Globalizing Your Compliance Program
I. Legal Consequences of an Inadequate Compliance Program
Multinational companies continue to face intense enforcement scrutiny related to their global compliance practices by oversight authorities worldwide. These companies rely heavily on local regulatory developments, evolving statutory structures such as the Foreign Corrupt Practices Act (“FCPA”) and UK Bribery Act, and trends raised by Deferred Prosecution Agreements (“DPAs”) and enforcement settlements for guidance on implementing an effective global compliance program. As recent U.S. settlements involving Orthofix, Teva Pharmaceuticals, and Olympus indicate, domestic companies that fail to adequately train, monitor, and audit compliance for ex-U.S. operations are particularly subject to intense scrutiny—each of these companies recently entered into DPAs related to FCPA allegations and settled with the U.S. Department of Justice (“DOJ”) or Securities and Exchange Commission (“SEC”) for amounts ranging from $6 million (Orthofix) to $646 million (Olympus). In each case, the government found that compliance program implementation, oversight, and training were insufficient to prevent improper (and even overtly corrupt) conduct.1 Moreover, in the case of Teva, the DOJ found that compliance personnel were “unable or unwilling” to implement its anti-corruption programs, and for Olympus, the DOJ criticized the lack of an anti-corruption “tone at the top.” Accordingly, the DOJ and SEC are requiring health care companies conducting ex-U.S. operations to do more than just “check the boxes” in establishing a compliance program—an effective compliance program requires on-the-ground and executive commitment. The most effective programs establish institutional commitment at the very outset and require ongoing monitoring and continuous updates.
Companies that internally identify and self-report (when appropriate) material non-compliance with applicable legal mandates can significantly decrease the risk of regulator-imposed compliance counsel or monitorships, mitigate the threat of substantial monetary penalties, and potentially avoid other adverse consequences, such as exclusion from U.S.-based health care programs, disqualification from government contracts, and widespread reputational harm.
II. Globalizing Your Compliance Program
Organizations implementing effective global compliance programs face particular challenges in navigating disparate regulatory regimes in the numerous jurisdictions in which they may operate. Maintaining and updating regional or country-specific policies and program oversight procedures requires substantial resources and continuous updates. Faced with these challenges, some multinational companies implement uniform global compliance policies that may include requirements that are more or less restrictive than local laws. Others develop policies that identify areas of regulatory overlap and apply some consistent standards globally, and then supplement with country-specific guidance that accounts for variation in local law.2 To account for the disparate requirements in the various jurisdictions in which a company may operate, global organizations can develop analytic tools in order to identify and prioritize high-risk areas based upon locality. From there, global organizations can target these items for improvement through heightened training and monitoring programs. High-risk topics for global organizations to consider monitoring may include T&E; third-party due diligence; interactions with government entities; interactions with health care professionals; grants, donations, and sponsorships; and free product and price concessions.3
The DOJ recently offered guidance relevant to an increasingly globalized market and the unique compliance requirements associated with multinational business operations in its 2017 Evaluation of Corporate Compliance Programs guidance.4 The guidance emphasizes key elements and controls applicable to global compliance program operations, such as accessibility of policies and procedures, whether a company provides “gatekeepers” (persons with payment authority in applicable jurisdictions) clear guidance and training, and how the company uses incentives to promote ethical conduct. In addition, confidential reporting, risk assessment, auditing and control testing are emphasized as integral compliance processes. The U.S. Department of Health and Human Services, Office of the Inspector General (“OIG”) has also issued compliance guidance applicable to health care and life sciences companies, which may be useful to companies in these sectors.5
All of the traditional “seven elements” of compliance programs (policies and procedures; oversight; employee and third-party screening; training and communication; auditing, monitoring and internal reporting; disciplinary actions and incentives; and investigations and remediation) should be designed to meet evolving global requirements.6 When developing training programs, companies should tailor presentations and materials to the roles of their workforce members, and policies and training should be presented in local languages and in person, to the extent possible, with real-world examples. Regulatory oversight bodies consistently demand that compliance programs evolve to meet developing statutory structures and industry standards, identify risks through internal monitoring, and promptly implement effective corrective action plans. Specific local requirements, such as meal or gift limits, are often best built into localized standard operating procedures and should be tied to other systems (i.e., expense control systems) in order to both facilitate compliance tracking efforts and, to the extent possible, act as a stop-gap for instances of non-compliance. For example, companies operating in South Korea and Brazil require specific focus and robust monitoring for recently enacted laws imposing spending restrictions more burdensome than under the FCPA: South Korea’s “Kim Young-ran Act” sets a threshold for improper payments to public officials (whereas the FCPA prohibits certain payments regardless of amount), and includes a broader definition of public officials to encompass certain private actors, and Brazil’s “Clean Companies Act” applies strict liability to interactions with public officials.
Establishing effective communications and audit processes between headquarters and regional business lines is essential for establishing accountability within global organizations. A centralized audit process is germane to an effective business model—multinational companies are advised, however, to consider implementing periodic audits as close to the ground as possible as well, to monitor training effectiveness and implementation. Single-country and even regional audits substantially increase the likelihood of identifying instances of noncompliance. Throughout the process, multinational companies should maintain strong communication channels so that if the company identifies a risk at the local level, headquarters can assess whether the problem exists elsewhere at the regional level or across multiple business lines, and can then continue to target these risks through updated training and monitoring initiatives.
Health care companies and institutions must be proactive in their review of the specific requirements associated with cross-jurisdictional operations and deployment of institutional and local oversight mechanisms. Such efforts will help meet the evolving expectations of regulatory and enforcement agencies to operate a risk-based, global compliance program.
For more resources to help you navigate compliance obligations and risks in an international environment, please visit our microsite: Global Health Care Compliance.
1 In the Teva settlement, the DOJ noted that the Company found FCPA violations through an internal audit, but failed for years to implement training around these issues. Department of Justice, Teva Pharmaceutical Industries Ltd. Agrees to Pay More than $283 Million to Resolve Foreign Corrupt Practices Act Charges, available here; in the Olympus settlement, the DOJ found that Olympus failed to appoint a compliance officer until 2009. Department of Justice, Medical Equipment Company Will Pay $646 Million for Making Illegal Payments to Doctors and Hospitals in United States and Latin America,
2 In a recent survey of participants in a webinar on global compliance, including compliance officers and counsel for several multinational companies in various sectors, 64% of respondents indicated that they used global policies that set minimum standards with additional local SOPs, 4% used global policies with less strict local SOPs, and 32% used a code of conduct and all local policies/SOPs.
3 Based on a global survey of 300 senior-level executives working for multinational businesses in North America, EMEA, Asia Pacific and Latin America, in the health care, life sciences, asset management, banking, private equity and technology sectors (the “Risky Business Survey”), health care and life sciences companies identify regulation/compliance (62%), intellectual property (26%), anti-money laundering (24%), and sanctions/export controls (24%) as high-risk topics for which they are least prepared, and which therefore may require strengthened monitoring programs. More information available here.
4 Evaluation of Corporate Compliance Programs, February 2017, Department of Justice, available here.
5 Measuring Compliance Program Effectiveness: A Resource Guide, March 27, 2017, Department of Health and Human Services, Office of Inspector General (OIG), pp. 24-31. While the OIG’s compliance guidance includes similar themes present in the 2017 DOJ guidance, it provides more targeted, tactical content governing domestic conduct.
6 See United States Sentencing Commission, Guidelines Manual, 18 U.S.C.A. §8B2.1 (November 1, 2016).