The Securities and Exchange Commission has served up its first FCPA enforcement action of the year, an $8.8 million slap against Cardinal Health for failing to address bribery risks caused by a cosmetics business Cardinal ran in China.
What happened? In November 2010, Cardinal entered the Chinese market by acquiring the Chinese subsidiaries of an established pharmaceutical distribution company. Part of that business was an arrangement where Cardinal China held the profits of its distribution customers on its own books; and then made payments from those accounts to other parties as directed by the distribution customers.
We’ll pause here to let compliance professionals everywhere say, “Oh, hell to the no. They didn’t, did they?”
Actually, Cardinal China did terminate most of those accounts, partly because executives knew that processing the marketing expenses of third parties through Cardinal’s own books and records carried FCPA risks. Good, right?
Except Cardinal China kept one such arrangement with a European cosmetics firm. Cardinal China was the formal employer of 2,400 cosmetics workers, where it managed HR and administrative services for everyone, but those people still reported to the European firm for day-to-day supervision.
Most of the employees were cosmeticians who worked in retail stores, but roughly 100 were sales, marketing, or management employees. The sales and marketing employees were responsible for closing new deals — and they could still direct payments to be made from one of those sketchy accounts Cardinal maintained.
Go ahead, groan. We’ll wait.
Although Cardinal determined that other marketing accounts should be terminated because of their significant FCPA-related compliance risks, Cardinal inaccurately assessed the risks of the arrangements with the dermocosmetic company as minimal.
You can guess the rest from here. Those cosmetics employees used those marketing payments to bribe executives of state-owned retail businesses. Said improper payments continued from 2010 through 2016, when an internal audit uncovered the shenanigans and Cardinal subsequently alerted the SEC.
Failure in FCPA Command and Control
Your first instinct might be to assume Cardinal blundered in assessing the risks of its third party: that European cosmetics firm. That may be true. The facts detailed in the SEC order, however, also suggest another, larger failure. Consider this:
Cardinal determined that Cardinal China’s practice of administering marketing accounts for its suppliers created excessive FCPA-compliance risks… By July 2011, Cardinal directed Cardinal China to wind down all of its pharmaceutical marketing accounts due to these risks. Nevertheless, Cardinal China continued to administer marketing accounts for certain large suppliers for several years.
So the FCPA risk wasn’t in this specific Cardinal China customer using those marketing accounts. The risk was in allowing such accounts to exist at all.
And yet, Cardinal China did allow those accounts to continue operating for years, even as it closed marketing accounts for other customers (an Italian firm in 2012; a British one in 2013) precisely because those customers were suspected of using the accounts for improper payments.
The true failure here was a command-and-control breakdown. Senior executives at Cardinal’s U.S. headquarters told Cardinal China to end its practice of operating those marketing accounts, and Cardinal China didn’t do that. Then, as the SEC complaint notes, “Despite these events, Cardinal failed to assess whether Cardinal China followed its instruction to wind down the pharmaceutical marketing accounts.”
It gets worse. At the end of 2012, Cardinal received a report from a Cardinal China employee asking about the legality of those cosmetics marketing employees and their payments. In 2014, Chinese regulators fined Cardinal China for “secret commissions” it had made to a retail business at the request of those marketing employees, which had violated Chinese anti-competition law.
So Cardinal executives knew in 2011 that they had FCPA risks in Cardinal China’s own business practices. They ordered Cardinal China to close all the sketchy marketing accounts. Then Cardinal never bothered to confirm that the accounts were closed, even as senior executives continued to see red flags waved almost in front of their faces.
‘Satisfy Prudent Officials’
That point about failure in command and control is worth elaborating because it ties so closely to the statutory language of the FCPA.
The law says a company must “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances” that transactions are executed according to management’s wishes. And what’s the definition of reasonable assurance? “Such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”
The facts here fail those tests. Cardinal knew those marketing accounts were an FCPA risk, and told its subsidiary to close all of them down. Senior executives’ wishes were clear. Yet Cardinal lacked the management gumption and internal control capability to assure that its wishes were followed.
Moreover, imagine these marketing accounts in your personal life. The situation is akin to giving your kid a debit card tied to your bank account; he lets his friends load more money onto the account; and then he makes payments to other people based on what his friends tell him to do. Then you tell your kid to knock it off, and he doesn’t — and you never follow up to confirm that he did.
Does that sound like a prudent way to conduct your own affairs? Of course not. You’d be kicked out of the PTA for such sloppy parenting.
Little surprise, then, that when the SEC imposed its $8.8 million fine, $2.5 million of that amount was a civil penalty. Extra damages like that happen when you know you have a stinky FCPA risk and then ignore the minions ignoring your orders to shut it down.
To that extent, this case with Cardinal is similar to how the SEC handled Juniper Networks last year. In that case, senior Juniper executives knew bribery was happening in the company’s Russia subsidiary, told the Russians to stop, and then the subsidiary kept making improper payments for years. Juniper eventually paid an $11.7 million settlement, where $6.5 million of the amount was a civil penalty.
Sure, this settlement is chump change considering that Cardinal made $145 billion in revenue and $2 billion in operating profit last year. But we’re not here to rehash yet again the featherweight approach to FCPA penalties that the SEC takes these days.
The lesson here is that failures in command and control are what really lets an FCPA risk metastasize into a more serious problem, one that whets the SEC’s appetite to tack on penalties in addition to disgorgement.
Perhaps with specific offenses for small-dollar contracts, as we see here with Cardinal, you can keep total sanctions relatively small. But when those command and control failures exist at scale, with multiple FCPA failures around the world, those extra penalties will add up.