Categories
Blog

The SAP FCPA Enforcement Action-Part 4: The Fines: Self-Disclose, Self-Disclose, Self-Disclose

We continue our exploration of the SAP Foreign Corrupt Practices Act (FCPA) enforcement action. Today we go full geek in a look at the fine and penalty and most importantly what the fine and penalty communicate about what the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) want from companies embroiled in a FCPA investigation. First the numbers.

DOJ

According to the Deferred Prosecution Agreement, the criminal fine and penalty is in the amount of $63,590,859, equal to approximately 54% of the Criminal Penalty ($63,700,000), reduced by $109,141 under the Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks. Additionally, the DOJ agreed to a “credit toward the Criminal Penalty the amount paid by the Company to authorities in South Africa for violations of South African law related to the same conduct described in the Statement of Facts, up to a maximum of $55,100,000 (the “Penalty Credit Amount”).”

SEC

According to the SEC Order, “SAP acknowledges that the Commission is not imposing a civil penalty based upon the imposition of an $ 118.8 million criminal fine as part of SAP’s resolution with the United States Department of Justice.” However, SAP did agree to disgorgement in the following amount, $85,046,035 and prejudgment interest of $13,405,149, for a total payment of $98,451,184. SAP received a disgorgement offset of up to $59,455,779 based on the U.S. dollar value for any payments made or to be made to the Government of South Africa or a South African state-owned entity in any parallel proceeding against Respondent in South Africa.

The SEC Order also reported these additional fines and penalties.

  • On March 15, 2022, SAP entered into a civil settlement with the South African Special Investigating Unit and others relating to the DWS conduct described above and paid ZAR 11 344.78 million ($21.4 million), which represented reimbursement of the entire amount SAP received from DWS under the 2015 and 2016 deals with DWS.
  • On October 18, 2023, SAP entered into a settlement agreement with the South African Special Investigative Unit and others relating to the Transnet conduct described above, pursuant to which it paid ZAR 214.39 million (approximately $11.42 million based on the exchange rate on the date of payment).
  • On November 1, 2023, SAP entered into a civil settlement with the South African Special Investigating Unit and others relating to the Eskom conduct described above, pursuant to which it paid ZAR 500 million (approximately $26.63 million based on the exchange rate on the date of payment).

The bottom line, as reported by the FCPA Blog is SAP agreed to pay a $118.8 million criminal penalty to the DOJ and an administrative forfeiture of $103.4 million to the SEC. SAP has also paid approximately $59.4 million to various South African authorities, for which they received a penalty credit of $55 million from the DOJ.

Fine Calculation

Let’s start with the DOJ. The basis comes from the US Sentencing Guidelines.  From the DPA we note the following:

  1. The November 1, 2023 U.S.S.G. are applicable to this matter.
  2. Offense Level. Based upon U.S.S.G. § 2Cl.1, the total offense level is 42, calculated as follows:
  • 2Cl.l(a)(2) Base Offense Level 12
  • 2Cl.l(b)(l) More than One Bribe +2
  • § 2Cl.l(b)(2), 2Bl.l(b)(l)(M) +24

Benefit (More than $ 65,000,000)

  • 2C 1.1 (b )(3) Involvement of High-Level Public Official +4

TOTAL                                                                                      42

  1. Base Fine Based upon U.S.S.G. § 8C2.4(d), the base fine is

$ I50,000,000.

  1. Culpability Score. Based upon U.S.S.G. § 8C2.5, the culpability score is

6, calculated as follows:

  • 8C2.5(a) Base Culpability Score 5
  • 8C2.5(b )(3)(B)(i) Unit had 200 or more employees + 3

and High-Level Personnel

  • 8C2.5(g)(2) Cooperation, Acceptance -2

TOTAL                                                                                      6

Calculation of Fine Range:

Base Fine                                                                     $ I50,000,000

Multipliers                                                       1.2 (min) / 2.4 (max)

Fine Range                                     $180,000,000 to $360,000,000

The key area to noted is the highlighted line entitled “§ 8C2.5(g)(2) Cooperation, Acceptance”.

The reason this line is so critical is that it is the one area under the US Sentencing Guidelines that a company can receive a discount or at least credit for actions it has taken to reduce the multiplier and thereby reduce the overall fine range. In the Sentencing Guidelines it states,

(g)       Self-Reporting, Cooperation, and Acceptance of Responsibility 

 If more than one applies, use the greatest:

  8C2.5(g)(1) (1)       If the organization (A) prior to an imminent threat of disclosure or government investigation; and (B) within a reasonably prompt time after becoming aware of the offense, reported the offense to appropriate governmental authorities, fully cooperated in the investigation, and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 5 points; or

 8C2.5(g)(2) (2)       If the organization fully cooperated in the investigation and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 2 points; or

 8C2.5(g)(3) (3)       If the organization clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 1 point.

All this means a company if company self-discloses to the DOJ, it can receive a 5-point discount off the overall multiplier. SAP did not self-disclose so it lost this discount. If SAP had self-disclosed the multiplier range would have been something like 0.7 to 1.4, making the fine range $126 million to $252 million. From there the discount under the Sentencing Guidelines led the following “The Fraud Section and the Office and the Company agree, based on the application of the Sentencing Guidelines, that the appropriate criminal penalty is $118,800,000 (the “Criminal Penalty”). This reflects a 40% discount off the 10th percentile of the Sentencing Guidelines fine range.” By my estimation, this failure to self-disclose cost SAP an additional $20,000,000 under the Sentencing Guidelines alone.

But the analysis does not end there as the overall fine and penalty is also governed by the Corporate Enforcement Policy, under which a company can garner a full declination if the following criteria are met (1) self-disclosure, (2) extensive cooperation, (3) extensive remediation, and (4) profit disgorgement. Obviously, SAP failed to meet this burden as it did not self-disclose so a full Declination was never in the cards. But the company could and did receive credit under the Corporate Enforcement Policy with a monetary penalty in the amount of $63,590,859, equal to approximately 54% of the Criminal Penalty. There was a further reduction of the overall criminal fine, reduced by $109,141 under the DOJ’s Pilot Program Regarding Compensation Incentives and Clawbacks.

Moreover, under the Corporate Enforcement Policy, SAP’s failure to self-disclose cost it an opportunity of at least 50% and up to a 75% reduction off the low end of the U.S. Sentencing Guidelines fine range. Its actions as a criminal recidivist, resulted in it not receiving a reduction of at least 50% and up to 75% will generally not be from the low end of the U.S.S.G. fine range but rather at the 40% amount noted above. SAP’s failure to self-disclose cost it an estimated $20 million under the Sentencing Guidelines. It’s failure to self-disclose and recidivism cost it a potential $94.5 million in discounts under the Corporate Enforcement Policy.

While all these numbers might be enough to make your head swim (as it did mine); the significance and why I went through it in this detail is that the DOJ is clearly sending the message that self-disclosure is the single most important thing a company can do in any FCPA investigation or enforcement action. Kenneth Polite said that when announcing the updated Corporate Enforcement Policy in January 2023; it was enshrined the new Monitor Selection Policy as the number one reason for a company not having a monitor required. I heard Fraud Section head Glenn Leon say it as well at Compliance Week 2023 in a Fireside Chat with Billy Jacobsen.

The DOJ’s message could not be any clearer. Self-disclose; Self-disclose; Self-disclose.

 Resources

SEC Order

DOJ DPA

Join us tomorrow where we conclude with lessons learned for the compliance professional.

Categories
Daily Compliance News

Daily Compliance News: January 18, 2024 – The Ditch The Polish Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Higher sanctions and penalties are coming.  (WSJ)
  • When should CEOs ditch the polish? (FT)
  • The Montana Supreme Court denies the stay of the Held ruling. (Reuters)
  • A former A&F CEO faces a criminal investigation. (BBC)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Greetings and Felicitations

Podfest Expo 2024 Speaker Series – Jennifer Navarrete on Incorporating AI into Your Podcast Production Process

In this episode of the Podfest Expo 2024 Speaker Preview Podcasts series, I visited with noted podcaster Jennifer Navarrete to discuss her presentation on incorporating AI into your podcast production process at the Podfest Expo. Some of the issues we tackle in this podcast are:

  • The integration of AI into your podcast production.
  • Why is Jennifer excited to attend the 10th anniversary of the Podfest Expo?
  • Why you should attend PodfestExpo 2024.

I’m hoping you’ll be able to join me at Podfest Expo 2024, which Podfest Global is hosting. This year’s event will be the 10th anniversary and will be held January 25–28, 2024, at the Wyndham in Orlando, Florida. The line-up of this year’s event is simply first-rate, with some of the top names in podcasting.

Podfest Expo is a community of people interested in and passionate about sharing their voice and message with the world through the powerful mediums of audio and video. We’re proud to unite as many people as possible to learn, get inspired, and grow better together.

PodfestExpo is so much more than just a mere conference. While we pride ourselves on featuring the most engaging speakers, exciting topics, and in-depth content, the thing that sets the PodfestExpo event apart from all others is the tight-knit community we’ve been building since 2013. You don’t just attend a Podfest event – you become part of the Podfest family.

Whether you’re new to podcasting or a veteran podcaster looking to innovate and improve your podcast, our easy-to-understand Conference Topics allow you to customize a daily agenda based on what you’re most interested in learning. No matter your skill level or experience, PodfestExpo 2024 has plenty to offer!

I hope you can join me at the event. For information on the event, click here. As an extra benefit to listeners of this podcast, Podfest Expo is offering a discount on the registration price. Enter the discount code, Listener.

Podfest Expo 2024 is a production of Podfest Global, which sponsors this podcast series.

Jennifer Navarrete website

Jennifer Navarrete on LinkedIn

Categories
Everything Compliance

Everything Compliance – Episode 127, The Awesome Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jonathan Armstrong, Matt Kelly, and Jay Rosen, all hosted by Tom Fox, joining us on this episode to discuss some of the topics they are watching in 2024.

  1. Matt Kelly looks at the recently enacted Foreign Extortion Prevention Act (FEPA). He rants about the SEC getting hacked around the Bitcoin ETF announcement and reminds everyone to use two-factor authentication.
  2. Tom Fox shouts out to the University of Michigan for winning the College Football National Championship.
  1. Jonathan Armstrong looks at the intersection of AI and Operational Resilience and ties it to the need for greater Board skills in these areas. He shouts out to Jay Rosen, who is in transition and would be a great addition to any compliance product or service BD team.
  1. Jay Rosen opines on the DOJ’s Expectations for Data Driven Analytics in 2024. He shouts out to Robert Kraft and the New England Patriots for paying departing coach Bill Belichick his full 2024 salary.
  1. Jonathan Marks asks, What does it mean to be on a Board in 2024? He rants about the Philadelphia Eagles.

The members of the Everything Compliance are:

  • Jay Rosen – Jay is Vice President, Business Development, Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
  • Jonathan Marks can be reached at jtmarks@gmail.com.

The host, producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 18 – Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based on a risk assessment, on an understanding of your organization’s business from a commercial perspective, on how your organization has identified, assessed, and defined its risk profile, and, finally, on the degree to which the program devotes appropriate scrutiny and resources to this range of risks. The 2023 ECCP added a new emphasis on the cadence of Risk Assessments, mandating that risk assessments should be done not less than annually, but in reality, they should be done each time your risk changes. Over the past couple of years, every company’s risks have changed from going to Work From Home to Return to the Office to the Hybrid Work environments of 2024. What about geopolitical issues, the supply chain, or even potential compliance risks in the 2024 election cycle? Have you assessed each of these new paradigms for risks from a compliance perspective?

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some, or all of the above as your basic inquiries for your risk analysis, it should be acceptable as your starting point.

Three key takeaways:

1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.

2. The DOJ will now consider both your risk assessment methodology for identifying risks and the gathered evidence.

3. You should base your compliance program on your risk assessment.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based on a risk assessment, on an understanding of your organization’s business from the commercial perspective, on how your organization has identified, assessed, and defined its risk profile and, finally, on the degree to which the program devotes appropriate scrutiny and resources to this range of risks. The 2023 ECCP added a new emphasis on the cadence of Risk Assessments, mandating that risk assessments should be done not less than annually, but in reality it should be done each time your risk changes. Over the past couple of years, every company’s risks changed in going to Work From Home to Return to the Office to the Hybrid Work environments of 2024. What about geopolitical issues, supply chain or even potential compliance risks in the 2024 election cycle. Have you assessed each of these new paradigms for risks from the compliance perspective?

As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.

Having made clear what was risks needed to be assessed, the 2023 ECCP was focused on the methodology used in the risk assess process. It stated:

Risk Management Process—What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?

Risk-Tailored Resource Allocation—Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?

Updates and Revisions—Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?

Rick Messick, in his article, entitled, Corruption Risk Assessments: Am I Missing Something?, laid out the four steps of a risk assessment as follows:

First, all conceivable forms of corruption to which the organization, the activity, the sector, or the project might be exposed is catalogued. Second, an estimate of how likely it is that each of the possible forms of corruption will occur is prepared and third an estimate of the harm that will result if each occurrence is developed. The fourth step combines the chances of occurrence with the probability of its impact to produce a list of risks by priority.

What should you assess? In 2011, the DOJ concluded three FCPA enforcement actions which specified factors that a company should review when making a risk assessment. The three enforcement actions, involving Alcatel-Lucent S.A., Maxwell Technologies Inc. and Tyson Foods Inc., all had common areas that the DOJ indicated were compliance risk areas which should be evaluated for a minimum best practices compliance program. The Alcatel-Lucent and Maxwell Technologies Deferred Prosecution Agreements (DPAs) listed seven areas of risk to be assessed, which are still relevant today:

1. Where your company does business;

2. Geography-where does your Company do business;

3. Interaction with types and levels of governments;

4. Industrial sector of operations;

5. Involvement with joint ventures;

6. Licenses and permits in operations; and

7. Degree of government oversight.

The 2020 FCPA Resource Guide, 2nd edition, laid out the following approach, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”

Another approach, as detailed by David Lawler in his book Frequently Asked Questions in Anti-Bribery and Corruption, is to break the risk areas into the following categories: 1) company risk, 2) country risk, 3) sector risk, 4) transaction risk, and 5) business partnership risk. He further detailed these categories as follows:

Company risk. Lawler believes this is “only to be likely to be relevant when assessing a number of different companies—either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve some of the following characteristics:

• Private companies with a close shareholder group;

• Large, diverse and complex groups with a decentralized management structure;

• An autocratic top management;

• A previous history of compliance issues; and/or

• Poor marketplace perception

Country risk. This area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. The Transparency International Corruption Perceptions Index (TI-CPI) can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.

Sector risk. These involve areas that require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:

• Extractive industries;

• Oil and gas services;

• Large scale infrastructure areas;

• Telecoms;

• Pharmaceutical, medical device and healthcare; and/or

• Financial services

Transaction risk. Lawler says this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up.” Indicia of transaction risk include:

• High reward projects;

• Involves many contractor or other third-party intermediaries; and/or

• Do not appear to have a clear legitimate object

Business partnership risk. This prong recognizes that certain manners of doing business present more corruption risk than others and may include:

• Use of third-party representatives in transactions with foreign government officials;

• A number of consortium partners or joint ventures partners; and/or

• Relationships with politically exposed persons (PEPs)

There are a number of ways you can slice and dice your basic risk assessment inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries for your risk analysis, it should be acceptable for your starting point.