A little-noticed portion of the “Corporate Integrity Agreement” the US Department of Health and Human Services Office of Inspector General released on November 7 with the healthcare giant, Johnson & Johnson, has the potential to cause a sea change in the way US companies build and place their compliance departments internally.
The requirement imposed on J&J mandates a clear separation between the compliance function and the general counsel or other legal office of the corporation. It arises from a global settlement resolving civil and criminal fraud charges over the company’s unlawful sale and marketing of drugs.
If the “Corporate Integrity Agreement” serves as a model for similar accords the Justice Department often signs with corporations that violate the law, including financial institutions, the structure and authority of the legal counsel at many US companies may be facing major changes in coming months and years.
Accord highlights shift to more compliance department independence
The 101-page Corporate Integrity Agreement ends a decade-long investigation by federal and state enforcement and regulatory agencies into the illegal marketing and branding of certain drugs by Johnson & Johnson and several subsidiaries. The global pharma company was also alleged to have paid kickbacks to physicians and pharmacists to boost sales to patients. Most of the patients were senior citizens or children.
Last month, Johnson & Johnson signed agreements with the US Department of Justice and 45 states settling criminal and civil cases. The settlements resulted in fines and other monetary penalties of $2.2 billion by the US government and state Medicaid programs. J&J, as it is now called, was accused of violating the False Claims Act, a powerful 160-year-old US law that prohibits the submission of fraudulent claims to the US government.
Agreement sets important milestone in corporate governance
The J&J agreement sets an important milestone in corporate governance by requiring that the Chief Compliance Officer be independent of, and not subordinate to, the company’s Chief Legal Officer and Chief Financial Officer. This marks a clear regulatory preference and possible wide-ranging policy for companies, including financial institutions, to develop and maintain autonomous, independent and transparent compliance operations.
Federal regulators reached comparable Corporate Integrity Agreements with the pharmaceutical giants GlaxoSmithKline, in 2012, and Pfizer, in 2009, in cases arising from similar “off-label” marketing and sales. The agreements also called for the companies to name independent Chief Compliance Officers outside the scope and authority of the legal and operations functions.
As US regulators crack down, compliance gains greater autonomy
These increasingly common “CIA” agreements show how important the role of an independent compliance officer has become in the eyes of enforcement and regulatory authorities.
Equally important is the fact that the movement toward greater transparency and independence of compliance operations affects so many corporations, including those in the financial industry. A 2013 survey by PwC of more than 700 corporations in the United States found that 25% of the chief compliance officers (CCOs) reported to the general counsel, a 6% reduction from the previous year. 27% of CCOs reported directly to the CEO, while an additional 23% reported to audit committees.
The trend toward a more autonomous compliance department is significant because the placement of this function in a business organization can affect the ability of the compliance officers to perform their jobs efficiently and effectively. To a certain extent, compliance officers rely on independence from business operations and other departments that potentially are more inclined to turn a blind eye to compliance concerns in their desire to drive business objectives.
‘CIA’ strengthens compliance autonomy, imposes direct reporting
Under the J&J agreement, which lasts for five years, the Chief Compliance Officer at the pharmaceutical giant must be a member of the senior management and should report directly to the CEO. Additionally, the CCO may report to the Regulatory, Compliance, and Government Affairs Committee of the Board of Directors at any time.
The agreement clearly specifies that any responsibilities of the CCO unrelated to compliance may not interfere with his or her ability to perform compliance duties. The CCO must monitor day-to-day compliance and reporting obligations, assist in the assessment of areas of company risk, and oversee internal and external audits and investigations.
The CIA requires J&J to maintain two compliance officer positions, one for the main company and one for J&J affiliates. The CIA imposes ultimate compliance oversight responsibilities on the Board of Directors and requires a “North American Leadership Team” to review and oversee compliance matters related to J&J affiliates.
Along with greater independence for the compliance department, J&J must also implement a number of more detailed changes in the way it and its affiliates do business. The purpose of these changes is to bring greater control and transparency to daily operations. Among other things, the company must:
- Ensure that management staff, including senior executives and certain members of J&J’s independent board of directors, certify compliance with provisions of the CIA annually,
- Establish compliance committees in various departments,
- Create training and education programs regarding the CIA and compliance in general,
- Submit detailed annual reports about the compliance program and its operations,
- Create and implement a risk assessment and mitigation planning program,
- Produce independent review procedures,
- Report any payments to physicians,
- Develop, implement and distribute a written Code of Conduct, which will be an element in evaluating the performance of employees.
FATCA adds weight to push to reorganize compliance
The requirement imposed on J&J to maintain a clear separation between the compliance office and other business departments is especially timely as the US Foreign Account Tax Compliance Act prepares to take effect in July 2014.
The law, commonly called FATCA, requires foreign financial institutions to identify and report to the IRS US persons who maintain financial accounts and other assets offshore. FATCA also requires US financial institutions and other entities to withhold 30% of payments destined for FFIs and other entities that do not agree to identify and report information on US accountholders.
Also, under the law many non-US institutions must appoint a FATCA “Responsible Officer (RO)” who will be in charge of maintaining and implementing the FATCA compliance program. As the effective dates for many of FATCA’s key provisions draw near, there is still considerable uncertainty among many US and non-US institutions about where to place the compliance function, whether under the compliance roof, the operations department or the General Counsel’s office.