I. Legal Consequences of an Inadequate Compliance Program
Multinational companies continue to face intense enforcement scrutiny related to their global compliance practices by oversight authorities worldwide. These companies rely heavily on local regulatory developments, evolving statutory structures such as the Foreign Corrupt Practices Act (“FCPA”) and UK Bribery Act, and trends raised by Deferred Prosecution Agreements (“DPAs”) and enforcement settlements for guidance on implementing an effective global compliance program. As recent U.S. settlements involving Orthofix, Teva Pharmaceuticals, and Olympus indicate, domestic companies that fail to adequately train, monitor, and audit compliance for ex-U.S. operations are particularly subject to intense scrutiny—each of these companies recently entered into DPAs related to FCPA allegations and settled with the U.S. Department of Justice (“DOJ”) or Securities Exchange Commission (“SEC”) for amounts ranging from $6 million (Orthofix) to $646 million (Olympus). In each case, the government found that compliance program implementation, oversight, and training were insufficient to prevent improper (and even overtly corrupt) conduct.1 Moreover, in the case of Teva, the DOJ found that compliance personnel were “unable or unwilling” to implement its anti-corruption programs, and for Olympus, the DOJ criticized the lack of an anti-corruption “tone at the top.” Accordingly, the DOJ and SEC are requiring health care companies conducting ex-U.S. operations to do more than just “check the boxes” in establishing a compliance program—an effective compliance program requires on-the-ground and executive commitment. The most effective programs establish institutional commitment at the very outset and require ongoing monitoring and continuous updates. 
Companies that internally identify and self-report (when appropriate) material non-compliance with applicable legal mandates can significantly decrease the risk of regulator-imposed compliance counsel or monitorships, mitigate the threat of substantial monetary penalties, and potentially avoid other adverse consequences, such as exclusion from U.S.-based health care programs, disqualification from government contracts, and widespread reputational harm.
II. Globalizing Your Compliance Program
Organizations implementing effective global compliance programs face particular challenges in navigating disparate regulatory regimes in the numerous jurisdictions in which they may operate. Maintaining and updating regional or country-specific policies and program oversight procedures requires substantial resources and continuous updates. Faced with these challenges, some multinational companies implement uniform global compliance policies that may include requirements that are more or less restrictive than local laws. Others develop policies that identify areas of regulatory overlap and apply some consistent standards globally, and then supplement with country-specific guidance that accounts for variation in local law.2 To account for the disparate requirements in the various jurisdictions in which a company may operate, global organizations can develop analytic tools in order to identify and prioritize high-risk areas based upon locality. From there, global organizations can target these items for improvement through heightened training and monitoring programs. High-risk topics for global organizations to consider monitoring may include T&E; third-party due diligence; interactions with government entities; interactions with health care professionals; grants, donations, and sponsorships; and free product and price concessions.3
The DOJ has recently offered guidance relevant to an increasingly globalized market and the unique compliance requirements associated with multinational business operations in its 2017 Evaluation of Corporate Compliance Programs guidance.4 The guidance emphasizes key elements and controls applicable to global compliance program operations, such as accessibility of policies and procedures, whether a company provides “gatekeepers” (persons with payment authority in applicable jurisdictions) clear guidance and training, and how the company uses incentives to promote ethical conduct. In addition, confidential reporting, risk assessment, auditing and control testing are emphasized as integral compliance processes. The U.S. Department of Health and Human Services, Office of the Inspector General (“OIG”) has also issued compliance guidance applicable to health care and life sciences companies, which may be useful to companies in these sectors.5
All of the traditional “seven elements” of compliance programs should be designed to meet evolving global requirements, such as policies and procedures; oversight; employee and third-party screening; training and communication; auditing, monitoring and internal reporting; disciplinary actions and incentives; and investigations and remediation.6 When developing training programs, companies should tailor presentations and materials to the roles of their workforce members, and policies and training should be presented in local languages and in person, to the extent possible, with real-world examples. Regulatory oversight bodies consistently demand that compliance programs evolve to meet developing statutory structures and industry standards, identify risks through internal monitoring, and promptly implement effective corrective action plans. Specific local requirements, such as meal or gift limits, are often best built into localized standard operating procedures and should be tied to other systems (i.e., expense control systems) in order to both facilitate compliance tracking efforts and, to the extent possible, act as a stop-gap for instances of non-compliance. For example, companies operating in South Korea and Brazil require specific focus and robust monitoring for recently enacted laws imposing spending restrictions more burdensome than under the FCPA: South Korea’s “Kim Young-ran Act” sets a much lower threshold for improper payments to public officials than the FCPA and includes a broader definition of public officials, and Brazil’s “Clean Companies Act” applies strict liability to interactions with public officials.
Establishing effective communications and audit processes between headquarters and regional business lines is essential for establishing accountability within global organizations. A centralized audit process is germane to an effective business model—multinational companies are advised, however, to consider implementing periodic audits as close to the ground as possible as well, to monitor training effectiveness and implementation. Single-country and even regional audits substantially increase the likelihood of identifying instances of noncompliance. Throughout the process, multinational companies should maintain strong communication channels so that if the company identifies a risk at the local level, headquarters can assess whether the problem exists elsewhere at the regional level or across multiple business lines, and can then continue to target these risks through updated training and monitoring initiatives.
Health care companies and institutions must be proactive in their review of the specific requirements associated with cross-jurisdictional operations and deployment of institutional and local oversight mechanisms. Such efforts will help meet the evolving expectations of regulatory and enforcement agencies to operate a risk-based, global compliance program.