It has been over five years since the start of the GlaxoSmithKline case that rocked the China healthcare industry. At the time, compliance, audit and legal teams were shocked by the prevalence of integrity and corruption issues that had apparently gone unidentified, despite the widespread practice of generating slush funds through fraudulent travel expense claims.
In response, most companies revamped their compliance programs. They revised policies, focused on compliance with Chinese, as well as international law, provided training, implemented whistleblowing programs and conducted multiple investigations. They scrutinized third party providers and conducted due diligence, terminated employees for misconduct, self-reported to the U.S. Department of Justice and even self-reported to Chinese authorities. An army of auditors using data analytics and advanced monitoring were deployed.
However, despite these efforts, compliance function reform has now flat-lined, exposing companies to regulatory, financial, reputation and operational risks. In this article, we outline three symptoms of a suffering compliance function in China and offer our advice on how to stay healthy and ahead of the curve.
Academic sponsorships and charitable donations
Many companies still do not view sponsorships and donations as carrying much, if any, compliance risk. That is simply not the case.
In the past year, we have found instances where:
- Companies have made sponsorships or donations with the knowledge that some of the money is going into the pockets of officials running the academic association or charity.
- Donations are explicitly linked to decisions on whether a company’s product will be approved for sale or insurance reimbursement -- no donation, no approval.
- It is implied that not all the money is being used for academic or charitable purposes, but the transactions are not questioned because the officials of the associations and charities are key opinion leaders in a position to influence the China medical community’s view of the company.
- There is reluctance to scrutinize what the funds are used for; it is “unseemly” to ask too many questions or require performance evidence of academic associations or charities.
While there are often scientific/medical compliance protocols in place for grants and donations, integrity controls are missing or inadequate, considering the likelihood of requests for bribes and the potential regulatory impact. The heads of most established medical associations in China are prominent doctors, heads of hospitals, medical professors, etc., who also hold official titles, exposing companies to U.S. Foreign Corrupt Practices Act, UK Bribery Act, and Chinese related enforcement.
What is the best medicine? Companies need to know exactly to whom they are donating the money. In-depth due diligence should be conducted on the association or charity to understand their structure, background, ability to carry out the work that is promised and relevant political connections.
In addition, compliance personnel should go out in the field and verify the association or charity is actually using the money for what it promised – e.g. healthcare professional academic events, marketing events for the charity program, patient awareness campaigns, etc. These spot checks do not need to put pressure on the association or charity. And if they do, that should be considered a red flag.
Compliance case overloaded. Despite an increase in headcount and resources, most companies find their compliance caseload continues to be overwhelming. Improvements in compliance and monitoring mean catching more violations; and are supplemented by a dramatic increase in whistleblower activity (only likely to continue as China codified the protection and reward of whistleblowers from April 2016).
The risk here is that compliance teams will simply work faster and for more hours in the hope they will eventually tackle the problem. However, the race to close cases out can lead to missing key findings, which can leave the compliance department and entire company exposed to potential regulatory liability.
What’s the fix? When working harder and faster isn’t the solution, companies need to establish a risk-ranking approach -- a system of prioritization and ranking each case. Higher scores will be given when there is a known government or media interest in the matter, to protect the company’s license to do business and reputation. If there is a whistleblower involved, evaluate their nature and attitude. Higher scores will be given if they are making credible threats to take their allegations to the government or media, then raise the priority level of the case. Finally, cases involving issues of violence, bribery and defrauding a key stakeholder will also be allocated scores accordingly.
Dealing with extortive whistleblowers. By now, it is commonly known that whistleblowing cases have been increasing in China in the past three years and whistleblowers present unique challenges to multinational companies. But we have seen one type of whistleblower is especially disruptive -- the whistleblower who makes a demand or they will take their allegations to the government or media. Often this type of whistleblower is an employee in the process of involuntary separation from the company.
We generally view these types of whistleblowers as extortionists, abusing their status as a whistleblower to obtain a benefit from the company. Because the majority of companies do not have much experience dealing with extortionists, they do not have an established process for addressing this unique type of case. That is the wrong approach because these cases are among the highest-risk we see in a company’s compliance case load.
What’s the solution? Since these cases often involve tight deadlines and high pressure, it is advisable to game plan for them before they happen. An extortion case is essentially a crisis event, so consider repurposing applicable parts of the company’s crisis management plan to provide structure on how to deal with it. Think about the terms on which the company would be willing to engage such a whistleblower, if any. Plan how you would identify and employ surge investigative resources to cover this priority case, while continuing to handle the normal compliance case load. Planning for such cases before they occur will give the company a much better command of the situation.
This article was originally published on FCPA Blog