FCPA Problem Starts Small, Is Ignored, Grows Bigger

Some FCPA cases reveal massive issues built into the fabric of a company’s foreign sales operations. Airbus, for example, didn’t get to $2 billion in sanctions by accident. Others expose smaller problems that were ignored and allowed to grow like weeds into more substantial ones. Cardinal Health, sued by the SEC in a settled administrative order on Friday, is one of those.

What Happened (according to the SEC)

The following are allegations, not proven facts. But the SEC says this happened: Once upon a time in 2010, Cardinal Health bought the Chinese subsidiaries of a pharmaceutical distribution company and called these entities “Cardinal China”. Cardinal China also maintained on its own books financial accounts that some distribution customers used to fund their operations and marketing efforts in China. After the acquisition, though, Cardinal Health told Cardinal China to terminate these marketing accounts partly because of the FCPA-related compliance risks associated with channeling third-party marketing expenses through its own books and records. Cardinal China terminated most of the accounts, but Cardinal Health didn’t follow up to see whether they did or didn’t. This fact will obviously come back to haunt the players later in this story.

Indeed, despite these risks Cardinal China continued operating marketing accounts for a European supplier of over-the-counter cosmetic products until 2016. Cardinal China also formally employed about 2,400 employees for the cosmetic company under an administrative and HR services agreement. Most of these employees were beauty assistants and supervisors working in retail stores, but about 100 were sales, marketing, management, and back office employees.

Because Cardinal China received a distribution margin from the sales of the cosmetic company’s products, it profited from successful marketing efforts, including through improper payments made from the marketing accounts if those ever happened. Meanwhile, because they were on another computer system, Cardinal China couldn’t see these marketing employees’ emails. (!!!) And from 2013 through 2016, Cardinal China authorized and paid more than $250 million (also !!!) from the marketing accounts.

Despite all of this, Cardinal assessed the risk of these arrangements as minimal, and so didn’t subject the marketing employees to its full internal accounting controls, such as providing anti-bribery training, or overseeing any of their interactions with third parties in China.

It may not surprise you to learn that Cardinal China, at the request of the marketing employees, regularly made payments from the marketing accounts that were improperly redirected to government-employed healthcare providers and employees of Chinese state-owned retailers to promote product sales. These payments took varied forms, including cash, luxury goods, gift cards, and travel.

The marketing employees were able to disguise these payments by channeling funds through complicit third-party vendors and by characterizing transactions with healthcare providers as payments to printing companies for “production fees”. Reimbursements for high-value gifts were based on fake or incomplete documentation. Of course they were.

The Red Flags Start Waving

Naturally, the SEC’s order points to a number of red flags that did not spark a lot of action from Cardinal Health:

• Dec. 2012 – Cardinal gets a report from a Cardinal China employee that (1) questions the legality of the marketing accounts and the marketing employees and (2) recommends that Cardinal China hire an external auditor to assess its business arrangement with the cosmetic company.

• Sept. 2014 – Cardinal China is fined by the Shanghai Administration of Industry and Commerce, basically for commercial bribery at the cosmetic company’s request in violation of Chinese unfair competition law.

• July 2015 – After learning that the marketing employees had recently used the marketing accounts to purchase smart phones for undisclosed reasons, an email exchange including Cardinal China’s President acknowledges that the gap in controls at the cosmetic company had created an “enormous compliance risk” for Cardinal China.

Even with all of those red flags, neither Cardinal nor Cardinal China took steps to enhance the controls associated with the marketing account or marketing employees until 2016.

For what it’s worth, Cardinal did self-report these issues to the SEC in December 2016, about six months after an internal audit revealed them.

On Friday, Cardinal Health, the parent company, consented to the SEC’s order requiring the company to cease and desist from committing violations of the FCPA’s books and records and internal accounting controls provisions and to pay $5.4 million in disgorgement, $916,887 in prejudgment interest, and a civil penalty of $2.5 million.

Some Lessons

I don’t know. Sometimes the lessons from these cases seem obvious. But here are three for you:

1. Don’t take on exposure you can’t control. Cardinal China had these marketing accounts on its own books, and Cardinal rightly recognized them as potential problems early on. But without confirming that the marketing accounts were closed, it couldn’t shed exposure for activity going on in those accounts that were hidden from view. They were actually on another email system that compliance could not review. If you’re going to take on the potential liability, at least make it liability you can limit and control.

2. Follow up on your instructions. By the way, if you tell a division or subsidiary to do a thing that could limit the parent’s liability, make sure it does the thing. Cardinal did rightly recognize Cardinal China’s marketing accounts as problems early on, but didn’t bother making sure they had all been terminated. For significant instructions, compliance should give itself a notice for some weeks down the road to follow up and be sure the instructions have been followed. With $250 million going through the cosmetic company’s marketing accounts, this instruction was significant.

3. If you know you have a compliance problem, solve it. Cardinal China’s most senior executives wrung their hands in July 2015 about the compliance gap they had in the cosmetic company’s marketing accounts. But then they didn’t do anything about it! Cardinal China’s vice president of compliance called the accounts “an enormous compliance risk”. If you have one of these, be sure it gets handled one way or another.