Executive Summary

On October 5, 2015 the U.S. Securities and Exchange Commission ("SEC") announced it had settled an enforcement action against U.S. issuer Bristol-Myers Squibb Company ("BMS"), in which the SEC alleged violations of the internal controls and recordkeeping provisions of the Foreign Corrupt Practices Act ("FCPA").[1] Specifically, the SEC asserted that employees of BMS's majority-owned China joint venture had falsified records to conceal various types of payments and other benefits to health care providers ("HCPs") given in exchange for prescriptions and drug listings.  The SEC did not allege any violation of the FCPA's anti-bribery provisions, and BMS did not admit or deny the SEC's findings.

Under the SEC's Cease and Desist Order (the "Order"), BMS agreed to pay disgorgement of $11.442 million, prejudgment interest of $0.5 million, and a civil penalty of $2.75 million, for a total of more than $14 million. BMS also agreed to provide the SEC with three separate reports over a two-year period outlining its continued remediation efforts.

This case highlights, among other things, the importance of not only having a reasonably effective anti-corruption compliance program designed to detect potential violations, but also the importance of responding promptly and appropriately to red flags and compliance gaps detected through the program.  Moreover, BMS's remediation efforts provide a helpful road map for companies seeking to mitigate any damage caused by failures in their compliance programs.

Factual Allegations

According to the SEC, certain sales representatives at BMS's majority-owned China joint venture achieved sales by providing cash and other benefits-such as gifts, meals, travel, entertainment, and sponsorships for conferences and meetings-to HCPs in exchange for prescriptions and drug listings. BMS then falsely categorized these expenses as legitimate business expenses in its books and records.  Certain of these HCPs worked at state-owned or state-controlled hospitals or pharmacies, and therefore qualified as foreign officials under the FCPA.[2]

BMS operates in China through its subsidiary, Bristol-Myers Squibb (China) Investment Company Limited ("BMS China"). BMS China holds a 60% equity interest in Sino-American Shanghai Squibb Pharmaceuticals Limited ("SASS"), its joint venture in China, and has held operational control over that entity since 2009.  BMS China also has the right to name the President and a majority of the Board of Directors of SASS. 

In its Order, the SEC addressed three areas which raised FCPA concerns:

"Failure to Respond to Red Flags": First, according to the SEC, BMS failed to respond effectively to red flags raised by certain travel and entertainment expenses that indicated that sales representatives were providing improper benefits to HCPs in order to generate sales. Specifically, the SEC alleged that in 2009, BMS China initiated a review of certain reimbursement requests and found "non-compliant claims, fake and altered invoices and receipts, and consecutively numbered receipts."[3] In an effort to identify false or improperly documented expenses, BMS China subsequently hired a local accounting firm to conduct monthly reviews of travel, entertainment, and meeting expenses, and later took this function in-house. The results of the internal and external reviews were later provided to "management of BMS China as well as regional compliance and corporate business managers who reported directly to senior management of BMS."[4] Through this process, between 2009 and 2013, BMS China identified numerous irregularities in the documentation of travel and entertainment and events, including fake and altered records of business meetings with HCPs that had likely not occurred. Employees also admitted to submitting false claims and using funds to pay or otherwise benefit HCPs in order to secure prescription sales.  Employees cited the "open secret" that HCPs in China require "gray income" to maintain their livelihood.[5] BMS, however, did not investigate these claims.

"Compliance and Controls Environment": Second, according to the SEC, BMS was slow to implement a formal FCPA compliance program. BMS first established such a program in 2006, and first conducted compliance assessments and audits around that time. These reviews revealed weaknesses in the monitoring of payments to HCPs; a "lack of formal processes around selection and compensation of HCPs as speakers"; deficiencies in securing and documenting approval of donations/sponsorships/consulting arrangements with HCPs; and the failure to conduct post-event verification of events sponsored by sales representatives.[6] These results were provided to both senior management at BMS China and to members of BMS's global compliance department.  In addition, annual audits of BMS China-reported to the Audit Committee and senior management at BMS-identified gaps in internal controls, citing a "lack of effective controls and documentation relating to interactions with HCPs and the monitoring of potential inappropriate payments to HCPs."[7] Despite receiving reports of these findings, BMS China's senior management did not timely remediate these weaknesses and continued to expend minimal resources on compliance. Indeed, there was no dedicated BMS China compliance officer until 2008; there was no permanent compliance position in China until 2010; and, until 2012, the corporate compliance officer responsible for the Asia-Pacific region was based in the U.S. and rarely traveled to China.  Moreover, when BMS China implemented mandatory anti-bribery training in late 2009, 67% of employees in China failed to complete the training by the deadline. 

"Internal Documents Reveal Improper Benefits Provided to HCPs": Third, internal documents reviewed by the SEC revealed that sales representatives used "funds derived from travel and expense claims to make cash payments to HCPs and to provide gifts, meals, entertainment, and travel to HCPs in order to induce them to prescribe products sold and marketed by BMS China."[8In emails and other documents, employees described plans to increase prescription sales using these methods as "activity plans," "action plans," and plans for "investments."[8] In one email from 2013 quoted by the SEC, a sales representative explained that a former "director of the infectious diseases department was extremely clear when I took over:  'No money, no prescription.'"[9] According to the SEC, other documents identified correlations between the value of the benefits given to HCPs and the volume of sales expected. The SEC also noted that some sales representatives tried to increase sales by hosting cash promotions and events for pharmacy employees.

The SEC's Books and Records and Internal Accounting Controls Charges

The SEC alleged that BMS violated Section 13(b)(2)(A) of the Exchange Act, 15 U.S.C. § 78(b)(2)(A), by falsely recording in its books and records, "as advertising and promotional expenses, cash payments and expenses for gifts, meals, travel, entertainment, speaker fees, and sponsorships for conferences and meetings provided to foreign officials."

The SEC also alleged that BMS violated Section 13(b)(2)(B) of the Exchange Act, 15 U.S.C. § 78m(b)(2)(B), by "failing to devise and maintain a system of internal accounting controls relating to payments and benefits provided by sales representatives" to foreign officials at state-owned hospitals and pharmacies in China.[11] The SEC cited BMS's numerous audits since 2009, which indicated that BMS lacked internal controls sufficient to reasonably assure that funds advanced and reimbursed to BMS China employees were used for appropriate and authorized purposes.

BMS's Remedial Efforts

The SEC credited BMS with "implement[ing] significant measures" to enhance anti-bribery and compliance programs and internal controls as they relate to interactions with HCPs.[12]

First, BMS took substantial steps to enhance controls. Among other actions, they required a 100% pre-reimbursement review of all expense claims; implemented an accounting system designed to track each expense claim, including request, approval, and payment; retained a third-party vendor to conduct checks without notice at events for HCPs hosted by sales representatives; implemented enhanced due diligence procedures for third-party agents; established monitoring systems for speaker fees and third-party events; and incorporated risk assessments based on data analytics.

Second, BMS took specific steps to prevent recurrences of past violations by targeting violating employees. They terminated over ninety employees and disciplined nearly ninety additional employees who had failed to follow or supervise in accordance with compliance policies. This included replacing certain BMS China officers to "enhance 'tone at the top' and a culture of compliance" in China.[13] BMS also revised the compensation structure for BMS China employees by reducing incentive-based compensation for sales and distribution. Finally, BMS eliminated all gifts to HCPs.

Resolution

BMS agreed to pay disgorgement of $11.442 million, which, according to the SEC, represented "profits gained as a result" of the offending conduct; prejudgment interest of $0.5 million; and a civil penalty of $2.75 million.[14] The SEC did not explain the basis for its conclusion that BMS profited in the amount of $11.442 million through its violations of the FCPA's accounting provisions, but this amount is modest relative to the $300 million increase in net sales in China that BMS enjoyed between 2009 and 2014.  BMS also agreed to issue reports to the SEC on the status of its remediation and compliance measures three times over the next two years.

Key Takeaways and Analysis

The SEC's Cease and Desist Order against BMS is significant for several reasons:

First, this Order serves as a reminder that a U.S. issuer can be held responsible for the conduct of its foreign joint venture. Where-as here-an issuer owns 50% or more of a joint venture, the issuer can be held directly responsible for ensuring that the foreign joint venture abides by the books and records requirements and maintains an adequate system of internal controls.[15]

Second, the Order highlights the importance of a robust anti-corruption compliance program. BMS China's compliance shortcomings provide a laundry list of errors to avoid: The compliance process did not track payments to HCPs and did not enforce controls on the documentation of reimbursements. BMS China employees failed to participate in required anti-corruption training. Managers failed to act on explicit reports of false reimbursements from both compliance and an external auditor, even when terminated employees directly reported bribery to the BMS China President. And BMS China delayed placing a compliance officer on the ground in China for years. That said, the SEC considered as a mitigating factor BMS's subsequent efforts to put a robust compliance program in place.[16] BMS's remediation efforts stand out as an example to other issuers addressing failures of internal controls and compliance programs: If you identify potential deficiencies, they should be reviewed, and remediated, as appropriate.

Third, the Order serves as a reminder of the importance of not just having an anti-corruption compliance program designed to detect potential violations, but also of promptly and appropriately responding to red flags and compliance gaps identified in the course of monitoring. Merely establishing a compliance process is insufficient to protect against liability if the company does not respond to, and adequately investigate, reports of potential violations. Some of the types of red flags that might warrant further investigation include, for example: vague expense claims; expense claims that lack adequate documentation; large or irregular expenses; payments made to an account that looks suspicious; approval processes that were bypassed; and large or unusual gift-giving, meals, entertainment, or travel. 

Finally, the settlement also serves as a reminder about the importance of carefully crafted gift, travel, and entertainment policies. The FCPA allows reasonable, modest gift-giving to government officials when nothing is sought in return.  In order to avoid crossing the line from such permissible to impermissible giving of benefits, best practices suggest that an issuer might want to establish a policy that carefully controls client expenses and gift-giving activities by, for example, requiring that such activities be open and transparent; requiring legal and/or compliance pre-approval; imposing aggregate limits to ensure that enterprise-wide expenditures and expenditures over time remain reasonable and modest; requiring accurate recording of such expenditures in the issuer's books and records, including sufficient detail regarding the identity of the recipient, the recipient´s employer, whether the recipient is a public official, and the purpose of the expense; and ensuring that gifts and other client expenses are permitted under local law.  Additionally, there should be ongoing monitoring and oversight‎ of these policies to ensure compliance and satisfy enforcement expectations.