Noncompliance with the US Foreign Corrupt Practices Act carries heavy penalties.
As clinical research and manufacturing expand globally, pharmaceutical and medical device companies face increased risk of noncompliance with the US Foreign Corrupt Practices Act (FCPA), an anti-bribery law enacted in 1977. Although more than 30 years old, the FCPA has nevertheless ensnared several global pharmaceutical and medical device companies in recent years, resulting in costly fines, collateral expenses, and reputational damage.
Pharmaceutical and medical device companies may be especially vulnerable to FCPA risks when conducting overseas clinical trials involving third parties, such as clinical research organizations (CROs) or other intermediaries. According to the terms of the FCPA statute, noncompliance by a company's agents or representatives can put the company at risk itself. Many pharmaceutical and medical device companies have not taken appropriate steps to mitigate that risk.
The FCPA: stepping up enforcement
Among other things, the FCPA outlaws bribing foreign officials in an effort to secure business. The law applies to US-based companies and companies whose securities trade on US exchanges. It also applies to third parties acting on behalf of such companies, such as vendors, suppliers, contractors, agents, and other intermediaries, as well as individuals, including non-US citizens. The FCPA requires all of these entities to maintain proper books and records, and to put in place controls designed to prevent bribery and the accounting fraud often used to hide it. Some other countries have also adopted statutes similar to the FCPA—if not tougher—suggesting that a global compliance framework is essential for multinational corporations.
FCPA enforcement activities have increased steadily in the past decade, particularly for pharmaceutical and medical device companies, and this trend is unlikely to change any time soon. In November 2009, the Assistant Attorney General for the US Justice Department's criminal division announced that the Justice Department will sharpen its focus on dealings between pharmaceutical companies selling their products overseas. The Justice Department also plans to redouble efforts to prosecute pharmaceutical companies that try to bribe foreign officials to obtain preferential treatment for their products.
Because many clinical trials for drugs approved by the US Food and Drug Administration (FDA) take place outside of the United States, this trend of newly strengthened enforcement directly affects pharmaceutical research activities. Many health care providers (HCPs) that offer research assistance may be working for government healthcare programs or institutions, or for state-owned enterprises, and may therefore be deemed to be "foreign government officials" under the terms of the FCPA.
In addition to investigating companies' direct interactions with foreign government officials, US authorities are more closely scrutinizing their use of third-party intermediaries. The FCPA does not allow companies simply to ignore actions taken by third-party providers. As companies expand their research activities into emerging markets with higher known corruption risks, and as they rely more heavily on CROs to manage research activities abroad, their ability to effectively manage both direct and indirect bribery risks is critical.
An "out-of-sight, out-of-mind" approach to compliance can have serious consequences. Criminal and civil penalties can cost millions and immeasurably damage a company's reputation. In addition to assessing monetary fines and penalties, US authorities may require companies to retain independent, government-appointed monitors as part of any deferred prosecution agreement. Although the government appoints these monitors, the company is required to pay their fees, which can be in the tens of millions of dollars. Monitors may have access to corporate records and be able to impose additional FCPA-related compliance requirements, which can add further to the overall cost of any settlement. Individuals may also face financial damages, loss of reputation, and even prison terms.
Any payment to an HCP considered to be a government official under the FCPA can create risk, but not all payments do. In the case of research activities, payments that reasonably compensate an HCP for providing a valuable, needed service generally are not viewed as an FCPA risk so long as the payment is not intended to unduly influence the HCP. Likewise, payment of standard, documented fees to government officials as required to conduct research activities would also not be viewed as an FCPA risk.
The challenge lies in ensuring that a company has taken the necessary steps to demonstrate that its interactions and payments in all markets are appropriate, and that the individuals acting on its behalf throughout the world are compliant with the company's standards for managing FCPA-related risks. This challenge is further complicated because many interactions with HCPs and other government officials for research-related activities are increasingly being managed through a CRO, particularly in parts of the world where companies have less experience and fewer resources. In those regions, a company's ability to ascertain compliance by a CRO may be limited for a variety of reasons (see "Common Challenges" sidebar). For example, it may be that the agreement between the company and the CRO does not specifically address the company's expectations regarding compliance with the FCPA and other relevant anti-bribery statutes; or that the agreement does not allow the company to review the CRO's activities for compliance with specific legal requirements. Even if the agreement does contain such provisions, the company may not have enough appropriately trained resources to monitor the CRO for compliance in all relevant markets. In addition, CRO personnel may not understand how the FCPA applies to their activities, and therefore may not implement controls to mitigate risk. This is particularly challenging in markets where making improper payments to government officials is common or even "a way of doing business."
Companies can take several important actions to reduce anti-bribery risk when using a CRO (see "Managing the Risks" sidebar).
First, they should adopt a comprehensive corporate FCPA/anti-corruption policy that addresses the activities of employees and third parties acting on the company's behalf. Second, they should conduct documented due diligence before engaging a CRO to identify any potential FCPA red flags (see "Potential FCPA Red Flags" sidebar). Due diligence should include gaining an understanding of the substantive activities that the CRO will be engaging in on behalf of the company and its relationships with foreign government officials, as well as assessing the CRO's processes and controls for ensuring compliance with anti-bribery laws. Third, the written agreement with the CRO should require the CRO to comply with the company's FCPA/anti-bribery policy and to provide training to its employees on the applicable compliance policies, and should allow the company the right to audit the CRO's activities for compliance with the policy. It should also allow the company to terminate the agreement for violation of these terms. Finally, the company should conduct periodic, documented assessments of the CRO's activities to ensure that the CRO complies with the FCPA/anti-bribery policy.
As global enforcement of the FCPA and other anti-bribery laws intensifies, companies engaged in clinical trials must be aware of compliance requirements—and the risks of noncompliance. A comprehensive anti-corruption program, including controls that address CRO activities, can help ensure compliance and mitigate the risks of noncompliance with FCPA and other anti-bribery laws.
Editors' Note: This article originally appeared on www.appliedclinicaltrialsonline.findpharma.com in September 2010. The views expressed herein are those of the authors and do not necessarily reflect the views of Ernst & Young LLP.
Ted Acosta is Principal, e-mail: firstname.lastname@example.org, and Eileen Erdos is Principal, e-mail: email@example.com, at Ernst & Young LLP.