We can all use a refresher course in FCPA compliance issues from time to time, and the Securities and Exchange Commission served up precisely that last week with its $21.4 million enforcement action against Alexion Pharmaceuticals.
Alexion is a mid-sized pharmaceutical firm based in Boston, primarily selling Soliris, a drug used to treat several rare blood diseases. The company started selling Soliris in 2007, and within a few years was selling in countries including in Turkey, Russia, Brazil, and Columbia, where its FCPA troubles took place.
So what happened? As detailed in the SEC settlement order, corporate executives in all four countries engaged in various deceptions from 2010 through 2015, funneling improper payments to doctors and healthcare officials so they would spend more on Soliris. False invoices, incomplete documentation, sketchy third parties that did the dirty work of getting the bribes into officials’ hands — all the scams we’ve dissected in many prior FCPA enforcement cases.
By 2015 regulators were onto Alexion’s schemes. The SEC order doesn’t say how regulators came to be aware of the misconduct, such as whether the company disclosed its misdeeds voluntarily. But from then forward, Alexion did cooperate with the investigation and boosted its compliance efforts substantially.
The result: a cease-and-desist order from the SEC that includes $17.9 million in disgorgement and interest, plus $3.5 million in penalties. The Justice Department also declined to bring any criminal case against the company, according to a disclosure Alexion made earlier this year.
That’s the outline of the case against Alexion, at least — and like I said, at a cursory level, it’s nothing compliance officers haven’t seen before. Dig deeper, however, and several illuminating points about internal control emerge.
Internal Control & FCPA Visibility
Start with some of the facts that happened in Turkey. Executives there had hired a consultant to help with sales, who was selected “in significant part due to the consultant’s connections to top Ministry of Health officials.” Alexion paid the consultant $1.3 million, who passed along a portion of that sum to Turkish health officials in the form of cash, meals, gifts, and so forth. The Health Ministry then began buying more of Soliris.
To cover up those bribes, Alexion executives asked another vendor to pay the consultant, and then submit falsified invoices to Alexion for reimbursement. The executives even directed that the description of the consultant’s expenses should be written in pencil, so the description of the expenses could easily be changed or concealed.
Alexion also played loose with documentation the consultant had to provide. As the SEC order says —
The consultant provided little or no explanation for many expenses, and failed to provide independent documentation for most of the purported expenses. Expense documentation that was submitted often sought reimbursement for large, vague expenses (e.g., categorized only as “other expense”).
All of this reminds us of the actual fraud that happens with FCPA violations of internal control: participants are trying to deceive others about the nature of sales figures, rather than the amounts.
That is, an FPCA violation isn’t about telling investors the company made $100 when actually it only made $50. FCPA violations are about telling investors the company made $100 through hard work and good products, when actually it made $100 by bribing someone to buy the product.
That’s an important point to remember because it dictates the type of internal controls you need to implement to reduce FCPA risk. The challenge isn’t about confirming how much money is or isn’t company coffers; it’s about understanding what the company did to get that money into company coffers in the first place.
So certainly Alexion could have implemented more demanding policies for documentation of consultants’ expenses; and implemented more rigorous independent reviews of that documentation to confirm its legitimacy. It also could have stepped up oversight of local executives, since they engaged in deliberate violations of the law. Either they didn’t know what they were doing was wrong (more training); or they did know and violated the law anyway (more discipline).
Another Example on Visibility
Alexion’s misconduct in Russia is also worth a close look. There, executives bribed certain doctors who worked closely with regional health ministries. Alexion funneled more than $1 million to the doctors, who then made favorable recommendations about Soliris to government officials who controlled healthcare budgets and purchases.
One such doctor was identified as “Physician A.” As the SEC order says—
Certain Alexion Russia managers prioritized strengthening Alexion Russia’s relationship with Physician A because Physician A was the chair of a committee that made recommendations concerning the allocation of rare disease funds in one region of Russia… Alexion Russia made honoraria and research payments to Physician A in significant part to influence the regional budget and standards in favor of Soliris.
Consider what that paragraph really tells us. Clearly Alexion did perform due diligence on Physician A, because the executives knew he had influence with the Health Ministry. But they did not then tie the results of that due diligence to stronger oversight of spending with Physician A. They did not tie due diligence to internal accounting controls.
This Russia example teases out the back half of due diligence: after you determine who the third party is and the risks he or she poses, you need to apply appropriate oversight of interactions with that party.
It’s easy to talk about a risk-based approach to due diligence and internal controls; compliance professionals toss around those phrases all the time. This example shows us what those words mean in practice — by showing us what a failure to put them into practice actually looks like.
Visibility and FCPA Compliance
Both examples above show us what FCPA internal controls need to do: bring visibility into financial transactions, so management understands what it sees and can then govern those transactions appropriately. That’s what keeps a company on the right side of the Securities and Exchange Commission.
In Turkey, Alexion had weak policies and procedures around documentation, so senior executives couldn’t confirm what the company was actually paying for. In Russia, Alexion performed enough due diligence to know its third parties, but didn’t follow through with appropriate internal controls to assure that those third parties were handled properly.
When we talk about building effective systems of internal control, those are the issues we’re trying to tame. Lack of transparency into financial transactions, which leaves you with an inability to control those transactions.
How a compliance officer might tame them — finding the correct blend of policies, training, data analytics, IT systems and so forth, bundled into a cost-effective compliance program — is fodder for other posts, white papers, and whole books. But the theme in all those materials will always arc back that fundamental: transparency that empowers control.