Navigating third-party risks in pharma and life sciences

There are more than enough cliches to describe people who have many different things to concentrate on simultaneously—juggling, plate-spinning and whack-a-mole come to mind. Tired analogies aside, compliance leads at pharmaceutical and life sciences companies have one of the least navigable jobs in our field. Sitting at the intersection of both general and specific laws and regulations, and with a huge reliance on third parties, life sciences companies need to have third-party compliance programmes that take into account the full range of risks they face.

This all comes at – need it be said again – an extraordinary time: the complexity and uncertainty surrounding the COVID-19 pandemic has presented an array of operational issues with third-party compliance. Among these, the fact that life sciences companies have not been able to conduct essential site visits of third parties has been a source of particular stress, according to Control Risks’ survey respondents.

HCPs: risks from several directions

Much of regulatory scrutiny as it relates to third parties is driven by the interaction of life sciences companies with healthcare professionals (HCPs). In the US, The Physician Payments Sunshine Act – more commonly known simply as the Sunshine Act – mandates that life sciences companies must report any payments or other transfers of value made to HCPs. This obligation, which requires clear visibility over the full array of third-party relationships that might have an HCP touchpoint, combined with the need to establish the good standing of any HCP a company already knows is in the mix, is fraught with challenges. Control Risks’ survey responses reflect this. The life sciences professionals we consulted considered HCPs to be second only to distributors as the riskiest type of third-party relationship – and they are well advised to do so. Centralised, easily accessible online databases to confirm that an HCP’s licence is in good standing are few and far between, even in the US, Canada, Japan and the EU Five (Footnote: Germany, Spain, France, Italy and, somewhat ironically, the UK), where the majority of pharma-dollars are spent. Companies offering HCP verification services almost exclusively limit their services to the US and UK for this reason.

In other cases, life sciences companies’ compliance departments need to establish that there are no HCPs associated with a third party. There are few things that keep a pharma company’s compliance officer awake at night more than the fear of a payment to a non-governmental or charitable organisation with an HCP connection that ultimately violates the Sunshine Act on the grounds of failing to report such a transaction. A best effort at due diligence must be made.

Major market players have hitherto offered mostly a generic product to meet sector-wide risk considerations, with internal legal and compliance departments left to go the final mile in covering sector-specific risk concerns, whether it’s carrying out time-consuming research into potential HCP connections or undertaking the task of confirming HCP licences and specialties. As providers look to show their familiarity with life sciences sector-specific pain points, a strong value proposition for under-resourced compliance departments is complementing existing due diligence methodologies with research aimed at establishing HCP connections to third-parties and incorporating medical-related litigation database searches.

PAPs and charities

Grants, sponsorships, and donations to independent charitable organisations have also historically represented an enhanced area of risk for pharmaceutical and biotechnology companies.

Over the past several years, we have seen an increase in government investigations and settlements in the US related to the practice of pharmaceutical companies donating to independent charities that provide financial assistance with out-of-pocket drug costs to patients. Specifically, these government investigations and settlements have examined whether donations to independent charity patient assistance programmes (PAPs) violate the federal Anti-Kickback Statute. In the largest settlement, United Therapeutics agreed to pay a USD 210m fine to settle allegations of kickbacks and FCPA violations related to its activities with PAPs. Very recently, Teva Pharmaceuticals and Regeneron Pharmaceuticals joined a long list of pharmaceutical companies under investigation by the US Department of Justice for alleged improprieties related to PAPs. In addition to having proper internal controls in place to manage interaction with PAPs, a company must conduct thorough due diligence prior to engaging with the PAP. This should cover the PAP’s structure, ownership, identification of disease funds and eligible recipients, as well as other information necessary to ensure that the company can work with PAPs while maintaining independence.

Risks surrounding donations and charitable organisations for life sciences companies also extend well beyond their interactions with PAPs. It is common practice for a life sciences company to provide financial assistance to not-for-profit organisations for their operations or for a specific event. As with PAPs, here it is also crucial to conduct thorough due diligence on the not-for-profit organisation, including determining whether any HCPs are part of this organisation or are part of its board, prior to providing any funds. In many countries, HCPs who are also politically exposed or serving as government officials play important roles in these organisations, and frequently hold a board position. This presents elevated risks for potential violations of FCPA, UK Bribery Act or other anti-corruption laws and regulations.

Conclusion

There are general risks that affect every sector, but pharma and life sciences stands apart due to the sheer variety of third parties, including some, like HCPs, PAPs and charitable organisations, with very specific risks, as we have discussed. Furthermore, the high level of interaction with politically exposed persons and the overall reliance on third parties to grow business exposes life sciences companies to wide-ranging and acute risks faced by companies in no other industry, except perhaps defence and aerospace.

That being said, life sciences companies can successfully navigate these myriad risks. A risk-based approach is a good start, but without a sophisticated way to rate relative third-party risks, it can leave compliance programmes open to unexpected pitfalls. Companies should strengthen their compliance and resilience structures by combining their risk-based approach with a robust third-party due diligence programme that accounts for sector-specific concerns and the different risk posed by each type of third party. Doing so will help ensure that compliance departments and business units work in tandem and understand each other’s motivations and obligations, and be prepared to act quickly and assertively when any transgressions or issues of concern are discovered.