Companies searching for guidance on good Foreign Corrupt Practices Act compliance can learn a thing or two from the Johnson & Johnson case—not only about what the company did right, but where it went wrong, too.

The pharmaceutical and healthcare giant agreed to pay a total of $70 million in a settlement with the Justice Department announced on April 8: $21.4 million in criminal penalties, along with $48.6 million in disgorgement and other fines. The settlement stemmed from J&J's admission in 2007 that its British subsidiary DePuy Inc. had paid bribes to government officials in Greece, Romania and Poland since 1998. Michael Dormer, the J&J executive who was responsible for oversight of DePuy, resigned from the company in 2007.

In its statement announcing the payment, the Justice Department acknowledged the company's “significant assistance in the industry-wide investigation,” among other points, as a reason for imposing a reduced criminal fine. By comparison with some other recent FCPA settlements, J&J got off easy. Swiss logistics company Panalpina agreed in November to pay an $81.8 million penalty; Daimler AG paid a $185 million fine last April.

And, yet again, a U.S. company paid the price for the reckless actions of a foreign subsidiary. “The most challenging part of any compliance program is extending it to overseas subsidiaries,” says Richard Cassin, founder of Cassin Law. “The case represents a failure of oversight and that seems to be a common theme in several enforcement actions recently. For example, it popped up in the IBM enforcement action.” IBM settled an FCPA suit with the Securities and Exchange Commission for $10 million in March, for bribery committed by its operations in Korea and China.

“J&J is sort of a classic case, where possibly they might have gotten too comfortable, and were not critical enough about what their process was,” says Jonathan Marks, the fraud, ethics, and anti-corruption practice leader at auditing firm Crowe Horwath. “Companies think, ‘Now that we've built our compliance program, we don't have to do anything else,' but monitoring is also critical to stay on top of things.”

Many firms don't seem to understand what their potential risks are, Marks says. “A lot of companies think that just because they don't have operations outside of the United States, that they aren't subject to the Foreign Corrupt Practices Act, because they don't understand what their supply chain looks like,” he says. “The biggest thing is that people don't understand that the risk assessment process drives your compliance program, and not the other way around.”

Marks has gone so far as to develop a “13-step program” to walk companies through development of a proper FCPA compliance program. (See box at right.) His points generally align with the Justice Department's recommendations for what a proper compliance program should look like, which prosecutors included in the settlement they reached with Panalpina, says Doug Tween, a partner with Baker & McKenzie who represented Panalpina.

The Justice Department also appears to have inserted compliance program recommendations into the J&J settlement, says Mike Koehler, a law professor at Butler University who maintains a blog about FCPA issues.

Specifically, the Justice Department requires J&J to perform risk assessments and audits of its compliance program—something not typically seen in FCPA deferred-prosecution agreements, Koehler says. “I find this Attachment D in the so-called ‘enhanced compliance obligations' rather unusual, given that the Department of Justice said earlier in the agreement that J&J had, in almost all cases, an effective FCPA compliance policy in the first place,” he says. “This further demonstrates the increased enforcement agency expectation—and some would call it ‘meddling' in corporate affairs—post-enforcement action.”

The J&J case is just the latest example in a string of vigorous enforcement actions on FCPA violations. “If you talk to general counsel, you'll probably see that anti-bribery is their biggest risk area today; it's really hard for companies to navigate, especially in certain parts of the world,” Tween says. “A majority of the cases that the government prosecuted recently have involved payments made through intermediaries, as opposed to direct. So there is an expectation that a substantial amount of third-party due diligence has to be done before a company can safely rely on any agent to do its business.”

The other major FCPA compliance risk for companies right now is in joint ventures and M&A, Tween says. These risks are also dependent on location: some places are more high-risk than others. “I'm not surprised to see any FCPA cases arising out of China, India, Latin America, or West Africa, because those are all very challenging jurisdictions for companies that are subject to the FCPA,” he says.

Compliance expectations are especially high now, given that regulators are taking more aggressive actions, Tween says. “It's no secret that the DoJ bulked up the FCPA unit very significantly last year; they doubled or tripled the number of prosecutors that they have, and that's clearly going to lead to a lot more cases,” he says. Indeed, the Justice Department's criminal division imposed a record $1 billion in FCPA enforcement fines in 2010.

Compliance Audits?

The biggest lesson of the Johnson & Johnson agreement is that the Justice Department may now require audits on internal compliance—which a lot of companies do not do, says Ryan McConnell, a partner at the law firm Haynes Boone. One thing holding them back: cost. “These audits could range from $30,000 to $250,000 easily,” he says.

13-Step FCPA Plan

Corporate oversight is indeed a part of the “13-Step FCPA Compliance Action Plan” developed by Jonathan Marks, a partner at auditing firm Crowe Horwath:

1. Assist in obtaining top-level commitment and establishing a tone from the top.

2. Perform a corruption and bribery risk assessment.

3. Improve internal controls.

4. Structure and define roles and responsibilities.

5. Evaluate risk-based third-party due diligence.

6. Develop clear, practical, current, and accessible policies and procedures.

7. Document a detailed multiyear implementation plan.

8. Define appropriate disciplinary procedures.

9. Monitor and review.

10. Train on an ongoing basis.

11. Establish a violation reporting system.

12. Review ancillary risk mitigation procedures.

13. Complete independent compliance program testing annually.

—Jonathan Marks, Crowe Horwath.

The price depends on how involved the audit is: Do you hire a forensic accountant to give their view of the books and records? Do you just have lawyers come out and talk to people? Do you do training with outside counsel?

Despite the cost, audits are the only way you know if your compliance program is working, McConnell says. “Some companies think, ‘We don't have a problem, so why do we need to spend money on that?' But you don't know if you have a problem until you go look,” he says.

Some speculate that with heightened enforcement action and modernized compliance programs, cases like J&J will eventually disappear. “In some ways, it's curious that we're still hearing about large-scale bribery in U.S. public corporations that occurred over long periods of time because compliance has changed a lot over the last few years,” says Cassin. “In the intervening years between 1998 and 2007, Johnson & Johnson probably improved their program substantially, which led to the self-reporting in 2007. And to be fair, that was four years ago already.”