Third parties serve a critical function to multinational life sciences companies (“MNCs”) internationally. MNCs rely on third parties for various functions, including distribution, sales and market acquisition, customs clearance, import/export processes, and license/permit applications. Local third parties can enable MNCs to access established infrastructures and resources that would otherwise be unavailable or too costly for MNCs to build locally, especially when first entering a local market. Frequently, third parties’ experience with local regulators and relationships with local businesses are critical to establishing and expanding an MNC’s business, particularly in markets where government procedures are less transparent.
Simultaneously, third-party risk is generally considered the most significant anti-corruption risk faced by companies, since under the FCPA and U.K. Bribery Act (and an increasing number of jurisdictions globally), a company can be held liable for the actions of its third parties. This is especially true in the life sciences and health care industries, where reliance on third parties, many of which have only rudimentary internal controls in place, can be substantial. Without adequate screening and supervision, MNCs could face substantial liability arising from third-party misconduct.
Legal and Regulatory Developments
Recent legislative and regulatory developments in various Asian countries and Brazil signal rising regulatory focus on third-party misconduct, increasingly in line with treatment of third parties under the FCPA and U.K. Bribery Act. In the past few years, India, Thailand, Malaysia, Vietnam, China and Brazil have all passed or revised their anti-corruption legislations to hold companies and/or individuals liable for bribes paid or offered by third parties on their behalf:
- India – In July 2018, India passed an amendment to the Prevention of Corruption Act, its primary anti-corruption legislation, which expressly states that individuals and companies can be held liable for bribes paid or offered by third parties on their behalf.
- Thailand – Also in July 2018, Thailand passed a new anti-corruption law, Act Supplementing the Constitution Relating to the Prevention and Suppression of Corruption, under which companies can be liable for bribes provided to government officials by an “associated person” (including agents).
- Malaysia – In April 2018, the Malaysian Parliament passed the Malaysian Anti-Corruption Commission Amendment Act, which, among other things, imposes corporate liability for corrupt acts taken by “persons associated” with a corporation (defined as a person who “performs services for and on behalf of the commercial organization”).
- Vietnam – The New Penal Code, which became effective in January 2018, criminalizes the act of “brokering” bribery, which refers to bribery by an intermediary. The provision applies directly to the private sector.
- China – In late 2017, China amended one of its key sources of anti-corruption law, the Anti-Unfair Competition Law. While historically, the legislation did not address third-party liability directly, the amendment, entering into effect in January 2018, expressly prohibits indirect bribery through third parties.
- Brazil – In January 2014, Brazil’s Clean Company Act 2014 (“CCA”) (Law No. 12,846) took effect and holds companies responsible for the corrupt acts of their employees and third parties acting on their behalf. Notably, the CCA introduces strict liability for those offenses, meaning a company can be held accountable for corrupt acts even if it can prove that it lacks a corrupt intent and has put in place adequate internal control procedures.
These legislative developments align with recent FCPA enforcement actions in the life sciences space, which reflect a continued focus on MNCs’ oversight of interactions between their subsidiaries and third parties.
For example, in March 2019, Germany’s Fresenius Medical Care (FMC) paid the Securities and Exchange Commission (the “SEC”) more than $231 million to settle charges alleging that its Chinese subsidiary paid over $6.4 million in inappropriate bonuses to health care providers (“HCPs”) working at state-owned health care institutions. The SEC specifically noted that various payments were made via a third-party agent, until an internal audit raised concerns that the agent could not provide proof of services rendered. Many of these payments were then inaccurately recorded in FMC’s books as promotional expenses or marketing fees.
Similarly, in September 2018, a Paris-based pharmaceutical company agreed to pay the SEC more than $25 million to resolve charges that the company’s Kazakhstani and the Middle Eastern subsidiaries made corrupt payments to win business. The SEC noted the company’s reliance on local distributors to provide product sale and distribution networks and as agents to fulfill public tenders, and the distributors’ deep involvement in the bribery schemes, often in collusion with managers of the company’s local subsidiaries.
Additionally, in September 2017, a U.S. diagnostic manufacturer settled charges with the SEC over allegations that its subsidiaries in India and Colombia used third parties to make improper payments to government officials. According to the SEC, in Colombia, the payments were disguised as consulting fees paid by its local distributor, and in India, as an inflated sales commissions to the local distributor.
Relatedly, in January 2017, a U.S. medical device manufacturer paid millions to the SEC to resolve FCPA charges for alleged improper payments made to doctors in Brazil through third-party agents engaged by its Brazilian subsidiary. In this case, the SEC highlighted the fact that the subsidiary conducted all sales through sub-distributors and other third parties, who in turn used inflated commissions or discounts from the subsidiary to finance improper payments to doctors. According to the SEC, the subsidiary reimbursed the third parties for services never rendered and inaccurately recorded the payments as commissions, discounts, consulting fees, and other legitimate business expenses.
Risk Mitigation Strategies – Third-Party Due Diligence
To mitigate third-party risk, appropriate screening and monitoring is key. MNCs can leverage various strategies, as described below.
Pre-Engagement Due Diligence: Conduct risk-based due diligence on third parties. MNCs can assess risk based on various factors including the third party’s industry, jurisdiction, business model, historical compliance record, system of internal controls, the size of the contemplated relationship, and whether the third party will engage with government entities on the MNC’s behalf. Depending on the risk profile, diligence may include adverse media searches, sanctions checks, and debarment checks against government payer databases for health care and life sciences products. MNCs may also consider third-party reputational assessments, interviews with key personnel at the third party, or compliance due diligence questionnaires designed to help understand the third party’s approach to compliance and its historical compliance record. Regardless of the risk profile, of critical importance to any engagement is ensuring the existence of a business rationale to support use of the third party. Any pre-engagement due diligence process should require an explanation and assessment of the business rationale.
Tailor Due Diligence to Specific Risk: MNCs should tailor safeguards against corrupt practices to the specific risks in their respective business and markets. These risks are subject to market updates and regulatory developments. In different markets, an MNC may have a different level of reliance on various types of third parties such as customs brokers, suppliers, travel agencies, bidding agents, distributors/sub-distributors, and contract sales organizations. Consequently, due diligence strategy should consider the particular risks associated with each type of third party (e.g., fictitious/inflated service fees, unreasonable discounts, resistance to compliance enhancements or implementation, and/or inferior compliance culture). To ensure due diligence resources appropriately focus on the most significant risks, MNCs should periodically evaluate which third parties pose the greatest compliance risks to the company.
Appropriate Oversight of Screening Process: Integrity of internal screening processes is critical. MNCs should maintain appropriate review and approval matrixes/processes and ensure that internal stakeholders with approval authority are different from those proposing the relationship. If proposed third parties are frequently flagged as high-risk, MNCs should also consider potential conflicts of interest between the internal proponents of the relationship and the proposed third parties.
Pay Attention to Red Flags: Companies should be vigilant about potential red flags during due diligence and throughout the life of the engagement with the third party, and ask additional questions as appropriate. Red flags might include instances where the third party:
- Has little experience in the industry but claims to “know the right people.”
- Is recommended by a government official, or is related to a government official or key decision-maker at an end-customer.
- Lacks transparency, or obscures or refuses to disclose its owners, partners, or principals.
- Refuses to provide supporting documentation for services rendered or insists on blanket invoicing (e.g., without detailed breakdown of services)
- Requests to structure transactions to evade standard recordkeeping (e.g., paying funds under cover of a side letter).
- Demands excessive or unusually high commissions or cash payments.
- Requests unusual payment arrangements (e.g., ill-defined or last-minute payments, payments to offshore accounts or through third parties).
Documentary Protections, Invoicing, and Records: MNCs can further mitigate risk through documentary protections and by maintaining appropriate written records. For example, all engagements should be formalized through a written agreement, which details the contemplated payment arrangements and services the third party will provide. If possible, agreements should include appropriate compliance representations referring to applicable anti-corruption, anti-money laundering, and economic sanctions laws, as well as audit clauses. Relatedly, MNCs should require third parties to provide invoicing that includes a detailed description of services provided, fees, and payment terms, and maintain records of all supporting documentation.
Post-engagement Due Diligence/Monitoring: While pre-engagement due diligence is critical, it is equally important to conduct periodic risk-based monitoring of third parties on an ongoing basis. Efforts could include the following:
- Request annual compliance certifications from third parties.
- Set expiration dates for diligence files, and update diligence periodically as a condition to renew a third-party relationship.
- Adjust degree of scrutiny as market conditions change and problematic activities are detected.
- Provide clear guidance to third parties regarding the company’s expectations of compliance. Depending on the nature of the relationship and related risk, MNCs may choose to make company compliance policies available to third parties and to provide periodic training.
- Conduct risk-based monitoring, including exercising audit rights where appropriate.
- Use feedback from monitoring processes to strengthen MNCs’ internal controls.
Appropriate Record-keeping: MNCs should retain appropriate documentation for each step taken in the due diligence process and third-party relationship. This helps build a defensible diligence record, and provides the basis for future business decisions, audit work and analysis for compliance improvements.
The extent of MNCs’ reliance on third parties, particularly in higher risk jurisdictions, exposes health care and life sciences companies to significant risk from an anti-corruption perspective. In light of increasing legislative and regulatory focus on third parties in various jurisdictions, and regulators’ continued interest in MNCs’ interactions with third parties, MNCs should remain vigilant. Taking steps to ensure appropriate screening and monitoring processes are in place will help control and mitigate third-party risk and lay the right foundation for effective oversight.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.