Does Your Overseas R&D Organization Comply With the US FCPA?

As clinical research and manufacturing expand globally, pharmaceutical and medical device companies face increased risk of noncompliance with the US Foreign Corrupt Practices Act (FCPA), an anti-bribery law enacted in 1977. Although more than 30 years old, the FCPA has nevertheless ensnared several global pharmaceutical and medical device companies in recent years, resulting in costly fines, collateral expenses, and reputational damage.

Pharmaceutical and medical device companies may be especially vulnerable to FCPA risks when conducting overseas clinical trials involving third parties, such as clinical research organizations (CROs) or other intermediaries. According to the terms of the FCPA statute, noncompliance by a company’s agents or representatives can put the company at risk itself. Many pharmaceutical and medical device companies have not taken appropriate steps to mitigate that risk.

The FCPA: stepping up enforcement
Among other things, the FCPA outlaws bribing foreign officials in an effort to secure business. The law applies to US-based companies and companies whose securities trade on US exchanges. It also applies to third parties acting on behalf of such companies, such as vendors, suppliers, contractors, agents, and other intermediaries, as well as individuals, including non-US citizens. The FCPA requires all of these entities to maintain proper books and records, and to put in place controls designed to prevent bribery and the accounting fraud often used to hide it. Some other countries have also adopted statutes similar to the FCPA—if not tougher—suggesting that a global compliance framework is essential for multinational corporations.

FCPA enforcement activities have increased steadily in the past decade, particularly for pharmaceutical and medical device companies, and this trend is unlikely to change any time soon. In November 2009, the Assistant Attorney General for the US Justice Department's criminal division announced that the Justice Department will sharpen its focus on dealings between pharmaceutical companies selling their products overseas. The Justice Department also plans to redouble efforts to prosecute pharmaceutical companies that try to bribe foreign officials to obtain preferential treatment for their products.

Because many clinical trials for drugs approved by the US Food and Drug Administration (FDA) take place outside of the United States, this trend of newly strengthened enforcement directly affects pharmaceutical research activities. Many health care providers (HCPs) that offer research assistance may be working for government healthcare programs or institutions, or for state-owned enterprises, and may therefore be deemed to be “foreign government officials” under the terms of the FCPA.

In addition to investigating companies’ direct interactions with foreign government officials, US authorities are more closely scrutinizing their use of third-party intermediaries. The FCPA does not allow companies simply to ignore actions taken by third-party providers. As companies expand their research activities into emerging markets with higher known corruption risks, and as they rely more heavily on CROs to manage research activities abroad, their ability to effectively manage both direct and indirect bribery risks is critical.

Paying the price of noncompliance
An “out-of-sight, out-of-mind” approach to compliance can have serious consequences. Criminal and civil penalties can cost millions and immeasurably damage a company’s reputation. In addition to assessing monetary fines and penalties, US authorities may require companies to retain independent, government-appointed monitors as part of any deferred prosecution agreement. Although the government appoints these monitors, the company is required to pay their fees, which can be in the tens of millions of dollars. Monitors may have access to corporate records and be able to impose additional FCPA-related compliance requirements, which can add further to the overall cost of any settlement. Individuals may also face financial damages, loss of reputation, and even prison terms.

FCPA risks in overseas clinical trials
Any payment to an HCP considered to be a government official under the FCPA can create risk, but not all payments do. In the case of research activities, payments that reasonably compensate an HCP for providing a valuable, needed service generally are not viewed as an FCPA risk so long as the payment is not intended to unduly influence the HCP. Likewise, payment of standard, documented fees to government officials as required to conduct research activities would also not be viewed as an FCPA risk.

The challenge lies in ensuring that a company has taken the necessary steps to demonstrate that its interactions and payments in all markets are appropriate, and that the individuals acting on its behalf throughout the world are compliant with the company’s standards for managing FCPA-related risks. This challenge is further complicated because many interactions with HCPs and other government officials for research-related activities are increasinly being managed through a CRO, particularly in parts of the world where companies have less experience and fewer resources. In those regions, a company’s ability to ascertain compliance by a CRO may be limited for a variety of reasons (see Sidebar #1). For example, it may be that the agreement between the company and the CRO does not specifically address the company’s expectations regarding compliance with the FCPA and other relevant anti-bribery statutes; or that the agreement does not allow the company to review the CRO’s activities for compliance with specific legal requirements. Even if the agreement does contain such provisions, the company may not have enough appropriately trained resources to monitor the CRO for compliance in all relevant markets. In addition, CRO personnel may not understand how the FCPA applies to their activities, and therefore may not implement controls to mitigate risk. This is particularly challenging in markets where making improper payments to government officials is common or even “a way of doing business.”

Mitigating the risks
Companies can take several important actions to reduce anti-bribery risk when using a CRO (seeSidebar #2). First, they should adopt a comprehensive corporate FCPA/anti-corruption policy that addresses the activities of employees and third parties acting on the company’s behalf. Second, they should conduct documented due diligence before engaging a CRO to identify any potential FCPA red flags (see Sidebar #3). Due diligence should include gaining an understanding of the substantive activities that the CRO will be engaging in on behalf of the company and its relationships with foreign government officials, as well as assessing the CRO’s processes and controls for ensuring compliance with anti-bribery laws. Third, the written agreement with the CRO should require the CRO to comply with the company’s FCPA/anti-bribery policy and to provide training to its employees on the applicable compliance policies, and should allow the company the right to audit the CRO’s activities for compliance with the policy. It should also allow the company to terminate the agreement for violation of these terms. Finally, the company should conduct periodic, documented assessments of the CRO’s activities to ensure that the CRO complies with the FCPA/anti-bribery policy

Conclusion

As global enforcement of the FCPA and other anti-bribery laws intensifies, companies engaged in clinical trials must be aware of compliance requirements—and the risks of noncompliance. A comprehensive anti-corruption program, including controls that address CRO activities, can help ensure compliance and mitigate the risks of noncompliance with FCPA and other anti-bribery laws.

The views expressed herein are those of the authors and do not necessarily reflect the views of Ernst & Young LLP.

Eileen Erdos is a principal and leader in Ernst & Young’s Life Sciences team of the Fraud Investigation & Dispute Services practice and Ted Acosta is a Global Leader of the Life Sciences and the Corporate Compliance teams in the firm’s Fraud Investigation & Dispute Services practic eat Ernst & Young LLP.

Sidebar #1: Common Challenges to Monitoring the FCPA Compliance of a CRO

A company may have a limited ability to identify the compliance of its CRO’s activities for a variety of reasons:

• Compliance expectations are not specified in the contract

• There is no contractual ability to audit the CRO’s activities

• The company lacks trained personnel to monitor the CRO for compliance

• The CRO may not understand that the FCPA applies to its activities

• There may be a general lack of effective CRO controls to mitigate FCPA/bribery risk

Sidebar #2: Managing the Risks: Due Diligence is the Key

Before engaging a CRO, companies should conduct documented due diligence to identify any
potential FCPA-related risks:

• Implement an FCPA/anti-bribery policy that addresses third-party activities including CROs

• Perform due diligence on all CROs

• Contractually require compliance with the company’s FCPA/anti-bribery policy

• Include a contractual right to audit the CRO for compliance with FCPA/anti-bribery requirements—and then perform such an audit

Sidebar #3: Potential FCPA Red Flags

Companies must be alerted to possible danger signals that could indicate an increased risk, such as the following:

• CRO has ties to one or more government officials and/or relies heavily on political or government contacts

• CRO refuses to certify compliance with FCPA/anti-bribery requirements

• Country has a reputation for corruption and bribery

• The CRO asks the company to make payments to a third party, to an account in a country in which the CRO does not operate, or in cash or untraceable funds