Industry executives may be unfamiliar, however, with a less obvious interpretation of the statute that poses a more difficult compliance challenge. This challenge entails payments made to, or benefits provided to, physicians, technicians, or hospital administrators as part of a device or pharmaceutical company’s normal marketing and promotional efforts.
|David W. Simon|
This is more than a theoretical concern. Recent government actions make it clear that medical device and pharmaceutical companies are squarely in the crosshairs of those charged with enforcing the FCPA. Senior Department of Justice (DOJ) officials publicly have stated that the DOJ intends to make FCPA enforcement in the pharmaceutical and medical device industries a top priority.
On November 12, 2009, Assistant U.S. Attorney General Lanny Breuer stated that “one area of criminal enforcement that will be a focus for the Criminal Division in the months and years ahead [is] the application of the Foreign Corrupt Practices Act... to the pharmaceutical industry."1 He further noted that prosecution would not be limited to corporations but also would extend to the “investigation and prosecution of senior executives,” a remark that was echoed during the same conference by Assistant U.S. Attorney General Tony West, Chief of the DOJ’s Civil Division. West noted that he recently had testified before the Senate Judiciary Committee that “[i]n those cases where the facts and law allow us to pursue criminal cases against individuals responsible for illegal conduct, we will do so.”2
|Erin J. Holland|
Furthermore, Charles McKenna, Chief of the U.S. Attorney’s Office for the District of New Jersey Criminal Division, informed attendees at a 2009 meeting of the American Bar Association’s program on medical device and pharmaceutical litigation that FCPA enforcement trailed only terrorism as a DOJ enforcement priority. It is clear, therefore, that both medical device and pharmaceutical companies and individuals working in the industry need to be aware of FCPA issues.3
Although the FCPA was enacted in 1977, the statute has seen unprecedented enforcement activity in the first decade of the 21st century. This enhanced attention has resulted in both repeated record fines (culminating in total FCPA fines exceeding $800 million paid by Siemens) and attention to numerous industries that traditionally had not seen enforcement activity. As discussed below, multiple companies in the pharmaceutical and life sciences area already have been the subject of enforcement activity and have paid large fines, including fines for payments to government-owned hospitals. Because the healthcare industry has been targeted for increased scrutiny and enforcement activity, pharmaceutical and medical device companies and their executives would be wise to enhance their FCPA compliance efforts. For example, in its most recent 10-K, Eli Lilly disclosed that the DOJ and SEC had expanded its FCPA investigation of Lilly’s subsidiaries. Lilly indicated that it had been subpoenaed by the SEC and that both the SEC and DOJ had asked the company to voluntarily provide information related to the activities of subsidiaries in “a number of other countries.”4 These requests follow SEC subpoenas that Lilly previously received regarding an FCPA investigation into activities by Polish subsidiaries of a number of pharmaceutical companies.
FCPA, Antikickback Statute Explained
The FCPA prohibits U.S. companies and citizens, foreign companies listed on a U.S. stock exchange, or any person acting while in the United States, from paying or offering to pay, directly or indirectly, money or anything of value to a foreign official in order to obtain or retain business. These are the statute’s “antibribery provisions.”5 The FCPA also requires “issuers” (i.e., any U.S. or foreign companies with securities traded on a U.S. exchange or otherwise required to file periodic reports with the SEC) to keep books and records that accurately reflect business transactions. These entities also must maintain effective internal controls.6
- In November 2009, John Joseph O’Shea, former General Manager of Swiss ABB Ltd.’s Texas-based subsidiary, was arrested for his alleged role in a conspiracy to violate the FCPA. The DOJ alleges that the ABB subsidiary hired a third-party representative to pay bribes to officials at the Comisión Federal de Electricidad (CFE), a Mexican state-owned electricity company, to secure contracts with the CFE.18
- In December 2009, the SEC charged Bobby Benton, former vice president of western hemisphere operations for Texas-based offshore oil rig operator Pride International, with FCPA violations.19 The SEC alleged that Benton authorized a $10,000 payment to a third-party agent for payment to a Mexican customs official in return for lenient treatment in connection with an inspection of port facilities leased by Pride’s Mexican subsidiary.
- In February 2009, KBR and Halliburton settled allegations by the SEC that KBR subsidiary Kellogg Brown & Root bribed Nigerian government officials to obtain construction contracts. The SEC held Halliburton responsible because it was the parent of KBR, which was a member of a joint venture that allegedly hired the agents who paid bribes to the Nigerian officials.20
FCPA Recordkeeping Requirements
- Provide reasonable assurances that transactions are executed in accordance with management’s authorization.
- Ensure that expenses are recorded as necessary to permit preparation of financial statements and to maintain accountability for assets.
- Limit access to assets except in accord with management’s authorization.
- Make certain that recorded accountability for assets is compared with the existing assets at reasonable intervals and that appropriate action is taken with respect to any differences.21 While the recordkeeping provisions technically apply only to issuers and not to foreign subsidiaries, the enforcement agencies routinely hold parent companies liable for false or fraudulent entries for subsidiaries, especially where there are any books or records that ultimately are consolidated with an issuer’s books and records for financial reporting purposes.
- Difficulty Identifying Foreign Officials. Of great concern to healthcare companies is the difficulty of identifying “foreign officials” for purposes of the FCPA. As well as the obvious officials, such as health ministry and customs officials, foreign officials may include less obvious actors, such as doctors, pharmacists, and lab technicians, because hospitals and other medical facilities in many foreign countries often are partially or completely government-owned or controlled. As Assistant Attorney General Breuer stated, because most healthcare facilities are state-owned, “under certain circumstances and in certain countries, nearly every aspect of the approval, manufacture, import, export, pricing, sale and marketing of a drug product in a foreign country will involve a ‘foreign official’ within the meaning of the FCPA.”23
- Increasing globalization of healthcare. As developing nations increase spending on healthcare, U.S. providers are expanding their operations abroad to meet the increased demand for medical devices, pharmaceuticals, and medical supplies.24 Since many of these nations have a history of corruption, these new business opportunities are accompanied by increased FCPA risks.
- Significant regulation. Medical devices frequently are subject to a high degree of regulation, leading to frequent interaction with government officials. In addition to the marketing and promotion risks discussed above, medical device companies face FCPA risks in connection with the approval of devices, licenses, permits, and the like. This is especially true where companies hire agents or consultants to obtain approvals on their behalf.
- Frequent and large transactions. The sale of medical devices may involve frequent and large transactions, making government approvals and purchases extremely valuable, thereby giving agents and distributors an even greater incentive to use illegal incentives to achieve their goals.
- Competitive sales focus. For many healthcare companies, the competitive nature of their business requires them to persuade providers to use their products or services, raising the difficult question of determining where legitimate persuasion becomes improper inducement. This risk is particularly high in countries where business norms may conflict with the FCPA’s strict requirements.
- Reliance on third parties. Many healthcare companies rely on third-party intermediaries, whether in the form of a joint venture, distributors, agents, consultants, or other facilitators to market their products in foreign countries. Absent sufficient due diligence and controls, intermediaries can heighten FCPA risks. Given the broad scope of the FCPA’s antibribery provisions, a company cannot escape liability by turning a blind eye to a third party’s activities.
Avoiding FCPA Exposure
- Written policies and internal controls. A compliance program should begin with a clearly articulated corporate policy prohibiting violations of the FCPA and other applicable anti-corruption laws. It also should reflect the promulgation of a compliance code, standards, and procedures designed to detect and deter violations of the FCPA and other anticorruption laws, and should otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance.
- Oversight. The board of directors should have overall responsibility for the compliance program and must remain knowledgeable about the content and operation of the program. One or more senior corporate officials within the organization should have day-to-day responsibility for the implementation and oversight of the FCPA policies, standards, and procedures. The person or persons responsible for the day-to-day compliance program must be given adequate resources and authority and periodically report to senior officials within the organization and to the board of directors or to a designated subgroup, such as an audit committee.
- Communication and training. Mechanisms should be designed to ensure that the FCPA’s policies, standards, and procedures are communicated to all directors, officers, employees, and third parties, including through periodic training and periodic written communications regarding FCPA requirements. Each individual should be required to certify annually and in writing that: one, he or she has read, understands, and will comply with the company’s FCPA policies, standards, and procedures; two, has not participated in any unreported or prohibited transactions or activities within the reporting period; and three, knows of no participation in prohibited activity by any other director, officer, employee, or third party.
- Reporting procedures. Companies need to ensure that they have both direct and confidential reporting mechanisms, such as hotlines or special Web sites, for individuals to report suspected criminal conduct or violations of FCPA compliance policies, standards, and procedures. Companies should have procedures that ensure that credible complaints are dealt with in a timely manner.
- Accounting procedures. Companies should integrate their antibribery procedures and internal accounting controls. An effective set of accounting controls is essential to ensure that illegal payments are not made. Companies should incorporate review and approval guidelines designed to detect and deter questionable payments and put in place mechanisms to ensure the accurate tracking of funds and recording of disbursements, including for payments made to agents and consultants.
- Addressing potential violations. The compliance program should include policies, standards, and procedures that allow an organization to respond reasonably to any violations detected, including appropriate investigative procedures and mechanisms. After the completion of any investigation, a final analysis should be made to determine what modifications to the compliance program may be necessary to prevent future similar misconduct.
- Disciplinary procedures. Appropriate disciplinary procedures should be developed and implemented to address, among other things, conduct that violates the FCPA and other applicable anticorruption laws, as well as the failure to take reasonable steps to prevent and detect misconduct by others.
- Due diligence for third parties. Companies need to ensure that the organization’s compliance program includes appropriate vetting and oversight of third parties.25 Before selecting a third party, companies should consider contacting the commercial attaché of the U.S. embassy, conducting background checks using Department of Commerce’s Commercial Service’s private databases, and checking references. After selecting a third party, companies should consider conduct frequent audits of expenditures by agents and consultants, particularly in high-risk countries. Compensation systems for agents and consultants that create potential incentives for corrupt payments to foreign officials, such as success fees, also need to be monitored closely.
- Standardized agreements for third parties. Standard provisions should be included in contracts with third parties that are reasonably calculated to prevent and detect FCPA violations. These provisions may include: one, FCPA representations and undertakings relating to compliance with the FCPA; two, the right to conduct audits of books and records; and three, termination rights if there is any breach of any anticorruption law or a breach of representations and undertakings related to such matters. The provisions must also provide the ability to disclaim and reverse any economic benefit that otherwise would be received based on the actions of the third parties.
- Periodic audits and risk assessments. An effective compliance program should include periodic audits and risk assessments to ensure compliance with, and the successful implementation of, FCPA policies, standards, and procedures.