Johnson & Johnson Deferred Prosecution Agreement-Part II: Compliance Program Best Practices

Yesterday we reviewed the background facts of the Johnson & Johnson (J&J) Deferred Prosecution Agreement (DPA) and the issue of self-reporting. In this posting we will review some of specific compliance program best practices which Johnson & Johnson agreed to implement.

I. Attachment C

As with other DPA's entered into by the Department of Justice (DOJ) since, at least, last summer, Attachment C to the DPA sets out the minimum best practice Foreign Corrupt Practices Act (FCPA) compliance program. Attachment C lists nine factors, set out below, which Johnson & Johnson agreed to implement or modify their existing compliance program:

1. A clearly articulated corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable counterparts (collectively, the "anticorruption laws").

2. Promulgation of compliance standards and procedures designed to reduce the prospect of violations of the anticorruption laws and J&J's compliance code. These standards and procedures shall apply to all directors, officers, and employees and, where necessary and appropriate, outside parties acting on behalf of J&J in a foreign jurisdiction, including but not limited to, agents, consultants, representatives, distributors, teaming partners, and joint venture partners (collectively, "agents and business partners");

3. The assignment of responsibility to one or more senior corporate executives of J&J for the implementation and oversight of compliance with policies, standards, and procedures regarding the anticorruption laws. Such corporate official(s) shall have the authority to report matters directly to J&J's Board of Directors or any appropriate committee of the Board of Directors;

4. Mechanisms designed to ensure that the policies, standards, and procedures of J&J regarding the anticorruption laws are effectively communicated to all directors, officers, employees, and, where appropriate, agents and business partners. These mechanisms shall include: (a) periodic training for all directors, officers, and employees, and, where necessary and appropriate, agents and business partners; and (b) annual certifications by all such directors, officers, and employees, and, where necessary and appropriate, agents, and business partners, certifying compliance with the training requirements;

5. An effective system for reporting suspected criminal conduct and/or violations of the compliance policies, standards, and procedures regarding the anticorruption laws for directors, officers, employees, and, where necessary and appropriate, agents and business partners;

6. Appropriate disciplinary procedures to address, among other things, violations of the anticorruption laws and J&J's compliance code by J&J's directors, officers, and employees;

7. Appropriate due diligence requirements pertaining to the retention and oversight of agents and business partners;

8. Standard provisions in agreements, contracts, and renewals thereof with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anti-corruption representations and undertakings relating to compliance with the anti-corruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anticorruption laws, and regulations or representations and undertakings related to such matters; and

9. Periodic testing of the compliance code, standards, and procedures designed to evaluate their effectiveness in detecting and reducing violations of anticorruption laws and J&J's compliance code.

II.     Attachment D-Enhanced Compliance Obligations

The nine points will not be unfamiliar to the FCPA compliance practitioner. These points are recognized to be in most 'good to best' compliance programs. However, the Johnson &  Johnson DPA goes much further by adding an Attachment D, entitled "Enhanced Compliance Obligations" which is designed to be in addition to, and to build upon, the commitments made by Johnson & Johnson in Attachment C. These enhanced obligations include the following:

1. Compliance Department - A senior executive will serve as the Chief Compliance Officer (CCO) and shall report to the Audit Committee of the Board. There shall be heads of compliance within each business sector and corporate function. There shall be a Global Compliance Leadership Team which reports to the CCO.
2. Gifts, Hospitality and Travel - Gifts are limited to those in "modest" value and appropriate under the circumstances. Hospitality and travel is limited to reasonably priced meals, accommodations and incidental expenses and should be a part of education programs, training, business meetings or conferences. Hospitality and travel are limited to the officials not others.
3. Complaints and Reports - In addition to maintaining a mechanism for making reports, the company shall create a "Sensitive Issue Triage Committee" to review and respond to any such FCPA issues as may arise.
4. Risk Assessments and Audits - The company will conduct risk assessment in markets where it has customers who are foreign governments. The company will annually conduct FCPA audits for a minimum of five operating companies who are in high risk markets and after the initial audit every three years for any such operating entity. These audits shall include, at a minimum: (1) onsite visits by auditors and where appropriate legal and compliance personnel; (2) review of payments to health care providers; (3) creation of action plans from these audits; and (4) review of the books and records of distributors and agents.
5. Acquisitions - To the extent possible, conduct a pre-acquisition FCPA audit of any acquisition target and after acquisition a full FCPA audit within 18 months and training of all relevant personnel and business representatives within one year of acquisition.
6. Relationships with Third Parties - The company shall conduct a thorough due diligence of all third party representatives including: (1) a review of the qualifications and business reputation of the third party; (2) written rationale for the use of the third party; and (3) a review of the FCPA risk areas. Due diligence is to be conducted by a local business and compliance representative and elevated for review if Red Flags appear or as appropriate. Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.
7. Training - Annual training to all directors, officers and employees who could "present corruption risk" to the company. The company shall provide enhanced and more in-depth training to those involved in company sponsored FCPA audits or those on the company acquisition team. Last, the company shall provide training to "relevant third parties acting on the companies behalf" at least every three years.
8. Annual Certifications - The company shall implement a system of certifications from "each of J&J's corporate-level functions, divisions, and business units in each foreign country confirming that their local standard operating procedures adequately implement J&J's anticorruption policies and procedures, including training requirements, and that they are not aware of any FCPA or other corruption issues that have not already been reported to corporate compliance."

This Attachment D "Enhanced Compliance Obligations" is an excellent road map for the FCPA practitioner in which to establish, enhance, or simply review a FCPA compliance program. The Johnson & Johnson DPA demonstrates that a company's commitment to ongoing FCPA remediation and program enhancement will help it reduce its overall FCPA liability in a case with facts as bad as those presented in this matter. We commend the DOJ for presenting such detailed information for those in the compliance field and hope that they will learn from the lessons of Johnson & Johnson.

Visit the FCPA Compliance and Ethics Blog, hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

For more information about LexisNexis products and solutions connect with us through our corporate site.