13 December 2019

Enforcers

'The New Gatekeepers: Private Firms as Public Enforcers' by Rory Van Loo in Virginia Law Review (Forthcoming) comments
 The world’s largest businesses must routinely police other businesses. By public mandate, Facebook reviews app developers’ privacy safeguards, Citibank audits call centers for deceptive sales practices, and Exxon reviews offshore oil platforms’ environmental standards. Scholars have devoted significant attention to how policy makers deploy other private enforcers, such as certification bodies, accountants, lawyers, and other periphery “gatekeepers.” However, the literature has yet to explore the emerging regulatory conscription of large firms at the center of the economy. 
This Article examines the rise of the enforcer-firm through case studies of the industries that are home to the most valuable companies: technology, banking, oil, and pharmaceuticals. Over the past two decades, administrative agencies have used legal rules, guidance documents, and court orders to mandate that private firms in these and other industries perform the duties of a public regulator. More specifically, firms must write rules in their contracts that reserve the right to inspect third parties. When they find violations, they must pressure or punish the wrongdoer. 
This new form of governance has important intellectual and policy implications. It imposes more of a public duty on private firms and gives resource-strapped regulators promising tools. If designed poorly, however, the enforcer-firm will create an expansive area of unaccountable authority. Any comprehensive account of the firm or regulation must give a prominent role to the administrative state’s newest gatekeepers.
In discussing the FDA and 'Big Pharma' Van Loo states
Pharmaceutical companies manufacture drugs but contract with other companies for “processing, packaging, holding, or testing.” The FDA has the most explicit third-party monitoring expectations of the four case studies. Rulemaking, guidance statements, and warning letters have communicated its policy. 
One FDA rule states that in every pharmaceutical company there “shall be a quality control unit . . . responsible for approving or rejecting drug products manufactured, processed, packed, or held under contract by another company.” Monitoring the output is not, however, enough. The company must also directly monitor inputs used by the contractor, including ingredients and materials. After specifying the contractor’s internal compliance systems, the manufacturer should conduct audits. Thus, the pharmaceutical company must oversee contractors’ organizational processes, inputs and outputs.
The FDA places responsibility for third-party activities at the top of the regulated entity. In its formal rules on liability for tainted products, the agency states that it “regards extramural facilities as an extension of the manufacturer’s own facility.” It reiterated this point in its post-inspection warning letters. In other words, the pharmaceutical company is responsible for the third-party contractor’s activities as if they were one company. In guidance documents, the agency clarified that it was addressing “the relationship between owners and contract facilities”.
Contractual arrangements cannot shield pharmaceutical companies from liability. In one warning letter, the FDA told Pfizer, the largest pharmaceutical company in the world, "You are responsible for combination products you produce as a contract facility, regardless of agreements in place with [your customer] or with any of your suppliers". 
The FDA does not, however, rely solely on Pfizer to regulate the company’s independent contractors. The FDA still routinely inspects and brings enforcement actions directly against those third parties. For instance, in one warning letter to an independent manufacturer, the FDA wrote, “You and your customer, Pfizer, have a quality agreement regarding the manufacture of drug products. You are responsible for the quality of drugs you produce as a contract facility, regardless of agreements in place . . . .” 
Pfizer implemented the FDA’s organizational advice into its internal processes. It routinely monitors suppliers through audits, inspections, and review of systems. Supplier agreements reflect these review procedures, and when Pfizer recognises a violation it can de-list the offender from its list of "qualified" suppliers or it can report the violation to the FDA.