By Randy Stpehens and Mary Bennett
Smart device manufacturers implement compliance programs to minimize the risk of corruption through policies, hotlines, training and auditing. However, such controls are largely aimed at shaping the behavior of their employees. What about agents, distributors and other third party partners? After all, the GlaxoSmithKline corruption scandal allegedly involved the use of travel agencies1. What about third parties acting on their own, yet on behalf of a medical device firm?
Medical device makers operate under myriad laws and standards focused on avoiding the improper influence or bribery of healthcare professionals (HCPs) when selling their wares. Yet, despite global anti-corruption rules and regulations, the news is rife with many high-profile health industry investigations, fines, penalties and settlements. Think of GlaxoSmithKline, Eli Lilly, Baxter, Johnson & Johnson, Biomet, Stryker Corp, to name a few.
Much of the corruption is perpetrated by employees, operating alone or as part of a scheme. That coupled with large fines, penalties, and civil and criminal indictments, can tear into a company’s reputation. The ongoing GlaxoSmithKline investigation in China is one example.
In the U.S., makers of medical devices are subject to anti-kickback laws. The AdvaMed Code of Ethics on Interactions with Healthcare Professionals (the device industry "code of conduct") is all about avoiding the offer of anything of value to motivate prescriptions and sales of products. Additionally, companies with operations or sales outside the U.S. must comply with the Foreign Corrupt Practices Act (FCPA) and, depending on the countries in which they work, potentially the U.K. Bribery Act and other country-specific anti-corruption laws.
The FCPA specifically penalizes companies and individuals for "offering to pay, paying, promising to pay, or authorizing the payment of money or anything else of value to a foreign official in order to influence any act or decision of the foreign official in his or her official capacity or to secure any other improper advantage in order to obtain or retain business."
Many of these compliance failures could be prevented or quelled by the presence of and implementation of an effective compliance program with a scope and application that goes beyond employees.
Third-party risks
Third party partnerships, on both the supplier and sales sides, potentially may increase the risk of a compliance failure or corruption scandal in four key ways.
1: Risk and lack of awareness
Outside the U.S., HCPs are employed by or work on behalf of the government. In the eyes of the DOJ and SEC, they are government agents. Because of this quasi-governmental nature, medical device manufactures have been under FCPA scrutiny since 2009 when, then U.S. Assistant Attorney General, Lanny Breuer, publicly declared, "Nearly every aspect of the approval, manufacture, import, export, pricing, sale, and marketing of a drug product may involve a ‘foreign official’ within the meaning of the FCPA."
Interacting with these medical professionals to encourage them to recommend or purchase products may open a company up to allegations of FCPA violations. While some companies challenge this definition, until the courts rule that these medical professionals are not foreign officials, this debate will continue to be the focus for FCPA allegations leveled by the DOJ.
Distributors in these countries may not be aware of the corruption risk, of their local anti-corruption laws, or even what constitutes "improper payment" or "anything of value." These partners may not have a compliance program with policies and training to drive awareness. And they may subcontract with sales agents, other distributors, or even suppliers who also lack such controls. Recent research has indicated that people recognize only 50 percent of wrongdoing they see2, making education an especially important corruption control.
2: Inappropriate incentives
Compensation for work done or products bought is not a bad thing, unless it is structured to incentivize bad behavior. Don’t sales incentives always pose that risk? Not true — when incentives are balanced with a strong message about achieving goals the right way. And beyond words, rewards are based on balanced achievement of performance and principles.
3: Lack of accountability
Even though no country officially sanctions bribery, bribery may be more accepted in other countries as a way to do business. How many of your suppliers and distributors are in jurisdictions known for high corruption rates3? The risk extends well beyond the BRIC countries. Third parties operating in these areas may feel little accountability for upholding the laws. The historical lack of consequences is difficult to overcome, especially when "everyone else is doing it."
On the opposite side of this coin is the potential that previously complacent governments may unexpectedly begin selective or targeted enforcement. For example, China has recently been very active in aggressively prosecuting pharmaceutical companies and their executives for bribing Chinese HCPs.
4: No Due Diligence
Finally, appropriate due diligence on third party partners is often incomplete or lacking altogether. In the U.S., healthcare employers are required to avoid hiring parties barred from working with federal healthcare programs. However, this is only one element of good background checking and is not enough to identify partners with a propensity to break the law. Good due diligence goes much further.
Protecting the company
What steps can a medical device or pharmaceutical company take to support a strong compliance program where third parties are concerned?
Have clear and published policies
First and foremost, companies should address their positions on any element of operations that could be used to allow a violation of anti-bribery and corruption laws. These positions should be clearly stated in internal and external written policies, training materials and communications. These policies should address gifts, sponsorships, travel, entertainment, charitable contributions, etc.
Implement internal controls on spending and reimbursement
Since corrupt payments are often classified in "corruption code language" as commissions, marketing expenses or miscellaneous, it is important to have systems designed to detect these improper payments. In many FCPA violations (including the recent Stryker Corp case, settled in October 2013 for almost $13,000,000 in fines, penalties, interest and disgorgement) the DOJ or SEC pursued actions under the "books and records" section of the FCPA. In these cases, the violation occurs because bribes are mischaracterized. Payments to HCPs or any other foreign officials must be properly recorded and accompanied by receipts, documentation and sufficient detail.
Conduct a third party risk assessment and due diligence
To paraphrase a well-known quote, "The best defense is a strong (risk-based) offense."
Where third parties are involved, this is not a platitude. Preventing the engagement of third parties with a history of corruption or a serious number of corruption red flags is the best approach. In reality, some of these third parties may slip through the cracks, but a company can demonstrate a good faith effort to minimize the number of cases with a due diligence program performed on potential third parties before engagement. The guidance on the elements of this risk-based due diligence can be found in A Resource Guide to the U.S. Foreign Corrupt Practices Act, issued jointly by the criminal division of the DOJ and the SEC in November of 2012.
According to the Guide, risk-based due diligence addresses the following:
- Qualified 3rd parties
The obligation is on the company to make sure that it understands the qualifications and responsibilities of third parties it engages. The Guide makes it clear that "the degree of scrutiny should increase as red flags surface."
What are some issues which might be considered "red flags"?
- Industry
- Corruption Index for the country in which the third party is operating
- Large size or sensitive nature of the transaction
- No history of past relationship with the third party
- Abnormally high commission or compensation
- Lavish gifts and entertainment expenses
- Third parties making unexpected, unreasonable, or illogical decisions
- Unusually smooth processing of matters where individual does not have the expected level of knowledge or expertise
- The business rationale
The company should understand why a third party is needed for the engagement and ensure that the third party has reasonable expertise and compensation for the engagement
- Mitigating risk
If you do ultimately engage a third party you need to ensure that you are managing your third party program and mitigating your risks. This is going to require due diligence for each third party and watching for red flags or risks that need to be mitigated. Check multiple sanction/watch lists, adverse publicity, and know the principals of the third party and the possibility that they may have relationships with foreign officials. This may be done in-house if you have a limited number of third parties, but a preferable approach in cases where you engage either a large number of third parties or third parties who are spread all over the international map, is to use an automated provider who can swiftly and completely conduct the appropriate level of due diligence on all of your third parties.
- Ongoing monitoring and auditing
The Guide explicitly states that one guiding principle of third party due diligence is that "companies should undertake some form of ongoing monitoring of third party relationships."
So if you have a third party program, it can’t be a "one and done" process. Even if your due diligence did not turn up any red flags or issues with your existing or newly on-boarded third parties, you can’t close the book. Things change. With any effective compliance program, one of the critical factors is regular monitoring and auditing to ensure that nothing new has arisen which might change the risk profile.
Consider:
- Regular updates of previous due diligence
- Ensure that the contract provides for audit rights, and exercising audit rights when appropriate
- Provide or ensure that the third party is receiving periodic training on anti-bribery and your company’s policies on anti-bribery and corruption, gifts and entertainment and accurate record keeping
- Think about annual certifications of compliance
Medical device manufacturers may be exposed to serious corruption risk through their third party relationships. Regulators know it and are focused on following up on any hint of corrupt activity. But manufacturers can build a solid line of defense against bribery and its potential harmful consequences by establishing an effective compliance program, especially with respect to third party relationships — including education, appropriate incentives, audits and remediation, and a strong, ongoing third party due diligence system.
Randy Stephens, JD, CCEP, is vice president of Navex Global’s ELG group, a lawyer and compliance specialist who has worked in roles with legal and compliance responsibility for over 30 years, including operations in Mexico, China and Canada. Previously he led compliance programs and worked for some of the largest and most diverse public and private corporations in the United States, e.g. Home Depot, Family Dollar and US Foods.
Mary Bennett, R.Ph. is a vice president of Navex Global’s ELG group and a pharmacist by training. She joined the organization as its first employee in 1999 after serving as vice president in the Compliance and Integrity office at Caremark, where she implemented the requirements of one of the first government agreements in healthcare.
1: http://nytimes.com/2013/07/16/business/global/glaxo-used-travel-firms-in-bribery-china-says.html Back.
2: ERC – In Mind of Whistleblower, 50% of wrongdoing not recognized. Back.
3: Transparency International Corruption Risk rating of countries. Back.