The FCPA in 2020: New compliance requirements shake industries, and severe punishment for broken controls

As I look back over the FCPA developments from 2020, one thing stands out: the DOJ and SEC continue to demand robust compliance controls. In some cases, the agencies reinforced long-standing expectations, and severely punished companies that strayed from them –something old. In other cases, the agencies used enforcement actions to stake out new compliance requirements, causing entire industries to reevaluate their existing anti-corruption programs – something new.

The mammoth enforcement action against Goldman Sachs epitomizes the “something old” category. Although the facts in the Goldman settlements are complex, the compliance takeaways are actually rather straightforward. Goldman allegedly strayed from two long-standing core compliance expectations: (i) prevent the use of unauthorized third parties, and (ii) impose robust safeguards on payments to foreign government entities.

As most readers know by now, a handful of Goldman employees – including Tim Leissner and Roger Ng – allegedly worked with a third party named Jho Low to funnel bribes to foreign officials in Malaysia and Abu Dhabi. The purpose of the bribes was to help Goldman secure lucrative contracts to act as an arranger and underwriter for bonds issued by 1MDB, the now defunct Malaysian government investment fund. Goldman never had a formal relationship with Low.

Nevertheless, the DOJ and SEC point out that Goldman personnel in compliance and control positions suspected Mr. Low’s involvement in the 1MDB relationship or knew Low attended meetings between Goldman and 1MDB personnel, but they failed to adequately look into the matter. Indeed, on several occasions, individuals in compliance and management roles at Goldman asked Messrs. Leissner and Ng point blank whether Jho Low was working on Goldman’s behalf and accepted their denials at face value, without further inquiry or independent verification. Appropriate due diligence on Jho Low would likely have revealed a number of significant red flags.

The DOJ and SEC also found fault with Goldman Sach’s controls over the substantial payments it rendered to 1MDB. Over a span of 11 months, Goldman purchased bonds issued by 1MDB to finance the acquisition of two Malaysian energy companies and to fund a joint venture with an Abu Dhabi state-owned entity. During those 11 months, Goldman made payments to 1MDB in excess of $6 billion dollars. There is, of course, nothing in the FCPA that prohibits companies from entering into bona fide commercial transactions with governments or with state-owned entities such as 1MDB.

Indeed, the DOJ and SEC pointed out in both editions of the Resource Guide that the FCPA “prohibits payments to foreign officials, not to foreign governments” (emphasis as original). However, the agencies have for many years admonished companies rendering payments to foreign governments to ensure that the size of the payments are reasonable and to take steps to prevent the funds from being siphoned off for corrupt purposes. In other words, companies should impose controls over payments to foreign governments to ensure they are being made and used, as intended, for legitimate purposes.

Unfortunately for Goldman Sachs, the enforcement agencies found that the firm’s controls over its substantial payments to 1MDB were not up to snuff. Among other things, the agencies found that: (i) Goldman’s payments to 1MDB exceeded the values of the underlying transactions, which should have alerted the company that some of the money would be diverted for improper purposes, (ii) Goldman structured subsequent bond purchases from 1MDB despite the fact that a portion of the proceeds from the first bond issuance remained unspent, which undermined the business justification for the subsequent deals, and (iii) Goldman did not implement appropriate controls to verify that 1MDB actually used the bond proceeds for their stated purpose. These issues allowed corrupt officials working with Messrs. Leissner, Ng, and Low to divert over $2.7 billion of Goldman’s payments from 1MDB accounts to line their own pockets.

The DOJ and SEC broke new ground in their enforcement actions against Novartis. While the enforcement agencies have long scrutinized life sciences companies and their interactions with non-U.S. health care professionals (HCPs), the Novartis settlement zeroed in on how companies design and conduct clinical studies. Specifically, the DOJ and SEC found that Novartis personnel devised and funded clinical studies not for legitimate scientific or research purposes, but for promotional purposes and to reward non-U.S. HCPs that prescribed Novartis products. The fact that Novartis did not detect and prevent these activities indicated that it lacked sufficient internal controls.

Among other things, the agencies found that: (i) there was no transparency within Novartis regarding the planning, design, and execution of clinical studies, (ii) Novartis did not have a process for ensuring that clinical trials were not promotional in nature, (iii) compliance and audit personnel had no insight into budgets and spending for clinical studies, and (iv) Novartis’ sales personnel – rather than scientific and research staff – selected the HCPs who were invited to participate in clinical studies.

The DOJ and SEC have made it clear that companies in the life sciences industry must expand their internal controls over the design and implementation of clinical trials that involve non-U.S. HCPs. This means that compliance professionals and internal audit must have insight into, understand the scientific bases for, and confirm the veracity of such studies. This is a tall order for an industry already burdened with substantial compliance obligations.

In sum, FCPA enforcement in 2020 was something old, and something new. The DOJ and SEC reminded us of the dangers of running afoul of long standing expectations, and warned us to be ever watchful for new areas of risk and liability.

——

In my first live webinar of the new year, I’ll examine these and other major FCPA developments from 2020, and explain the practical compliance lessons that companies should take from last year’s record-setting enforcement actions and policy developments, and what they can do to avoid trouble in the future.