Life sciences companies: Is your third party FCPA-compliant?

As your life sciences company leverages resources abroad and expands globally, compliance with the Foreign Corrupt Practices Act (FCPA) and other similar global anti-corruption laws becomes a business imperative for your organization. Without proper policies, procedures and controls that address these bribery and corruption concerns, organizations expose themselves to potential liability in the form of legal, regulatory and reputational risk. Noncompliance with these strict laws, whether through your immediate business or via your third-party relationships, could be costly to your bottom line and future profitability. This challenge continues to grow as more and more life sciences companies enlist third parties and conduct business abroad.

According to RSM’s Global Corruption Law Compliance Survey, over half of the executives who responded indicated they were concerned about questionable or potentially illicit behaviors by third-party partners such as unusual compensation arrangements, audit refusals, incorrect invoice or overbilling issues, and nonroutine requests for customer discounts.¹ However, while many companies—life sciences included—recognize the worrisome challenges related to FCPA compliance, many are unsure of how to best manage these risks.

A closer look

Organizations should strive to protect themselves by establishing adequate policies, procedures and internal controls that adhere to anti-bribery and anti-corruption laws. Ensuring adequate controls is critical to being successful in the heightened enforcement environment surrounding the life sciences industry. On July 25, 2017, the United States attorney’s office has vocalized its position that it will be vigorously pursuing organizations who are not in compliance with the FCPA. Nathaniel Yeager, chief of the Boston U.S. attorney’s office’s health fraud unit recently stated, “One of the areas we have concern about is the impact… on compliance with federal regulations.” Sandra Moser, principal deputy chief, fraud section, criminal division, U.S. Department of Justice (DOJ), said the DOJ views the health care industry as one that “faces serious compliance and corruption challenges not only in high-risk markets overseas but right here at home as well.” ^{2, 3}

Consistent with these statements:

• In February 2017 the DOJ issued its program guide, “Evaluation of Corporate Compliance Programs,” which includes a list of questions that the criminal fraud section will ask during an investigation
• In March 2017 the Department of Health and Human Services Office of Inspector General and the Health Care Compliance Association issued its resource guide: “Measuring Compliance Program Effectiveness: A Resource Guide”

The DOJ has noted that these are basic compliance components that the DOJ expects international corporations to have.

Addressing your risks

There are some key bribery and corruption risk questions that organizations should consider before entering a third-party relationship. Assessment of these risk areas can help maintain safeguards within third-party partnerships. These questions include:

• Has your company implemented adequate compliance training programs, as well as policies that promote a strong and ethical culture, particularly when they relate to interactions with third parties?
• Has your company performed a corruption risk assessment with an emphasis on understanding and assessing local corruption risk indicators, operational controls and residual risk?
• What level of global governance and central control does your organization maintain over local anti-corruption efforts and local business activities? Does sufficient transparency exist to manage corruption risk?
• How is your organization tracking activities (contracting, employment, human resources issues, sales targeting, marketing, regulatory compliance, research and development) of management, sales personnel and other key parties in local markets around the world?
• How is your organization assessing and monitoring the level of pressure placed on employees and third-party partners to meet global financial performance targets?
• How closely are you monitoring third-party compensation, including compliance with fair market value pricing requirements, if applicable?
• What level of understanding does your organization have with regards to instances where third parties are acting on your behalf in each market? How is the company monitoring potentially inappropriate or high-risk third-party relationships between government officials and local managers, sales, regulatory compliance personnel and others?
• What technology and resources does your organization use to monitor activity and promptly identify and prioritize issues? How is your company leveraging data analytics, technology and resources to effectively use available data? Does data analytics identify high-risk activities, detect abnormalities and enable proactive monitoring?
• Does your organization have a documented fraud response strategy that can effectively mitigate the impact caused by FCPA violations? ⁴

In addition, consider the following tips to address your risk areas with your third parties:

• Conduct rigorous and comprehensive third-party vetting. Regulatory bodies look favorably on life sciences companies that have a well-defined process in place that involves an effective level of inquiry to assess and mitigate risks associated with doing business with third parties.
  • Assess risk domains. A third-party vendor self-assessment questionnaire should be distributed, focused on documenting the vendor’s current understanding of their business, any conflict of interests, fourth-party operations, and other areas involving their information security and compliance environment.
  • Perform internal due diligence. Organizations should take steps to gather publicly available information to understand their third-party vendor’s identity, reputation and financial operations.
  • Complete vendor scorecard. Utilizing the data gathered, determine a final recommendation regarding the third-party vendor’s operations, including those instances where current controls exceed expectations, additional monitoring needs to be implemented or whether starting a relationship with the third-party should not commence.
  • Conduct ongoing internet and database searches. It is important to monitor the third party. This may include use of alerts for the third party so you receive notice when negative media is published about the third party.
• Utilize audit rights. Where possible include audit rights within all contracts. Evaluations of third-party business operations and reporting can detect indiscretions and risk areas as they are developing, allowing you to tackle challenges early on before a noncompliance issue turns into a full-blown crisis.
• Provide annual training to third parties. Some vendors may not have appropriate resources or knowledge to establish anti-bribery or anti-corruption policies. Consider whether adequate training of third parties exists to encourage adherence to your organization’s policies and align with your organization’s culture and ethical values.⁵

1. Greg Naviloff, Managing risk with third parties or intermediaries, Aug. 18, 2017.
2. Melissa Jampol and Matthew Savage Aibel, Jampol and Aibel: DOJ targets healthcare with FCPA enforcement, The FCPA Blog, Aug. 10, 2017.
3. Jeff Overley, What the DOJ's elite health fraud squads are watching, Law360, Sept. 21, 2017.
4. Greg Naviloff, What life sciences boards need to understand about corruption risk, May 1, 2017.
5. Greg Naviloff, Managing risk with third parties or intermediaries, Aug. 18, 2017.