Cardinal Health Inc. (Cardinal) settled its Foreign Corrupt Practices Act (FCPA) matter with the Securities and Exchange Commission (SEC) last week. According to the SEC Press Release, Anita B. Bandy, Associate Director in the SEC’s Division of Enforcement, said “Cardinal’s foreign subsidiary hired thousands of employees and maintained financial accounts on behalf of a supplier without implementing anti-bribery controls surrounding these high-risk business practices. The FCPA is designed to prohibit such conduct, which undermined the integrity of Cardinal’s books and records and heightened the risk that improper payments would go undetected.” Per the SEC Cease and Desist Order (the Order) Cardinal agreed to pay $5.4 million in disgorgement, $916,887 in prejudgment interest, and a civil penalty of $2.5 million.

As you might expect from the first exclusive SEC resolution of an FCPA enforcement action in the new decade, this matter has some interesting factors and significant lessons to be garnered by the compliance professional.

Background Facts

Cardinal entered the Chinese market through an acquisition. The acquired entity had “longstanding distribution agreements with a number of global manufacturers of prescription medications, medical devices, and consumer health products.” After the acquisition, Cardinal China “terminated most of the marketing accounts due in part to known FCPA-related compliance risks associated with channeling the marketing expenses of third parties through its own books and records. But despite these risks, until 2016, Cardinal China maintained and operated marketing accounts for a European supplier [European company] of non-prescription, over-the-counter dermocosmetic products for which Cardinal China served as the exclusive product distributor in China.” It was through this European relationship that Cardinal came to FCPA grief.

This business relationship was extremely unusual to say the least. For reasons not made clear in the Order, Cardinal “formally employed approximately 2,400 employees for the dermocosmetic company pursuant to an administrative and HR services agreement.” While the largest numbers of these employees were beauty assistants and their supervisors, “approximately 100 employees were sales, marketing, management, and back office employees. The sales and marketing employees were responsible for marketing and selling the dermocosmetic company’s products in China, and regularly drew down funds from the marketing accounts to pay third parties for marketing-related expenses.”

It was this final action which caused problems and raised red flags for Cardinal. The company did not put the same rigor around the European company that it did around its Chinese operation. It is not clear from the Order whether Cardinal did not correctly assess the FCPA risk at the European company or thought that, because it was headquartered in a lower-risk area than China, such a rigorous approach was not warranted. Regardless, Cardinal did not put sufficient internal controls in place at this business operation and, after red flags were raised, did not take sufficient steps to stop the actions of this business operation.

The marketing, sales and management employees contracted to Cardinal made payments out of the marketing funds that were not only unauthorized but also not accurately recorded on the company’s books and records. These actions included failing to obtain verification of a legitimate business purpose for payments and making payments which were “redirected to government-employed healthcare providers and employees of Chinese state-owned retailers to promote the sale of the dermocosmetic company’s products.”

Some Lessons Learned

Clearly there were internal controls violations, as laid out in the Order. I was equally interested in the business relationship that Cardinal had with the European company and how it did not fall neatly into any established nomenclature of business affiliation. Most compliance professionals are familiar with a standard third-party relationship such as with a commissioned sales agent, distributor, joint venture partner and the like. Yet the relationship between Cardinal and the European company was something very different. Cardinal “administered the marketing accounts” of the European company. Further, it “retained approximately 2,400 employees” on behalf of the European company. Finally, even though the marketing employees were managed day-to-day by, and reported to, the European company, “Cardinal China entered into employment contracts with the marketing employees, administered their payroll, and assumed other human resource and administrative functions for them.”

What do you call that type of business relationship? Equally important, how would you even think about assessing them from a compliance perspective? You should start with the lifecycle of a third-party relationship and the five basic steps: (1) Business Justification; (2) Questionnaire; (3) Due Diligence and its evaluation; (4) Contract; and (5) Managing the Relationship thereafter. Did Cardinal engage in any of these five steps in its relationship with the European company? There is no evidence from the Order that it did so.

In addition to the ‘follow the money’ issues present in every business relationship, the European company obviously had its own interactions with foreign government representatives and representatives of state-owned enterprises in the Chinese health care market. This would have mandated the need to train the European company on Cardinal’s compliance programs and make sure that the European company had its own compliance program in place or place it under the Cardinal compliance program. Both compliance structure and oversight are required. In a business relationship such as Cardinal and the European company, a company must use its full compliance tool kit in managing that relationship. There must be active management of the compliance risk going forward on an ongoing basis.

The bottom line is that many compliance practitioners have not thought through the specific risks of business ventures such as the one between Cardinal and the European company. I hope the Cardinal FCPA enforcement action will help facilitate discussions that will lead to recognition of the different types of business relationships, greater consideration of the risk parameters and perhaps put a better risk management strategy in place.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2020