Co-authored with Lisa LeCointe-Cephas, Executive Director, Head of Global Investigations, Merck & Co., Inc

The use of outsourced services in various industries continues to rise. And for life sciences companies, this makes compliant use of third parties an essential area of focus. It’s a focus for DOJ, too, which updated its compliance programs guidance in April 2019.

Using third-party partners – including agents, consultants, and distributors – is on the rise among life sciences companies seeking to deliver innovative products and services, while controlling costs in a fast-paced global market. Partnering with third parties in clinical trials, the regulatory approval process, and marketing and sales functions, among other roles, provides significant value to life sciences companies and their patients. However, working with third parties brings compliance risks.

Many of the publicly reported U.S. Foreign Corrupt Practices Act (FCPA) cases investigated by the U.S. Department of Justice (DOJ) involve third parties. In recognition of this and that strong, effective compliance programs can mitigate bribery and corruption-related risks, DOJ issued guidance in 2015 on the evaluation of corporate compliance programs. It also created a new compliance counsel position in the Criminal Division’s Fraud Section to evaluate compliance programs of companies under investigation, although the position was phased out in later years as Department lawyers developed expertise in the area.

Evaluation of Corporate Compliance Programs – before and after the update

The original guidance included questions every company should ask in determining whether its compliance program is well designed, effectively implemented, and workable. They are helpful for the proactive design, continuing assessment, and improvement of compliance programs aimed at avoiding bribery and corruption laws.

DOJ focused on the need to perform due diligence on third-party partners’ reputations and activities, conduct periodic training and audits, engage in other appropriate means to monitor, and “detect particular types of misconduct most likely to occur in a particular corporation’s line of business.”

Updated guidance

DOJ updated the guidance in April 2019. It added questions companies should ask when assessing their compliance programs. Several are aimed at third-party relationships and appropriate controls and management of the relationships. These include:

  • How does the company ensure there is an appropriate business rationale for engaging a third-party partner?
  • If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties?
  • Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past?
  • Does the company keep track of third parties that do not pass the company’s due diligence or that are terminated, and does the company take steps to ensure that those third parties are not rehired at a later date?
  • If third parties were involved in misconduct, were red flags identified from the due diligence or after hiring the third party, and how were they resolved?

It is fair to assume DOJ FCPA investigations since the initial guidance informed these questions. And it is clear, from at least the first two questions, that many of those investigations centered on the business purpose and need for use of third-party entities. The updated guidance also emphasizes a company’s need to institute effective measures to regularly audit and evaluate its continued engagement with problem third parties. The new questions highlight the importance of companies’ internal investigation and resolution processes, particular to the extent they consider and evaluate the actions of third parties that act on their behalf.

Third-party risk issues in emerging markets

For life sciences companies, the risks often play out in emerging markets, such as in China. Working with third parties in China, for example, can generate compliance risks in several ways. First, under the Chinese health care legal framework, using a Chinese distributor and/or a Chinese import and export company is required by law when selling certain products (such as vaccines) or certain classified, high-value medical devices. This requirement gives rise to the need for multinational manufacturers to engage third parties for promotional and procurement negotiations with health care providers.

Most multinational companies have in place third-party due diligence processes to vet distributors before engaging their services. However, there could still be dead zones when the third parties engage customers individually. Indeed, a third party could, without the company knowing, make improper or illicit payments to affect the procurement results. Such risks are higher when the third parties are one-time sales agents or “spot dealers.” Their qualifications, relationships with government officials, business capacity, and reputation are typically harder to vet.

Second, new drugs have to pass Chinese clinical trials before they can be sold on the market. To successfully execute the clinical trial process and obtain regulatory approval, in addition to working with the government, ethics committees, and investigators (i.e., doctors), a manufacturer is also likely to hire third-party agents. Examples include clinical research assistants or coordinators to support the clinical trials by ensuring, among other things, sufficient patients are enrolled and the study performs at a good pace.

Third, companies also face compliance risks working with third parties, such as consultants, who provide intangible services. For instance, companies in China may hire consultants to obtain permits or promote a business generally. If such consultants have close government ties, charge by success fees, or the company does not monitor gifts and hospitalities, they could also trigger a risk of derivative liability for the manufacturer.

Practical guidance for compliance officers

DOJ’s updated guidance affirms the importance of managing third-party relationships and provides practical guidance – in the form of questions compliance officers should ask – on how life sciences companies can improve internal controls to detect third-party misconduct and manage third-party relationships more effectively. Justifying and confirming the business purpose and rationale for arrangements with third parties is a new area of particular focus by DOJ. Companies should be mindful that they may have to justify the engagement and any ongoing relationship with third-party partners.