Categories
Hill Country Authors

Mike Capps – Grinders

Welcome to The Hill Country Authors Podcast. In this podcast, Hill Country resident Tom Fox visits with authors who live in and write about the Texas Hill Country. In this episode, I visit with Mike Capps, who calls the play-by-play for the Round Rock Express, the Texas Rangers’ AAA farm club. Mike has had a lifelong love affair with baseball and wrote a book about the grinders of minor league baseball, which tells the tales of the game’s unheralded foot soldiers who took the hard knocks road, bouncing between the Show and obscurity, never quite achieving their dreams, all for a chance to play the game they love.

Resources

Grinders on Amazon

Categories
The Compliance Life

Bridget Abraham – College & Early Career

The Compliance Life details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What are some of the skills a CCO needs to successfully navigate the compliance waters in any company? What are some of the top challenges CCOs have faced and how did they meet them? These questions and many others will be explored in this new podcast series. Over four episodes each month on The Compliance Life, I visit with one current or former CCO to explore their journey to the CCO chair. This month, my guest is Bridget Abraham, CCO at Remitly, who had a decidedly non-traditional path to the CCO Chair.

Bridget was the first member of her family to go to college. She got a degree in Economics from Colorado State University and then obtained a Master’s degree, also in Economics. Her Master’s degree focused on agricultural economics, which was really about sustainability, the environment and the impact it had in small rural America, and research focusing on the economics of small business and the importance of agriculture in those communities. After a brief stop in NYC, Bridget went to work at the Federal Reserve Bank, where she presented her research at various forums. She began her career with the Federal Reserve Bank working on economic research, later moving into more of a banking supervision role. She dealt with compliance with the Patriot Act and the Bank Secrecy Act.

Resources

Bridget Abraham LinkedIn Profile

Categories
Role of the Board of Compliance

Caremark

Tom Fox and Jonathan T. Marks kick off the series with a deep dive into the 1996 Caremark decision, the 2006 Stone v. Ritter resolution, and the compliance lessons companies and board members can learn from the facts and patterns of these fundamental cases.

▶️ Caremark with Tom Fox and Jonathan T. Marks

Key points discussed in the episode:

  1. Tom Fox gives a brief background on the Caremark case.
  2. Jonathan T. Marks describes how ethical behavior is the backbone of an organization and how this case defined the importance of having proper oversight monitoring.
  3. Tom Fox lays out Caremark’s penalties. He describes the Stone v. Ritter facts, how the bank was sued for failure to perform due diligence on fraudulent investors and violating the Bank Secrecy Act. These schemes follow a pattern that has been seen repeatedly. It has also defined the duties of board members: avoiding negligence and arising from failures.
  4. Jonathan T. Marks explains how fundamentals made their way into compliance laws in other countries, how guidelines are warning shots for companies to clean up, and urging companies to step up.
  5. The Caremark doctrine later refined two conditions for director liability and emphasized why boards must actively engage in oversight.
  6. Board members must get down to the nitty-gritty of what is truly happening in their organizations, ask tough questions, do a deeper self-assessment, and stop avoiding problems and the ugly truth.


Categories
Innovation in Compliance

At the Intersection of Law, Data and Technology with Mollie Nichols

 

Mollie Nichols is the co-founder and CEO at Redgrave Data, a technology solutions provider. Redgrave Data aims to re-explore how data is analyzed and utilized to drive effective business and legal solutions. Mollie’s legal career spans 3 decades; her mission, she tells Tom Fox, is to provide services at the intersection of law, technology, and science. She and Tom discuss her company, as well as the importance of data governance and ESG. 

 

 

Technology Helps

Her stint as assistant to the Texas Attorney General in the late 1990s aroused Mollie’s interest in how data and technology could impact the practice of law. Mollie found an analytics tool that did exactly what they needed to have a breakthrough in the investigation. She remarks, “For me, it was like an ‘Aha!’ moment that showed how powerful technology could be in the practice of law. I literally changed my career at that moment in time, to focus on technology and how it could help clients deal with legal matters.” 

 

Automating Regulatory Processes

Tom asks Mollie what led her to co-found Redgrave Data and what are the data analytic abilities of the organization. Redgrave Data is associated with Redgrave LLP, a law firm that focuses on information law. Mollie explains that she left Redgrave LLP to focus more on data. She had previously worked as the Head of Advanced Data Solutions, and she had an exceptional team that was able to build a program to deal with client data issues; this program enhanced lawyers’ ability to help their clients. She re-assembled this team to execute the same mission at Redgrave Data. 

 

Previously, lawyers had to search regulatory websites to assist their clients with regulatory needs. She and the team automated the entire process, making it less costly and more accessible for lawyers. She describes how they use commercial and cloud tools to do content analytics as well as communication analysis. This allows them to develop a sound legal strategy. 

 

Data Governance and ESG

Tom asks how Redgrave Data helps a company in the area of data governance as it relates to ESG. Mollie explains that data is crucial as it helps them make better business decisions by tracking trends, results, and KPIs. Data also can guide legal decisions. Mollie observes that data governance is important to both businesses and lawyers as it intersects information governance, data privacy, cybersecurity, and e-discovery. From a data governance and corporate governance perspective, businesses need to be transparent about what’s going on within the organization, how to find specific data, and how to measure success. Redgrave Data can assist with finding these data points, and pull the data to a dashboard so it can be viewed and analyzed. 

 

Resources

Mollie Nichols | LinkedIn | Redgrave Data 

 

Categories
Daily Compliance News

October 4, 2022 the Something Fishy Edition

In today’s edition of Daily Compliance News:

  • Cheating in a fishing tournament. (ESPN)
  • Abuse in women’s soccer. Those in authority looked away. (NYT)
  • DOJ promises more individual white-collar enforcement. (WSJ)
  • Supreme Court turns down Platinum Partners fraud convictions. (Reuters)

Categories
Blog

Oracle: FCPA Recidivist Part 2 – Schemes in Action

Oracle Corporation now joins the ignominious group of Foreign Corrupt Practices Act (FCPA) recidivists. Last week, in a Press Release, the Securities and Exchange Commission (SEC) announced an enforcement action which required Oracle to pay more than $23 million to resolve charges that it violated the FCPA when “subsidiaries in Turkey, the United Arab Emirates (UAE), and India created and used slush funds to bribe foreign officials in return for business between 2014 and 2019.” The recidivist label comes from the sad fact that the SEC sanctioned Oracle in connection with the creation of slush funds.

In 2012, Oracle resolved charges relating to the creation of millions of dollars of side funds by Oracle India, which created the risk that those funds could be used for illicit purposes. This means we have a company using the same scheme, in the same country only two years after the resolution of another FCPA violation. Yesterday, I laid out the broad parameters of the bribery schemes so that compliance professionals could study them in detail to determine if they need to review their programs. Today, we consider the schemes as they were used in the three countries identified in the SEC Order as Turkey, UAE and India.

Turkey

According to the SEC Order, there were three types of bribery schemes in Turkey: the VAD Accounts, the 112 Project and the SSI Deals. Under the VAD Accounts, as discussed yesterday, “Oracle Turkey employees routinely used the slush funds to pay for the travel and accommodation expenses of end-user customers, including foreign officials, to attend annual technology conferences in Turkey and the United States, including Oracle’s own annual technology conference.” These slush funds “were also used to pay for the travel and accommodation expenses of foreign officials’ spouses and children, as well as for side trips to Los Angeles and Napa Valley.”

All of this means that Oracle Turkey was not only engaging in bribery and corruption during the time of the 2012 enforcement action, but carried it on for seven years after the conclusion of the 2012 enforcement action. It was also done with the full knowledge and support of the Turkey country manager. Finally, since at least 2007, it was well known that payment for the travel and accommodation expenses of foreign officials’ spouses and children, as well as payment for side trips made by foreign officials, was a clear FCPA violation.

112 Project involved an attempt by Oracle Turkey to win a lucrative contract with Turkey’s Ministry of Interior (“MOI”) related to the ongoing creation of an emergency call system for Turkish citizens, the “112 Project”; hence the internal Oracle terminology. 112 Project was designed to appear as a business trip to Oracle’s home office (then in California) related to Oracle’s bid on the project. However, it turned out the trip was a sham to hide boondoggle travel for four MOI officials. The alleged business meeting at the corporate headquarters lasted only 15 minutes, and for the rest of the week the Turkey Sales Representative entertained the MOI officials in Los Angeles and Napa Valley and then took them to a “theme park.” (I wonder what ‘theme park’ there could be in the greater Los Angeles area?) Once again, this type of sham travel has long been identified as violative of the FCPA.

Finally, there were the SSI Deals. These involved the same Turkish Sales Representative as in 112 Project and directed cash bribes to officials at Turkey’s Social Security Institute (“SSI”). This corrupt sales representative had the temerity to maintain a spreadsheet tracking how much potential margin he could create from a discount request six months before he finalized a deal with the SSI in 2016. To fund the bribe payments, he used the VAR Program we previously detailed which claimed a discount was needed to beat the competition. However, the bid was a sole source bid limited to Oracle products.

In another corrupt transaction, once again the same Turkey Sales Representative used another VAR to create a slush fund for SSI officials related to a database infrastructure order. His spreadsheet showed an excessive margin of approximately $1.1 million, only a portion of which was used to purchase legitimate products such as software licenses.

UAE

Using the rather amazing code name of “Wallets”, Oracle UAE employees paid for the travel and accommodation expenses of end customers, including foreign officials, to attend Oracle’s annual technology conference in violation of Oracle’s internal policies. As noted in the Order, in 2018 and 2019, an Oracle UAE sales account manager paid approximately $130,000 in bribes to the State-Owned Enterprise’s (SOE) Chief Technology Officer (CTO) to obtain six different contracts over this period. The first three bribes were funded “through an excessive discount and paid through another entity (“UAE Entity”) that was not an Oracle approved VAR for public sector transactions and whose sole purpose was to make the bribe payments. For the final three deals, the UAE Entity was the actual entity that contracted with the UAE SOE despite the fact that Oracle’s deal documents represented an Oracle approved partner as the VAR for the deal.”

India

In perhaps the most incredible scheme, Oracle India sales employees used an excessive discount scheme for a transaction which was owned by the Indian Ministry of Railways. Oracle India claimed a discount was needed based on competition but “the Indian SOE’s publicly available procurement website indicated that Oracle India faced no competition because it had mandated the use of Oracle products for the project.” Once again, a spreadsheet was made that indicated $67,000 was the “buffer” available to potentially make payments to a specific SOE official. A total of approximately $330,000 was made available for payments and another $62,000 was paid to an entity controlled by the sales employees responsible for the transaction.

Please join me tomorrow where I look back at the 2012 Oracle FCPA enforcement action to see what, if anything, Oracle learned from that sordid tale.

Categories
Blog

Oracle: FCPA Recidivist Part 1 – Background

Oracle Corporation now joins the ignominious group of Foreign Corrupt Practices Act (FCPA) recidivists. Last week, in a Press Release, the Securities and Exchange Commission (SEC) announced an enforcement action which required Oracle to pay more than $23 million to resolve charges that it violated the FCPA when “subsidiaries in Turkey, the United Arab Emirates (UAE), and India created and used slush funds to bribe foreign officials in return for business between 2016 and 2019.” The recidivist label comes from the sad fact that the SEC “sanctioned Oracle in connection with the creation of slush funds. In 2012, Oracle resolved charges relating to the creation of millions of dollars of side funds by Oracle India, which created the risk that those funds could be used for illicit purposes.”

As reported in the FCPA Blog, Oracle is now one of 15 FCPA recidivists out of a total of 246 FCPA enforcement cases. This gives a recidivism rate of 6.1%. Clearly recidivism is also on the mind of the Department of Justice (DOJ) in the announcement of the Monaco Doctrine and release of the Monaco Memo. Given the overall tenor of the Oracle SEC Order, it is not clear if the SEC has the same level of concern as the DOJ on repeat offenders.

According to the Order, from at least 2014 through 2019, “employees of Oracle subsidiaries based in India, Turkey, and the United Arab Emirates (collectively, the “Subsidiaries”) used discount schemes and sham marketing reimbursement payments to finance slush funds held at Oracle’s channel partners in those markets. The slush funds were used both to (i) bribe foreign officials, and/or (ii) provide other benefits such as paying for foreign officials to attend technology conferences around the world in violation of Oracle’s internal policies.” I guess those employees at the subsidiaries, and specifically those in India, did not receive the Memo about Oracle’s 2012 FCPA settlement, where they promised to institute a series of internal controls to clean up the problem.

During the period in question, Oracle used two sales models, direct and indirect. Under the direct model, Oracle transacted directly with customers who paid Oracle directly. Under the indirect method, Oracle transacted through various types of third parties including straight distributor models, value added distributors (VADs) and value added resellers (VARs). While Oracle used the indirect sales model for a variety of legitimate business reasons, such as local law requirements or to satisfy payment terms, it recognized since at least 2012 that the indirect model also presented certain risks of abuse – including the creation of improper slush funds.

Learning one lesson from the 2012 enforcement action, “Oracle utilized a global on-boarding and due diligence process for these channel partners that Oracle implemented at the regional and country levels. Oracle only permitted its subsidiaries to work with VADs or VARs who were accepted to its Oracle Partner Network (“OPN”). Similarly, Oracle prohibited its subsidiaries from conducting business with companies removed from the OPN.”

Distributor Discounts

According to its policies regarding distributors, a valid and legitimate business reason was required to provide a discount to a distributor. Oracle used a three-tier system for approving discount requests above designated amounts, depending on the product. In the first level, Oracle at times allowed subsidiary employees to obtain approval from an approver in a subsidiary other than that of the employee seeking the discount. At the next level and for higher levels of discounts, Oracle required the subsidiary employee to obtain approval from Oracle corporate headquarters. The final level was a committee which had to approve the highest levels of discount.

The weakness in the Oracle distributor discount policy was that “while Oracle policy mandated that all discount requests be supported by accurate information and Oracle reviewers could request documentary support, Oracle policy did not require documentary support for the requested discounts – even at the highest level.” The standard requests for discounts were those previously seen in the Microsoft FCPA enforcement action, including “budgetary caps at end customers or competition from other original equipment manufacturers.” As the Order noted, “Oracle Subsidiary employees were able to implement a scheme whereby larger discounts than required for legitimate business reasons were used in order to create slush funds with complicit VADs or VARs.” Naturally it allowed distributors which “profited from the scheme by keeping a portion of the excess deal margin” to create a pot of money to pay a bribe.

Marketing Reimbursements

Distributor policies also allowed Oracle sales employees at the Subsidiaries to “request purchase orders meant to reimburse VADs and VARs for certain expenses associated with marketing Oracle’s products.” Once again there was a multi-pronged approval process in place. For marketing reimbursements “under $5,000, first-level supervisors at the Subsidiaries could approve the purchase order requests without any corroborating documentation indicating that the marketing activity actually took place.” Above this $5,000 threshold, additional approvals were required with additional requirements for business justification and documentation.

With these clear and glaring internal control gaps, you can see where it all went wrong for Oracle. The Order noted that “Oracle Turkey sales employees opened purchase orders totaling approximately $115,200 to VADs and VARs in 2018 that were ostensibly for marketing purposes and were individually under this $5,000 threshold.” Yet even when the $5,000 threshold was breached and supervisory approval was required in Turkey and the UAE, “The direct supervisors of these sales employees, who were complicit in the scheme, approved the fraudulent requests.” It is not clear if Oracle compliance had visibility into marketing reimbursement protocols. Of course, the “Oracle subsidiary employees in Turkey and the United Arab Emirates requested sham marketing reimbursements to VADs and VARs as a way to increase the amount of money available in the slush funds held at certain channel partners.” These slush funds were then used to pay bribes.

Please join me tomorrow where I look at the bribery schemes in action and how Oracle was able to obtain such an outstanding resolution and their extensive and aggressive remedial actions.

Categories
Blog

The Uncovering Hidden Risks Podcast Returns to the Compliance Podcast Network

The risk landscape for organizations has changed significantly in the past few years. Traditional ways of identifying and mitigating risks simply do not work. They focus primarily on external threats when risks from within the organization are just as prevalent and harmful. Additionally, regulations change frequently, and it is difficult for security and compliance leaders to keep up on these changes.

The Compliance Podcast Network is therefore thrilled to have back for a limited series, the Microsoft podcast, The Uncovering Hidden Risks, which will explore the need for enterprises to quickly move to a more holistic approach to data protection and reduce their overall risk. The show will cover an array of topics, across data governance, risk management, and compliance. It will address industry trends and customer pain points.

In each episode Erica Toelle, Sr. Product Marketing Manager for Microsoft Purview, partners with a Microsoft guest host to interview a guest leader in the data governance and compliance industry. These experts have a unique and deep understanding of the challenges organizations face, and the people, processes, and technology used to address them.

We are excited to have this podcast made available to the listeners of the Compliance Podcast Network so that they may listen in to these conversations as Erica and her Microsoft colleagues discuss a range of interesting topics, ranging from trends, best practices, and real-life strategies for developing a holistic data governance and risk management program.

The Uncovering Hidden Risks podcast will launch on Wednesday, September 28th with the first episode in the series.  

Listen to The Uncovering Hidden Risks podcast trailer below and subscribe on https://www.uncoveringhiddenrisks.com


Here is a preview of the first episode, posting on Wednesday, September 28th:

Transitioning to a holistic approach to data protection

Guest Bret Arsenault, CVP, CISO at Microsoft joins us on this week’s episode of Uncovering Hidden Risks to discuss how a holistic approach to data protection can deliver better results across your organization and the three steps that can get you there. Erica Toelle and Talhah Mir host this week’s episode to chat with Bret about current trends in the data protection space, what data protection issues are top of mind, and how teams should start on their data protection strategy.

Categories
Blog

Monaco Memo – A Jolt for Compliance: Part 5 – The Heat is On for Compliance

Today, we conclude our exploration of the Monaco Memo by considering what all this may mean for compliance professionals going forward. Department of Justice (DOJ) officials have emphasized that the changes laid out in the Monaco Memo and the requirements around Chief Compliance Officer (CCO) Certification are to empower compliance professionals. Deputy Attorney General Lisa Monaco said in the speech (Monaco Speech) announcing the Monaco Doctrine, “Companies should feel empowered to do the right thing—to invest in compliance and culture, and to step up and own up when misconduct occurs. Companies that do so will welcome the announcements today. For those who don’t, however, our Department prosecutors will be empowered, too—to hold accountable those who don’t follow the law.”

This was refined by Assistant Attorney General Kenneth A. Polite, who said in a speech (Polite Speech) after the Monaco Doctrine was announced, “in March 2022, I announced that, for all Criminal Division corporate resolutions (including guilty pleas, deferred prosecution agreements, and non-prosecution agreements), we would consider requiring both the Chief Executive Officer and the Chief Compliance Officer (CCO) to sign a certification at the end of the term of the agreement. This document certifies that the company’s compliance program is reasonably designed, implemented to detect and prevent violations of the law, and is functioning effectively. These certifications are designed to give compliance officers an additional tool that enables them to raise and address compliance issues within a company or directly with the department early and clearly. These certifications underscore our message to corporations: investing in and supporting effective compliance programs and internal controls systems is smart business and the department will take notice.”

Finally, Principal Associate Deputy Attorney General Marshall Miller said in a speech (Miller Speech), also after the announcement of the Monaco Doctrine, “I will focus on the ways those policy changes incentivize corporate responsibility and promote individual accountability – by clarifying, rethinking and standardizing policies on voluntary self-disclosure and corporate cooperation. I’ll also address how Department prosecutors are assessing some of the most challenging corporate compliance issues of the day, such as how incentive compensation systems can promote — rather than inhibit — compliance and how companies should be managing data given the proliferation of personal devices and messaging platforms that can take key communications off-system in the blink of an eye.”

However, I think many of these changes will put additional pressures on compliance programs. The new requirements for self-disclosure move beyond those announced under the FCPA Corporate Enforcement Program. The Monaco Memo stated, “it is imperative that Department prosecutors gain access to all relevant, non-privileged facts about individual misconduct swiftly and without delay.” [emphasis supplied] This, in turn, puts even more pressure on internal reporting, whether through a hotline, online reporting portal, or simply an employee speaking up to a manager. That pressure means triaging, efficiently elevating and effectively investigating and evaluating the evidence developed. The clock is ticking, and a compliance professional does not know what the DOJ might already know or if a whistleblower has reported to the Securities and Exchange Commission (SEC) or another federal department or agency.

But the pressure does not end when self-disclosure occurs. The DOJ wants speed above all else in the delivery of evidence which could be used in the prosecution of individuals. Miller stated, “In building cases against culpable individuals, we have heard one consistent message from our line attorneys: delay is the prosecutor’s enemy — it can lead to a lapse of statutes of limitation, dissipation of evidence, and fading of memories. The Department will expect cooperating companies to produce hot documents or evidence in real time. [emphasis supplied] And your clients can expect that their cooperation will be evaluated with timeliness as a principal factor. Undue or intentional delay in production of documents relating to individual culpability will result in reduction or denial of cooperation credit. Where misconduct has occurred, everyone involved — from prosecutors to outside counsel to corporate leadership — should be “on the clock,” operating with a true sense of urgency.”

This requirement changes the dynamics of an investigation. Every CCO and compliance professional in such a situation must now speed up not simply their investigation process and the turning over of documents but also their remediation efforts going forward. Of course, remediation is still an equally important part of your overall way forward to receive credit under the FCPA Corporate Enforcement Policy. A root cause analysis is also still a key component.

Another area for heat for the compliance professional is the new requirements for clawbacks. In the Miller Speech, he stated, “What we expect now, in 2022, is that companies will have robust and regularly deployed clawback programs. All too often we see companies scramble to dust off and implement dormant policies once they are in the crosshairs of an investigation.”

Companies should take note: compensation clawback policies matter, and those policies should be deployed regularly. A paper policy not acted upon will not move the needle — it is really no better than having no policy at all.

To up the ante, the Deputy Attorney General has instructed the Criminal Division to examine how to provide incentives for companies to claw back compensation, with particular attention to shifting the burden of corporate financial penalties away from shareholders — who frequently play no role in misconduct — onto those who bear responsibility. In addition to this stick, Miller also described the carrot the DOJ wants to see, noting, “compensation systems to promote compliance isn’t just about clawbacks. It’s also about rewarding compliance-promoting behavior. For years, companies have designed and fine-tuned sophisticated incentive compensation systems that reward behavior that enhances profits.” He concluded, “We’ll be evaluating whether corporations are making the same types of investments in adopting and calibrating compensation systems that reward employees who promote an ethical corporate culture and mitigate compliance risk.”

The final area where the heat is on is the type of conduct which leads to the FCPA violations. Three of the criteria for determining whether a monitor will be mandated deal with that conduct: the length or pervasiveness of the conduct and whether senior management was involved; whether the violation was caused by the “exploitation of an inadequate compliance program or system of internal controls”; and finally, whether compliance personnel were involved or were basically negligent in failing to “appropriately escalate or respond to red flags.”

Compliance professionals should use the Monaco Doctrine, Memo, and related speeches to educate senior management, the C-Suite and Board leadership on why and how an investment in compliance can pay off. For compliance professionals, your work became much more important.

Categories
Blog

Monaco Memo – A Jolt for Compliance: Part 4 – New Factors in Selecting Monitors

Today, we continue our exploration of the Monaco Memo by considering the sections relating to the evaluation of cooperation during the pendency of the investigation and the evaluation of a company’s compliance program at the conclusion of the resolution. These portions of the Monaco Memo should be studied intently by every compliance professional as they lay out what the Department of Justice (DOJ) will require to grant discounts under the FCPA Corporate Enforcement Policy. Today, I want to look at the provisions regarding monitors and monitorships. In many ways, they are some of the most interesting parts of the Monaco Memo.

The section on monitors and monitorships is broken down into three parts: (1) criteria for determining if a monitor is warranted; (2) criteria for selection of a monitor; and (3) monitor oversight. I am going to focus on the first prong, the criteria for determining if a monitor is warranted. You may recall the prior test to determine whether a monitor was warranted was last articulated in the Benczkowski Memo. The test basically had an organization implement an effective compliance program and then test it. However, now there is a 10-factor test, which as Washington & Lee University, School of Law Professor Karen Woody says, greatly increases the temperature on corporations. The 10 factors are:

  1. Whether the corporation voluntarily self-disclosed the underlying misconduct in a manner that satisfies the particular DOJ component’s self-disclosure policy;
  2. Whether, at the time of the resolution and after a thorough risk assessment, the corporation has implemented an effective compliance program and sufficient internal controls to detect and prevent similar misconduct in the future;
  3. Whether, at the time of the resolution, the corporation has adequately tested its compliance program and internal controls to demonstrate that they would likely detect and prevent similar misconduct in the future;
  4. Whether the underlying criminal conduct was long-lasting or pervasive across the business organization or was approved, facilitated, or ignored by senior management, executives, or directors (including by means of a corporate culture that tolerated risky behavior or misconduct, or did not encourage open discussion and reporting of possible risks and concerns);
  5. Whether the underlying criminal conduct involved the exploitation of an inadequate compliance program or system of internal controls;
  6. Whether the underlying criminal conduct involved active participation of compliance personnel or the failure of compliance personnel to appropriately escalate or respond to red flags;
  7. Whether the corporation took adequate investigative or remedial measures to address the underlying criminal conduct, including, where appropriate, the termination of business relationships and practices that contributed to the criminal conduct, and discipline or termination of personnel involved, including with respect to those with supervisory, management, or oversight responsibilities for the misconduct;
  8. Whether, at the time of the resolution, the corporation’s risk profile has substantially changed, such that the risk of recurrence of the misconduct is minimal or nonexistent;
  9. Whether the corporation faces any unique risks or compliance challenges, including with respect to the particular region or business sector in which the corporation operates or the nature of the corporation’s customers; and
  10. Whether and to what extent the corporation is subject to oversight from industry regulators, or a monitor imposed by another domestic or foreign enforcement authority or regulator.

The old Benczkowski Memo test is found in factors 2 and 3. However, factor 1 is whether or not the company self-disclosed the incident(s) at issue. Moreover, factors 4-6 all relate to conduct and actions when the illegal activity occurred, not after discovery and self-disclosure. Factor 4 relates to the length or pervasiveness of the conduct and whether senior management was involved. Factor 5 reviews “the exploitation of an inadequate compliance program or system of internal controls.” Factor 6 asks if compliance personnel were involved or were basically negligent in failing to “appropriately escalate or respond to red flags.” Factors 7-10 refine company actions post-reporting and do relate to actions after a company became aware, such as investigations and remedial actions (factor 7), a reduction in the company’s risk profile (factor 8), or unique regulatory or business challenges (factors 9 and 10).

The Monaco Memo states, “prosecutors will not apply any general presumption against requiring an independent compliance monitor (“monitor”) as part of a corporate criminal resolution, nor will they apply any presumption in favor of imposing one.” The Monaco Memo also states, “Prosecutors should analyze and carefully assess the need for a monitor on a case-by-case basis, using the following non-exhaustive list of factors when evaluating the necessity and potential benefits of a monitor.” Finally, the DOJ believes “compliance monitors can be an effective means of reducing the risk of further corporate misconduct and rectifying compliance lapses identified during a corporate criminal investigation.” This statement leads me to believe the DOJ is very concerned about corporate recidivism. Whatever the ultimate reasons are, it does appear that, as Professor Woody noted, the heat is definitely turned up.

One thing that did strike me about this list is that it provides a clear roadmap for compliance professionals to use in a proactive manner. You now know the precise factors the DOJ will review, so you can look at them on an ongoing basis to (1) determine if your organization has issues which need to be addressed; (2) remediate before the government comes knocking or you have to self-disclose; and (3) if you use an independent third party as a part of this proactive process, document compliance should you need to do so going forward if the government comes knocking independently of your self-reporting.

I hope you will join me for my next post to wrap up with some final thoughts.