Life sciences: Managing compliance risk from third parties

To augment internal staff, nearly every business uses a combination of third parties — such as subcontractors, distributors, agents, consultants and other service providers — in their daily operations. When these parties engage in corrupt or inappropriate activities, the organization that contracts with them can be held accountable. A recent rise in enforcement actions has brought the issue of third-party risk management to the forefront.

Indeed, as the United States has ramped up its scrutiny of such practices under the Foreign Corrupt Practices Act (FCPA), life sciences companies — especially those with operations in countries with reputations for corruption — are particularly vulnerable. For example, a large biotech company that designs and manufactures laboratory equipment for life sciences and clinical diagnostics recently found itself in the crosshairs of a U.S. Department of Justice (DoJ) probe into its operations overseas. At issue were allegations that its subsidiaries employed third parties that then bribed government officials in several Asian countries to win government contracts. In a settlement with the DoJ, the company agreed to pay $14.35 million in penalties, as well as relinquish tens of millions of dollars in profits to address allegations from an ongoing SEC investigation.

This case illustrates the risk that life sciences businesses face regarding third-party compliance, as well as what’s at stake. Violations of anti-corruption laws, whether by employees or third parties acting on a company’s behalf, may result in major liabilities, large fines, jail time and reputational damage. Executives can safeguard their organizations by understanding the attributes that heighten the risk of noncompliance, educating themselves on the most common violations, and then developing a response plan in the event they uncover any potential violations.

How life sciences is different In many industries, third-party risk comes from expansive sales networks, service providers or global supply chains that operate beyond the company’s direct supervision. The life sciences industry is much more heavily regulated than many other industries, due to its connection to public health. Further, executives are under constant pressure to develop new, improved products and services at reduced costs. Since companies must gain government approval for these products before bringing them to market, a green light from regulatory agencies is a crucial milestone in beginning to recoup product development costs.

Adding to the complexity, life sciences organizations have a high number of touch points with government officials, especially with employees of state-run health care facilities. Since life sciences companies reside at the crossroads of commerce and government, executives must closely monitor and manage the interactions of their subsidiaries with government officials. Businesses that operate in countries with a reputation for corruption should be more vigilant. In emerging nations with legacies of intractable red tape, thriving gray markets and a poor record of enforcement, bribery of government officials has simply been the way to get things done — and old habits can be difficult to correct among local third parties.

Inside the FCPA’s anti-bribery provisions In recent years, the U.S. government has increased its enforcement efforts, with a focus on corruption and bribery across industries. The FCPA’s anti-bribery provisions prohibit a company or third parties acting on a company’s behalf from “offering anything of value to a foreign public official with the purpose of obtaining or retaining business or otherwise intending for the official to misuse authority.1” Notably, the definition of “anything of value” extends beyond straightforward cash payments and can include gifts, discounts, travel and entertainment, and preferential treatment in hiring and promotion. In countries with state-run health care providers, employees of hospitals and clinics also fall under the designation of “foreign government officials,” significantly increasing the interactions that companies must monitor. Three high-risk areas in life sciences In recent investigations, U.S. government agencies have zeroed in on practices common within the life sciences industry that are ripe for malfeasance. According to Andrew Ceresney, director of enforcement at the SEC, three categories are common sources of violations.2
  1. Pay-to-prescribe cases: These violations typically occur when subsidiaries or third parties compensate doctors and medical officials in return for prescribing a company’s drugs or products to patients. These bribes can include cash payments, as well as other compensation, such as tickets to concerts or events. A global pharmaceutical company, for example, was the target of a whistleblower in Romania who alleged the company’s subsidiary regularly paid hundreds of doctors to prescribe its prostate drugs.
  2. Bribes for formulary placement: Companies regularly lobby governments in countries with a state-run system to add drugs or products to an approved list for reimbursement. Such efforts can easily cross the line — for example, several years ago a multinational corporation paid $29 million to settle allegations from the DoJ and SEC that its subsidiaries and third parties had paid government officials in a number of Eastern European and Asian countries to obtain formulary approval.
  3. Bribes disguised as charitable contributions: In an effort to disguise illicit payments to doctors and government officials, third parties sometimes go to extreme lengths. From 1999 to 2002, a subsidiary of a U.S.-based pharmaceutical company made tens of thousands of dollars in donations to an Eastern European nonprofit run by a government official. In return, the company saw sales of its oncology products in this region increase dramatically. After allegations surfaced, the company paid a fine of $500,000 and agreed to strengthen its due diligence activities.

In most cases, the settlement figures are just part of the total cost of noncompliance. Companies must devote considerable resources to investigate claims as well as to remediate reputational damage in the aftermath of penalties and negative publicity when such infractions are alleged.

Mitigating the impact from third-party noncompliance Life sciences executives should develop a compliance strategy and integrate it with the organization’s existing enterprise risk management efforts. Proactive companies must have a robust and systematic process for onboarding and regularly monitoring third-party vendors. This approach relies on certification and training, verification, and financial controls.

Data analytics can be a valuable tool in identifying potential risks. By aggregating data on third-party vendors, companies can use analytics to flag factors associated with risk (for example, if a country has a reputation for corruption) as well as certain positions (e.g., sales associates, government relations professionals) that may have interactions that are conducive to illicit activities. These tools can provide compliance personnel with greater visibility into operations. Data analytics also enables companies to cover more ground: It’s not feasible to monitor every email, conversation and interaction manually, but software can aggregate information and highlight the areas of greatest risk — essentially giving risk professionals a roadmap for further inquiry.

If companies uncover any wrongdoing by third parties, they should take four steps to ensure that they are prepared to respond quickly and forcefully.

  1. Determine the extent of the violations. Companies can develop an effective response plan by getting an accurate picture of the severity of violations. If the wrongdoing is isolated — say, the work of a small number of employees or even a lone wolf — the proper response might be to terminate the third parties involved and reinforce existing policies. However, if executives find that the violations are systemic and suggest a culture of noncompliance that could extend throughout their organization, then a re-examination of onboarding and monitoring practices of third parties would be warranted.
  2. Evaluate the cause and reassess your plan. If violations or improprieties occur, companies should examine their current risk models, financial controls, third-party training, audit protocols and contract provisions to prevent similar issues in the future. If the issues could have been avoided, managers must identify the causes and continually refine and enhance their compliance functions.
  3. Balance the cost of potential fines with the expense of defending against an enforcement action. As noted earlier, the fines that companies must pay to settle third-party compliance violations are just one expense. The cost of an internal investigation and defense can sometimes cost significantly more. In 2015, Avon Products reached a settlement with U.S. authorities to pay $135 million to resolve an FCPA investigation. However, the company had spent approximately $350 million on legal fees and other activities related to the government probe prior to the settlement.3
  4. Understand the benefits of self-reporting. Self-reporting enables companies to signal their intent to government officials to clean up trouble areas proactively. Although companies aren’t required by law to divulge violations, they can reduce potential penalties and fines by doing so. A recent article in The Wall Street Journal describes what life sciences company Bio-Rad did after becoming aware of third-party corruption issues — the company self-reported and proactively addressed the issues. In the end, Bio-Rad paid a $55 million fine, but that represented about half what the company may have been compelled to pay without self-reporting.4 In effect, this reduction was a reward for the company’s cooperation with authorities.

The far-flung nature of global networks makes third-party monitoring a daunting task for life sciences companies, especially if they lack the processes and culture to prevent abuses and noncompliance. When penalties for violations can run into the hundreds of millions of dollars, executives would do well to take a proactive stance and invest in preventive measures.

1 See for the full text of the Anti-Bribery Provision, Section 30A of the Securities Exchange Act of 1934.
2  Ceresney, Andrew. “FCPA, Disclosure, and Internal Control Issues Arising in the Pharmaceutical Industry,” March 3, 2015.
3  SEC. “SEC Charges Avon with FCPA Violations,” Dec. 7, 2014.
4  Ensign, Rachel Louise. “Why Companies Might Opt to Self-Report Potential Bribery Issues,” The Wall Street Journal, Nov. 2, 2014.

Contacts Lisa Walkush
Principal, Business Advisory Services
T +1 215 814 4000

Matthew Ruble
Senior Manager, Business Advisory Services
T +1 215 814 4063