DSCSA Makes M&A More Complex/Risky/Costly

When companies are thinking about merging or acquiring (M&A) other companies, or product lines from other companies, they typically engage in a process known as “due diligence” to discover any hidden risks that might come along with the action.  In the pharma industry the risks are huge, so this activity is intense and costly.  Discovery of larger risks than expected can result in the abandonment of the M&A plan, or can result in the adjustment of the price—usually downward.  Now that pharma supply chain companies in the US are required to retain detailed transaction information about every purchase and sale of prescription drugs for six years, and must respond to verification requests over the life of the product, due diligence is now more complex and risky, and so it is more important than ever.

Earlier this year McKesson was the target of some really nasty news articles about their business practices prior to 2011.  Nowhere in the articles I read was there any mention of the fact that, when the problems occurred, McKesson didn’t even own the business unit involved.  In fact, the odds are, once McKesson acquired that business, they cleaned it up.  But because acquiring a company means you also acquire their history, “McKesson” was held to blame in the press.  Hopefully the price McKesson paid for that business unit accommodated its dirty past, but from my observation (admittedly distant), McKesson acquiring that business was a net gain for patients and American society as a whole.  It appears that they set things right as soon as they were in control.  The only reason I raise that example is to highlight how important it is to discover the true risks the target companies may pose to the future entity, if the M&A were to be completed.

Now that the Drug Supply Chain Security Act (DSCSA) requires all members of the pharma supply chain to generate and retain for six years, standardized transaction data, M&A due diligence had better include at least some analysis of that data (see “DSCSA: A Closer Look At The Six-Year Record-Keeping Requirement”).  Companies that are sloppy at their DSCSA compliance may be hiding non-compliance risks that can blow up down the road if the product is ever involved in an investigation.  Missing data could result in a recall or other enforcement action by the FDA or state regulators.

But the risks do not end with missing transaction data.  Once wholesale distributors begin needing to request verification at the standardized numerical identifier (SNI) level from drug manufacturers on November 27, 2019, careless record-keeping could be exposed rapidly (see “DSCSA: Saleable Returns Verification”).  Drug manufacturers are required to begin keeping records of the unique identifiers they apply to their products as soon as they begin introducing that product into the supply chain, so they can respond properly to those verification requests in the future.  If all they did was put the proper DSCSA barcode with a unique SNI on their product, but failed to keep records of that (or lost the records afterward), they will be in trouble as soon as the verification requests start rolling in (see “What’s So Hard About Unique Identifier Verification?”).  You don’t want to acquire a company or product that doesn’t have complete serialization records.  You will be forced to respond “not verified” to every verification request that you don’t have a record of, but no one is required to submit verification requests until that date next year so everything might seem fine right now (see “DSCSA Red Light Green Light: Verification Responses”).

When acquiring just a subset of a company—like, just one product line—I have not heard of any consensus over how the historical data will be handled during and after the acquisition.  The DSCSA does not provide any guidance on who will be held responsible for verification of production, or the shipping and receiving transaction history that occurred prior to the acquisition.  In theory, it may be possible for the acquirer to leave that responsibility with the original owner of the product.  But odds are, just like the historical problems faced by McKesson in my kick-off example, the acquirer will have to acquire all of the historical DSCSA production and shipping transaction data as part of the company or product acquisition.  That would mean all requests for verification of product that was produced prior to the acquisition, would have to be responded to by the acquirer, even though they were not actually responsible for making or shipping the product at that time.  If any problems are found, they would be responsible for them.

Even if the original company kept all of their DSCSA-mandated records meticulously, when the acquisition closes, that data will probably need to be copied to the acquirer’s system so it can either be integrated with their existing data, or at least held in their own systems.  Either way, verification requests will continue to come in throughout the time the data is being moved, and the manufacturer must respond within 24 hours, according to the DSCSA, but within less than one second, according to the needs of the wholesale distributors (see “DSCSA: Saleable Returns Verification”).

Going forward, mergers and acquisitions of drug manufacturers are going to be more complex and more risky than they have in the past.  That means they will be more costly.  Companies doing due diligence in advance of M&A need to keep this in mind.