Economic pressures are driving many companies to increase profitability by growing their business into new markets. This is especially true of life science companies as they seek to increase sales of existing products in emerging markets; develop new products through clinical trials in countries with larger qualifying patient populations; or manufacture products in countries with lower labor or product costs.
An overseas acquisition is one way to accomplish all these goals, whether a US-based company looks to expand globally or a non-US company wants to acquire an emerging organization in the US. But the hidden risks of such a cross-border acquisition can be significant.
One area of increased concern for companies considering such an acquisition is unknown exposure to the provisions of the US Foreign Corrupt Practices Act (FCPA). FCPA contains two fundamental provisions.* First is the anti-bribery provision, which prohibits US companies from bribing foreign officials to obtain or retain business. Second are the accounting and internal control provisions that require companies with securities registered under the Securities Exchange Act of 1934 (the Act) to make and keep appropriate books and records and to maintain a system of adequate internal accounting controls. These accounting and internal control provisions are not limited to accounting for corrupt foreign payments or any other particular type of transactions.
Although the basic elements of the Act may not initially seem complex, the underlying principles can be triggered by many aspects of the business operations of a life science or medical technology company. Since the more complex aspect of the Act is understanding and evaluating the anti-bribery provision, this article will focus on areas of greater risk for life science and medical technology operations and address issues to consider when performing pre-acquisition due diligence in these industries.
Unfortunately, several industry-specific trends have put life sciences and medical technology companies squarely in the cross hairs of regulators:
- Many companies currently operate in and focus on developing global markets.
- A nationalized health system in most countries means the government is the largest customer.
- The significant use of third parties to conduct business often results in constant contact between employees or agents and government officials.
- Industry expansion continues into countries where bribery is common.
Although FCPA is not new, the enforcement of the Act has become a major focus of US regulators over the past few years. As a result, acquiring an organization with a history of improper business practices can quickly turn an otherwise attractive business opportunity into an embarrassing and costly acquisition.
Heightened enforcement of FCPA has made it more important than ever to spend adequate time assessing the business practices of target organizations. Yet, according to Ernst & Young’s 10th Global Fraud Survey, “Corruption or compliance — weighing the costs,” nearly 30% of companies that acquired a new business in the last two years “never or infrequently” considered bribery or corruption risks in the context of a potential acquisition.
Given that the provisions of FCPA are not widely or well understood, companies undertaking an overseas acquisition may be surprised to find that what they originally understood to be a well-run, profitable company actually has significant business practices that are problematic. Problems leading to noncompliance often are caused by local cultural issues—including bribery, corruption and quid pro quo arrangements that have historically become accepted practices in some countries—as well as by employees’ lack of understanding of the principles of FCPA.
All these factors suggest that companies considering an acquisition should plan to perform a rigorous pre-acquisition due diligence specifically to address FCPA compliance risk.
Risk assessment: The critical first step
FCPA due diligence is often carried out under a “top-down” methodology, beginning with a compliance risk assessment, that seeks to understand the target’s culture, organizational structure and business model. This risk assessment includes observing management’s focus on ethical business practices and the “tone at the top”: the attitudes and traditional business practices of key personnel with respect to interactions with government officials can be telling. Notably, also, behaviors and business traditions that might run afoul of US custom or be violations of FCPA are often common in certain industries or countries.
Companies in certain regulated industries, such as in the oil and gas sector and the pharmaceutical sector, have recently faced significant regulatory scrutiny for their business customs and practices related to interactions with government officials, including, in the case of pharmaceutical companies, with the many healthcare professionals or hospital administrators who are government employees. Further, certain markets are commonly perceived as having a higher risk of bribery and corruption, as evidenced by the recent and frequent consideration of Transparency International’s Corruption Perception Index in FCPA diligence planning.
Along with considering a target company’s culture, acquirers should also consider its organizational structure and business model—in particular, its existing compliance infrastructure and control environment and the company’s demonstrated effectiveness at addressing FCPA and other compliance-related risks. Prospective buyers should determine whether there is a compliance infrastructure in place at the target that includes focused training, written policies and procedures, internal auditing, monitoring and reporting and other evidence of intent with respect to FCPA and interactions with government officials.
Continuing with the top-down approach, companies engaged in a pre-acquisition risk assessment can often identify FCPA risks by taking a careful look at a company’s business model. How does the company attract and retain clients? What are the touchpoints where the company interacts with government officials? How does the company identify government officials? Who within the company is responsible for such interactions? How does the company oversee and control such interactions?
Gaining an understanding of the company’s business model may also include reviewing its accounting systems and business records. Reviewing the account structure may identify suspicious accounts used to process disbursements in violation of FCPA or to help identify suspicious transaction volume, such as excessive use of a petty cash fund.
Testing: Validating the risk assessment
After developing an understanding of the target company’s culture, organizational structure and business model, an acquirer can get a sense for the scope, magnitude and types of FCPA or other compliance-related risks that may be present. Identifying and prioritizing risks is the first step in developing a comprehensive testing program that is aligned with prioritized risks.
The goal of substantive testing is to objectively gauge whether the target’s actual business practices adhere to company policies and procedures with regard to FCPA, and to validate the accuracy of information obtained in oral interviews of company personnel. Testing procedures can range from minimally intrusive to extremely detailed and complex as dictated by the preliminary risk analysis and risk appetite of the acquirer and, increasingly, in consideration of the confluence of increased regulatory scrutiny and decreased budgets and compressed timelines.
As a result of the tremendous diversity in business practices, compliance risk profiles and acquirer needs, there is no standard template for due diligence testing. However, testing most often focuses on financial and other business records relevant to the higher-risk touchpoints with government officials.
In the pharmaceutical industry, this may include use of agents, consultants, distributors, brokers, wholesalers, freight forwarders, local counsel and other third parties. It also may include joint ventures or mutual arrangements used to facilitate access to new markets, contracts or customers. The due diligence process will identify such arrangements and try to match that list with the relevant business records to gain a detailed understanding of the services performed and the remuneration exchanged.
A variety of financial records may be relevant to substantive testing, but disbursement records and employee time and expense reports are a common focus. Disbursements are reviewed in order to identify suspect payees and amounts and to understand the nature of certain payments. Disbursements to consultants or finder’s fees are often viewed as suspicious, as are disbursements vaguely described as covering licenses or government fees. In addition to direct cash payments, testing may include disbursements made to purchase gifts or other items of value to be given as a donation either directly to or for the benefit of a government official.
A diligence program may also include reviewing the expense reports for sales executives or management to identify amounts spent for the benefit of a government official. This could identify suspect transactions such as the purchase of expensive gifts, airline tickets, reimbursement of ATM withdrawals, donations, excessive meals, travel and entertainment or other items that should be flagged for detailed review of the payment’s purpose.
Once the transaction is closed, the acquiring company has increased risk of any ongoing inappropriate activity. As a result, a thorough post-closing due diligence should be done to confirm the findings from the due diligence process. This would include:
- Further assessment of risks identified during due diligence
- Further assessment of business processes, including developing a complete understanding of all interactions with government officials
- Implementation of compliance program enhancements, including additional auditing and development of monitoring protocols
- Evaluation and revisions to FCPA training.
Growing your company through acquisition can bring many benefits to the growth of a company. Without adequate due diligence on compliance risks, however, an acquisition can also create significant unexpected risk.
The views expressed herein are those of the authors and do not necessarily reflect the views of Ernst & Young LLP. PC
Gregory A. Crouse and Thomas A. Gregory are partners in the Fraud Investigation & Dispute Services practice at Ernst & Young LLP. They can be reached, respectively, at Gregory.Crouse@ey.com, (202) 327-6670, and Tom.Gregory@ey.com, (404) 817-5205.