We continue this multipart exploration of the recent announcement of the Fresenius Medical Care AG & Co. KGaA (FMC) Foreign Corrupt Practices Act (FCPA) enforcement action. I have previously considered the numerous and varying bribery schemes used by the company to make corrupt payments and its comeback which allowed it to obtain a Non-Prosecution Agreement (NPA). In addition to the NPA, the Securities and Exchange Commission (SEC) settled its portion of this matter with a Cease and Desist  Order (Order). Today I want to explore the lessons learned for the compliance professional on investigative steps to take as well as remedial actions based upon the FMC FCPA enforcement action.

A. During the Investigation 

1. Investigative Steps

The FMC enforcement action provided enough information about the steps the company finally began to engage in after the FCPA investigation began in earnest. The steps listed in the NPA provide a roadmap that every compliance professional should study if they find their company in an investigation. However, the lessons learned are not limited to those companies which find themselves mired in a FCPA investigation. This information can also be used educate Boards of Directors and Senior Executives about what to expect during an investigation in terms of both scope and potential cost. These steps can also be used to set up an investigation protocol now which will allow you to move more nimbly and agilely for any information which comes in through an internal reporting mechanism or more vigilant internal controls you have put in place based upon the bribery schemes.

According to the NPA, FMC met the following mandates under the FCPA Corporate Enforcement Policy (Policy), including:

• conducting a thorough internal investigation;
• making regular factual presentations to the Department of Justice (DOJ);
• providing facts learned during witness interviews;
• voluntarily making foreign-based employees available for interviews in the US;
• producing documents to the DOJ from foreign countries in ways that did not implicate foreign data privacy laws;
• collecting, analyzing, and organizing voluminous evidence and information from multiple jurisdictions for the DOJ, including translating key documents; and
• disclosing conduct to the DOJ that was outside the scope of its initial voluntary self-disclosure

The Order also related that FMC “produced documents, including key document binders and translations as needed, and made current or former employees available to the Commission staff, including those who needed to travel to the United States.”

Clearly the robustness of your investigation is critical. How as a Chief Compliance Officer (CCO) are you going to insure such steps are taken? The first step is to have a triage protocol in place to quickly and accurately assess the quality of the information which comes in to you. From there you need to get the information to an appropriate level within your organization. Recall here one of the key lessons from the Cognizant Technology Solutions Corporation FCPA enforcement action, where the Board of Directors self-disclosed the FCPA violations within two weeksof being informed. Obviously, someone at the company had to get that information to the Board quickly and with sufficient specificity to enable the Board to act so quickly.

Beyond your initial intake of information, triage and internal reporting are the steps to preserve documents. Recall one of the areas where FMC was criticized in allowing certain business units to hide and then destroy documents detailing the bribery and corruption. Obviously, such actions were taken at senior levels in the business unit in question. As a CCO you should take steps to protect the data.

2. Remedial Steps

The Policy also requires extensive remediation during the pendency of any investigation. Both the NPA and the Order laid out the remedial steps taken by FMC after the illegal acts were uncovered. The NPA noted the company engaged in the following:

• At least ten employees who were involved in or failed to detect the left the company, either through termination, resignation upon after being asked to leave, or they voluntarily departure once the Company’s internal investigation began;
• The company enhanced its compliance program, controls, and anti-corruption training;
• The company terminated its business relationships with the third-party agents and distributors who participated in the illegal acts;
• Fresenius adopted heightened controls on the selection and use of third parties, to include third party due diligence; and
• The company voluntarily withdrew from participation in pending public contracts potentially related to its illegal acts;
• The Company enhanced, and has committed to continuing to enhance, its compliance program and internal controls, including by taking steps to ensure that its compliance program satisfies the minimum elements set forth in Attachment B to the NPA.

In addition to the foregoing, the Order noted that the company beefed up its compliance function through “enhancements to its internal accounting controls. FMC strengthened its global compliance organization; enhanced its policies and procedures regarding the due diligence process and the use of third parties; created positions to address potential risks; and increased training of employees on anti-bribery issues.”

In mining the FMC FCPA enforcement action, there are many nuggets for the compliance practitioner to study. The actions which allowed FMC to obtain an NPA included both assistance in the investigation and remedial actions to stop the conduct and prevent it from happening in the future. You should study these for your own compliance program as they present significant lessons for every compliance practitioner.

[View source.]