This blog post will close my review of the Foreign Corrupt Practices Act (FCPA) enforcement action involving the Swiss pharmaceutical company Novartis AG, its Greek subsidiary Novartis Hellas S.A.C.I. (Novartis Greece) and Alcon Pte Ltd., a unit of eye-care company Alcon Inc., which agreed to pay some $347 million in fines to resolve claims. Novartis Greece and Alcon Pte, a former subsidiary of Novartis AG and current subsidiary of Alcon Inc., agreed to pay $233 million in criminal penalties to resolve the Department of Justice (DOJ) investigation into FCPA violations. Novartis AG has also agreed to pay $112 million to the US Securities and Exchange Commission (SEC) in a related matter. Today conclude with a discussion of data analytics and some of the key lessons learned.
Matt Kelly (the Coolest Guy in Compliance) not only was the first to post on the Novartis matter but he presciently raised the issue of how data analytics could be used to help detect the illegal conduct at issue. Regarding the Key Opinion Leader (KOL) bribery scheme, Kelly said in Radical Compliance, “If the marketing team can rank the company’s most promising customers (and rest assured, it can); and accounting can track the company’s spend per customer (which it should) — then clever data analytics can cross-reference those lists to see which high-value targets are getting showered with “investments.”” As usual, Kelly is spot on.
The most basic form of data analytics would have been able to determine where each of the KOLs were in the sales (or writing prescriptions) leader board. When you tie this to the ‘investment’ made in each KOL in the form of international medical conferences attended at the expense of Novartis, it would be easy to flag for further investigation. Always remember, the purpose data analytics is not to tell you the answer, it is to provide insights which can be flagged for further investigation. Also, simply because this information might well come from disparate data sets is no excuse.
The DOJ spoke directly to these issues in the 2020 Update to the Evaluation of Corporate Compliance Programs when it noted that a compliance function must have sufficient resources, to effectively undertake the requisite monitoring, documentation, and analysis; there must be sufficient subject matter expertise to “understand and identify the transactions and activities that pose a potential risk” and finally, the DOJ posed the following questions: Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
Novartis’ EXACTLY bribery scheme could also have been detected through the use of data analytics. The Phase IV was perhaps the most direct when a simple review of the forms coming back from the Greek Health Care Providers (HCPs) would have shown the uselessness of the information, the significant number of ‘cut and paste’ jobs where the same information was put into multiple patient reports and the inordinate amount of incomplete forms returned. Finally, the compliance function could monitor if there was even ever going to be a Phase IV report which apparently there was no intention of completing.
In China, where the bribery was giving equipment and supplies to HCPs while trying to disguise them as long term rentals, an analysis of the different financing terms for hospitals throughout the country or even in the same geographic region would have been a good starting place for data analytics. Such reviews could have been expanded to include HCPs credit assessments, the amount of allowances for bad debt established at inception for each HCP, compliance billing, equipment repossession, proof of delivery or installation, and completion of required training associated with equipment and products delivered. This would seem to be exactly what the DOJ wants in connection with ongoing monitoring build into each compliance program.
For Alcon in Vietnam, a review of the information from the corrupt Distributor would have been an excellent starting point. The Distributor’s P&L Analysis, “included a number of line items that concealed improper payments to HCPs, including to Vietnam State HCPs, in fiscal year (“FY”) 2013 and FY 2014, including: purported “consultant cost” of approximately $111,157 for FY 2013, purported “consultant cost” of approximately $97,000 for FY 2014, purported “HR” cost of approximately $800,000 for FY 2013, purported “HR” cost of approximately $740,000 for FY 2014, purported “administration cost” of approximately $514,000 for FY 2013, and purported “administration cost” of approximately $572,000 for FY 2014.” Each one of these line items could have been tested against similarly situated distributors in Vietnam and across the Asia-Pacific region.
The Novartis FCPA enforcement action presents several important lessons, both new and old, for the compliance professional. Going far beyond crime does not pay, is the maxim not to engage in illegal bribery and corruption when you are under a Cease and Desist Order for another set of FCPA violations. (The 2016 Novartis FCPA settlement with the SEC.) For reasons not clear, Novartis did not either uncover all the illegal conduct resolved in the 2020 settlement when it investigated the conduct which led to the 2016 resolution or knew about the conduct and made the decision not to self-disclose. This lack of self-disclosure (for whatever reason) reduced the credit given to Novartis and Alcon by 25% each. It was clear the company finally got the message as apparently its remediation was outstanding as it was not required to have a monitor. However, the recidivist conduct appears to have cost the company approximately $90,000,000 in additional fines and penalties.
The second major lesson I believe this enforcement action conveys is that a compliance function must use data analytics going forward. The straight-forward analysis I have laid out here can be used with internal company resources. While many will exclaim “what an order, we cannot go through with it”, that dysfunctional denial will no longer wash. If you cannot get access to your own corporate data, you had better be prepared to explain why and what you did to get access.
SEC Press Release
SEC Cease and Order
Alcon Pte Ltd DPA
Alcon Pte Ltd Criminal Information
Novartis Hellas S.A.C.I. DPA
Novartis Hellas S.A.C.I. Criminal Information
DOJ Press Release