Once upon a time, almost a decade ago to be precise, German multinational companies were at the forefront of the global anti-corruption discourse, with Siemens AG (“Siemens”), the Germany-based global industrial manufacturer, dominating headlines and the public’s attention after it paid USD 800 million to German prosecutors and an equal USD 800 million to U.S. prosecutors to settle allegations that the company bribed government officials. Since the time of that landmark case, there have been numerous developments on the global anti-corruption stage, and other companies and other countries that have dominated the unwanted headlines once occupied by German prosecutors and Siemens.

However, in early July 2017, a German shipbuilder, ThyssenKrupp, began to garner headlines after news broke that the shipbuilder may be in trouble with the Israeli government in connection with possible corruption issues related to a EUR 1.5 billion deal. One month later, in August 2017, Fresenius Medical, a Germany-based provider of dialysis products and services, made headlines after it disclosed its ongoing cooperation with the U.S. DOJ and SEC relating to possible corruption issues. Most recently, in late September 2017, the U.K.’s Serious Fraud Office (“SFO”) reported that F.H. Bertling Ltd., the U.K. subsidiary of the Bertling Group, a German logistics services provider, and six current and former F.H. Bertling employees were convicted of conspiracy to make corrupt payments to an agent of Sonangol, the Angolan state oil company. These matters, along with a few other cases, suggest that German companies—as part of one of the world’s largest economies—may again become central to the global anti-corruption discussion. The real question will then be: “Are these companies ready for it?” And, with no sign that regulators will shift focus away from life sciences companies in the near future, German multinationals in the life sciences sector, in particular, should think about this question.

The Economic Backdrop: M&A and Other Growth Fueling Compliance Risks

Germany is Europe’s largest economy, the fourth largest economy in the world (based on 2016 gross domestic product), and a leading manufacturer and exporter of goods. Not only is Germany one of the world’s top exporters of pharmaceutical and medical technology products, but it also ranks among the top five in the global life sciences sector with respect to its outflow of foreign direct investment (“FDI”). In addition, leading German multinationals are helping drive the current trend of growth via merger and acquisition (“M&A”). In 2016, the U.S. accounted for 17.4% of total outbound volume of cross-border M&A transactions from Germany. This represented an increase in German outbound deals to the U.S. by 28.7% in terms of deal volume and 590.3% in terms of deal value, the latter largely driven by the announced acquisition of Monsanto Company by Bayer AG (compared to the previous year).

The number of completed deals in the life sciences sector, in particular, remains at a high level, globally, with the value of completed deals in the first quarter of 2017 increasing by 36% (compared to the previous quarter). For example, this year, two German multinational companies completed significant acquisitions in the life sciences sector: the global exchange of Sanofi’s animal health business for the eighteenth largest (based on 2016 global sales) pharmaceutical company’s consumer health business (transaction reportedly valued at EUR 23 billion) and Fresenius Kabi’s USD 5.1 billion acquisition of Akorn, a specialty pharmaceutical company. This is all consistent with other multinationals in the global life sciences sector that continued to choose M&A as a strategy for growth in 2017, including Cardinal Health’s USD 6 billion acquisition of three of Medtronic’s product portfolios; and Allergan’s agreement to acquire ZELTIQ Aesthetics, a medical device company, for USD 2.5 billion. For healthcare multinationals seeking to expand into new geographic regions by acquisition or other business transactions, the most popular destination was the U.S. In the first quarter of 2017, 51 pharmaceutical M&A deals were completed, with firms acquiring U.S. targets comprising the highest number.

This growth certainly appears to be welcome news and a great opportunity for German multinationals in general, and in the life sciences sector specifically. With great opportunity, however, comes a commensurate compliance and enforcement risk, especially for companies expanding into the U.S., where healthcare enforcement recoveries have long been at epic levels, or emerging markets, where the risks of corruption run deep. Whether the good news will last for German multinationals may depend, in part, on whether such companies are also “growing” their compliance programs. If the answer is “no,” German multinationals in the life sciences and other sectors must move quickly to identify and address the risks attendant with expansion by ensuring that their compliance programs are keeping pace. Failure to do so could have significant consequences for German multinationals.

U.S. Regulators: Continued Focus on Life Sciences Companies

Companies operating in the U.S. market must understand and appreciate the compliance challenges associated with operating in a highly regulated market, with prosecutors’ long history of aggressively targeting corporate crime across banking, defense, and other industries. Over the past two decades, life sciences companies, in particular, have faced a virtual onslaught of U.S. Government enforcement and have spent tens of billions of dollars in fines and penalties resulting from violations of various U.S. laws enacted to prevent and deter fraud and abuse. In recent years, such enforcement actions underscore the importance of understanding and complying with U.S. laws, such as the Anti-kickback Statute (“AKS”), False Claims Act (“FCA”), and the Foreign Corrupt Practices Act (“FCPA”), which govern interactions between life sciences companies and individuals and entities—in the U.S. and around the world.

U.S. Enforcement Mechanisms for Bribery in the U.S.: The AKS and FCA

In the U.S., the FCA is the primary statute used by regulators to bring civil and/or criminal prosecutions against life sciences companies and their employees for fraudulent practices. Notably, prior enforcement actions demonstrate that an acquirer inherits the FCA liability of the target entity. The FCA prohibits any person from knowingly presenting a false claim for payment to the federal government or knowingly making a false record or statement material to a false or fraudulent claim to the federal government. Importantly, in 2010, the U.S. Patient Protection and Affordable Care Act (“PPACA”) expanded the FCA’s reach. Specifically, the PPACA amended the AKS so that a claim that is submitted to the federal government as a result of an action that violates the AKS is considered false under the FCA. Thus, an anti-kickback violation is per se an FCA violation. The AKS prohibits offering or providing anything of value, directly or indirectly, to a healthcare professional (“HCP”) that is intended to induce someone to purchase, prescribe, endorse, or recommend a product that is reimbursed under U.S. federal or state healthcare programs.

Between 2001 and 2012, the DOJ reached resolutions with a number of U.S. subsidiaries of German life sciences companies, recovering approximately USD 796 million in fines and penalties against them.

For example, in 2001 and 2003, U.S. subsidiaries of Bayer AG agreed to pay USD 14 million and USD 251 million, respectively, to settle alleged FCA violations. The 2001 settlement resolved allegations that, since the early 1990s, Bayer falsely inflated drug prices and sold the drugs at a significant discount to HCPs, who profited from the reimbursement paid by government healthcare programs for the drug. The difference between the government payment at the inflated prices and the actual price paid by the HCP for the drug is known as the “spread;” the larger the spread on a drug, the larger the profit for the HCP, who is reimbursed by the government healthcare program. As part of the 2001 settlement, Bayer entered into a corporate integrity agreement (“CIA”) with the Office of Inspector General (“OIG”) for the Department of Health and Human Services (“HHS”). In 2003, Bayer paid USD 251 million to resolve allegations that it defrauded government healthcare programs by relabeling products sold to an organization at deeply discounted rates and then concealing the discounts to avoid paying rebates, in violation of U.S. law.

Five years later, another government enforcement action was brought against a Bayer U.S. subsidiary. In November 2008, Bayer Healthcare LLC (“Bayer HC”) agreed to pay USD 97.5 million to settle allegations that it paid kickbacks to a number of diabetic suppliers and caused those suppliers to submit false claims to a government healthcare program. The government alleged that Bayer HC engaged in a “cash-for-patient scheme,” through which the company paid diabetic suppliers to switch their patients to Bayer’s products. Allegedly, between 1998 and 2002, Bayer HC paid one supplier approximately USD 2.5 million to switch patients and disguised the payments as advertising payments. In addition, between 1998 and 2007, Bayer HC allegedly paid kickbacks of approximately $375,000 to 10 other diabetic suppliers to convert patients. As part of the settlement, Bayer HC was required to enter into a CIA.

More recently, in December 2010, four companies reached settlements with the DOJ to resolve claims that the companies violated the FCA by knowingly reporting false and inflated prices to federal healthcare programs. Two of these companies were U.S. subsidiaries of German companies, including B. Braun Medical Inc. (“Braun”), a U.S. subsidiary of pharmaceutical company B. Braun Melsungen AG. Braun agreed to pay approximately USD 14.8 million to resolve allegations that the company inflated prices for 49 products, causing Medicaid to pay more than the true cost of the products.

U.S. Enforcement Mechanisms for Bribery Outside of the U.S.: The FCPA

Similarly, U.S. enforcement agencies are combatting kickbacks abroad by flexing the extraterritorial reach of the FCPA—with twelve of the fifteen largest recoveries under the statute to date involving non-U.S. companies. Under the FCPA, the DOJ and U.S. Securities and Exchange Commission (“SEC”) can bring criminal and civil enforcement actions against certain companies for any “offer, payment, promise to pay, or authorization of the payment of any money, or . . . the giving of anything of value to” any foreign official for the purpose of influencing the official. Importantly, the DOJ and SEC have long held the view that an acquiring entity inherits the FCPA liability of the target entity; this includes historic and continuing liabilities. In addition, under the FCPA, companies can be and regularly are held liable for FCPA violations by third parties if the company knew or should have known of the improper conduct. Recent years have reflected a staggering increase in FCPA enforcement with 2016 bringing a record number of FCPA resolutions accompanied by fines and penalties totaling USD 2.43 billion, including approximately USD 610 million recovered from eight life sciences companies.

The landmark Siemens case aside, more recent developments continue to demonstrate that German multinational companies are not immune from the attention of U.S. regulators for alleged FCPA violations that occurred outside of the U.S. For example, in February 2016, one of the world’s largest technology companies, based in Germany, reached an agreement with the SEC relating to allegations that, from June 2009 to November 2013, a company executive and others engaged in a scheme to bribe three senior officials of the Panamanian government in exchange for the sale of software to the Panamanian government. The SEC alleged that the company secured four contracts from the Panamanian government, which generated USD 3.7 million in profits for the company. The company agreed to pay USD 3.9 million to resolve these allegations. In a parallel action, the DOJ criminally prosecuted the offending executive in question, who was ultimately sentenced to 22 months in prison.

In August 2017, Fresenius Medical Care, a Germany-based provider of dialysis products and services, disclosed its ongoing cooperation with the SEC and DOJ related to its voluntary disclosure of potential FCPA violations in 2014. At that time, Fresenius had disclosed only that it was undertaking an internal investigation into “certain conduct in certain countries outside the United States[;]” the internal investigation had resulted in the review and ongoing enhancement of the company’s anti-corruption compliance program, including internal controls related to international bribery laws. More than three years later, Fresenius “has substantially concluded its investigations,” “taken remedial actions including employee disciplinary actions” with respect to potentially sanctionable conduct under the FCPA, and “entered into discussions toward a possible resolution with the government agencies.”

Other European life sciences companies have been persistently scrutinized under the FCPA for international activities and conduct. In 2016 alone, Novartis AG, AstraZeneca plc, and GlaxoSmithKline plc (“GSK”) settled enforcement actions with U.S. agencies for conduct that occurred outside the U.S. In March 2016, Novartis entered into an agreement with the SEC to resolve allegations that it violated the FCPA when two China-based Novartis subsidiaries provided gifts, cash payments, and entertainment to HCPs and engaged in “pay-to-prescribe schemes to increase sales.” Under the resolution, Novartis agreed to pay USD 25 million and entered into a two-year self-monitorship. In August 2016, AstraZeneca reached a settlement with the SEC relating to allegations that AstraZeneca’s Chinese and Russian subsidiaries violated the internal controls and recordkeeping requirements of the FCPA, which allowed management and staff to engage in and conceal improper payment schemes to HCPs at state-owned and state-controlled entities in China and Russia and to local government officials in China. AstraZeneca agreed to pay USD 5.5 million to resolve these allegations. One month later, in September 2016, GSK paid the SEC USD 20 million to settle alleged FCPA violations, following its earlier resolution in China.

Prosecutors Meet Other Prosecutors: The Coordination and Resources Factor

The U.S. government certainly devotes significant resources to the investigation and prosecution of fraud and abuse in the U.S. and around the world. For example, in 2007, the Medicare Fraud Strike Force (“Strike Force”) was created to combat fraud in the “highest intensity regions.” The Strike Force, comprised of interagency teams of investigators and prosecutors, utilizes data analytics techniques to identify possible healthcare fraud “hot spots.” In 2009, the U.S. Government created the Health Care Fraud Prevention and Enforcement Team (“HEAT”), tasked with fighting federal healthcare fraud in the U.S., including investigating and prosecuting matters involving life sciences companies. In addition, the DOJ’s FCPA Unit has approximately 30 prosecutors who focus on the investigation and prosecution of the FCPA and related statutes. Despite the recent restructuring that resulted in the Strike Force reportedly being “gutted,” the recently announced partnership between the Strike Force and FCPA Unit should serve as a warning to life sciences companies that the U.S. Government remains focused on kickback violations in the U.S. healthcare sector and abroad, and that increased collaboration may lead to increased scrutiny.

Time will tell whether this partnership will result in more enforcement actions like the “unique” Olympus resolution, in which the U.S. Attorney’s Office for the District of New Jersey and the DOJ’s FCPA Unit combined forces to bring home a combined FCA and FCPA resolution to the tune of USD 646 million in March 2016. At the time, the Olympus resolution demonstrated a new strategy: the combination of these two highly effective statutes and prosecutorial teams to prosecute a life sciences company for bribery. While the industry waits to see what will come of the partnership between the Strike Force and the FCPA prosecutors, and perhaps again with U.S. Attorney’s Offices, life sciences companies operating in the U.S. should also take note that partnerships between U.S. and global regulators are on the rise.

The 2008 Siemens FCPA resolution was memorable for many reasons, including the fact that the collaboration between German and U.S. prosecutors resulted in the company paying more than USD 1.6 billion to German and U.S. regulators, collectively, to resolve the matter. Almost a decade after the Siemens case, it appears that coordination between regulators to reach “global resolutions” is increasing. For example, in October 2016, Embraer S.A., a Brazilian manufacturer and exporter of jets, reached a “global” settlement with U.S. and Brazilian prosecutors to resolve allegations that the company bribed government officials in the Dominican Republic, India, Saudi Arabia, and Mozambique in exchange for government contracts. The company was required to pay a total of USD 205.5 million to regulators in the U.S. (USD 185.5 million) and Brazil (USD 20 million). Similarly, coordination between U.S. and other regulators resulted in three genuinely “global” resolutions in December 2016. One of the resolutions involved Rolls-Royce, a British-based company, that agreed to pay approximately USD 800 million in a “global” resolution with regulators in the U.S. (USD 170 million), the U.K. (USD 599 million), and Brazil (USD 25.5 million) to settle allegations that the company bribed foreign officials in Angola, Azerbaijan, Brazil, Iraq, Kazakhstan, and Thailand in exchange for confidential information and contracts.

The Life Sciences Enforcement Zeitgeist: Takeaways for German Multinational Life Sciences Companies

1. A bribe may be the gift that keeps on giving.

The Siemens matter, which had seemingly concluded almost a decade ago, provides another valuable lesson: a settlement with regulators in one jurisdiction does not guarantee that a matter is resolved. While Siemens reached a resolution with U.S. and German regulators in 2008 for bribing executives at a state-owned Israeli electrical company (from 1999 to 2005) to win supply turbine contracts, the matter was not resolved on a global scale for the company. Rather, in May 2016—eight years later—the company was required to pay the Israeli government approximately USD 42 million for the same conduct that led to the 2008 resolution. This has become an increasing trend, with so-called “carbon copy” prosecutions being the apparent order of the day. As the saying goes, “it’s not over until it’s over.”

2. Buyer beware.

Prior FCA and FCPA enforcement actions underscore the importance of conducting effective due diligence prior to acquiring an entity, or otherwise engaging in a business combination (e.g., a joint venture). The level of diligence conducted should be tailored to address the target entity’s specific risk profile and may require additional steps in certain high-risk markets. Through this process, a company can assess and manage historic and future anti-corruption and other compliance risks that it will inherit if it goes through with the transaction. Failure to do so could result in significant consequences for the company that will dampen the positives otherwise associated with a company’s growth.

The U.S. DOJ and SEC, the U.K.’s SFO, and other global regulators have consistently emphasized the importance of conducting deal diligence and memorialized their expectation that diligence will be conducted before and after a deal. For example, the SEC and DOJ FCPA Resource Guide (“FCPA Guide”) states that a company that conducts effective due diligence on its targets “demonstrate[s] to [the] DOJ and SEC [its] commitment to compliance[, which is] taken into account when evaluating any potential enforcement action[.]” Similarly, the SFO Guidance on the U.K. Bribery Act (“SFO Guidance”) underscores the importance of diligence, stating that “thorough due diligence and risk mitigation prior to any commitment [(e.g., a merger or acquisition)] is paramount in such circumstances.” In addition, the International Organization for Standardization (“ISO”) 37001, which specifies a series of standards and measures organizations must undertake to develop anti-corruption systems to prevent, detect, and address bribery, recognizes the importance of conducting due diligence and outlines factors and considerations that will help companies determine the appropriate level of diligence. ISO 37001 states that due diligence should be conducted because it serves as a “targeted control in the prevention and detection of bribery risk, and informs the [company]’s decision on whether to postpone, discontinue, or revise” a transaction, among other things.

From an anti-corruption perspective, at a minimum, this requires conducting pre- and post-acquisition diligence that addresses not only FCPA risks, but also risks under Germany’s anti-bribery laws. For example, German multinationals should assess potential liability under the Gesetz zur Bekämpfung der Korruption im Gesundheitswesen (“Law to Combat Corruption in the Healthcare Sector”), which was passed in 2016 and criminalizes, among other things, the payment of bribes to public and private HCPs.

When vetting targets for fraud and abuse-related issues in the U.S., acquirers should conduct a similar exercise. The March 2017 HHS OIG (“2017 OIG Guide”) recommends that companies conduct diligence on their targets and other third parties. In addition, the 2017 OIG Guide also notes that one of the factors considered when measuring the effectiveness of compliance is whether the compliance officer is involved in the company’s strategic planning process and due diligence processes, which suggests that compliance should have a seat at the table when new business ventures are discussed and planned.

3. As the business evolves, so should compliance.

Once a deal is executed, or the business enterprise has otherwise evolved over the course of time, as would be expected, German multinationals would be wise to protect their investment and growth by ensuring that compliance efforts keep pace too. U.S. regulators expect that companies subject to U.S. laws will develop, implement, and maintain effective compliance programs that address risks. Once a deal is closed, this, of course, means that policies and procedures and training must be updated and that the target entity must be thoughtfully integrated into the compliance fold, among other things. In addition, acquirers may want to think about the narrative that will be told through the pre- and post-acquisition numbers. For example, if a company doubles its sales force but the number of compliance resources or the compliance budget is not increased, what will the prospects be for continued compliance? In the event of an external investigation, what message will this send to regulators?

4. Assess the (new) exposures.

As the entity changes and grows, its exposure to risks are likely to change and grow too. A compliance program that may have been effective in earlier times, such as before one or more business transactions, may become ineffective if it does not address new risks. U.S. and other regulators, such as the U.K.’s SFO, understand this and have come to expect that companies will conduct regular risk assessments to help them identify and address potential control weaknesses. For example, the FCPA Guide states that “[a]ssessment of risk is fundamental to developing a strong compliance program, and another factor [regulators] evaluate when assessing a company’s compliance program.” Similarly, one of the principals in the SFO Guidance is that an organization will “assess[] the nature and extent of its exposure to potential external risks[.]” The SFO also expects that such an assessment will be “periodic, informed, and documented.” By conducting a meaningful risk assessment, companies will be able to evaluate controls and detect weaknesses and, in the process, help bolster the companies’ compliance narrative. Too often, companies conduct a comprehensive compliance risk assessment, with a “one-and-done” approach. Unfortunately, the risks facing an organization change, and some companies do not keep pace.

5. Maintain a finger on the pulse.

The words are often spoken, but are compliance programs maintaining an effective finger on the pulse of the organization via auditing and monitoring? By regularly conducting these activities, as well as more targeted proactive reviews, with appropriate resources in a meaningful manner, the company will be able to (a) understand its evolving risk profile, (b) assess its compliance program’s effectiveness, (c) identify areas for enhancement, and (d) meet regulators’ expectations. Both the FCPA Guide and the SFO Guidance memorialize regulators’ expectation that companies will make sure “controls on paper work in practice” and “make improvements where necessary[.]” The newer ISO 37001 standard provides similar guidance. As too many companies have learned the hard way, if companies do not maintain a finger on the pulse, the effectiveness of their compliance program may be undermined. As the litany of enforcement cases should teach us, even companies with the best of intentions, having fully identified their risks, having put in place adequate front-end policies and procedures, and having fully-trained their employee base, still face significant vulnerability if they are not monitoring to affirm their good faith belief that everything is fine, and everything is working as had been planned.

The Compliance Zeitgeist Cometh

The above takeaways will help German multinationals manage risks attendant with operations in the U.S. and other high-risk markets around the world, which should be an important business goal for them. In addition, a decision made by the German Federal Court of Justice in Karlsruhe earlier this year may suggest that the U.S. regulators’ approach to compliance may be spreading to Germany. Specifically, on May 9, 2017, the court, which was ruling on a tax fraud matter, stated that a company can reduce its penalty by implementing an “effective compliance management system” “that may help prevent unlawful activity.” While the court did not issue any guidance on what constitutes an “effective compliance management system,” this ruling suggests that having an effective compliance program, generally, will be beneficial to German companies under scrutiny. This development and the recent enforcement actions against ThyssenKrup and Siemens by Israeli regulators, and Fresenius Medical, among others, by U.S. regulators, should motivate German multinationals to move quickly to assess and, if needed, enhance their compliance programs.