Foreign Corrupt Practices Act (FCPA) Compliance:
- What are some important FCPA compliance keys for health industry companies?
- How should compliance professionals deal with those issues from a real world compliance perspective?
1. Spot the Foreign Official: FCPA enforcement agencies have taken the position that many individual employees in foreign state-owned health care establishments qualify as foreign government officials. Thus, a doctor, pharmacy director, or lab director in a state-owned hospital or lab who has discretion over spending decisions may well be a foreign official under the statute.
This exponentially multiplies the risk of an FCPA violation for U.S. companies dealing with those individuals because payments, gifts, lavish meals or other entertainment, reimbursement of certain travel expenses, and other exchanges between your company’s personnel and these officials may be illegal if they are made in exchange for a decision to give business to your company or to keep existing business.
Companies that sell to the health care industry or, in fact, into any state-owned (or partially state-owned) enterprises (e.g. oil and gas, tobacco, alcohol, and many business sectors in China where government ownership is prevalent) need to conduct tailored training for sales personnel and others in contact with such foreign officials regarding the risks they can create for the company. For example, a widespread practice in China is the holiday time distribution of “red envelopes” of cash to business contacts. Your company needs a plan regarding this practice (and many others) and training for those on the front lines so that they can effectively spot areas of risk.
2. FCPA Training: While it may appear counterintuitive, for most companies, it is not worth investing significant time in training employees regarding the specifics of the FCPA. Training that is loaded with references to specific sections of the FCPA, and the limited exceptions and defenses to prosecution, may be useful for your attorneys and compliance professionals, but your company doesn’t need an army of half-trained compliance officers arguing about whether a particular gift or travel arrangement qualifies under an FCPA exception.
Rather, what most companies need is to keep it simple by building awareness that payments and gifts to foreign government officials raise potential FCPA issues and need to be cleared with compliance experts in advance of the payment or gift being given.
Train your front line employees to spot potential danger issues and report those up the line to your compliance specialists and/or general counsel’s office for review before they act. This creates a workable compliance environment with employees focused on what they do best. The sales force sells and then gets help from the compliance folks, who keep them out of trouble.
3. Keeping Senior Officers Out of Jail: FCPA enforcement cases recently have focused on criminal prosecution of individual senior company officials. Compliance personnel need to protect the company and those officials by ensuring that senior officials of the company understand the particular risks they face.
A fifteen minute training course that alerts these officials to the dangers involved in knowing about and approving a practice of paying bribes or giving gifts to foreign officials in exchange for business can be a critical compliance tool.
Senior officials also need to be reminded about the risks that can be created by the use of local intermediaries. That consultant, sales agent, distributor, joint venture partner or other intermediary with “unique access” hired to help get the deal done with the government or with the state-owned enterprise is a source of serious potential FCPA issues.
Your company’s senior people need to ensure that proper due diligence is conducted in selecting appropriate intermediaries and they and your attorneys need to ensure that the risk of a potential FCPA violation and responsibility for ensuring that such a violation does not take place is properly allocated in written agreements with these intermediaries.
4. Facts for Your Power Point Presentation to Senior Officials — FCPA prosecutions are now a top enforcement priority for the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC). In the first twenty years after the enactment of the FCPA, the government prosecuted 17 companies. Between 1998 and 2008, more than 50 companies were prosecuted. Enforcement activity has increased even more over the past few years. According to a senior Justice Department official, approximately 110 FCPA investigations are currently open.
In addition to prosecutions, “voluntary” investigations and other internal reviews of FCPA matters are increasing. For example:
- a. Eli Lilly reported that the SEC and DOJ have asked the company to “voluntarily provide” additional information regarding company operations of Lilly affiliates “in a number of . . . countries.” These requests follow SEC subpoenas that Lilly previously received regarding an investigation of FCPA compliance by Polish subsidiaries of pharmaceutical companies. Lilly reported that it is cooperating with the government’s investigation.
- b. AstraZeneca is also apparently are under investigation: In an SEC filing dated March 17, 2009, AstraZeneca reported that it received a letter from the SEC in October 2006 requesting documents regarding its business activities in Croatia, Russia, and Slovakia, particularly documents concerning any payments to doctors or government officials. The SEC also sought information about AstraZeneca’s internal accounting controls. AstraZeneca’s filing indicated that the investigation is still under way.
- c. Bristol-Meyers Squibb also appears to be under investigation: In an SEC filing dated February 20, 2009, Bristol-Myers Squibb reported that it is cooperating with the SEC and German authorities in an investigation involving potential violations of the FCPA and German law. The investigation pertains at least in part to the company’s German subsidiaries and its employees and agents.
- What are some fundamental export compliance keys for health industry companies?
- How should compliance professionals deal with those from a real world compliance perspective?
1. Unique Issues: Medical device and pharmaceutical companies face compliance issues that are common to all exporting companies, but they face issues that are unique to the industry. For example, medical devices and medicine are some of the few types of products that may be shipped to countries subject to U.S. economic sanctions (e.g. Cuba, Iran, Sudan) under export licenses. Most other products are not eligible for export licenses. As a result, many health industry companies deal regularly with sanctioned countries, whereas, many other industries have simplified their export compliance systems by not dealing with sanctioned countries from the U.S. or from foreign subsidiaries.
2. Overly Generic Export Compliance Systems: Many compliance programs are too generic. The company issues a one paragraph policy in its corporate compliance policy indicating that it will comply with export regulations, and leaves it at that. Someone in the shipping department or in logistics is ostensibly in charge of supervising an export compliance program, but that person doesn’t really have time to focus on the issues because they have another job (or three) to do, especially after recent layoffs.
Companies with that kind of a compliance approach (and there are many out there), are taking an increasingly serious gamble because penalties for ‘plain vanilla’ export violations have gone from $11,000 in 2005, to $50,000 in 2006, and on up to $250,000 in October 2007 (or twice the value of the shipment if that is higher). In all but a few circumstances, the $250,000 penalty level is now retroactive for violations that occurred (typically) during the last five years covered by the applicable statute of limitations.
(One truism is that where there is one export violation, there are many shipments during the prior five years lurking behind it. And each shipment is a new violation. When you start multiplying potential violations by $250,000 over five years, the numbers start to add up quickly.)
Moreover, these are strict liability violations where there is no need to show that the company had “knowledge” of a violation or that it was “willful.” When the government can show knowledge, they have been more and more interested in the criminal prosecution of senior executives ever since DOJ created a national task force on export controls and started a serious training program for local Assistant U.S. Attorneys regarding how to prosecute individuals and companies for these crimes.
The problem with generic export compliance programs that just barely touch the surface of the controls is that most companies using this approach have not evaluated whether their exports subject them to the risk of a violation. These companies just assume or hope they are not violating the law. Given the number of recent criminal and civil cases and the increasing penalties being assessed, these are dangerous assumptions.
3. How Should We Start Implementing an Effective Export Compliance System?: An effective export compliance system does not have to be overly-complicated or involve a lot of legal jargon jammed into a heavy Export Control Binder that winds up collecting dust on a shelf. In fact, an effective export management system is laser focused on specific high risk compliance issues.
Such a program identifies precisely where the company is most liable to see an export enforcement action. The key to identifying this risk and building an appropriate, tailored compliance system is to focus first on product classification. It is simply amazing how many companies export products, software, and technology from the U.S. without really knowing precisely how those items are classified on relevant U.S. export control lists.
One of the problems is that U.S. controls are complex. Several agencies are involved and each has its own regulations. Moreover, the regulations for sanctioned countries differ country by country, so the rules for selling (or not selling) products to Iran are different than the rules for Cuba, Sudan, and Syria (for example). Some companies get overwhelmed by this complexity and “punt” with a generic policy or they build an overly-complex system that can’t really be implemented effectively. Both of these approaches create unnecessary risk.
Returning to our classification theme, to build an effective system, before a company exports from the U.S., they should know how their company’s products are classified for export. Fortunately, many medical devices and pharmaceutical products are classified EAR99 (which means they don’t need export licenses for most destinations), but not all are. Moreover, there is too much focus by most companies on the classification of end products and not enough on software, technology (the “know how” needed to develop, produce and use products and software) and “non-core” items.
4. What are Export Controls on Technology All About?: Entire sections of the classification regulations are devoted to controlling exports of certain technologies, but many companies that have compliance systems are so focused on product controls that they simply ignore the technology control issues.
Frankly, the technology controls are harder to enforce, since the agencies charged with spotting export violations are hard-pressed to track the contents of attachments to emails, the subjects of telephone conversations, the contents of express mail packages, and the other media that carry technology exports. Thus, there is somewhat less risk of an enforcement action related to technology.
Technology controls are also harder for companies to police internally than product controls because compliance depends to a significant degree on training engineers and others who may handle controlled technologies to spot situations where technology might require an export license before it is sent abroad. Still, the technology export controls are on the books and they have been enforced, including in the tricky “deemed export” area that involves releases of controlled technologies to foreign nationals in the United States.
If your company has employees in the U.S. on work visas such as H1 and L visas, or employs students or former students using F or J visas, or has other foreign national employees without green cards or U.S. citizenship, you need to understand that exports of controlled technology to them may require an export license.
5. What Risks Are Associated with “Non-Core” Exports?: By non-core exports, I mean items companies use or own that are not their day-to-day product exports. Perhaps your company makes widgets and you know what your widget product and technology classifiation is under the export rules.
But what is the export classification of that machine tool (or that mixer, or that precursor chemical) in plant three used to manufacture widgets? You say you shipped that machine tool to a sister facility in China when that production line moved? Did the shipment need an export license? You don’t know? Oh. What about spare parts shipments? If your company has not carefully classified the products it is exporting according to the applicable regulations, your company is taking risks it does not recognize.
6. Fixing Our Export Classification Compliance Gap: To respond to this classification issue and make fundamental export risks (or the lack thereof) explicit, one of the fundamental documents every exporter needs to compile is a product classification table or matrix that documents product, software, and technology classifications for core and non-core products.
Products must be evaluated against the language in the relevant control lists and assigned classification numbers (primarily Export Control Classification Numbers (ECCN) under 15 C.F.R. Part 744 Supplement 1, or Munitions List categories under 22 C.F.R. Part 120 et seq. for military items, although there are other considerations). In the last several months, the Commerce Department set up a webpage that links to volunteer companies’ classification systems. Some of these listings are good examples of export classification systems: http://www.bis.doc.gov/commodityclassificationpage.htm.
Even if every product your company currently exports winds up classified as EAR99 (no license required), the next product developed might not be. So in addition to a product matrix classifying existing products, your company needs a line on its product development checklist that requires coordination with the export compliance team to classify new products and ensure that new items are included on the export classification matrix.
There are any number of surprises on the control lists. Certain chemicals (including some quite common chemicals), diesel engines, many ball bearings, sensors, valves, pumps, software with encryption, computer chips and boards, and on and on, need export licenses for shipment outside the U.S. Once you have established a current product, software, and technology export classification matrix, establishing the rest of an export compliance program is easy.
Eric McClafferty is an export compliance and international trade regulation partner at Kelley Drye & Warren LLP in Washington DC.
He helps companies classify their products, establish export compliance systems, and deal with export enforcement matters, among other tasks.
Eric recently was appointed to the U.S. Department of Commerce Materials Technical Advisory Committee. He can be reached at emcclafferty [at] kelleydrye [dot] com or by telephone at (202) 342-8841.