WEBVTT

1
00:00:00.330 --> 00:00:04.980
Suparna Goswami: Hi, I'm Suparna Goswami, Associate Editor with Information Security Media

2
00:00:04.980 --> 00:00:10.650
Group. I have the pleasure of speaking with Thomas Fox who is an expert in compliance risk governance

3
00:00:10.680 --> 00:00:16.230
and corporate governance. He's also the author of several books on compliance including The Year in

4
00:00:16.230 --> 00:00:22.140
Corporate FCPA Enforcement: Pardoning and Profit. We will talk about the hot topic going on in the

5
00:00:22.140 --> 00:00:27.060
compliance space now - drugmaker Novartis agreeing to pay over a billion dollars for

6
00:00:27.060 --> 00:00:30.690
fraudulent and corrupt practices. So Tom, welcome to the discussion today.

7
00:00:31.560 --> 00:00:33.210
Thomas Fox: Thank you. It's my pleasure to be with you.

8
00:00:34.530 --> 00:00:38.940
Suparna Goswami: Tom, my first question to you is just to give some context to our audience. Please

9
00:00:38.940 --> 00:00:43.740
tell our audience briefly a bit about yourself and your work in the anti-fraud space.

10
00:00:44.860 --> 00:00:51.010
Thomas Fox: I've been working in the anti-corruption, anti-fraud, risk space now for a

11
00:00:51.010 --> 00:00:58.300
little over 10 years. I began in this space as an in-house lawyer, general counsel and compliance

12
00:00:58.300 --> 00:01:06.490
officer. I later moved outside to my own private practice, and now I write extensively around fraud

13
00:01:06.490 --> 00:01:09.010
and anti-corruption issues literally across the globe.

14
00:01:10.260 --> 00:01:15.330
Suparna Goswami: Great. So, Tom, coming back to the Novartis topic. In our previous conversation, you

15
00:01:15.330 --> 00:01:21.540
had mentioned that some of the schemes used by Novartis in Greece have several important aspects of

16
00:01:21.540 --> 00:01:26.400
compliance for patients.
What are some important kickbacks for compliance professionals from this

17
00:01:26.400 --> 00:01:27.000
incident?

18
00:01:27.780 --> 00:01:32.760
Thomas Fox: So if I could give a little background into the Novartis worldwide corruption action,

19
00:01:33.090 --> 00:01:38.730
literally in the space of five days, the United States Department of Justice and Securities and

20
00:01:38.730 --> 00:01:45.180
Exchange Commission announced two enforcement actions against Novartis. One was for violations

21
00:01:45.180 --> 00:01:51.150
of the Foreign Corrupt Practices Act, which applies outside of the United States. A second was

22
00:01:51.150 --> 00:01:56.970
for violations of what's called the False Claims Act that was inside the United States. Some of the

23
00:01:56.970 --> 00:02:01.950
bribery schemes were similar but some were different. Every compliance practitioner should

24
00:02:01.950 --> 00:02:07.860
study both of these actions because, although as you mentioned it was over a billion dollars in

25
00:02:07.860 --> 00:02:15.780
fines, there were some very key bribery schemes used that I don't think we have seen before. And

26
00:02:15.960 --> 00:02:21.570
compliance practitioners can always learn from other companies' missteps around anti-fraud and

27
00:02:21.570 --> 00:02:22.440
anti-corruption.

28
00:02:24.420 --> 00:02:29.490
Suparna Goswami: Right, so what are some of these important take backs according to for the

29
00:02:29.490 --> 00:02:30.480
practitioners out there?

30
00:02:31.320 --> 00:02:36.390
Thomas Fox: Sure. So if I could start outside the United States with the violations of Foreign

31
00:02:36.390 --> 00:02:43.530
Corrupt Practices Act, there were a couple of schemes that we saw we haven't previously seen,

32
00:02:43.860 --> 00:02:50.100
but in Greece was the country where most of the corrupt actions and fraudulent actions occurred.

33
00:02:50.400 --> 00:02:58.380
And here we saw three key bribery schemes.
One was to pay doctors to go to international conferences.

34
00:02:58.950 --> 00:03:08.280
These payments were around $7,000 US per trip, first-class travel, first-class hotels, attended

35
00:03:08.280 --> 00:03:14.370
conferences; sometimes they would speak, sometimes not. That was number one. Number two, and I found

36
00:03:14.370 --> 00:03:20.610
this very interesting in the era of social media, where we have the term influencers. And I'm sure,

37
00:03:20.730 --> 00:03:25.050
just as in the United States we have the Kardashians and others, in India you would have

38
00:03:25.050 --> 00:03:32.460
key influencers in social media. Well, here Novartis identified key influencers in the

39
00:03:32.460 --> 00:03:39.810
healthcare industry. So doctors, hospitals, medical commentators and others that had a lot of

40
00:03:39.810 --> 00:03:45.990
influence. And they specifically targeted those individuals. There were payments made to those

41
00:03:45.990 --> 00:03:53.280
individuals and they were also sent to key international conferences, but here the payments

42
00:03:53.280 --> 00:04:02.730
were even more or higher than with the regular doctor. So we saw payments $9,000 to $10,000 per

43
00:04:02.730 --> 00:04:09.570
trip for the key influencers. And the third one is one if I could maybe take a little more time to

44
00:04:09.570 --> 00:04:15.750
talk about because it has several interesting aspects. And this was, it's called the exactly

45
00:04:15.750 --> 00:04:22.980
scheme. And what Novartis was doing was testing a new pharmaceutical product. And then they would

46
00:04:22.980 --> 00:04:30.000
test it internally, then they would move to other forms of testing. And the final step before it is

47
00:04:30.000 --> 00:04:37.560
approved for use is called phase four.
And in phase four, test subjects, physicians would

48
00:04:37.560 --> 00:04:43.380
actually prescribe the medicine on a test basis to their own patients, and then they would report the

49
00:04:43.380 --> 00:04:51.120
results. And it was a wide variety of information, that information plus the effects of the drugs on

50
00:04:51.120 --> 00:04:56.730
the patients would then all be literally written down in a form and sent to Novartis. And you have

51
00:04:56.730 --> 00:05:02.430
thousands of these so they're trying to get as much information as you Can't help. And that, once

52
00:05:02.430 --> 00:05:09.780
again, is absolutely appropriate, and indeed mandatory part of any drug approval process. But

53
00:05:09.780 --> 00:05:18.570
what Novartis did is somehow that phase four program morphed or changed. And it changed into a way

54
00:05:18.600 --> 00:05:25.620
to simply pay doctors. And the Novartis sales representatives went so far as to tell the doctors,

55
00:05:25.890 --> 00:05:30.300
just put anything in. And if you can't think of any information to put in the forms, we'll fill

56
00:05:30.300 --> 00:05:37.410
out the forms. And it was a way to pay the doctors for information that looked like it was valuable

57
00:05:37.410 --> 00:05:41.490
and a part of a legitimate process. The significance of that for the compliance

58
00:05:41.490 --> 00:05:48.000
practitioner is simply because you've approved a program that's legal and within the compliance of

59
00:05:48.000 --> 00:05:53.250
your own company's regulations, doesn't mean it's going to stay that way. In the military, the

60
00:05:53.250 --> 00:06:01.230
phrase is mission creep. And here we had compliance creep, because somehow this completely

61
00:06:01.260 --> 00:06:07.710
legitimate phase four testing protocol became a mechanism by which bribes were paid to doctors.

62
00:06:07.930 --> 00:06:11.800
Suparna Goswami: So, Tom, some of the Novartis fraud, as you said, took place in multiple

63
00:06:11.800 --> 00:06:17.020
countries, right? So the incident shows deficiencies in the compliance program in the

64
00:06:17.020 --> 00:06:22.930
compliance function. In fact, I remember you had mentioned in a previous conversation that one of

65
00:06:22.930 --> 00:06:28.000
these schemes shows how illegible a program which might have passed as a compliance, which you just

66
00:06:28.000 --> 00:06:35.470
mentioned, morphed into something very different. So how can you have tools or programs or policies

67
00:06:35.470 --> 00:06:39.280
in place that ensure nothing like this happens?

68
00:06:39.600 --> 00:06:45.540
Thomas Fox: So let's take the key influencers or even the original program where doctors were paid

69
00:06:45.540 --> 00:06:50.880
to go to international conferences that was called the investment plan. And here a compliance

70
00:06:50.880 --> 00:06:56.310
practitioner does not need anything new or different, because if we could stay with Novartis,

71
00:06:56.370 --> 00:07:03.360
the Novartis business team and marketing team track the sales of doctors who were sent to these

72
00:07:03.360 --> 00:07:10.710
conferences. So if a doctor was a high prescribing, Novartis of Novartis's products, he

73
00:07:10.710 --> 00:07:16.470
got to go to more international conferences. Conversely, if their prescriptions dropped off,

74
00:07:16.500 --> 00:07:22.860
they didn't get to go to conferences, at least at the all-expense-paid trip by Novartis. So you had

75
00:07:22.860 --> 00:07:29.610
the marketing team, and the business development team tracking the doctors who were prescribing

76
00:07:29.610 --> 00:07:34.830
Novartis products at a very high amount. So that is the information that's available to every

77
00:07:34.830 --> 00:07:40.080
compliance practitioner, it's within the company.
You're not going outside the company, you're not

78
00:07:40.080 --> 00:07:45.180
utilizing a new tool, you're not having to spend money to get new software. But the Novartis

79
00:07:45.180 --> 00:07:51.060
compliance function did not have access to that information. If they had, they could have then said,

80
00:07:51.060 --> 00:07:57.990
these are our top 10 doctors in Greece prescribing Novartis products. Let's see how many conferences

81
00:07:57.990 --> 00:08:03.510
we sent them to and if it turns out they receive literally hundreds of thousands of dollars to go

82
00:08:03.510 --> 00:08:09.150
to conferences, then you know you have a problem and then you take a deeper dive. But the Novartis

83
00:08:09.150 --> 00:08:14.760
compliance function did not have access to that information, and was not able to do this basic

84
00:08:14.880 --> 00:08:21.990
data analytics approach of tying the high-prescribing physicians to payments by the

85
00:08:21.990 --> 00:08:22.680
companies.

86
00:08:23.850 --> 00:08:27.810
Suparna Goswami: So, Tom, this is essentially the failure of the compliance team, right, that they

87
00:08:27.810 --> 00:08:31.650
did not even ask for such information from the marketing team.

88
00:08:32.770 --> 00:08:37.720
Thomas Fox: Well, it's unclear to me if it was a failure of the compliance team or the compliance

89
00:08:37.720 --> 00:08:44.920
team did not have access to the data, but whatever the answer is, it led to this catastrophic fraud

90
00:08:44.920 --> 00:08:50.770
action, and that's what corruption is, is fraud. So fraud action against Novartis and if I could say a

91
00:08:50.770 --> 00:08:58.210
few words about Novartis inside the United States, it was only worse. And here Novartis paid over

92
00:08:58.210 --> 00:09:05.020
$700 million fines and penalties. They defrauded the federal government from the same,

93
00:09:05.740 --> 00:09:10.810
basically paying doctors.
But in the United States, it was paying doctors not to go to

94
00:09:10.810 --> 00:09:16.480
conferences, but it was paying doctors to go to dinners. And they would allegedly have the doctor

95
00:09:16.480 --> 00:09:22.330
speak about Novartis products at the dinners, but of course they never did. And the dinners were

96
00:09:22.330 --> 00:09:28.690
supposed to be for groups of physicians, but it quickly became the doctors and their wives, or

97
00:09:28.690 --> 00:09:30.280
perhaps the doctors and their husbands.

98
00:09:31.230 --> 00:09:36.540
Suparna Goswami: What were some unique aspects of the compliance obligation placed on Novartis U.S. by

99
00:09:36.540 --> 00:09:37.440
the regulators?

100
00:09:38.260 --> 00:09:44.500
Thomas Fox: So this was really interesting, because inside the United States, once again,

101
00:09:44.740 --> 00:09:52.000
because of it was a false app claim. The U.S. Office of Inspector General got involved and they

102
00:09:52.930 --> 00:09:58.810
Novartis signed a settlement agreement with them called a corporate integrity agreement or a CIA.

103
00:09:59.590 --> 00:10:08.410
Under the corporate integrity agreement, Novartis senior management had to annually certify, excuse

104
00:10:08.410 --> 00:10:15.490
me, on a quarterly basis certify that the compliance function is effective and function.

105
00:10:16.420 --> 00:10:21.940
Now, the way it works in the United States is you have a lower-level person certify that goes to

106
00:10:21.940 --> 00:10:27.280
their manager and it goes up the chain. But the person at the top of the chain is equally

107
00:10:27.280 --> 00:10:32.590
responsible, because they have to sign his or her name to it. And they are attesting that their

108
00:10:32.590 --> 00:10:40.930
program is effective.
They, but the CIA or corporate integrity agreement, had a number of

109
00:10:40.930 --> 00:10:47.770
people specifically listed who had to quarterly certify it on an annual basis certify and if those

110
00:10:47.770 --> 00:10:53.380
certifications were false, those people are now subject to personal criminal liability. And that's

111
00:10:53.380 --> 00:10:56.320
a very high incentive for people to comply with the law.

112
00:10:57.940 --> 00:11:03.910
Suparna Goswami: Okay, and as I understand, the U.S. corruption action was significantly larger

113
00:11:03.910 --> 00:11:05.920
than the FCPA action, right?

114
00:11:05.920 --> 00:11:06.010
Thomas Fox: Yes.

115
00:11:06.400 --> 00:11:09.040
Suparna Goswami: What were some of the compliance failures that you see?

116
00:11:10.530 --> 00:11:14.670
Thomas Fox: So the compliance failures, once again, they had the same failure. They had it, for

117
00:11:14.670 --> 00:11:23.280
instance, in Greece by not correlating the amount of money spent on the doctors who are prescribing

118
00:11:23.400 --> 00:11:31.950
Novartis products. But they also had a failure. They had a failure of oversight, that each dinner

119
00:11:32.010 --> 00:11:36.840
was supposed to be pre-approved by the compliance function. And they simply did not have enough

120
00:11:36.840 --> 00:11:42.630
people to do so. At one point, there was one compliance person at Novartis U.S. that later

121
00:11:42.630 --> 00:11:50.460
expanded to four or five, but they were getting hundreds of requests a week for the to approve

122
00:11:50.460 --> 00:11:57.060
these dinners. And then finally, after the dinners were approved, you would have auditing or testing,

123
00:11:57.210 --> 00:12:03.960
ongoing monitoring, we would call it. None of the dinners were reviewed after they occurred to see

124
00:12:03.990 --> 00:12:09.780
who was present, wives and physicians or husbands and physicians. What was the subject of the

125
00:12:09.780 --> 00:12:15.330
medical talk?
Obviously, there was no paper or PowerPoint or podcast for them to look at. And

126
00:12:15.330 --> 00:12:21.870
then what was the spend? Was it below the acceptable level? And the level of pre-approval

127
00:12:21.900 --> 00:12:28.740
granted to physicians, excuse me, for these dinners was $125 a person. Well, if you turn in a $3,000

128
00:12:28.740 --> 00:12:35.790
dinner tab, when you have four people at $125, you immediately know something's wrong. So there was

129
00:12:35.790 --> 00:12:44.370
no auditing after the fact to see if the people were the Novartis business persons were.

130
00:12:44.490 --> 00:12:50.550
Suparna Goswami: The final question to you, Tom: what lessons can other companies learn from this

131
00:12:50.550 --> 00:12:55.410
incident? What changes if you have to suggest a company "Okay, these are the changes that you need

132
00:12:55.410 --> 00:13:00.570
to bring in in your team." What would those be given the backdrop of the new Novartis incident?

133
00:13:02.130 --> 00:13:06.930
Thomas Fox: The biggest change I would see is the use of data analytics. And we talked about that in

134
00:13:06.930 --> 00:13:13.710
terms of the spending amount in Greece on doctors, and we talked about that in terms of the U.S. and

135
00:13:13.710 --> 00:13:19.260
the False Claims Act. You have to be able to correlate. If someone is a customer of yours, and

136
00:13:19.260 --> 00:13:25.890
they're buying a lot of your products, you have to ask the question, why are they being fraudulently

137
00:13:25.890 --> 00:13:31.530
paid? Are they being bribed to purchase your products? Well, here, they were being bribed to

138
00:13:32.910 --> 00:13:38.790
prescribe Novartis drugs.
And that's really the most basic lesson that if someone had looked at

139
00:13:38.790 --> 00:13:44.340
any data analytics, and when you tie that into what the Department of Justice has just told us,

140
00:13:44.340 --> 00:13:50.100
literally, within the past six weeks about the importance of data analytics, I think that's the

141
00:13:50.250 --> 00:13:54.450
most important message for the compliance function going forward.

142
00:13:55.140 --> 00:13:59.040
Suparna Goswami: And where do you think companies are missing the mark when it comes to leveraging

143
00:13:59.040 --> 00:14:02.520
data analytics? What are some common mistakes they make?

144
00:14:03.360 --> 00:14:08.820
Thomas Fox: So the most common mistake is that the compliance function does not have access to

145
00:14:08.820 --> 00:14:16.440
the data. Every corporation measures who sells their products, every corporation measures

146
00:14:16.440 --> 00:14:22.650
doctors that prescribe their drugs, every pharmaceutical company. The data is there, it's

147
00:14:22.650 --> 00:14:28.560
within the corporation's own data lake, but companies' compliance functions simply don't have

148
00:14:28.560 --> 00:14:34.350
access to that data. So the key is, and this is the Department of Justice's message, is that the

149
00:14:34.350 --> 00:14:41.430
compliance function must have access to that data and then from there, then utilize that analytics

150
00:14:41.430 --> 00:14:47.190
or specific software tools to help analyze it. But if you don't have access to the data, it

151
00:14:47.190 --> 00:14:48.120
all falls apart.

152
00:14:49.530 --> 00:14:53.160
Suparna Goswami: Well, thank you, Tom. Thanks for the wonderful discussion on what is and what

153
00:14:53.160 --> 00:14:56.310
companies can learn from this incident. Thank you so much.

154
00:14:56.820 --> 00:14:58.200
Thomas Fox: It's been my pleasure. Thank you.

155
00:14:58.980 --> 00:15:03.900
Suparna Goswami: You're listening to Thomas Fox. For ISMG, this is Suparna. Thank you all for

156
00:15:03.900 --> 00:15:04.230
watching.