DOJ and SEC Jointly Release Resource Guide to the U.S. Foreign Corrupt Practices Act

On November 14, 2012, two Federal agencies, who have jurisdiction over the U.S. Foreign Corrupt Practices Act, jointly released a very useful and comprehensive Resource Guide to this very detailed, complex and often misunderstood law.  The nearly 120-page document represents the joint efforts of the Criminal Division of the U.S. Department of Justice and the Enforcement Division of the U.S. Securities and Exchange Commission.

A copy of the Resource Guide is available for download, free of charge, at www.justice.gov/criminal/fraud/fepa and www.sec.gov/spotlight/fepa.shtml.

You may be asking yourself how a law entitled the Foreign Corrupt Practices Act could potentially apply to your business, even if you have no active or regular international business operations.  The answer is that the law potentially reaches all issuers of securities in the United States, “domestic concerns,” and even foreign companies who have securities listed in a United States market.

The FCPA prohibits payments that are intended to induce or influence a foreign official to use their position to assist in obtaining, retaining, or directing business.  Very few of us have had contact with a foreign official as we would commonly understand.  The term “foreign official” can encompass a broader range of individuals than you may expect, particularly in countries where many aspects of business are governmental or quasi-governmental.

It is the broad manner in which each of the relevant terms and requirements are interpreted that makes the FCPA so dangerous.  It is possible to step into a violation without even knowing it.  For example, the government considers individuals who you may never expect to be “foreign officials.”  For example, in certain countries, hospitals are publicly run, so your engagement with a hospital administrator, purchasing agent, or other hospital representative may actually be an engagement with a foreign official.

This is only one of the many examples of how the FCPA may apply to your business even if you do not consider yourself to be an international company or having an engagement with foreign officials.

We recommend that all of our clients consider the potential implications of the FCPA on their businesses.  Ruder Ware continually assist clients with FCPA compliance issues.  We have assembled a multidisciplinary team of attorneys, include one who is Certified in Corporate Compliance and Ethics and are available to assist you with FCPA or other regulatory compliance issues.

Anti-Bribery and Corruption Risk Assessment

Compliance risk assessment is continuing a trend toward priority for companies that have global operations.  The trend toward systematic compliance programs spans across all industries.  The priority, scope, frequency, and level of sophistication of compliance activities are growing in response to the expansion of governmental focus on bribery, fraud, and corruption.

The United States has had laws on the books governing fraud, bribery, and other corrupt practices for many years but is now taking a much more aggressive approach toward enforcement.  Other countries are also expanding their enforcement.  Many, including China, the United Kingdom, and Russia, have adopted new laws addressing bribery and corruption.  The laws of each country must be considered when operating globally.  All have somewhat different requirements, all which must be considered when structuring and operating global compliance programs.

Period risk assessment of corruption and bribery law compliance has now become industry standard.  Companies that have substantial operations must assess corruption and bribery risk on an ongoing basis.  Assessments should be performed in a systematic way based upon prioritization of risks.  The ongoing assessment of risk should also include the adoption of corrective action to address areas that are determined to present significant risk, where existing process or policies are not adequate, or where violations may have already occurred.

Risk assessment also serves a didactic element.  The process itself reinforces attention on the compliance process, the company’s commitment to compliance and the issues involved with the specific area of risk that is being assessed.

Compliance is best viewed as a process rather than a set of policies.  The process is circular and never-ending.  One state is built upon the previous.  The end result resumes the process.  Conceptually at least, the process begins with identification of risk.  Various risk areas can then be assessed, scored, and prioritized based upon the affect on the organization.

Prioritized risk can then be assessed through appropriate means which may include controls, monitoring or auditing.  Depending on the risk involved, external auditing or further assessment may be appropriate.  Deficiencies in controls can be identified and a “gap analysis” can be performed.  This leads to an appropriate corrective action being taken to address any identified gaps.  Corrective actions may include the adoption of policies and procedures, disciplinary actions, self reporting, subject area training, and other appropriate activities given all of the facts and circumstances.

The compliance program establishes the process in which assessment takes place.  The program establishes the ground rules for the assessment and remediation of risk.  The program helps assure that the process sis uniform and systematic.

Some of the elements that should be included in assessing risks under the anti-bribery and corruption laws of various countries will be covered in subsequent posts.
John Fisher is a certified in corporate compliance and ethics (CCEP) and is an attorney with the Ruder Ware law firm.

Role of the Board of Directors in Corporate Integrity

I just reviewed the referenced piece that covers the Board’s role in compliance issues. Wall Street Journal Article On Board Role In Compliance.   This piece echoes many of the points that I make in my presentations on this issue.  (You can access my Blue Paper on this issue here:  Board Compliance Role Blue Paper)

Practical steps that the Board an take to fulfill its compliance oversight responsibilities are laid out in the attached and in my presentation material as well.  this piece is focused on practical steps the board can take to foster a culture of integrity.

The Board is ultimately responsible for assuring that compliance is taking place and a atmosphere and culture of compliance exists.  Boards need to take these obligations seriously and proactively address compliance issues.

Compliance Issues When Using Third Parties

Global Compliance 

Third party actions taken on your behalf are to a significant extent as much as your responsibility as actions taken by your employees.  As such, it is necessary for all parties involved at every level of the transportation and relocation industry to establish effective processes to govern and direct appropriate activities that are conducted on their behalf.

Expectation is that you know the identity of third parties, that you have a process in place to screen third parties, and that you retain control over the activities that they conduct on your behalf.

Your concerns should be raised and special care taken in cases where you do not know who you are doing business with, you use geographically dispersed contractors, you work in different cultures (particularly high risk cultures), and

Know Who You Do Business With

Maintain a database of third parties who you do business with.  The database should include information on the applicable contractor and the process that was followed to conduct due diligence.

Risk Assessment of Third Parties

You should have a system in place to identify the third parties who present the most risk.  Risk factors may include geographic high risk areas (Transparency International Competition index).

Incorporate Due Diligence

Adopt a process for selection of third party contractors based on risk.  Your system should categorize the level of risk that is presented by each subcontractor.

Written Contracts

Written contracts that set forth expectations and standards for third parties must be put in place.

Responsible Individual

One individual with your organization should be designated as being responsible for managing the third party

Be Guided by Red Flags

You should create a list of “red flags” that will alert you to existence of facts that suggest that there may be a higher degree of risk with a specific subcontractor.

The  as amended by the International Anti-bribery and Fair Competition Act of 1998 (collectively, “FCPA”) was enacted to prohibit bribes and other illegal payments to officials of a foreign government, public international organization or foreign political party by American companies and by foreign persons present in the United States to obtain or retain business or to secure any improper advantage. The FCPA is part of the Securities and Exchange Act of 1934 and contains provisions concerning record keeping and accounting as well as penalties for violations.

The accounting provisions require companies to keep detailed books, records and accounts accurately reflecting corporate payments and transactions. They also require such companies to institute and maintain internal accounting control systems that would assure management’s control over the company’s assets. The prohibited payments (antibribery) provisions are designed to prohibit U.S. citizens and companies and foreign persons present in the United States from using the mails or any instrumentality of interstate commerce corruptly in furtherance of an offer, payment or promise to pay or give anything of value to officials of a foreign government, public international  organization or foreign political party, or (with knowledge or belief that it will go to someone in any such class of recipients) to any person for purposes of influencing official acts (including failures to act) in order to assist in obtaining or retaining business or to  secure any improper advantage.

Creating a Compliance Program That is Right for Your Organization

An important part of developing an effective compliance program is to make the program scalable and effective for the operations of the specific provider.  In some ways, creating compliance program for a large health system is the easiest because you have the resources and breadth of operations to recommend everything; also known as the “kitchen sink” model.  The real art in my opinion comes when developing programs for smaller hospitals, physician groups and other organizations that do not have the resources to “do it all.”  Taking an overbroad approach to compliance with smaller organizations can actually create additional risk because you are creating a “roadmap” of items that are not being done and which you will never have the resources to complete.

Our job as compliance attorneys is to recommend systems that are workable within the resources and specific risk areas that are relevant to the provider.  This takes a level of judgment that is not necessary where the size and resources of the organization permit the “kitchen sink” approach to be taken.

The development of compliance programs for smaller organizations take a surgical approach.  Care must be taken to develop systems for identifying the risk areas that are specific to the organization.  Risks should be scored and prioritized and the results of this process should be included into a plan to accomplish audits, reviews or monitoring of the various identified risk areas.  Small organizations cannot hit every risk area during every budgeting cycle.  A longer term approach is called for with the most urgent risks requiring closer and faster review.  This all ties into the budgeting process.  The work plan needs to be adequately budgeted.  The size of the organization will have an effect on the amount that is budgeted for compliance.

The point of a compliance program is not that every problem area will be found.  It is most important that a logical system be developed that prioritizes risk and addresses risk areas in a logical fashion.  The other side of the coin is that a substantial organization should not hide behind lack of resources for not addressing significant risk areas.  A small physician practice is at one end of the spectrum.  A hospital system with several facilities, attached physician network, and an array of ancillary services would have little excuse for not allocating sufficient budget amounts to compliance to enable the organization to meet its compliance needs.

Issues of scalability also come into the general structure of the compliance program.  A small physician practice will not have the resources to hire a chief compliance officer.  Rather, a small practice might designate a partner or administrator as a “compliance responsible individual.”  On the other hand, a substantial hospital system should implement a robust structure including a full-time chief compliance officer, a compliance committee and compliance staff.  The compliance officer should not serve a dual role in positions that create an inherent conflict of interest such as general counsel, chief financial officer or chief operating officer.

Issues of scope and scalability are at the center of most compliance efforts.  These issues require careful and judiciously made decisions.  These decisions are important and must be faced by providers of all size, from the smallest medical practice through the largest health system as mandatory affective compliance programs become a requirement.

Mandatory Compliance Programs for Health Care Providers

Compliance programs were made mandatory for all providers as a condition of participation in the Medicare program under the patient protection and affordable care act of 2010. With the recent Supreme Court decision upholding the affordable care act,  any uncertainty as to whether the mandatory compliance programs will become a reality has been lifted.

The affordable care act also required the CMS to promulgate regulations that establish the core elements for providers and suppliers to meet with respect to the mandatory compliance programs. CMS is authorized to determine the timing and core elements of the required compliance programs. The first industry segment that are required to adopt compliance programs are nursing facilities which must comply with mandatory compliance program requirements by March 23, 2013. However, CMS missed it statutory deadline (March 23, 2012) for promulgating detailed regulations to guide nursing facilities in the creation of compliance programs. It is expected that these regulations as well as the requirements for other providers will be forthcoming soon now that the Supreme Court has upheld the Affordable Care Act.

The Office of Inspector General has in the past issue compliance program guidance for various industry segments.  We can expect at least some of these requirements to be part of the regulatory clarification coming from CMS under its authority to enforce mandatory compliance programs. We can also expect additional requirements to be added based upon a parallel recent promulgation from CMS that is applicable to Medicare advantage managed-care plans and prescription drug part D plan entities. Although not directly applicable to organizations other than Medicare Advantage Programs and Part D prescription drug programs, the regulatory proposals are instructive of the current thinking of CMS with respect to required elements of compliance programs.

Some key elements of the recent regulatory proposal which were not included in previous OIG compliance program guidance include:

•  A strong recommendation that there be standardized process for the governing body to review the compliance program documents at least annually. Current guidance is much more permissive and only suggests periodic reviews. The new regulations would require a complete effectiveness review and a detailed “gap analysis” to the Board of Directors on an at least an annual basis.
• More details concerning distribution of standards of conduct and policies and procedures to new employees. The new proposed regulations required distribution of these materials within 90 days of initial hire and at least annually thereafter.  Distribution of policies and procedures will be an “obligation” rather than simply a “suggestion” once the new proposed regulations are finalized.
•  The proposed regulations contain the clearest statement to date from CMS that “dual role” compliance officers, where the compliance officer is also the CFO, CEO or General Counsel, present a built-in conflict of interest and are not permitted. This has been a controversial topic in the past as many organizations still maintain their general counsel as their compliance officer. If the recent proposed regulations are any indication, many “dual role” compliance officers will be the way of the past. It appears that it will still be permissible for divisional  managers, such as quality assurance managers, to act in a dual role. However, operational management will not be permitted to act in his rules. This clearly includes CFOs, COOs and General Counsel who are specifically mentioned in the proposed regulations

There are many additional details that are contained in the most recent proposed regulations. There’s every indication that these proposed regulations are a foreshadowing of the eventual requirements that CMS will release under the mandatory compliance program authority that will be applicable to other providers such as nursing homes, physician groups, hospice, DME providers and other health care providers.

In view of these pending requirements and in light of the apparent expansion of compliance program requirements that is being hinted at by CMS,  providers should conduct an effectiveness review of their compliance programs now and begin the ongoing process of conducting such reviews on an at least an annual basis.  Reviews should be conducted with the requirements of the new proposed regulations in mind.

Small organizations, such as physician practices and smaller healthcare organizations should begin immediately to implement scalable compliance program structures that are focused on the specific risk areas that affect their organizations and begin to create an infrastructure for an effective compliance program.

 Organizations who still have their General Counsel, CFO, or COO acting as their compliance officer should begin to set the stage to undo that structure.  A separate office of Chief Compliance Officer should be created and separately budgeted.  The CCO should have autonomy from other operational offices and should have direct access to the Board of Directors, a Compliance Committee and the CEO.  This issue can be politically difficult within an organization and should be addressed soon rather than later.  Ultimately, this is an issue that must be firmly addressed by the Board of Directors under its responsibility to oversee the compliance program.

OIG Video Series – Effective Compliance Program Development

The Office of Inspector General (“OIG”) has released a series of videos relating to compliance issues.  Recent videos cover compliance program/type and basic elements of compliance programs.  Access OIG Compliance Videos

Recent OIG advice includes:

• Foster a culture of compliance
• Devote adequate resources to compliance
• Create useful policies and procedures
• Train your staff
  • Offer training often
  • Be creative with training to foster interest
  • Stay current on compliance issues
  • Promote communication
    • Be visible within your organization
    • Communicate the hotline
    • Communicate and reinforce non-retaliation for making complaints
    • Take appropriate corrective action
• Team approach to investigations
  • Investigate to resolution
  • Create appropriate corrective action
  • Use results to improve compliance process
• Conduct regular audits
• Determine risk areas
  • Coding
  • Contracts
  • Quality of care
  • Review compliance program regularly

 Access OIG Compliance Videos

Compliance Program Development and Effectiveness Review

We have made a major firm committment to our compliance practice.  Health care attorney John Fisher recently obtained national certification in health care compliance through the Health Care Compliance Association.  We have assembled a team attorneys with various legal backgrounds, including health law, employment law, non-profit tax law and other areas to complement Mr. Fisher’s focus on compliance issues faced by health care providers.

We provide compliance program development and review services to hospitals, individual physicians and group practices, dental groups, chiropractic groups, home health agencies, skilled nursing facilities, durable medical equipment suppliers, ambulance providers, therapy clinics, ambulatory surgery centers, and behavioral health care providers.  We assist providers in conducting internal audits, internal investigations, compliance program gap analysis and effectiveness reviews. We have also assisted providers who are the subject of reviews by institutions where they may be employed or have staff privileges.

Examples of some of our compliance program related involvement in the health care area include:

• Conducting effectiveness reviews and making suggestions for enhancements to existing compliance programs.
• Working with governing bodies to develop initial compliance programs.
• Advising compliance officers and governance with respect to ongoing monitoring and auditing.
• Assisting providers to conduct internal audits and assessments.
• Assisting providers to focus on specific risk areas that may affect their practices.
• Assisting providers in the reacting to compliance reports including investigations and corrective action plan development.
• Conducting detailed compliance related research in the course of acquisitions of other providers.
• Creating programs that leverage existing resources and expertise into an enterprise management system addressed at compliance issues.
• Compliance Programs Are An Essential Element of Health Care Operations

Effective compliance programs have become an essential element of an effective regulatory risk reduction program.  The importance of compliance programs have been repeatedly emphasised by government officials over the past decade.  Recently, Marilyn Tavenner, Acting Administrator of the Centers for Medicare & Medicaid Services (CMS) released a brief article on the CMS Blog emphasizing the use of “predictive modeling” technologies to identify specific providers that warrant further investigation.  The Acting Administrator touts that predictive modeling has already identified 2,500 leads for further investigation, 600 preliminary law enforcement cases, and 400 direct interviews with providers that have taken place due to the use of predictive modeling.

The 2012 Office of Inspector General Annual Work Plan also referred to new methods and programs to detect potential billing anomolies.  The OIG states that it will be using data matching programs to identify not only providers who are at a high risk of having incorrect billings, but also providers who have low risk.  The OIG claims that it will be examining both types of providers to determine the impact that compliance program operations have on the accuracy of billings.  This is alarming because it means that the OIG will be eamining the operations of compliance programs who show low risk of billing anomolies.

The Coming of Mandatory Compliance Programs

The PPACA created the concept of mandatory compliance programs for most providers.  Nursing homes are first on the list and must certify that they have an effective compliance program by 2013.  We are expecting additional regulations on what constitutes and effecive compliance progam as well as specific timelines defining when other provider types will be required to adopt compliance programs as a condition of participation in the Medicare and Medicaid programs.

Compliance Programs – One Size Does Not Fit All

The OIG Guidance on Compliance Programs as well as the Federal Sentencing Guidelines make it clear that one size does not fit all when it comes to compliance program development.  An effective compliance program needs to be strategically developed based on identification of the risk factors that are specific to the size and nature of the organization.  It is not prudent to simply copy the policies of another organization and adopt them as your own.  You should create a structure as well as topical policies that reflect the nature of your particular organization; sometimes right down to the personalities that are involved in the various aspects of your operations.

There are certain core principals that will be common to all compliance programs.  However, your program should be appropriately scaled to the size and resources of your organization.  I am not suggesting that you fail to allocate sufficient resources to compliance.  Decisions regarding allocation of resources are difficult but must be addressed.  At the same time, you do not want to develop policies that you will never have the resources to appropriately follow.  This carries the risk of creating a “Roadmap” that demonstrators to investigators the things that you are NOT doing.  Policies that you do not follows are argueably worse than having no policies at all; at least in some areas.