Today I want to use the Agatha Christie story Ingots of Gold as an introduction to some of the regular communications that Securities and Exchange Commission (SEC) representatives frequently provide in public forums regarding their views on Foreign Corrupt Practices Act (FCPA) enforcement and, more importantly for the compliance practitioner, FCPA compliance. In this story, told by Miss Marple’s friend, the narrator was spending a holiday in Cornwall with an acquaintance called John Newman. It involved a shipwreck and, as the title foretold, valuable cargo. After a stormy night Newman was missing but was later found bound and gagged in a ditch. It is revealed that Newman used this as a ruse to cover his tracks from a theft of gold, which, of course, Miss Marple resolves when no one else can do so.
It was the language of this story that struck me. For as famous as Agatha Christie is for her puzzles, she had a great facility for language. At one point Miss Marple said, “You wouldn’t like my opinion, dear. Young people never do, I notice.” Later she describes the antagonist with the following: “his mind might run in strange, unrecognized channels”. Fortunately for the compliance community, one of the significant ways that the SEC communicates with compliance practitioners is through public speeches. We were recently treated to another such example when Andrew Ceresney, the SEC Director, Division of Enforcement, spoke at CBI’s Pharmaceutical Compliance Congress in Washington DC. Ceresney provided some clear guidelines for the compliance practitioner about what the SEC expects from companies in the area of FCPA compliance. More specifically, he talked about bribery schemes the SEC has seen in FCPA enforcement actions involving the pharmaceutical industry. These examples provided scenarios that any compliance practitioner in the pharmaceutical space can investigate for their organization.
Pharmaceutical Industry Bribery Schemes
Ceresney discussed ‘Pay-to-Prescribe’ bribery schemes where physicians and hospitals are paid bribes in “exchange for prescribing certain medication, or other products such as medical devices.” These schemes can involve payments of cash or other forms of non-cash benefits such as gifts, travel and entertainment. He described an example where a company “invited ‘high-prescribing doctors’ in the Chinese government to club-like meetings that included extensive recreational and entertainment activities to reward doctors’ past product sales or prescriptions.” Another such scheme involved a running total of points for doctors who prescribed a company’s products, which could later be cashed in for items of value. Another involved a rebate of part of a hospital’s overall purchase to certain doctors or hospital administrators.
Another form of bribery was seen where a company would direct charitable donations to the decision-maker’s “pet” charity. In a couple of FCPA enforcement actions, the charity had nothing to do with the pharmaceutical industry, but in one case there was “a purported donation of nearly $200,000 to a public university to fund a laboratory that was the pet project of a public hospital doctor. In return, the doctor agreed to provide business to” the company in question. The point of all of these examples is “that bribes come in many shapes and sizes, and those made under the guise of charitable giving are of particular risk in the pharmaceutical industry. So it is critical that we carefully scrutinize a wide range of unfair benefits to foreign officials when assessing compliance with the FCPA – whether it is cash, gifts, travel, entertainment, or charitable contributions.”
I certainly agree with Ceresney, only adding that I do not think you can say it too loud or too often, when he stated, “The best way for a company to avoid some of the violations that I have just described is a robust FCPA compliance program.” It all begins with a risk assessment so that you will understand what your company’s risks are and you can manage them accordingly through your compliance program. From there Ceresney said, “The best companies have adopted strong FCPA compliance programs that include compliance personnel, extensive policies and procedures, training, vendor reviews, due diligence on third-party agents, expense controls, escalation of red flags, and internal audits to review compliance.” He also specifically mentioned third parties, as they are still perceived to be the highest risk in any FCPA risk matrix. He stated, “To properly combat against these abuses, a compliance program must thoroughly vet its third-party agents to include an understanding of the business rationale for contracting with the agent. Appropriate expense controls must also be in place to ensure that payments to third-parties are legitimate business expenses and not being used to funnel bribes to foreign officials.”
Self-Reporting and Cooperation
Next Ceresney turned to self-reporting and cooperation. After initially noting that the current enforcement environment is greatly aided by self-reporting, he went on to explain why it is in a company’s interest to do so. Beyond the simple credit a company receives for self-reporting, by doing so “parties are positioned to also help themselves by aggressively policing their own conduct”. The SEC will also “continue to find ways to enhance our cooperation program to encourage issuers, regulated entities, and individuals to promptly report suspected misconduct. The Division has a wide spectrum of tools to facilitate and reward meaningful cooperation, from reduced charges and penalties, to non-prosecution or deferred prosecution agreements in instances of outstanding cooperation.” He ended this section of his remarks with a couple of thoughts that I believe succinctly provided the SEC’s position on self-reporting and cooperation. First he said, “When I was a defense lawyer, I would explain to clients that by the time you become aware of the misconduct, there are only two things that you can do to improve your plight – remediate the misconduct and cooperate in the investigation.” He then ended with the following: “Companies that choose not to self-report are thus taking a huge gamble because if we learn of the misconduct through other means, including through a whistleblower, the result will be far worse.”
Ceresney had some interesting remarks around internal controls. He said they were in the “context of financial reporting”; however, I found that they might well have significant implications for the compliance practitioner. I thought his money line was “Internal control problems have been prominently featured in recent enforcement cases we have brought in the financial reporting area, even in cases without accompanying charges of fraud. This reflects our view that adequate internal controls are the building blocks for accurate financial reporting and can prevent fraudulent activity.” While the specified area of these remarks was around SOX §§302 and 404, I think this portends directly to internal controls under the FCPA.
He went on to state, “my key takeaway is that senior leadership of companies should place strong emphasis on the importance of designing and implementing strong internal controls. Senior officers need to ask questions about what they are being told about their internal controls – but perhaps more importantly, ask questions about the things that are not being reported to them. Dropping those occasional inquiries into conversations where they won’t be expected sends a powerful message that you want these issues to be on your employees’ minds. And what is needed is not just involvement from senior leadership but also from the audit committee. Instead of a check-the-box mentality, it is important to use careful thought at the outset to how controls should be designed in light of a firm’s business operations. This entails an up-front assessment of financial reporting risks, designing controls that address those risks, and ensuring that the resulting controls are well documented and communicated. And, as the company’s business evolves and changes, management must consider whether the existing internal controls are appropriate, or need to be enhanced or changed. Appropriate resources and attention also need to be devoted to monitoring those controls for effectiveness and making changes as needed.” Every time you see the word ‘financial’, simply substitute ‘compliance’ and I think you will see where the SEC is headed in its internal controls enforcement of the FCPA.
Just as Agatha Christie communicated with her audience in ways broader than simply puzzles, through her great facility for delicious language, the SEC communicates in substantive ways with the compliance community through its speeches. You really do not have to read the tea leaves when you have such a clear message as was delivered by Ceresney at the CBI conference. Moreover, with all the sites that reported on it, talked about it and even linked to the printed text, you did not have to pay to attend. It is all there for you to read and to read for free.
© Thomas R. Fox, 2015