implementing effective third-party frameworks in the life ... · implementing effective third-party...
TRANSCRIPT
Implementing effective third-party frameworks in the life sciences industry — leading practices and challenges
Implementing effective third-party frameworks in the life sciences industry2
IntroductionThe recent enforcement environment has reinforced the risks associated with third-party intermediaries. Of the reported corruption-related cases in the recent past, more than 90% of them involved misconduct by intermediaries. This topic poses extra challenges, especially for life sciences companies, as they frequently work with large numbers of intermediaries during the entire life cycle of a drug or device (from the research and development phase through sales and distribution to pharmacovigilance), and the industry itself is highly regulated.
The US Foreign Corrupt Practices Act (FCPA) Guidance (2012), UK Bribery Act Guidance (2011), OECD Recommendation for Further Combating Bribery of Foreign Public Officials in International Business Transactions (2010), published US Department of Justice and Securities and Exchange Commission Deferred Prosecution Agreements (DPAs), Non-Prosecution Agreements (NPAs) and US Corporate Integrity Agreements (CIAs) provide guidance on transacting with and monitoring of intermediaries.
It is important to remember that an intermediary framework is only one part of a larger corporate compliance framework. It should not be viewed as a stand-alone and cumbersome process, but rather should be integrated into the overall process and culture of a life sciences company.
What is an intermediary?Intermediaries are those entities or individuals that represent a company in the marketplace or interact with other third parties on behalf of a company or relating to the company’s products. In their capacity as representatives of the company, any misconduct by an intermediary may reflect directly on the company itself.
Among others, these intermediaries can be distributors (including those who take title to the product), wholesalers, travel agents, lobbyists, consultants, contract manufacturing organizations, contract research organizations, contract sales force, joint ventures and others.
These intermediaries often interact with government officials, health care professionals or health care institutions and may expose life sciences companies to significant corruption risks. In order to assess whether a company is working with a reputable intermediary, as recommended by the various regulations and legislations previously mentioned, a company needs to have an effective intermediary framework in place.
Elements of an intermediary framework1. Due diligence The first step in any intermediary framework is the identification and retention of the intermediary. The reputation of the intermediary that is about to be retained should be of key significance to a company — as is the reason why it is to be hired and how much it will be compensated.
Risk assessmentThere are many steps that can be followed during a due diligence process. In order to design and implement a consistent and effective approach, companies should conduct a documented risk assessment process and give a risk ranking to each type of intermediary depending on the service they provide, the level of interaction they have with government officials or health care professionals, and the location in which they are based and they are expected to operate.
The FCPA Guidance and the recently published DPAs identify risk assessment as a key element of any compliance program.
Due diligence proceduresBased on the risk ranking of each category of intermediary, the due diligence procedures to be conducted may change. These procedures may include:
Implementing effective third-party frameworks in the life sciences industry 3
1. Completion of a questionnaire by the intermediary to provide background information on itself as well as answer questions around its willingness to comply with anti-corruption rules and to permit a right to audit clause in its contract
2. Completion of a questionnaire by the businessperson who wants to retain the specific intermediary to provide information on the reasons for hiring them (versus handling this service in-house) and justify the compensation to be paid
3. Completion of integrity diligence checks on publicly available information and licensed databases. Companies should consider running
these checks in local language of the countries in which the intermediary is based and/or will be providing services
4. If necessary, conducting on-site visits and interviews with key officers of the intermediary
The intermediaries ranked as medium and low risk may undergo limited procedures. However, at a minimum, basic information on each intermediary should be documented.
After the review of the relevant information obtained, specific red flags may be identified. Not all red flags mean that the company cannot work with that specific intermediary, as some of the red flags may be
false positives (for example, in Asia or the Middle East, certain names are very common, which may lead to unrelated individuals being flagged for improper activity). However, there are certain red flags that companies should consider as significant (for example, the intermediary does not agree to comply with the US FCPA or the UK Bribery Act). Depending on the resolution of the red flags, the intermediary may be retained. Either way, documentation should be completed and archived showing the results of the due diligence and the decision made in case evidence needs to be provided to a regulator in a subsequent investigation.
Due Diligence Considerations:
• Consistency and efficiency of the process: Some life sciences companies use online solutions in order to ensure that each intermediary (based on their risk rating) goes through a similar scrutiny and that the process and related documentation are traceable and reviewable.
• Identification of the department that will be responsible for the process: In many life sciences companies, the process is managed by corporate compliance but conducted by the local business.
• Privacy regulations: In certain parts of the world, due to privacy regulations, certain questions cannot be asked on the questionnaires that will be completed by the intermediary. In order to ensure the relevant laws are followed, the legal
department should be included in the creation of each version of the intermediary questionnaire.
Related to this is consideration of the anti-monopoly regulations of the countries in which the intermediary is based. Russia is one example of such countries where anti-monopoly rules may impact a company’s ability to terminate an intermediary because of due diligence concerns.
• Comprehension by the intermediary of the importance of the process: In order to ensure that the intermediary understands the questions it is answering, the life sciences company should consider translating the questionnaire into the local language of the intermediary. In addition to this, it would be important to educate the intermediary on the
completion of the questionnaire in order to minimize any issues later on in the process. Educating the intermediary may also assist in obtaining the buy-in of the intermediary for full cooperation with the process.
• Buy-in from the business: In order to make sure that the company receives timely and relevant support from the business, training sessions should be held with the business explaining the importance of these procedures prior to rollout of the process.
• Systematic controls: Internal controls should be incorporated into a company’s financial systems to ensure that intermediaries rejected as a result of this process cannot subsequently be entered into the system, bypassing the due diligence process.
Implementing effective third-party frameworks in the life sciences industry4
2. ContractingOnly after completion and approval of the due diligence should a written contract be entered into with an intermediary.
Among other clauses, the contract should include the relevant warranties and representations, which may include:
• Compliance with the relevant anti-bribery laws
• Compliance with the internal policies of the company
• A broad audit clause with access to any books and records relating to the company’s business as well as the intermediary’s compliance framework
• Agreement to provide a certification of compliance on an annual basis
• The right to terminate the agreement for breach of contract
3. TrainingIntermediaries should be trained on the company’s policies and expectations immediately after entering into a written contract. In-person training, provided to a representative of the intermediary, is the best way to conduct this training. It would then be expected that the intermediary representative would roll this training out to the relevant employees at the intermediary. The training can then be refreshed on an annual basis or as needed.
One consideration here is which intermediaries should receive the training and by which method (as in-person trainings may not always be possible, due to resources as well as the location of the intermediary). The risk categorization of the intermediaries conducted prior to this process may be used as a deciding factor.
4. MonitoringMonitoring is a significant part of an intermediary framework.
The monitoring process may include:
a) Forensic data analytics as a stand-alone monitoring activity or component of any of the following processes
b) Periodic certification of compliance and anti-corruption training
c) Periodic renewal of the due diligence and acceptance procedures
d) Special payments review, possibly using data analytics (including review of discounts, credit notes, etc.)
e) On-site reviews (exercising audit rights)
a) Forensic data analytics
The increased burden on compliance, internal audit and legal departments created by regulatory agencies’ recommendations to monitor intermediary risks, coupled with staggering increases in the volume, velocity and variety of business information available to organizations, has emphasized the need to use forensic data analytics to monitor an organization’s payments to its intermediaries — as has the need for life science companies to enhance their risk assessment process, identify potential misconduct and detect outliers before they become issues.
Companies often approach reviews of data through sampling techniques rather than analysis of the entire data universe. Review of large magnitudes of data through manual and linear processes, such as spreadsheets, has the capacity to become a difficult and unproductive activity through which companies may not be able to effectively manage their risk.
The incorporation of various analytic techniques across multiple data sources increases governance of risk and enables organizations to establish an effective intermediary framework. Additionally, a monitoring program based on data analytics helps organizations avoid unnecessary costs by transforming large and disparate data sources into actionable analyses and trends that help leadership address critical issues.
Implementing effective third-party frameworks in the life sciences industry 5
Life sciences companies are responding by integrating big data, statistical and qualitative analysis to identify issues through in-house developed solutions and management consulting models. These types of analyses often go beyond the review of single data sources, such as payment stream activity, and leverage additional data sources. For instance, effective monitoring of wholesale distributors should not only include sampling of payment activity, but also include qualitative reviews, such as price variances, profit margins, inventory, write-offs, free goods or even the country in which services are provided/to which payments are made.
Another type of analytical approach to intermediary monitoring includes the use of unstructured text fields within structured data. Keyword searches for suspicious terms conjugated with select noun, phrase and concept extraction can provide insight that is not easily obtained through other types of data attributes, such as payment amounts, dates or locations. Organizations can take these techniques further by incorporating data visualization techniques that allow users to trend outliers to quickly identify patterns of behavior and differentiate isolated incidents from systemic behaviors.
b) Periodic certification of compliance and anti-corruption training
At least on an annual basis, or as necessary, the intermediary should submit a document certifying compliance with the company’s policies as well as relevant laws and regulations.
In addition, on a regular basis, perhaps annually, the company should provide refresher training to the intermediary. All training records should be retained by both the life sciences company and the intermediary.
c) Periodic renewal of the due diligence and acceptance procedures
At least once every three years, or as needed (for example, ownership change of the intermediary), due diligence procedures should be renewed.
d) Special payments review
Many intermediaries receive their compensation in a variety of ways, including commissions, fixed salaries, credit notes, free goods or rebates, in addition to getting reimbursed for expenses incurred. Some of these payments, such as credit notes, may not be as transparent as bank transfers. Thus, it is very important to perform a review of all types of benefits provided to intermediaries on a periodic basis to ensure that they are in compliance with the contract, appear reasonable and are supported with sufficient supporting documentation.
One topic of interest during these reviews might be discounts that are given to the intermediary and their reasonableness. Distributors, for example, as part of their regular business, purchase products at a discount, which is usually set out in a written agreement. In certain situations, in order to be able to participate in a tender, for instance, the distributor may request additional discounts from the company. The justification and the documentation of these additional discounts, if they are approved, are very important. Companies should consider the frequency, amount and the nature of the end customer that will benefit from these additional discounts, prior to agreeing to them. There have been public cases in recent years where these additional discounts provided were used as improper payments to health care professionals.
Another consideration during this review may be to conduct an analysis of the number of intermediaries used to provide the same type of service in one country. Using a high number of similar intermediaries may lead to inefficiency in a company’s operations as well as raise question marks as to the purpose of their use. Data visualization techniques can be particularly helpful in conducting such reviews by plotting historical, geographical and spend-related trends.
Implementing effective third-party frameworks in the life sciences industry6
e) On-site reviews (exercising audit rights)
Merely having an audit clause in contracts with third parties is not sufficient if this right is not exercised. Exercising this clause may identify any weaknesses in the compliance or business structure of the intermediary and, just as importantly, it gives the message to the intermediary that the life sciences company takes compliance with laws and the contract very seriously.
Recently published DPAs require companies to include right-to-audit clauses in their contracts with intermediaries.
In general, due to the high risks associated with them, these reviews are conducted mostly on distributors. However, other high-risk
intermediaries may also fall under the scope of these reviews (e.g., Clinical Research Organization (CRO), travel agencies).
Length and scope of the review
Depending on the size of the intermediary, the services it provides (promotional activity, merely distribution, etc.) and the sophistication of the intermediary, these reviews can take as long as a few weeks or as short as a few days. The length of the review is also related to the period in scope. If it is a new intermediary for which a review has never been done or has come through an acquisition, companies may choose to have a longer-scope period (e.g., three years). For larger intermediaries or longer-scope periods, companies may consider the use of forensic data analytics to increase efficiency and effectiveness of the review.
On-site reviews comprise interviews and a financial review of data relating to the company’s business. The process should not only focus on the intermediary’s business relating to the life sciences company and its compliance and financial framework, but also on the existing monitoring activities performed by the life sciences company on the intermediary and their effectiveness.
An effective intermediary framework must be easily achievable, consistently applied and documented, all of which would allow for the process to be audited or scrutinized by internal or external parties, should a need arise. Based on the laws and regulations in place, companies need to remember that it is no longer nice to have an effective intermediary framework, rather a requirement to have one.
On-site review challenges include:
• The existence and the extent of the right to audit clause in the contract: The clause should be comprehensive enough to include the extent of the review that will be undertaken (e.g., not purely a financial review, but also an understanding of the compliance framework).
• Timing and methods of communication with the intermediary plays a significant role in these reviews. It is important to obtain the agreement of the intermediary for full cooperation prior to arriving on-site.
• Sophistication of the intermediary’s financial systems: It is very common for an intermediary to have only one financial system and lack of segregation between its records relating to its different customers. As a result, reliance on the information provided by the intermediary would be limited as it cannot be verified independently. One way companies can get around this is by putting a clause in contracts requiring the intermediary to segregate its books and records relating to the specific company.
• Local regulations of the country in which the intermediary is located are very important. Russia, for example, as also mentioned above, has very strict anti-monopoly laws, which, based on recent published cases, might prohibit including certain clauses in contracts. Accordingly, legal advice should be obtained while working in different regulations.
• Frequently, intermediaries raise confidentiality concerns around providing documentation as they also work with other life sciences companies. As a result, these reviews are usually conducted by a team of external consultants with experience in this field.
Implementing effective third-party frameworks in the life sciences industry 7
EY | Assurance | Tax | Transactions | Advisory
About EYEY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
About EY’s Fraud Investigation & Dispute ServicesDealing with complex issues of fraud, regulatory compliance and business disputes can detract from efforts to succeed. Better management of fraud risk and compliance exposure is a critical business priority — no matter what the industry sector is. With our more than 3,200 fraud investigation and dispute professionals around the world, we assemble the right multidisciplinary and culturally aligned team to work with you and your legal advisors. We work to give you the benefit of our broad sector experience, our deep subject matter knowledge and the latest insights from our work worldwide.
© 2015 EYGM Limited. All Rights Reserved.
EYG No. AU3136
BMC Agency GA 0044_01903
ED None
In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
ey.com