Exchange Commission filed an Administrative Action announcing a settlement with two global agribusiness companies. The Order is brief and short on facts. The facts that it does share leads to a bit of head-scratching, and raises questions about how the SEC penalizes companies for not voluntarily disclosing potential violations of the FCPA.

Essentially, Company 1 failed “to conduct appropriate due diligence on” and “monitor the activities of” an agent that its Indian subsidiary engaged in January 2010. Company 2 bought Company 1 in February 2010, but was precluded from conducting far-reaching anti-corruption due diligence. The Indian subsidiary made approximately $90,000 in payments to the agent from February to October 2010. In October 2010, Company 2 received information questioning the payments to the agent and as the result of an internal investigation terminated the agent and stopped any further payments.

According to the Order, Company 1’s failure “created the risk that funds paid to [the agent] could be used for improper or unauthorized purposes.” Moreover, the subsidiary’s books and records did not accurately and fairly reflect the nature of the agent’s services and Company 1 did not devise and maintain an adequate system of internal accounting controls. Company 2 was tabbed with successor liability.

The Indian subsidiary sought government licenses and approvals necessary for expansion and solicited assistance from an outside agent. Subsidiary representatives met with, negotiated with and recommended hiring the agent, who management approved without further due diligence. In the six months that followed, the agent submitted several invoices purportedly for the preparation and submission of license applications, when in fact those documents were prepared by employees of the Indian subsidiary. In addition, after receiving each payment, the agent withdrew the money from the bank in cash.

When Company 2 acquired Company 1, it conducted “substantial, risk-based, post-acquisition compliance-related due diligence reviews in 24 countries, including India. This post-acquisition due diligence review did not identify the relationship between [the agent and Company 1].” However, the Order further states that “In October 2010, upon commencement of an internal investigation related to [the agent], [Company 2] required [Company 1] to end the relationship with [the agent] and no further payments were made.”

The Order also notes that Company 2 cooperated with the SEC’s investigation and undertook extensive remedial actions.

Sounds pretty good, doesn’t it? Successor company takes over target and conducts serious post-acquisition due diligence as well as responds to what must have been a whistleblower complaint that identified a problem, stopped payment and fired an agent, and took remedial action. Isn’t that appropriate action for a good corporate citizen? Isn’t that what most lawyers would advise a company to do?

Yet the reward for such good corporate behavior was a cease and desist order for both Company 1 and Company 2 as well as a $13 million civil penalty for Company 2. A $13 million penalty for a successor company that inherited a problem it did not create, and for which it tried to conduct due diligence to detect and prevent seems highly unusual.

The Order is especially surprising in light of the government’s FCPA Guidance on successor liability. The Guidance notes that the government has not gone after companies that have voluntarily disclosed the violations, and states that “DOJ and SEC have only taken action against successor companies in limited circumstances, generally in cases involving egregious and sustained violations or where the successor company directly participated in the violations or failed to stop the misconduct from continuing after the acquisition.” From the facts articulated in the Order, this does not appear to be an “egregious and sustained violation,” nor does it appear that Company 2 directly participated in the violation. Most importantly, Company 2 stopped the conduct upon discovery.

The Guidance also states: “Importantly, a successor company’s voluntary disclosure, appropriate due diligence, and implementation of an effective compliance program may also decrease the likelihood of an enforcement action regarding an acquired company’s post-acquisition conduct when pre-acquisition due diligence is not possible.” To quote Meatloaf, two out of three ain’t bad. But under this settlement, apparently missing the voluntary disclosure results in a fairly punitive fine.

When viewed objectively, Company 1 had operations in 60 countries and employed 45,000 people, including 2,100 in India. That’s a huge operation to get your hands around. Company 2 did everything right: “substantial, risk-based, post-acquisition compliance-related due diligence reviews in 24 countries, including India.” It stopped the conduct within 9 months of the takeover and apparently immediately after the conduct was called to its attention.

Thus, it appears the successor company’s only mistake was to not voluntarily disclose this one issue to the government. Given that voluntary disclosure is not required (hence the term voluntary), the $13 million penalty seems extreme.

If additional conduct led to the penalty amount, the SEC did not reference it in the Order – which creates the issue we discuss above. If the SEC is not willing to include all pertinent facts/allegations in the Order, then it serves no explanatory or deterrent purpose. And that makes it difficult for companies to properly read the tea leaves.