Justice Department Provides More Guidance on FCPA Compliance
On April 8, 2011, Johnson & Johnson settled criminal FCPA allegations and agreed to “pay a $21.4 million penalty to resolve criminal FCPA charges with the DOJ and $48.6 million in disgorgement and prejudgment interest to settle the SEC’s civil charges.”
As part of the settlement, Johnson & Johnson agreed to a Deferred Prosecution Agreement (DPA) which included two important attachments outlining compliance requirements. DOJ’s detailed guidance should be carefully examined by all companies designing and implementing anti-corruption compliance programs.
DOJ divided its compliance guidance into two attachments – minimum requirements and enhanced requirements. For companies, the minimum requirements should be implemented. The enhanced requirements provide excellent guidance for those companies involved in global markets, especially in high risk areas. However, the enhanced requirements should be carefully weighed – i.e. the benefits versus the costs.
The minimum requirements include:
Basic Compliance Requirements
1. A clearly articulated corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable counterparts (collectively, the “anticorruption laws”).
2. Promulgation of compliance standards and procedures designed to reduce the prospect of violations of the anticorruption laws and J&J’s compliance code. These standards and procedures shall apply to all directors, officers, and employees and, where necessary and appropriate, outside parties acting on behalf of J&J in a foreign jurisdiction, including but not limited to, agents, consultants, representatives, distributors, teaming partners, and joint venture partners (collectively, “agents and business partners”);
3. The assignment of responsibility to one or more senior corporate executives of J&J for the implementation and oversight of compliance with policies, standards, and procedures regarding the anticorruption laws. Such corporate official(s) shall have the authority to report matters directly to J&J’s Board of Directors or any appropriate committee of the Board of Directors;
4. Mechanisms designed to ensure that the policies, standards, and procedures of J&J regarding the anticorruption laws are effectively communicated to all directors, officers, employees, and, where appropriate, agents and business partners. These mechanisms shall include: (a) periodic training for all directors, officers, and employees, and, where necessary and appropriate, agents and business partners; and (b) annual certifications by all such directors, officers, and employees, and, where necessary and appropriate, agents, and business partners, certifying compliance with the training requirements;
5. An effective system for reporting suspected criminal conduct and/or violations of the compliance policies, standards, and procedures regarding the anticorruption laws for directors, officers, employees, and, where necessary and appropriate, agents and business partners;
6. Appropriate disciplinary procedures to address, among other things, violations of the anticorruption laws and J&J’s compliance code by J&J’s directors, officers, and employees;
7. Appropriate due diligence requirements pertaining to the retention and oversight of agents and business partners;
8. Standard provisions in agreements, contracts, and renewals thereof with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anti-corruption representations and undertakings relating to compliance with the anti-corruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anticorruption laws, and regulations or representations and undertakings related to such matters; and
9. Periodic testing of the compliance code, standards, and procedures designed to evaluate their effectiveness in detecting and reducing violations of anticorruption laws and J&J’s compliance code.
Enhanced Compliance Requirements
In addition to the basic compliance requirements, DOJ imposed additional “enhanced” requirements on Johnson & Johnson. These enhanced requirements include:
1. Compliance Department – A senior executive will serve as the Chief Compliance Officer (CCO) and shall report to the Audit Committee of the Board. There shall be heads of compliance within each business sector and corporate function. There shall be a Global Compliance Leadership Team which reports to the CCO.
2. Gifts, Hospitality and Travel – Gifts are limited to those in “modest” value and appropriate under the circumstances. Hospitality and travel is limited to reasonably priced meals, accommodations and incidental expenses and should be a part of education programs, training, business meetings or conferences. Hospitality and travel are limited to the officials not others.
3. Complaints and Reports – In addition to maintaining a mechanism for making reports, the company shall create a “Sensitive Issue Triage Committee” to review and respond to any such FCPA issues as may arise.
4. Risk Assessments and Audits – The company will conduct risk assessment in markets where it has customers who are foreign governments. The company will annually conduct FCPA audits for a minimum of five operating companies who are in high risk markets and after the initial audit every three years for any such operating entity. These audits shall include, at a minimum: (1) onsite visits by auditors and where appropriate legal and compliance personnel; (2) review of payments to health care providers; (3) creation of action plans from these audits; and (4) review of the books and records of distributors and agents.
5. Acquisitions – To the extent possible, conduct a pre-acquisition FCPA audit of any acquisition target and after acquisition a full FCPA audit within 18 months and training of all relevant personnel and business representatives within one year of acquisition.
6. Relationships with Third Parties – The company shall conduct a thorough due diligence of all third party representatives including: (1) a review of the qualifications and business reputation of the third party; (2) written rationale for the use of the third party; and (3) a review of the FCPA risk areas. Due diligence is to be conducted by a local business and compliance representative and elevated for review if Red Flags appear or as appropriate. Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.
7. Training – Annual training to all directors, officers and employees who could “present corruption risk” to the company. The company shall provide enhanced and more in-depth training to those involved in company sponsored FCPA audits or those on the company acquisition team. Last, the company shall provide training to “relevant third parties acting on the companies behalf” at least every three years.
8. Annual Certifications – The company shall implement a system of certifications from “each of J&J’s corporate-level functions, divisions, and business units in each foreign country confirming that their local standard operating procedures adequately implement J&J’s anticorruption policies and procedures, including training requirements, and that they are not aware of any FCPA or other corruption issues that have not already been reported to corporate compliance.”