This post first appeared on Risk Management Magazine. Read the original article.
The U.S. Foreign Corrupt Practices Act (FCPA) is the primary U.S. law that prohibits companies and individuals from making or offering bribes to foreign officials. The law was enacted in 1977 and is administered by the U.S. Department of Justice (DOJ) and, in the case of companies with securities registered in the United States, the U.S. Securities and Exchange Commission (SEC).
In recent years, enforcement volumes and penalties have risen exponentially. Numerous companies, including many in the health care space, have paid millions and even hundreds of millions of dollars to settle FCPA matters.
Given the health care regulatory landscape, which leads to regular interaction between companies and government officials, there is ample opportunity for corruption. It is thus essential that health care companies understand and take steps to protect against those risks.
Previous Enforcement
On its face, the FCPA is quite simple: It prohibits paying, offering, promising or authorizing payment of money, a gift, or anything of value to a non-U.S. government official to obtain a business advantage. Yet in its broad interpretation of the law, the U.S. government has extended the FCPA to cover a wide range of conduct.
For example, in January 2017, Zimmer Biomet Holdings, a medical device manufacturer, entered into a deferred prosecution agreement (DPA) with the DOJ to resolve allegations that the company had made payments through third-party representatives to government officials in Brazil and Mexico. Under the DPA, Zimmer agreed to pay $17.4 million to the DOJ and to retain an independent compliance monitor for a period of three years. Zimmer also settled with the SEC for $13 million in penalties and disgorgement. This 2017 resolution was in addition to a March 2012 resolution in which the company’s corporate predecessor, Biomet Inc., settled with the SEC and entered into a three-year DPA with the DOJ over alleged bribery of health care professionals (HCPs) at state-run hospitals throughout Latin America.
In Brazil, according to the government, Zimmer made improper payments to the HCPs in exchange for those HCPs procuring and using Zimmer’s products. The DOJ asserted that the HCPs were government officials because they worked for hospitals in Brazil that are government instrumentalities. Payments to these HCPs in order to obtain business were therefore prohibited under the FCPA.
In Mexico, payments were made by Zimmer’s customs broker to Mexican customs officials to facilitate the import of the company’s products. According to the DOJ, the payments were made because of difficulties Zimmer encountered when trying to import its heavily regulated products into Mexico. The DOJ emphasized that Zimmer’s import difficulties arose in connection with Mexican legal requirements around labeling and product registration. The settlement documents also noted that the company’s alleged failure to implement due diligence procedures and accounting controls led to use of the customs brokers at issue.
As this case demonstrates, the definition of foreign official is broadly defined under the FCPA. The matter also illustrates how broadly defined a business advantage is. In Mexico, the payments made by Zimmer’s customs broker were to address challenges navigating the Mexican customs process, not to win a contract from the Mexican government. The DOJ took the position that payments to circumvent Mexican import requirements resulted in an unfair business advantage for Zimmer.
Perhaps most notably, and as is the case in the vast majority of FCPA resolutions, the problematic conduct involved third-party representatives acting on behalf of the company. Over 90% of FCPA enforcement actions involve third parties and approximately 75% of improper payments are made through third-party intermediaries. Nearly any company operating internationally has at least some third-party representative acting on its behalf in certain jurisdictions, whether as a sales agent, customs broker, distributor, lawyer, consultant and/or other representative. These local operatives often are not as familiar with, or as committed to, the compliance requirements enshrined in the FCPA and similar laws. Simply put, third parties are almost always a significant compliance hazard.
Likewise, in March 2019, Fresenius Medical Care AG & Co. agreed to pay $231 million dollars to resolve FCPA investigations by the DOJ and SEC. According to the government, between 2007 and 2016, the company allegedly made improper payments to government officials, including HCPs employed by state-owned enterprises, in more than ten countries. The company allegedly used schemes such as sham contracts for services never rendered, cashing checks made out to employees to obtain cash for bribe payments, and falsifying invoices and other documents.
Notably, and despite making a voluntary disclosure of the misconduct to both the DOJ and the SEC, Fresenius settled FCPA-related charges with the DOJ through a non-prosecution agreement (NPA), which required the company to pay a criminal penalty and retain an independent compliance monitor. The company also settled charges with the SEC and agreed to disgorge ill-gotten profits.
Identifying Risks
As demonstrated in the Zimmer and Fresenius resolutions, when a company seeks to import and sell a highly regulated product in an environment in which many customers are governmental entities, there is substantial FCPA risk. And this is precisely the environment in which most health care industry companies operate when pursuing international business. To address risks, it is critical to first identify them.
In the past few years, the DOJ has published several iterations of guidance on what it looks to when assessing a company’s compliance program. First published in February 2017 and most recently updated in June 2020, the DOJ’s “Evaluation of Corporate Compliance Programs” includes specific details on how the DOJ expects companies to identify and prioritize risk. Among other things, the DOJ suggests that companies are expected to make a “reasonable, individualized determination” of risk based on factors such as “size, industry, geographic footprint, regulatory landscape, and other factors.” In addition, DOJ expects that companies will conduct “periodic review” of their compliance programs by conducting assessments on a regular basis. The most substantial risks for health care companies operating internationally include the following:
- Extensive government regulation. As noted above, because the health care industry is heavily regulated, there is frequent interaction between companies and regulators related to obtaining safety certifications, licenses, permits, registrations and other approvals. These interactions create an inherent opportunity for bribery and corruption. Moreover, “regulatory landscape” is a particular risk factor that DOJ has identified in its compliance program guidance.
- Role of government-owned entities. In many countries, the health care sector is state-owned or controlled, which means that doctors, nurses and other medical professionals are foreign officials for purposes of the FCPA. Any payment or other benefit provided to one of these individuals—for example, to encourage a doctor to use a particular medical device—can implicate the FCPA.
- Expediency of medical issues. The urgency of the provision of medical care means that medical goods often must be imported into a country as quickly as possible. This is particularly the case for medicines, which may be perishable. Customs clearance in many countries is slow and ripe for bribery.
- Reliance on third parties. The health care and life sciences industries rely heavily on sales agents and distributors to market and sell their products internationally, and companies are generally liable for actions of their third-party representatives. The DOJ and SEC have specifically targeted situations in which life science companies used distributors to exert improper influence over government decisions.
- Less rigorous rules. Rules for conducting medical trials are often less strict in the developing world. Pharmaceutical companies may have an incentive to target trials in such countries, where corruption is often perceived to be an acceptable way to facilitate business
Addressing and Protecting Against Risks
Once risks are identified, companies and their personnel must practice vigilance with respect to those risks. The DOJ and SEC have well-established expectations for FCPA compliance programs, including the expectation that companies will regularly review and address third-party and other risks.
With respect to third parties, careful diligence needs to be conducted before a third-party relationship is commenced. Failure to conduct appropriate pre-contracting due diligence is often cited by the DOJ and SEC when resolving FCPA enforcement actions.
It is often useful to collect information about a potential third party through a questionnaire that can elicit information about the potential third-party’s ownership, business experience, sophistication about compliance, relationship to government officials and other relevant information. References should also be obtained and checked. It may be best to enlist business personnel to gather this information if they have a relationship with the potential third party, and also to invest them in the compliance process.
Once information about the third party is obtained, it should be reviewed by a legal or compliance official to identify potential problems, or “red flags.” Before engaging the potential third party, each of the red flags should be reviewed and addressed satisfactorily. If that is not possible, no relationship should be established.
If the decision is made to proceed with engaging the third party, a written agreement should be put in place that includes clear compliance representations and warranties to which the third party is bound. Provision should also be made for the third party to provide, whenever reasonably requested, a certification as to continuing compliance with the agreement. In many cases, it may also be appropriate to provide compliance training to the third party.
Critically, vigilance cannot end once an agreement is signed with the third party. Instead, all personnel who deal with the third party must know to keep their eyes and ears open for any potential issues and, if such issues arise, they must be reported immediately to legal or compliance personnel. Initial diligence is essential but not by itself adequate.
To assist with this sort of monitoring, the third party should be required to provide regular activity reports. Corresponding invoices, expense reports (if any), and related supporting documentation also should be obtained and reviewed. These documents not only help to ensure the third party is in fact performing useful services on behalf of the company. They also can help to identify interactions or meetings the third party is having or contemplating with government officials and which could create compliance concerns. Being aware of such interactions can help a company prepare appropriate protections to avoid an improper action by the third party.
The health care and life sciences industry is not alone in facing challenges under the FCPA. A number of other industries such as aerospace and defense, energy, and telecommunications are also highly regulated by most governments. Such a regulatory environment can create situations where bribery is likely or at least can be beneficial in terms of avoiding bureaucracy and delays, especially in the developing world. A strong compliance process to review transactions and, especially, third parties—and an overall commitment to proactive risk assessment more generally—will go a long way to promoting compliance and protecting against costly violations.