FCPA, Disclosure, and Internal Controls Issues Arising in the Pharmaceutical Industry

Andrew Ceresney

Director, Division of Enforcement

Remarks at CBI's Pharmaceutical Compliance Congress in Washington D.C.

March 3, 2015

Thank you for that kind introduction.  At the outset, let me give the requisite reminder that the views I express today are my own and do not necessarily represent the views of the Commission or its staff.[1]

I am very excited to be here to discuss the SEC's Enforcement program and some of our current priorities that are most relevant to the pharmaceutical industry.  I have tried to tailor my remarks to issues of interest to you; we cover a broad range of areas at the SEC but we certainly have a great impact on your industry.  First, I plan to address our efforts in the enforcement of the Foreign Corrupt Practices Act across the pharmaceutical industry.  We have had a number of cases in this area that I think have borne fruit in terms of increased compliance and focus on FCPA issues.  And then I'll turn to certain disclosure and accounting issues facing the industry.

FCPA

Pursuing FCPA violations is a critical part of our enforcement efforts.  International bribery has many nefarious impacts, including sapping investor confidence in the legitimacy of a company's performance, undermining the accuracy of a company's books and records and the fairness of the competitive marketplace.  Our specialized FCPA unit as well as other parts of the Enforcement Division continue to do remarkable work in this space, bringing significant and impactful cases, often in partnership with our criminal partners.

FCPA Focus in the Pharmaceutical Sector

Now, our FCPA focus obviously covers many industries.  For example, we have conducted a recent sweep in the financial services industry that will yield a number of important cases.  But the pharma industry is one on which we have been particularly focused in recent years.  A few factors combine to make it a high-risk industry for FCPA violations.  Pharmaceutical representatives have regular contact with doctors, pharmacists, and administrators from public hospitals in foreign countries.  Those people often are classified as foreign officials for purposes of the FCPA, and they often decide what products public hospitals or pharmacies will purchase.  This influence over the awarding of contracts is true for virtually every country around the globe. 

There have been three types of misconduct that we have seen arise most often in our pharma FCPA cases.  One is "Pay-to-Prescribe"; another is bribes to get drugs on the approved list or formulary; and the third is bribes disguised as charitable contributions.  Let me discuss each of these in turn.

In "Pay-to-Prescribe" cases, we see public official doctors and public hospitals being paid bribes in exchange for prescribing certain medication, or other products such as medical devices.  Some of our cases involve simple cash payments to doctors and other medical officials.[2]  But we have also seen some more innovative schemes created for the purposes of rewarding prescribing physicians.  For example, in our 2012 action against Pfizer, subsidiaries in different countries found a variety of illicit ways to compensate doctors.[3]  In China, employees invited "high-prescribing doctors" in the Chinese government to club-like meetings that included extensive recreational and entertainment activities to reward doctors' past product sales or prescriptions.  Pfizer China also created various "point programs" under which government doctors could accumulate points based on the number of Pfizer prescriptions they wrote.  The points were redeemed for gifts ranging from medical books to cell phones, tea sets, and reading glasses.  In Croatia, Pfizer employees created a "bonus program" for Croatian doctors who were employed in senior positions in Croatian government health care institutions.  Once a doctor agreed to use Pfizer products, a percentage of the value purchased by a doctor's institution would be funneled back to the doctor in the form of cash, international travel, or free products.  Each of these schemes violated the FCPA by routing money to foreign officials in exchange for business.

Let me turn to a second form of bribery, which is aimed at getting products on a formulary.  Of course, getting your company's drugs on formularies is important to success in this industry.  But the FCPA requires that you do this without paying bribes, and we have taken action where companies have crossed that line.  We brought a case against Eli Lilly that included such violations.[4]  There, the company's subsidiary in Poland made payments totaling $39,000 to a small foundation started by the head of a regional government health authority.  That official, in exchange, placed Lilly drugs on the government reimbursement list.  That action involved a variety of other FCPA violations and Eli Lilly paid $29 million to settle the matter.

The Eli Lilly case brings me to my third point, which concerns bribes disguised as charitable contributions.  As you might know, the FCPA prohibits giving "anything of value" to a foreign official to induce an official action to obtain or retain business, and we take an expansive view of the phrase "anything of value."  The phrase clearly captures more than just cash bribes, and Eli Lilly is not the only matter where we have brought an action arising out of charitable contributions.

For example, in Stryker, we charged a medical technology company after subsidiaries in five different countries paid bribes in order to obtain or retain business.[5]  Stryker's subsidiary in Greece made a purported donation of nearly $200,000 to a public university to fund a laboratory that was the pet project of a public hospital doctor.  In return, the doctor agreed to provide business to Stryker.  Stryker agreed to pay $13.2 million to settle these and other charges.

Similarly, in Schering-Plough, we brought charges against the company arising out of $76,000 paid by its Polish subsidiary to a charitable foundation.[6]  The head of that foundation was also the director of a governmental body that funded the purchase of pharmaceutical products and that influenced the purchase of those products by other entities, such as hospitals.  In settling our action, Schering-Plough consented to paying a $500,000 penalty.   

The lesson is that bribes come in many shapes and sizes, and those made under the guise of charitable giving are of particular risk in the pharmaceutical industry.  So it is critical that we carefully scrutinize a wide range of unfair benefits to foreign officials when assessing compliance with the FCPA – whether it is cash, gifts, travel, entertainment, or charitable contributions.  We will continue to pursue a broad interpretation of the FCPA that addresses bribery in all forms.

Compliance Programs

The best way for a company to avoid some of the violations that I have just described is a robust FCPA compliance program.  I can't emphasize enough the importance of such programs.  This is a message that I think has started to get through in the past 5 years.

The best companies have adopted strong FCPA compliance programs that include compliance personnel, extensive policies and procedures, training, vendor reviews, due diligence on third-party agents, expense controls, escalation of red flags, and internal audits to review compliance.  I encourage you to look to our Resource Guide on the FCPA that we jointly published with the DOJ, to see what some of the hallmarks of an effective compliance program are.[7]  I'll highlight just a couple.

First, companies should perform risk assessments that take into account a host of factors listed in the guide and then place controls in these risk areas.  The pharmaceutical industry operates in virtually every country, including many high risk countries prone to corruption.  The industry also comes into contact with customs officials and may need perishable medicines and other goods cleared through customs quickly.  They may also come into contact with officials involved in licensing and inspections.  These are just a few examples of risk factors that a risk assessment should be focused on in this particular sector. 

A healthy compliance program should also include third-party agent due diligence.  In addition to using third-party agents, many pharmaceutical companies use distributors.  This creates the risk that the distributor will use their margin or spread to create a slush fund of cash that will be used to pay bribes to foreign officials.  Because of this added layer of cash flow, companies frequently improperly account for bribes as legitimate expenses.  To properly combat against these abuses, a compliance program must thoroughly vet its third-party agents to include an understanding of the business rationale for contracting with the agent.  Appropriate expense controls must also be in place to ensure that payments to third-parties are legitimate business expenses and not being used to funnel bribes to foreign officials. 

Self-Reporting and Cooperation

The existence of FCPA compliance programs places companies in the best position to detect FCPA misconduct and allows the opportunity to self-report and cooperate.  There has been a lot of discussion recently about the advisability of self-reporting FCPA misconduct to the SEC.  Let me be clear about my views – I think any company that does the calculus will realize that self-reporting is always in the company's best interest.  Let me explain why.

Self-reporting from individuals and entities has long been an important part of our enforcement program.  Self-reporting and cooperation allow us to detect and investigate misconduct more quickly than we otherwise could, as companies are often in a position to short circuit our investigations by quickly providing important factual information about misconduct resulting from their own internal investigations.

In addition to the benefits we get from cooperation, however, parties are positioned to also help themselves by aggressively policing their own conduct and reporting misconduct to us.  We recognize that it is important to provide benefits for cooperation to incentivize companies to cooperate.  And we have been focused on making sure that people understand there will be such benefits.  We continue to find ways to enhance our cooperation program to encourage issuers, regulated entities, and individuals to promptly report suspected misconduct.  The Division has a wide spectrum of tools to facilitate and reward meaningful cooperation, from reduced charges and penalties, to non-prosecution or deferred prosecution agreements in instances of outstanding cooperation.  For example, we announced our first-ever non-prosecution agreement in an FCPA matter with a company that promptly reported violations and provided real-time, extensive cooperation in our investigation.[8]  And just six weeks ago, we entered into a deferred prosecution agreement with another company that self-reported misconduct.[9]

More commonly, we have reflected the cooperation in reduced penalties.  Companies that cooperate can receive smaller penalties than they otherwise would face, and in some cases of extraordinary cooperation, pay significantly less.  One recent FCPA matter in this sector illustrates the considerable benefits that can flow from coming forward and cooperating.  Our joint SEC-DOJ FCPA settlement with Bio-Rad Laboratories for $55 million reflected a substantial reduction in penalties due to the company's considerable cooperation in our investigation.[10]  In addition to self-reporting potential violations, the company provided translations of numerous key documents, produced witnesses from foreign jurisdictions, and undertook extensive remedial actions.  There, the DOJ imposed a criminal fine of only $14 million, which was equivalent to about 40% of the disgorgement amount – a large reduction from the typical ratio of 100% of the disgorgement amount.

In fact, we have recently announced FCPA matters featuring penalties in the range of 10 percent of the disgorgement amount, an even larger discount than the case I just mentioned.[11]  And in the Goodyear case we announced last week, we imposed no penalty.[12]  In those cases, the companies received credit for doing things like self-reporting; taking speedy remedial steps; voluntarily making foreign witnesses available for interviews; and sharing real-time investigative findings, timelines, internal summaries, English language translations, and full forensic images with our staff.

The bottom line is that the benefits from cooperation are significant and tangible.  When I was a defense lawyer, I would explain to clients that by the time you become aware of the misconduct, there are only two things that you can do to improve your plight – remediate the misconduct and cooperate in the investigation.  That obviously remains my view today.  And I will add this – when we find the violations on our own, and the company chose not to self-report, the consequences are worse and the opportunity to earn significant credit for cooperation often is lost.

This risk of suffering adverse consequences from a failure to self-report is particularly acute in light of the continued success and expansion of our whistleblower program.  The SEC's whistleblower program has changed the calculus for companies considering whether to disclose misconduct to us, knowing that a whistleblower is likely to come forward.  Companies that choose not to self-report are thus taking a huge gamble because if we learn of the misconduct through other means, including through a whistleblower, the result will be far worse.


Disclosure and Accounting

Effective compliance programs will also help companies avoid other problems at foreign subsidiaries, including financial fraud.  So let me change gears a bit and discuss the importance of internal controls and appropriate disclosure in the context of financial reporting.  It should come as no surprise that we at the SEC view accurate financial reporting as going right to the heart of investor protection in our capital markets.  Investors deserve accurate financial and related information about companies so that they can make appropriate investing decisions.

The Importance of Internal Controls

In the years after the financial crisis, we in the Enforcement Division were very focused on the fallout of the financial crisis.  In the last couple of years, however, we have refocused on financial reporting, which historically has been an important area of activity for us.  One of the steps we took when I joined the SEC was to create a Financial Reporting and Audit Task Force.[13]  It is designed to utilize internal and external tools to find financial reporting cases that we may not otherwise have found.  It is only one of many sources of cases within the Division.  We, of course, learn of cases from restatements, from whistleblowers, from internal and external referrals, and from company self-reports, and we also have numerous entrepreneurial attorneys and accountants throughout the Division competitively searching for cases.

I am pleased to report that we have recently seen an increase in enforcement actions brought in the financial reporting area, plus significant new investigations underway.  The number of enforcement actions we brought in the financial reporting area increased by over 40% in fiscal year 2014 compared to 2013, and the number of new financial reporting investigations opened increased by about 30% in the same period.  Many of these cases are focused on issuers and their executives and financial personnel.  But we also are looking closely at gatekeepers, who play a critical role in ensuring accurate and reliable financial reporting.  In every financial reporting investigation, we look at the work of the auditors to determine whether their audits were performed in accordance with professional standards.

The last decade or so has brought many changes to financial reporting at public companies.  From my perspective, one of the most important shifts in the last 10 to 15 years has been increased attention at the highest levels of many public companies on strong internal controls. 

To my mind, and really to the minds of most people knowledgeable about financial reporting, sound internal controls are key building blocks to ensure reliable financial reporting.  Sarbanes-Oxley added important new requirements for management and auditors related to internal controls.  Sarbanes-Oxley Section 302 requires management to certify to, among other items, their responsibility for: maintaining internal controls; disclosing significant deficiencies and material weaknesses in internal controls to auditors and audit committees; and disclosing any significant changes in internal controls.  And Sarbanes-Oxley Section 404 requires management to annually assess and report on the company's internal controls over financial reporting, and requires the company's auditor to opine on that assessment.

Internal control problems have been prominently featured in recent enforcement cases we have brought in the financial reporting area, even in cases without accompanying charges of fraud.   This reflects our view that adequate internal controls are the building blocks for accurate financial reporting and can prevent fraudulent activity. 

For example, we recently charged a company for having inadequate internal controls where the company recorded revenue in a particular segment without having sufficient proof of customer acceptance of the orders in question.  The company lacked appropriate written accounting policies and procedures, failed to properly train its personnel how to evaluate orders, and performed insufficient formal review of the judgment calls made by a small group of people.  These problems resulted in restatements for two quarters.  To the company's credit, it discovered these overstatements in its year-end audit and put in place a remediation plan with the involvement of its external auditor.  Although the Commission held the company responsible for these violations, it took into consideration the company's remediation and cooperation when determining the appropriate sanction.[14]

We have brought other cases recently where you see internal controls charges but not fraud charges.  For example, we charged a company with having inadequate internal controls in the income tax area, where the company failed to record a valuation allowance against its deferred tax assets by unreasonably relying on financial projections that were inconsistent with internal company reports.[15]  In another case, we charged a company for failure to properly recognize and report revenue from certain software license agreements it sold to customers because its internal accounting controls failed to consider information needed for determining a critical component of revenue recognition.[16]  I expect you will see similar cases in the future as we continue to look closely at the strength of internal controls.

What kinds of takeaways do we have from these cases so far?  What kinds of practice pointers for how to avoid these issues?  Well, in cases we have brought, we see controls that were not carefully designed to match the business, or that were not updated as the business changed and grew.  And we see that senior leadership was not asking the tough questions – and sometimes not even asking the easy questions.  Senior management in some cases was just not engaged in any real discussion about the controls.  As a result, employees did not properly focus on them and the firm and its shareholders are put at risk.

So my key takeaway is that senior leadership of companies should place strong emphasis on the importance of designing and implementing strong internal controls.  Senior officers need to ask questions about what they are being told about their internal controls – but perhaps more importantly, ask questions about the things that are not being reported to them.  Dropping those occasional inquiries into conversations where they won't be expected sends a powerful message that you want these issues to be on your employees' minds.  And what is needed is not just involvement from senior leadership but also from the audit committee.  Instead of a check-the-box mentality, it is important to use careful thought at the outset to how controls should be designed in light of a firm's business operations.  This entails an up-front assessment of financial reporting risks, designing controls that address those risks, and ensuring that the resulting controls are well documented and communicated.  And, as the company's business evolves and changes, management must consider whether the existing internal controls are appropriate, or need to be enhanced or changed.  Appropriate resources and attention also need to be devoted to monitoring those controls for effectiveness and making changes as needed.

Disclosure

Now financial reporting is not just about financials.  It is also about disclosure, which is the next topic I want to address.  The goal of course must be accuracy and timeliness in sharing material information about your company.  This includes appropriate disclosure of key events, which are often disclosed on an SEC Form 8-K.

One significant type of key event that we see causing problems with disclosure in your industry is disclosures on your dealings with the FDA.  Accuracy of reporting in your dealings with the FDA is critical to getting investors the information they need.  FDA dealings and approvals are the lifeblood of your business and are so important to investment decisions.  And our cases, some of which relate to failures in this area, reflect this.

So, for example, in a recent case, we charged one medical technology company and its CEO and CFO with deficiencies in connection with disclosures related to its FDA filings.  We alleged that the defendants issued eight misleading public filings stating that the company intended to file a Premarket Approval application with the FDA for permission to sell a particular device.  In reality, the CEO and CFO had clear information showing that the company would not be able to meet its publicly stated deadlines.  The CEO and CFO eventually paid penalties of $150,000 each and were barred from serving as officers or directors of public companies, among other relief.[17]

In another action, we charged a biopharmaceutical company along with related entities and individuals with fraudulently misleading investors about the regulatory status of the company's drug product.  We alleged that, although the FDA had placed a full hold on the company's application to begin Phase 1 clinical trials, an officer of one of the companies in question falsely informed potential investors that Phase 2 would begin in 60-90 days and that FDA approval should come within a year, among other things.  We obtained a finding of liability through summary judgment against this particular officer, among other relief, and other portions of our case remain outstanding.[18]

The message from these cases is that you need to be completely accurate in recounting your dealings with the FDA.  So much turns on those interactions and not being straight with investors will have significant consequences.

Another case we brought sent a further message.  A medical imaging company and its CEO were charged with fraud for misleading shareholders about the FDA's view of a device in development.  We alleged that the company had received a denial of clearance from the FDA for a particular type of medical scanner – the third such denial.  The FDA letter cited concerns about the device's safety and efficacy – the FDA even called some sample images "useless."  However, on an investor conference call, the CEO downplayed these concerns, calling them "administrative," "not substantive," and claiming the FDA did not really have questions about the technology.

In settling this action, the company implemented certain policies as remedial efforts and agreed to continue them for three years.  The company agreed to promptly share FDA correspondence on its website or in a form 8-K, subject to necessary redactions; to prepare a script for all shareholder conference calls that would be reviewed by at least one director, one senior officer, and outside counsel, and posted on its website; to also have all press releases reviewed by at least one director, one senior officer, and outside counsel; to have its board perform a quarterly review of its policies and procedures concerning communications with shareholders; and to have all officers and directors participate in training regarding compliance with the securities laws.[19]

Let me spend a moment on this list.  As you can see, sharing the FDA correspondence with investors eliminates many of the issues we have discussed because investors get to see the actual back and forth and judge for themselves.  This obviously isn't practical for every item of FDA correspondence, but it is important to consider such disclosure for critical ones.  Moreover, the remedial steps to which the company agreed, including senior level engagement in investor communications, are the kinds of controls that can pay substantial dividends.  They are helpful examples of the types of things that, in our view, can head off problems before they begin.

Conclusion

I have spent my time today discussing FCPA and disclosure and accounting issues relevant to your industry.  Companies often discover FCPA violations when investigating accounting problems or when implementing internal controls, particularly expense controls, so I believe that your efforts in each of these areas can be seen as mutually reinforcing – if you put in place internal controls designed to prevent and detect FCPA violations, you can end up preventing accounting and disclosure violations, and vice versa.  Thank you for your attention, and enjoy the rest of this conference.



[1] The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or of the author's colleagues upon the staff of the Commission.

[2] See Press Release No. 2012-50, SEC Charges Medical Device Company Biomet with Foreign Bribery (Mar. 26, 2012), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171487958; see Press Release No. 2012-25, SEC Charges Smith & Nephew PLC with Foreign Bribery (Feb. 6, 2012), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171486478.

[3] See Press Release No. 2012-152, SEC Charges Pfizer with FCPA Violations (Aug. 7, 2012), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171483696.

[4] See Press Release No. 2012-273, SEC Charges Eli Lilly and Company with FCPA Violations (Dec. 20, 2012), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171487116.

[5] See Press Release No. 2013-229, SEC Charges Stryker Corporation with FCPA Violations (Oct. 24, 2013), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370540044262.

[6] See Lit. Release No. 18740, SEC Files Settled Enforcement Action Against Schering-Plough Corporation for Foreign Corrupt Practices Act Violations (June 9, 2004), available at http://www.sec.gov/litigation/litreleases/lr18740.htm.

[7] See A Resource Guide to the U.S. Foreign Corrupt Practices Act, available at http://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf.

[8] See Press Release No. 2013-65, SEC Announces Non-Prosecution Agreement With Ralph Lauren Corporation Involving FCPA Misconduct (Apr. 22, 2013), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171514780.

[9] See Press Rel. No. 2015-13, SEC Charges Former Executive at Tampa-Based Engineering Firm With FCPA Violations; Company to Pay $3.4 Million in Deferred Prosecution Agreement (Jan. 22, 2015), available at http://www.sec.gov/news/pressrelease/2015-13.html.

[10] See Press Release No. 2014-245, SEC Charges California-Based Bio-Rad Laboratories with FCPA Violations (Nov. 3, 2014), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370543347364.

[11] See Press Rel. No. 2015-13, SEC Charges Former Executive at Tampa-Based Engineering Firm With FCPA Violations; Company to Pay $3.4 Million in Deferred Prosecution Agreement (Jan. 22, 2015), available at http://www.sec.gov/news/pressrelease/2015-13.html; Press Rel. No. 2014-240, SEC Charges Texas-Based Layne Christensen Company with FCPA Violations (Oct. 27, 2014), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370543291857.

[12] See Press Release No. 2015-38, SEC Charges Goodyear With FCPA Violations (Feb. 24, 2015), available at http://www.sec.gov/news/pressrelease/2015-38.html.

[13] See Press Release No. 2013-121, SEC Announces Enforcement Initiatives to Combat Financial Reporting and Microcap Fraud and Enhance Risk Analysis (Jul. 2, 2013), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171624975.

[14] See Sec. Exch. Act Rel. No. 73434 (Oct. 27, 2014), available at http://www.sec.gov/litigation/admin/2014/34-73434.pdf.

[15] See Sec. Exch. Act Rel. No. 73750 (Dec. 5, 2014), available at http://www.sec.gov/litigation/admin/2014/34-73750.pdf.

[16] See Press Rel. No. 2014-216, SEC Charges Arizona-Based Software Company for Inadequate Internal Accounting Controls Over Its Financial Reporting (Sept. 25, 2014), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370543042731.

[17] See Lit. Rel. No. 22950, District Court Enters Final Judgments of Permanent Injunction Against All Defendants and Orders Penny Stock and Officer and Director Bars Against Linda Grable and Allan Schwartz (March 25, 2014), available at http://www.sec.gov/litigation/litreleases/2014/lr22950.htm.

[18] See Lit. Rel. No. 23114, SEC Obtains Summary Judgment Against Defendants in Securities Fraud Involving Biopharmaceutical Company (Oct. 15, 2014), available at http://www.sec.gov/litigation/litreleases/2014/lr23114.htm.

[19] See Consent, SEC v. Imaging3, Inc., et al., Case No. 2:13-cv-04616 (Dkt. No. 28) (July 25, 2014).