Tag: FCPA

Categories
Blog

CCO Authority and Independence

The role of the CCO has steadily grown in stature and prestige over the years. In the 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, it focused on whether the CCO held senior management status and had a direct reporting line to the Board, stating:

In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors.

This Hallmark was significantly expanded in both the 2023 ECCP and the FCPA Corporate Enforcement Policy. And in so doing, the DOJ has increased the prestige, authority and role of both the CCO and corporate compliance function. The 2023 ECCP has five general areas of inquiry around the CCO and corporate compliance function. (1) How does the CCO salary and stature within the organization compare to other senior executives within the company. (2) What are the experience and stature of the CCO with an organization? Does the CCO have appropriate training for the role? (3) How much autonomy does the CCO have to report to the Board of Directors? How often do the CCO meet with directors? Are members of the senior management present for these meetings with the Board of Directors or of the Audit Committee? (4) What is your structure? Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company? (5) Is data in your organization so siloed that the CCO does not have access to it? If so, what are you doing about it?

In the 2023 Update to the FCPA Corporate Enforcement Policy, the DOJ these factors out as follows: 1) The quality and experience of the CCO, such that they can understand and identify the transactions and activities that pose a potential risk; 2) The authority and independence of the CCO; 3) The compensation and promotion of the CCO, in view of their role, responsibilities, performance, and other appropriate factors; and 4) The reporting structure of any CCO employed or contracted by the company.

All of these factors are enhanced by the CCO Certification requirement, as announced by Kenneth Polite back in 2022. A CCO must certify the effectiveness of a compliance program after a DPA or NPA has been concluded. This requirement will only become more important moving into 2023 and beyond. In addition to CCO  Certification, the Delaware Court of Chancery’s  decision in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst in the case In re McDonald’s Corporation Stockholder Derivative Litigation, where for the first time, a Delaware court formally recognized the oversight duties of officers of Delaware corporations.

The court noted that the CCO has a broad scope within an organization. The court stated, “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority.” The responsibilities of the CCO are wide and sometimes varied. Here the court stated, ““[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”

Clearly the DOJ is articulating that it expects true compliance professionals, who understand the way compliance interacts with and supports the business to be in the CCO chair. The days of a law school trained CCO who cannot read a spreadsheet are consigned to the dustbin of non-compliant history. But more than simply compliance professionalism, companies must compensate and promote compliance professionals within their organization. Simply burying someone in the compliance function of a law department because they cannot cut it will no longer suffice.

The DOJ has not taken a formal position on whether a General Counsel (GC) can also be the CCO. However, the language of the FCPA Corporate Enforcement Policy and 2023 ECCP seem to signal the death knell for the dual GC/CCO role. They also signal the larger issue that the CCO should have a separate reporting line to the Board, apart from through the GC. While the DOJ’s stated position that it does not concern itself with whether the CCO reports to the GC or reports independently, it is more concerned about whether the CCO has the voice to go to the CEO or Board of Directors directly not via the GC. Even if the answer were yes, the DOJ would want to know if the CCO has ever exercised that right. Yet the 2023 ECCP comes as close to any time previously in articulating a DOJ policy that the CCO be independent of the GC’s office. Therefore, if your CCO still reports up through the GC, you must have demonstrable evidence of both CCO independence and actual line of sight authority to the Board.

Here are some questions you should consider in evaluating this prong. First and foremost, is the CCO a part of the senior management or the C-Suite? Is the CCO part of regular meetings of this group? Who can terminate the CCO—is it the CEO, the Board Compliance Committee or does CCO termination require approval of the entire Board? Most importantly, could a person under investigation or even scrutiny by the CCO fire the CCO? If the answer is yes, the CCO clearly does not have requisite independence.

Additional questions to consider: Who can over-rule a decision by a CCO within the organization? And who is making the decisions around salary and compensation for the CCO? Is it the CEO, the GC, the Board Compliance Committee or some other person or group? Finally, what happens if a CCO initiates an investigation against someone he reports to or sets his salary?

Once again for the compliance professional, the FCPA Corporate Enforcement Policy and 2023 ECCP make the importance of a best practices compliance program even more critical. The DOJ is focusing more on the role, expertise and how the compliance function is treated within an organization. Pay your CCO considerably less than your GC? You may now better be able to justify that discrepancy. If you have a legal department budget of $3 million and a compliance department budget of $500,000; you are starting behind the eight-ball.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 25 – Responding to Investigative Findings

There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the attention of the Board of Directors and senior management to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage, followed immediately by the proclamation, “We are an ethical company.” However, it may well be the time for a very serious reality check.

You may find yourself in a position where you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

Finally, there should be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. Such an approach can also be a recipe for disaster. First and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated and you will have lost your momentum to clean things up through a thorough remediation.

Three key takeaways:

1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.

2. Be aware of how your investigation can impact and even inform your remediation efforts.

3. Be prepared to deal with the dreaded “where else” question.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Responding to Investigative Findings

There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However, it may well be the time for a very serious reality check.

You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on.  Russ Berland, Senior Counsel Data Protection Law at Johnson & Johnson Consumer Health has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

You need to explain the costs to the Board and senior management. As Berland said, you need to be upfront and candid in firmly stating, “To get to this place, this is what it’s going to cost.” Moreover, you need to be able to show how some companies paid very large amounts, not just in the eventual fine and penalty but also in other costs; such as shareholder lawsuits, claims and other post-resolution costs. Berland went on to say, “We want to show you how people have lost money by having to write big checks, because they didn’t take these allegations seriously. They actually saved money, because they didn’t have to write as big a check, because they took these allegations very seriously.” The bottom line is that your ROI here is going to be very high if you put the resources into remediation and do it well. This is easier with the information that was provided by the DOJ in the FCPA Corporate Enforcement Policy as it demonstrated how much discount a company can receive below the minimum range of the U.S. Sentencing Guidelines for remediation.

One of the most difficult parts is that the investigation is often done in a way in which the investigators want to maintain as tight a control over the information and privilege as they possibly can. The remediation requires output from the investigation to understand where the risk points and gaps are, both in the compliance program and the internal controls. There is a tension there and it needs to be structured in a way that information can be shared with those who are designing the remediation without fear of compromising the investigation.

Dan Chapman, former CCO at Parker Drilling and Cameron International and Founder of Presyse Consulting, also believes that costs must be adequately discussed to set proper expectations. These include both direct and, even more importantly, indirect costs to the company. Chapman noted, “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “everything stops to focus on the investigation.” This indirect cost comes largely through the time commitment of senior management because “if senior management has to commit 20% of their time, that is 20% of their time that is not going towards revenue generating, shareholder value-protecting activities.”

Yet, how can you communicate this point to somebody who has not gone through a full-blown internal investigation then coupled with a federal investigation with the DOJ and Federal Bureau of Investigation involved? Understanding that the all-encompassing nature of such an event is difficult to articulate, Chapman goes through some of his past experiences as touch points. “One example would be, during my first week on the job at previous employer, the company had a worldwide conference for all of the senior managers from around the world,” he said. “At that meeting, I asked all the senior, C-level executives, ‘Over the last few years, have you spent 5% of your time on the matter?’ They raised their hands. Then, I kept escalating it: 10%, 15%, and the hands didn’t go down until about 20%. Then I explained to them, and to the audience, ‘If you got 5%, 10% or 15% more from your senior management, where would this company be? What would it be worth? What bonuses would you have gotten?’ I think this point resonated with all of them, but there was still no great way for them or for anyone to quantify these costs. How do you quantify the absence of non-compliance? How do you quantify what could have been? How do you quantify the opportunity costs of management’s time?”

You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had a clear plan of action dictated by a policy.” The same types of arguments come into play in areas generally considered the purview of HR, i.e., recruiting and retention.

About recruiting Chapman posed the following for consideration, “Where do your new hires, especially recent college graduates, get their information about your company? They get it from the internet. If your company has been in trouble for bribery, what is one of the first things they see when they Google your company’s name? At the very top of their search results will be a news article about the wrongdoings or penalties. Now, how likely is a recent graduate to take his first job with a company that pays bribes, and, if he or she is willing, is that really the type of person you want to hire?” He also points out the negative impact of non-compliance on the retention of current employees by asking, “Ask yourself, is a good employee more or less likely to consider other job opportunities before or after she learns that her company pays bribes or may ask her to pay bribes?”

Yet even more than these types of points about employees in the organization, Chapman believes it is important to make it personal at the highest level of the organization; to make it as personal to your audience as possible. He suggests asking the Board and senior management “How would you feel about being involved in bribery? Rather than being something that’s only involving the company, your name and your reputation will be associated with it. How do you feel about being there?”

Obviously, the investigation will be critical for you to help understand what remediation your compliance program will need going forward. As Berland said, “Somebody found a way to get around your system. Maybe they colluded to overcome the internal controls. Maybe there was a group that simply wasn’t well trained, didn’t understand, or there was a group that was extremely well trained, and decided to do it anyway. But somehow, there are issues in the overall system of the executive tone, the governance, the compliance program, the internal controls, all at a meta level, which failed.”

You cannot find gaps in your compliance system until you stress test it. Viewed in this light, your compliance failures can be viewed as the ultimate stress test. Berland noted, “Well, guess what, you just got handed a stress test, and this is where the system broke down. Now you know there’s a gap. Well, absent the investigation, as painful and difficult as that is, that gap would have just been sitting there.” The investigation will raise information to you about the failures of your compliance program that you may not have known existed previously.

While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because “you’re just going off suppositions and guesses.”

He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. Such an approach can also be a recipe for disaster. First, and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated and you will have lost your momentum to clean things up through a thorough remediation.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 24 – Internal Reporting and Triaging of Claims

The call, email, or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process, which will determine, in many instances, how the company will respond going forward. This system has become even more important after the 2022 announcement of the Monaco Memo. Further, as the 2022 ABB FCPA resolution made clear, self-disclosing to the DOJ is the vital first step for all discounts under the Corporate Enforcement Policy to begin.

This scenario was driven home by the WPP Foreign Corrupt Practices enforcement action in 2021. Here, a whistleblower reported internally on allegations of bribery and corruption in the company’s India subsidiary. WPP turned over the investigation to an inexperienced accounting firm in India and then allowed the investigation to be controlled by the business unit management that was engaging in the bribery and corruption. The result, unsurprisingly, was no adverse findings. However, the whistleblower did not stop there and reported six more times (seven total) with an increasing amount of documentary support. Finally, the company took the allegations seriously and commissioned an internal investigation.

Three key takeaways:

1. The DOJ and SEC put special emphasis on internal reporting lines.

2. Test your hotline on a regular basis to make sure it is working.

3. Every claim should be triaged before starting an investigation.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 23 – The Investigation Protocol

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate in consultation with other groups, such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This allows the compliance team to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

Indeed, there are a variety of factors around giving credit to corporate investigations, including: Did management, the board, or committees consisting solely of outside directors oversee the review? Did company employees or outside parties perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?

Three key takeaways:

1. A written protocol, created before an investigation, is a key starting point.

2. Create specific steps to follow so there will be full transparency and documentation going forward.

3. Consistency in approach is critical.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
FCPA Compliance Report

FCPA Compliance Report – Jay Rosen on SAP’s Road to FCPA Compliance

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Jay Rosen who discusses the recent FCPA enforcement action involving the software giant SAP.

Jay Rosen is a seasoned compliance professional with a deep understanding of the SAP FCPA enforcement case. His perspective on the topic of SAP’s FCPA enforcement case and the importance of cooperation and self-disclosure is shaped by his belief that self-disclosure is paramount in any FCPA investigation or enforcement action. He points out that SAP did not initially self-disclose, but began to cooperate only after investigative reports were made public in South Africa. Despite this, Rosen acknowledges SAP’s commendable efforts in providing regular, prompt, and detailed updates to the fraud section, producing relevant documents, and undertaking extensive remediation actions. He underscores the importance of conducting a root cause analysis, implementing data analytics, and enhancing compliance programs and internal controls, asserting that companies can recover if they follow these steps and use data-driven analytics to counterbalance any negative facts. Join Tom Fox and Jay Rosen as they delve deeper into this topic on this episode of the FCPA Compliance Report.

Key Highlights:

  • The facts and underlying bribery schemes
  • Lack of self-disclosure and what it means
  • Extensive cooperation
  • Extensive remediation
  • A superior result achieved

Resources:

Jay Rosen on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

 

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

The Third Party Risk Management Process

As every compliance practitioner is well aware, even in 2023, third parties still present the highest risk under the FCPA. The 2023 ECCP devotes an entire prong to third-party management. It begins with the following:

Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. They five steps in the lifecycle of third-party management are:

1. Business Justification by Business Sponsor;

2. Questionnaire to Third-party;

3. Due Diligence on Third-party;

4. Compliance Terms and Conditions, including payment terms; and

5. Management and Oversight of Third Parties After Contract Signing.

Business Justification. The first step breaks down into two parts: business sponsor and business justification. The purpose of the business justification is to document the satisfactoriness of the business case to retain a third-party. The business justification should be included in the compliance review file assembled on every third-party at the time of initial certification and again if the third-party relationship is renewed. It is mandatory this document be filled out and completed by the business sponsor, who will be the primary contract with the third-party for the life of the business relationship.

Questionnaire. The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Resource Guide. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. This requirement is not only a key step but also a mandatory step for any third-party that desires to do work with your company. If a third-party does not want to fill out the questionnaire or will not fill it out completely; run, don’t walk, away from doing business with such a party.

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, most proposed agents that have done business with U.S. or U.K. companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to U.S. businesses.

Due diligence. Most compliance practitioners understand the need for a robust due diligence program to investigate third parties but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner.

The purpose is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from engaging in bribery and corruption on their behalf. Due diligence acts as both a procedure for anti-bribery risk assessment and a risk mitigation technique. Further, both operate as compliance internal controls.

With this due diligence, you should then perform a triage. Triage is how you determine where each third party falls in the ranking of priorities. Asha Palmer, EVP at Convercent by One Trust, has noted that: “Appropriate due diligence may vary based upon company size, transaction, and type of third party. These categories and several others may determine how you choose to design your triage process.” Some of the common factors that determine how high-risk a third-party relationship may be:

• Type of third party (bank, consultancy, reseller, etc.)

• Contract value

• Country

• Government interaction

• Industry

After you have completed Steps 1–3 you are ready to move onto to Step 4, the contract. According to the 2012 FCPA Resource Guide, additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third-party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted.

The contract. You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are red flags, which have appeared, these red flags must be cleared, or you must demonstrate how you will manage the risks identified. In other words, you must document that you have read, synthesized and evaluated the information garnered in the business justification, questionnaire and due diligence steps beforehand. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a “check the box” exercise.

Management of the relationship. While the work done in the four steps above are absolutely critical, if you do not manage the relationship, it can all go downhill very quickly, and you might find yourself with a potential FCPA violation. There are several different ways that you should manage your post-contract relationship. The Evaluation clearly is focused on several key components that you need to evaluate and then re-evaluate during the pendency of the relationship. Incentivizing through compensation issues, training and ongoing monitoring through oversight and auditing are all key tools that the DOJ expects you to use going forward after the contract is signed.

Categories
Blog

The SAP FCPA Enforcement Action-Part 5: Lessons Learned

We conclude our series on the initial Foreign Corrupt Practices Act (FCPA) enforcement action. It involved the German software giant SAP. While the conduct which led to the enforcement action occurred for a lengthy period of time and was literally worldwide in scope, the response by SAP is to be both noted and commended. The hard and impressive work that SAP did during the pendency of the investigation and enforcement action led to a very favorable result for the company in the reduced amount of its assessed fine and penalty as well as the fact that no monitor was mandated by the Department of Justice (DOJ) or Securities and Exchange Commission (SEC). Today, in our final post, we review key lessons learned from the SAP enforcement action.

Remediation

SAP did an excellent job in its remedial efforts. Whether SAP realized as a recidivist of the dire straits it was in after the publicity in South Africa around is corruption or some other reason, the company made major steps to create an effective, operationalized compliance program which met the requirement of the Hallmarks of an Effective Compliance Program as laid out in the 2020 FCPA Resource Guide, 2nd edition.

The remedial actions by SAP can be grouped as follows.

  1. Root Cause, Risk Assessment and Gap Analysis. Here the company conducted a root cause analysis of the underlying conduct then remediating those root causes, conducted a gap analysis of internal controls, remediating those found lacking; and then performed a comprehensive risk assessment focusing on high-risk areas and controls around payment processes, using the information obtained to enhance its compliance risk assessment process;
  2. Enhancement of Compliance. Here the company significantly increasing the budget, resources, and expertise devoted to compliance; restructuring its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership; enhanced its code of conduct and policies and procedures regarding gifts, hospitality, and the use of third parties; enhanced its reporting, investigations and consequence management processes;
  3. Change in sales models. On the external sales side, SAP eliminated its third-party sales commission model globally, and prohibiting all sales commissions for public sector contracts in high-risk markets and enhanced compliance monitoring and audit programs, including the creation of a well-resourced team devoted to audits of third-party partners and suppliers. On the internal side, SAP adjusted internal compensation incentives to align with compliance objectives and reduce corruption risk;
  4. Data Analytics. Here SAP expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally; and comprehensively used data analytics in its risk assessments.

Data Analytics

The references to data analytics and data driven compliance warrant additional consideration. SAP not only did incorporate data analytics into its third-party program but also expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally. The SEC Order also noted that SAP had implemented data analytics to identify and review high- risk transactions and third-party controls. The SAP DPA follows the Albemarle FCPA settlement by noting that data analytics is now used by SAP to measure the compliance program’s effectiveness. This language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions access to all company data; this is the second time it has been called out in a FCPA settlement agreement in this manner. Additionally, it appears that by using data analytics, SAP was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation; thereby avoiding a monitor.

Holdbacks

Next was the holdback actions engaged in by SAP. The DPA noted, SAP withheld bonuses totaling $109,141 during the course of its internal investigation from employees who engaged in suspected wrongdoing in connection with the conduct under investigation, or who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct, and further engaged in substantial litigation to defend its withholding from those employees, which qualified SAP for an additional fine reduction in the amount of the withheld bonuses under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

Self-Disclosure

While this factor was not present in the SAP enforcement action, the message sent by the DOJ could not be clearer on not simply the expectation of the DOJ for self-disclosure but also the very clear and demonstrable benefits of self-disclosure. Under the Corporate Enforcement Policy, SAP’s failure to self-disclose cost it an opportunity of at least 50% and up to a 75% reduction off the low end of the U.S. Sentencing Guidelines fine range. Its actions as a criminal recidivist, resulted in it not receiving a reduction of at least 50% and up to 75% from the low end of the U.S.S.G. fine range but rather at 40% from above the low end. SAP’s failure to self-disclose cost it an estimated $20 million under the Sentencing Guidelines. It’s failure to self-disclose and recidivism cost it a potential $94.5 million in discounts under the Corporate Enforcement Policy. The DOJ’s message could not be any clearer.

Extensive Cooperation

There were also lessons to be garnered from SAP’s cooperation with the DOJ. While there was no mention of the super duper, extra-credit giving extensive remediation which Kenneth Polite discussed last year; when SAP began to cooperate, it moved to extensively cooperate. The DPA noted SAP “immediately beginning to cooperate after South African investigative reports made public allegations of the South Africa-related misconduct in 2017 and providing regular, prompt, and detailed updates to the Fraud Section and the Office regarding factual information obtained through its own internal investigation, which allowed the government to preserve and obtain evidence as part of its independent investigation…” Most interestingly, the DPA reported that SAP imaged “the phones of relevant custodians at the beginning of the Company’s internal investigation, thus preserving relevant and highly probative business communications sent on mobile messaging applications.” This is clear instruction around messaging apps in FCPA enforcement actions.

Resources

SEC Order

DOJ DPA

Categories
Blog

The SAP FCPA Enforcement Action-Part 4: The Fines: Self-Disclose, Self-Disclose, Self-Disclose

We continue our exploration of the SAP Foreign Corrupt Practices Act (FCPA) enforcement action. Today we go full geek in a look at the fine and penalty and most importantly what the fine and penalty communicate about what the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) want from companies embroiled in a FCPA investigation. First the numbers.

DOJ

According to the Deferred Prosecution Agreement, the criminal fine and penalty is in the amount of $63,590,859, equal to approximately 54% of the Criminal Penalty ($63,700,000), reduced by $109,141 under the Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks. Additionally, the DOJ agreed to a “credit toward the Criminal Penalty the amount paid by the Company to authorities in South Africa for violations of South African law related to the same conduct described in the Statement of Facts, up to a maximum of $55,100,000 (the “Penalty Credit Amount”).”

SEC

According to the SEC Order, “SAP acknowledges that the Commission is not imposing a civil penalty based upon the imposition of an $ 118.8 million criminal fine as part of SAP’s resolution with the United States Department of Justice.” However, SAP did agree to disgorgement in the following amount, $85,046,035 and prejudgment interest of $13,405,149, for a total payment of $98,451,184. SAP received a disgorgement offset of up to $59,455,779 based on the U.S. dollar value for any payments made or to be made to the Government of South Africa or a South African state-owned entity in any parallel proceeding against Respondent in South Africa.

The SEC Order also reported these additional fines and penalties.

  • On March 15, 2022, SAP entered into a civil settlement with the South African Special Investigating Unit and others relating to the DWS conduct described above and paid ZAR 11 344.78 million ($21.4 million), which represented reimbursement of the entire amount SAP received from DWS under the 2015 and 2016 deals with DWS.
  • On October 18, 2023, SAP entered into a settlement agreement with the South African Special Investigative Unit and others relating to the Transnet conduct described above, pursuant to which it paid ZAR 214.39 million (approximately $11.42 million based on the exchange rate on the date of payment).
  • On November 1, 2023, SAP entered into a civil settlement with the South African Special Investigating Unit and others relating to the Eskom conduct described above, pursuant to which it paid ZAR 500 million (approximately $26.63 million based on the exchange rate on the date of payment).

The bottom line, as reported by the FCPA Blog is SAP agreed to pay a $118.8 million criminal penalty to the DOJ and an administrative forfeiture of $103.4 million to the SEC. SAP has also paid approximately $59.4 million to various South African authorities, for which they received a penalty credit of $55 million from the DOJ.

Fine Calculation

Let’s start with the DOJ. The basis comes from the US Sentencing Guidelines.  From the DPA we note the following:

  1. The November 1, 2023 U.S.S.G. are applicable to this matter.
  2. Offense Level. Based upon U.S.S.G. § 2Cl.1, the total offense level is 42, calculated as follows:
  • 2Cl.l(a)(2) Base Offense Level 12
  • 2Cl.l(b)(l) More than One Bribe +2
  • § 2Cl.l(b)(2), 2Bl.l(b)(l)(M) +24

Benefit (More than $ 65,000,000)

  • 2C 1.1 (b )(3) Involvement of High-Level Public Official +4

TOTAL                                                                                      42

  1. Base Fine Based upon U.S.S.G. § 8C2.4(d), the base fine is

$ I50,000,000.

  1. Culpability Score. Based upon U.S.S.G. § 8C2.5, the culpability score is

6, calculated as follows:

  • 8C2.5(a) Base Culpability Score 5
  • 8C2.5(b )(3)(B)(i) Unit had 200 or more employees + 3

and High-Level Personnel

  • 8C2.5(g)(2) Cooperation, Acceptance -2

TOTAL                                                                                      6

Calculation of Fine Range:

Base Fine                                                                     $ I50,000,000

Multipliers                                                       1.2 (min) / 2.4 (max)

Fine Range                                     $180,000,000 to $360,000,000

The key area to noted is the highlighted line entitled “§ 8C2.5(g)(2) Cooperation, Acceptance”.

The reason this line is so critical is that it is the one area under the US Sentencing Guidelines that a company can receive a discount or at least credit for actions it has taken to reduce the multiplier and thereby reduce the overall fine range. In the Sentencing Guidelines it states,

(g)       Self-Reporting, Cooperation, and Acceptance of Responsibility 

 If more than one applies, use the greatest:

  8C2.5(g)(1) (1)       If the organization (A) prior to an imminent threat of disclosure or government investigation; and (B) within a reasonably prompt time after becoming aware of the offense, reported the offense to appropriate governmental authorities, fully cooperated in the investigation, and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 5 points; or

 8C2.5(g)(2) (2)       If the organization fully cooperated in the investigation and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 2 points; or

 8C2.5(g)(3) (3)       If the organization clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 1 point.

All this means a company if company self-discloses to the DOJ, it can receive a 5-point discount off the overall multiplier. SAP did not self-disclose so it lost this discount. If SAP had self-disclosed the multiplier range would have been something like 0.7 to 1.4, making the fine range $126 million to $252 million. From there the discount under the Sentencing Guidelines led the following “The Fraud Section and the Office and the Company agree, based on the application of the Sentencing Guidelines, that the appropriate criminal penalty is $118,800,000 (the “Criminal Penalty”). This reflects a 40% discount off the 10th percentile of the Sentencing Guidelines fine range.” By my estimation, this failure to self-disclose cost SAP an additional $20,000,000 under the Sentencing Guidelines alone.

But the analysis does not end there as the overall fine and penalty is also governed by the Corporate Enforcement Policy, under which a company can garner a full declination if the following criteria are met (1) self-disclosure, (2) extensive cooperation, (3) extensive remediation, and (4) profit disgorgement. Obviously, SAP failed to meet this burden as it did not self-disclose so a full Declination was never in the cards. But the company could and did receive credit under the Corporate Enforcement Policy with a monetary penalty in the amount of $63,590,859, equal to approximately 54% of the Criminal Penalty. There was a further reduction of the overall criminal fine, reduced by $109,141 under the DOJ’s Pilot Program Regarding Compensation Incentives and Clawbacks.

Moreover, under the Corporate Enforcement Policy, SAP’s failure to self-disclose cost it an opportunity of at least 50% and up to a 75% reduction off the low end of the U.S. Sentencing Guidelines fine range. Its actions as a criminal recidivist, resulted in it not receiving a reduction of at least 50% and up to 75% will generally not be from the low end of the U.S.S.G. fine range but rather at the 40% amount noted above. SAP’s failure to self-disclose cost it an estimated $20 million under the Sentencing Guidelines. It’s failure to self-disclose and recidivism cost it a potential $94.5 million in discounts under the Corporate Enforcement Policy.

While all these numbers might be enough to make your head swim (as it did mine); the significance and why I went through it in this detail is that the DOJ is clearly sending the message that self-disclosure is the single most important thing a company can do in any FCPA investigation or enforcement action. Kenneth Polite said that when announcing the updated Corporate Enforcement Policy in January 2023; it was enshrined the new Monitor Selection Policy as the number one reason for a company not having a monitor required. I heard Fraud Section head Glenn Leon say it as well at Compliance Week 2023 in a Fireside Chat with Billy Jacobsen.

The DOJ’s message could not be any clearer. Self-disclose; Self-disclose; Self-disclose.

 Resources

SEC Order

DOJ DPA

Join us tomorrow where we conclude with lessons learned for the compliance professional.

Categories
Everything Compliance

Everything Compliance – Episode 127, The Awesome Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jonathan Armstrong, Matt Kelly, and Jay Rosen, all hosted by Tom Fox, joining us on this episode to discuss some of the topics they are watching in 2024.

  1. Matt Kelly looks at the recently enacted Foreign Extortion Prevention Act (FEPA). He rants about the SEC getting hacked around the Bitcoin ETF announcement and reminds everyone to use two-factor authentication.
  2. Tom Fox shouts out to the University of Michigan for winning the College Football National Championship.
  1. Jonathan Armstrong looks at the intersection of AI and Operational Resilience and ties it to the need for greater Board skills in these areas. He shouts out to Jay Rosen, who is in transition and would be a great addition to any compliance product or service BD team.
  1. Jay Rosen opines on the DOJ’s Expectations for Data Driven Analytics in 2024. He shouts out to Robert Kraft and the New England Patriots for paying departing coach Bill Belichick his full 2024 salary.
  1. Jonathan Marks asks, What does it mean to be on a Board in 2024? He rants about the Philadelphia Eagles.

The members of the Everything Compliance are:

  • Jay Rosen – Jay is Vice President, Business Development, Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
  • Jonathan Marks can be reached at jtmarks@gmail.com.

The host, producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.