Categories
Blog

Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based on a risk assessment, on an understanding of your organization’s business from the commercial perspective, on how your organization has identified, assessed, and defined its risk profile and, finally, on the degree to which the program devotes appropriate scrutiny and resources to this range of risks. The 2023 ECCP added a new emphasis on the cadence of Risk Assessments, mandating that risk assessments should be done not less than annually, but in reality they should be done each time your risk changes. Over the past couple of years, every company’s risks changed in going from Work From Home to Return to the Office to the Hybrid Work environments of 2024. What about geopolitical issues, supply chain or even potential compliance risks in the 2024 election cycle? Have you assessed each of these new paradigms for risks from the compliance perspective?

As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”

Having made clear what risks needed to be assessed, the 2023 ECCP focused on the methodology used in the risk assessment process. It stated:

Risk Management Process—What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?

Risk-Tailored Resource Allocation—Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?

Updates and Revisions—Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?

Rick Messick, in his article, entitled, Corruption Risk Assessments: Am I Missing Something?, laid out the four steps of a risk assessment as follows:

First, all conceivable forms of corruption to which the organization, the activity, the sector, or the project might be exposed is catalogued. Second, an estimate of how likely it is that each of the possible forms of corruption will occur is prepared and third an estimate of the harm that will result if each occurrence is developed. The fourth step combines the chances of occurrence with the probability of its impact to produce a list of risks by priority.

What should you assess? In 2011, the DOJ concluded three FCPA enforcement actions which specified factors that a company should review when making a risk assessment. The three enforcement actions, involving Alcatel-Lucent S.A., Maxwell Technologies Inc. and Tyson Foods Inc., all had common areas that the DOJ indicated were compliance risk areas which should be evaluated for a minimum best practices compliance program. The Alcatel-Lucent and Maxwell Technologies Deferred Prosecution Agreements (DPAs) listed seven areas of risk to be assessed, which are still relevant today:

1. Where your company does business;

2. Geography-where does your Company do business;

3. Interaction with types and levels of governments;

4. Industrial sector of operations;

5. Involvement with joint ventures;

6. Licenses and permits in operations; and

7. Degree of government oversight.

The 2020 FCPA Resource Guide, 2nd edition, laid out the following approach, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”

Another approach, as detailed by David Lawler in his book Frequently Asked Questions in Anti-Bribery and Corruption, is to break the risk areas into the following categories: 1) company risk, 2) country risk, 3) sector risk, 4) transaction risk, and 5) business partnership risk. He further detailed these categories as follows:

Company risk. Lawler believes this is “only to be likely to be relevant when assessing a number of different companies—either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve some of the following characteristics:

• Private companies with a close shareholder group;

• Large, diverse and complex groups with a decentralized management structure;

• An autocratic top management;

• A previous history of compliance issues; and/or

• Poor marketplace perception

Country risk. This area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have failed to be transparent in procurement and investment policies. The Transparency International Corruption Perceptions Index (TI-CPI) can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.

Sector risk. These involve areas that require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:

• Extractive industries;

• Oil and gas services;

• Large scale infrastructure areas;

• Telecoms;

• Pharmaceutical, medical device and healthcare; and/or

• Financial services

Transaction risk. Lawler says this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up.” Indicia of transaction risk include:

• High reward projects;

• Involve many contractors or other third-party intermediaries; and/or

• Do not appear to have a clear legitimate object

Business partnership risk. This prong recognizes that certain manners of doing business present more corruption risk than others and may include:

• Use of third-party representatives in transactions with foreign government officials;

• A number of consortium partners or joint venture partners; and/or

• Relationships with politically exposed persons (PEPs)

There are a number of ways you can slice and dice your basic risk assessment inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries for your risk analysis, it should be acceptable for your starting point.


The SAP FCPA Enforcement Action-Part 3: The Comeback

This week we are taking a deep dive into the SAP Foreign Corrupt Practices Act (FCPA) enforcement action. In it, SAP agreed to pay the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) approximately $222 million in penalties and disgorgement. SAP also entered into a three-year Deferred Prosecution Agreement (DPA) with the DOJ. Given the multi-year (2014-2022) length of the various bribery and corruption schemes, their worldwide geographic scope, the amounts paid in bribes and the benefits garnered by SAP from its corruption, one might charitably wonder how SAP was able to reap such a positive outcome of only a fine and penalty totaling $222 million. We will explore that question today.

Extensive Cooperation

The starting point for this analysis is the DOJ DPA. The first key point to note is there was no self-disclosure by SAP. As the DPA noted, SAP only began to cooperate after investigative reports were made public in 2017 in South Africa about SAP’s bribery and corruption program. However, from this point forward SAP moved to extensively cooperate. The DPA noted SAP “immediately beginning to cooperate after South African investigative reports made public allegations of the South Africa-related misconduct in 2017 and providing regular, prompt, and detailed updates to the Fraud Section and the Office regarding factual information obtained through its own internal investigation, which allowed the government to preserve and obtain evidence as part of its independent investigation…”

This cooperation included producing relevant documents and other information to the Fraud Section “from multiple foreign countries expeditiously, while navigating foreign data privacy and related laws;” “voluntarily making Company officers and employees available for interviews;” and taking “significant affirmative steps to facilitate interviews while addressing witness security concerns.” Interestingly, SAP was required to resolve potential deconfliction issues between its own internal investigation and the investigation being conducted by the DOJ. The company promptly collected, analyzed, and organized “voluminous information, including complex financial information.” It translated “voluminous foreign language documents to facilitate and expedite review by the Fraud Section and the Office.” Most interestingly, the DPA reported that SAP imaged “the phones of relevant custodians at the beginning of the Company’s internal investigation, thus preserving relevant and highly probative business communications sent on mobile messaging applications.”

The Remediation

The DPA reported extensive remediation by SAP as well and the information provided in the DPA is instructive for every compliance professional. The DPA noted that SAP engaged in the following remedial steps.

  1. Conducted a root cause analysis of the underlying conduct and then remediated those root causes through enhancement of its compliance program;
  2. Conducted a gap analysis of internal controls, remediating those found lacking;
  3. Undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process”;
  4. Documented its use of “comprehensive operational and compliance data” in its risk assessments;
  5. Eliminated “its third-party sales commission model globally, and prohibiting all sales commissions for public sector contracts in high-risk markets”;
  6. “Significantly increasing the budget, resources, and expertise devoted to compliance;”
  7. Restructured its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership;
  8. Enhanced its code of conduct and policies and procedures regarding gifts, hospitality, and the use of third parties;
  9. Enhanced its reporting, investigations and consequence management processes;
  10. Adjusted compensation incentives to align with compliance objectives and reduce corruption risk;
  11. Enhanced and expanded compliance monitoring and audit programs, planning, and resources, including developing a well-resourced team devoted to audits of third-party partners and suppliers;
  12. Expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally; and
  13. Disciplined “any and all” employees involved in the misconduct.

Obviously, SAP engaged in a wide range of remedial actions. It all started with a root cause analysis. Root Cause analysis was enshrined in the FCPA Resource Guide, 2nd edition as one of the Hallmarks of an Effective Compliance Program. It stated, “The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigation’s structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.”

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches. This SAP did during its remediation phase.

Equally of interest are the references to data analytics and data driven compliance. SAP not only did so around its third-party program but also expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally. The SEC Order also noted that SAP had implemented data analytics to identify and review high-risk transactions and third-party controls. The SAP DPA follows the Albemarle FCPA settlement by noting that data analytics is now used by SAP to measure the compliance program’s effectiveness. This language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance function’s access to all company data; this is the second time it has been called out in a settlement agreement in this manner. Additionally, it appears that by using data analytics, SAP was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation, thereby avoiding a monitor.

Next was the holdback/clawback actions engaged in by SAP. The DPA noted that SAP withheld bonuses totaling $109,141 during the course of its internal investigation from employees who engaged in suspected wrongdoing in connection with the conduct under investigation, or who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct, and further engaged in substantial litigation to defend its withholding from those employees, which qualified SAP for an additional fine reduction in the amount of the withheld bonuses under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

Finally, the DOJ related that SAP had enhanced and has committed to continuing to enhance its compliance program and internal controls, including ensuring that its compliance program satisfied the minimum elements set forth in Attachment C to the DPA. Based upon all these factors, including SAP’s remediation and the state of its compliance program, and the Company’s agreement to report to the Fraud Section and the Office as set forth in Attachment D to this Agreement, the DOJ “determined that an independent compliance monitor was unnecessary.”

All-in-all a great result by and for SAP for which the company and its compliance team should take great credit in going forward.

Resources

SEC Order

DOJ DPA

Join us tomorrow where we consider fine and penalties.

Categories
Compliance Into the Weeds

Compliance Into The Weeds: The SAP Foreign Corrupt Practices Act Enforcement Action

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the recent Foreign Corrupt Practices Act (FCPA) enforcement action involving the ERP software giant SAP.

The recent $220 million fine imposed on German software giant SAP for violations of the FCPA underscores the critical role of internal audits in maintaining corporate compliance. Despite having a comprehensive FCPA compliance program, SAP’s lack of control over its subsidiaries led to bribery activities, a situation that Tom and Matt believe could have been prevented with a robust internal audit function. Fox emphasized the need for strong internal audits to identify and address issues within different parts of an organization. Similarly, Kelly underscored the importance of internal audits in identifying and rectifying control lapses. To delve deeper into this topic and understand the implications of the SAP case, join Tom Fox and Matt Kelly on this episode of Compliance into the Weeds. 

Key Highlights:

  • The bribery schemes and geographic scope
  • What is culture?
  • Third parties and corruption risks
  • The fine and penalty
  • The comeback
  • Lessons learned for the compliance professional

Resources:

Matt on Radical Compliance

Tom 

Tom on the FCPA Compliance and Ethics Blog



The SAP FCPA Enforcement Action-Part 2: The Box Score of Corruption

We continue our exploration of the Foreign Corrupt Practices Act (FCPA) enforcement involving the German software company, SAP. The company agreed to pay the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) approximately $222 million in penalties and disgorgement. SAP also entered into a three-year deferred prosecution agreement (DPA) with the Department of Justice imposing a $118.8 million criminal penalty and an administrative forfeiture of $103.4 million. Today we look at SAP’s compliance program requirements for third parties, the Box Score of corruption, the corrupt agents and the bribery schemes used across the globe by SAP.

The Box Score

The breadth and scope of SAP’s illegal conduct was simply stunning, literally running across the globe. For those not keeping score at home, I put together a Box Score of the location/entity bribed, the amount of the bribe (where reported) and the benefit obtained by SAP. Once again, it was simply stunning.

| Location and Entity Where Bribe Paid | Amount of Bribe | Revenue Generated |
|---|---|---|
| South Africa-Transnet | $562,215 | $4.4MM |
| South Africa-Transnet | $1MM | $6.58MM |
| South Africa-City of Johannesburg | $120K | $13.16MM |
| South Africa-Eskom | $5.18MM | $28.58MM |
| South Africa-Dept. Water and Sanitation (DWS) | $527,460 | $35.4MM |
| Malawi | Not reported | $1.1MM |
| Tanzania-Ports Authority | Not reported | $828K |
| Ghana National Petroleum Corporation | $400K | $1.20MM |
| Indonesian Ministry of Communication and Information Technology | $67,380 | $268,135 |
| Indonesian Ministry of Maritime Affairs and Fisheries | App. $5000 | $80,500 |
| Indonesia-PT Pertamina | Not reported | $13K |
| Indonesia-Pemda DKI | Not reported | $383K |
| Indonesia-PT Angkasa Pura I | Not reported | $1.09MM |
| Indonesia-PT Angkasa Pura II | Not reported | $2.53MM |
| Azerbaijan-State Oil Company | $3000 | $1.6MM |
| Totals | Reported in Settlement Docs-$7.8 | Reported by DOJ-$103,369,765 |

SAP Policies and Procedures

SAP used third parties, monikered as Business Development Partners (“BDPs”), which were eligible to earn commissions for SAP sales on which they assisted. Moreover, as noted in the SEC Order, “SAP’s internal policies and procedures for working with third parties required employees to conduct due diligence to assess risk and ensure: (1) That a third party had no relations (as a family member) to the SAP customer or a potential customer, and (2) That the third party was not a government official, government employee, political party official or candidate, or officer or employee of any public international organization or an immediate family member of any of these. In addition, with respect to BDPs, all sales commission contracts had to be in writing and clearly define the services to be provided and the related business and payment terms.”

SAP’s internal controls went on to require that its subsidiaries and employees were “to use a model agreement that included standard commission rates and to follow a standardized internal approval process, which required the involvement and approval of the local legal department or compliance officer, the subsidiary’s local managing director, and its local chief financial officer. In cases where a BDP agreement required non-standard terms, regional management had to provide additional approvals. The policy documents explicitly state that they were put into place to ensure that no relationship with a third party would be used to inappropriately influence a business decision or pay bribes to government officials.”

The Corrupt Agents

In the corruption involving the South African entity Transnet, the SEC Order noted that “SA Intermediary 1 ever being present at meetings with Transnet, nor does SA Intermediary 1 appear to have a credible IT background or experience.” Regarding another corrupt agent called SA Intermediary 2, it stated, “SAP South Africa paid approximately $1 million in commission fees to SA Intermediary 2, a South African 3D printing firm despite the fact that it provided no tangible services to SAP. SAP South Africa and its employees knew about the red flags relating to SA Intermediary 2’s ownership. The former director of SA Intermediary 2 admitted that the entity had “no expertise” or skills to provide meaningful services on the Transnet deal and also said he had no knowledge of SA Intermediary 2 providing any services. During an SAP-initiated audit of SA Intermediary 2, the third party failed to provide evidence of any services performed.” Indeed, the DOJ Information noted that a 2017 review by SAP “revealed that Intermediary 2 had no financial statements (audited or unaudited), had not filed any returns for employee tax purposes, and found no signs of activity at Intermediary 2’s claimed business address.”

When it came to Eskom, the SEC Order noted, “SA Intermediary 3, a purported IT consultant on the Eskom project. SA Intermediary 3, however, never performed any services. Instead, SAP South Africa’s Managing Director instructed SAP South Africa employees to perform the consulting work in SA Intermediary 3’s stead and still paid the entity a total of $1.6 million. Notably, officials at Eskom approved these payments despite SA Intermediary 3’s absence on the project. SAP also retained SA Intermediary 2 to perform vague services on Eskom contracts dated March, 2016 and November 2016 that, as a 3D printing company, SA Intermediary 2 was unqualified to perform. Regardless, SAP South Africa paid SA Intermediary 2 a total of $5.18 million in consulting fees.”

The Bribery Schemes

The thing which struck me about the bribery schemes was that they were so pedestrian, yet they permeated SAP from 2014-2022. Yet their very pedestrian nature serves not only as a warning for companies and compliance professionals but also as a road map for compliance program monitoring, improvement and remediation. From the very start of the corruption in South Africa, SAP employees began to avoid, evade and violate SAP internal compliance requirements.

1. South Africa

In South Africa, in addition to the bribery schemes noted in the section above, where payments were made for non-existent work or services billed by the corrupt agents, “bank records indicate that shortly after the deal closed, SA Intermediary 1 paid $562,215, characterized as “loans,” to an individual known to be involved in making bribe payments.” In SAP’s contract with the City of Johannesburg, the SEC Order noted, “In addition to these cash payments, SAP South Africa paid for trips to New York for government officials in May and September 2015, including the officials’ meals and golf outings on the trips.” The DOJ Information reported that these payments were recorded in SAP books and records as ‘sales commission payments.’ Finally, in the contract involving the DWS, the SEC Order stated, “The local business partners were paid at a 14.9% commission rate, the maximum allowed under SAP policy without approval from the Board. SAP South Africa employees engaged both BDPs at the highest commission percentage allowed, staying under the 15% commission rate so as to avoid the need to obtain higher level approvals, and authorized the payment despite the local partners’ failure to meet deliverables relating to the DWS transactions.” The DOJ Information further noted that the bribe payment was routed through a second corrupt agent, in an attempt to conceal the criminal nature of the bribe.

2. Indonesia

The SEC Order noted that in “Indonesia, Intermediary 1 used fake training invoices to issue payments that created slush funds to pay bribes. Employees at Indonesia Intermediary 1 created shell companies to generate these false expenses. Some of the false invoices generated kickback payments to employees at the Indonesia Intermediary 1, some paid for customer excursions, and others generated cash payments to government officials at state-owned entities.” Next, “Indonesia Intermediary 1 employees, paid for shopping excursions and dining for a BP3TI official and his wife during a June 2018 trip to New York City, in route to attending the 2018 SAP Sapphire Conference in Orlando, Florida.” Additionally, travel expenses, gifts, meals and entertainment were paid for by the Indonesian Intermediaries.

3. Azerbaijan

Lastly, in Azerbaijan, a mid-level SAP employee provided improper gifts in December 2021 and January 2022 to multiple SOCAR officials in an effort to close the deal. The SEC Order stated, “Several SOCAR officials received gifts totaling approximately $3,000, well above SAP’s gift limit of $30. Text messages indicate that the employee was rewarding senior officials who supported, and were directly responsible for, approving the pending sale. The employee also prepared a fake Act of Acceptance between SOCAR and an SAP Azerbaijan partner, which she submitted to the SAP contract booking team on February 4, 2022. SOCAR signed the real Act of Acceptance on May 12, 2022. Evidence indicates that the employee was attempting to claim a commission on the deal before her pending promotion to SAP Azerbaijan Managing Director became effective, after which she would not be eligible to earn additional compensation from the sale.”

Once again, the thing that struck me about all these schemes is there is really nothing new, innovative or particularly novel about any of these bribery schemes. It speaks to the basic blocking and tackling which every compliance program needs to engage in at due diligence and then throughout the life cycle of the third-party relationship.

Join us tomorrow where we consider the comeback made by SAP after the investigation began.


The SAP FCPA Enforcement Action-Part 1: Introduction

The year in Foreign Corrupt Practices Act (FCPA) enforcement started off with a bang on January 10 with the announcement of a resolution of the outstanding SAP enforcement action. The bribery schemes used by SAP were massive in scope and literally worldwide in geographic area. As usual, Harry Cassin at the FCPA Blog broke the story for the compliance profession. SAP SE agreed to pay the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) approximately $222 million in penalties and disgorgement. SAP also entered into a three-year deferred prosecution agreement (DPA) with the Department of Justice imposing a $118.8 million criminal penalty and an administrative forfeiture of $103.4 million. Cassin went on to note that the DOJ “will credit up to $55.1 million of the criminal penalty against amounts that SAP pays to resolve an investigation by law enforcement authorities in South Africa for related conduct, and up to the full forfeiture amount against disgorgement that SAP pays to the SEC or South African authorities.”

The SEC Press Release noted that the illegal actions included bribery schemes in the following countries: South Africa, Malawi, Kenya, Tanzania, Ghana, Indonesia, and Azerbaijan. SAP was held liable by the SEC based upon its ownership of American Depositary Shares (ADR), which are listed on the New York Stock Exchange, and for violating the FCPA by employing third-party intermediaries and consultants from at least December 2014 through January 2022 to pay bribes to government officials to obtain business with public sector customers in the seven countries mentioned above. The SEC total fine and penalty was nearly $100 million. This figure represents disgorgement to the SEC of “$85 million plus prejudgment interest of more than $13.4 million, totaling more than $98 million, which will be offset by up to $59 million paid by SAP to the South African government in connection with its parallel investigations into the same conduct.”

What They Said

In a DOJ Press Release, Acting Assistant Attorney General for the Criminal Division, Nicole M. Argentieri said, “SAP paid bribes to officials at state-owned enterprises in South Africa and Indonesia to obtain valuable government business. Today’s resolution—our second coordinated resolution with South African authorities in just over a year—marks an important moment in our ongoing fight against foreign bribery and corruption. We look forward to continuing to strengthen our relationship with South African authorities and others around the world. This case demonstrates not only the critical importance of coordinated international efforts to combat corruption, but also how our corporate enforcement policies incentivize companies to be good corporate citizens, by cooperating with our investigations and appropriately remediating, so that we can take strong action to address misconduct.”

U.S. Attorney Jessica D. Aber for the Eastern District of Virginia also noted, “SAP has accepted responsibility for corrupt practices that hurt honest businesses engaging in global commerce.” She continued, “We will continue to vigorously prosecute bribery cases to protect domestic companies that follow the law while participating in the international marketplace.”

Postal Inspector in Charge of Criminal Investigations Eric Shen noted, “When the mails are used in furtherance of a fraud or corruption scheme, borders are not an obstacle for U.S. Postal Inspectors. Postal inspectors, with our FBI law enforcement partners and Justice Department prosecutors, followed the wide-spread trail of bribes and corruption from South Africa to Indonesia. This joint effort resulted in the defendant company paying a significant criminal penalty and agreeing to long-term remedial measures.”

Assistant Director in Charge of the FBI’s Los Angeles Field Office, Donald Alway, added, “This successful resolution against SAP is another example of the power of relationships and persistence. The sustained diligence by the prosecution team and continuous collaboration with South African law enforcement, regulators, and prosecutors identified corrupt activity in multiple countries. The FBI will continue our nonstop efforts to identify, investigate, and prosecute companies willfully engaging in corrupt activities around the world.”

Finally, Charles E. Cain, Chief of the SEC Division of Enforcement’s FCPA Unit, said in the SEC Press Release, “Our order holds SAP accountable for misconduct that spanned seven jurisdictions and persisted for several years and serves as a stark reminder of the need for global companies to be attuned to both the risks of their business and the need to maintain adequate entity-level controls over all their subsidiaries.”

Order and Information

The SEC Order found that SAP violated the FCPA by employing third-party intermediaries and consultants from at least December 2014 through January 2022 to pay bribes to government officials to obtain business with public sector customers in the seven countries mentioned above. Additionally, “SAP inaccurately recorded the bribes as legitimate business expenses in its books and records, despite the fact that certain of the third-party intermediaries could not show that they provided the services for which they had been contracted.” Finally, “SAP failed to implement sufficient internal accounting controls over the third parties and lacked sufficient entity-level controls over its wholly owned subsidiaries.”

The DOJ Information found that between approximately 2015 and 2018, “SAP, through certain of its agents, engaged in a scheme to bribe Indonesian officials to obtain improper business advantages for SAP in connection with various contracts between and among SAP and Indonesian departments, agencies, and instrumentalities, including the Kementerian Kelautan dan Perikanan (the Indonesian Ministry of Maritime Affairs and Fisheries) and Balai Penyedia dan Pengelola Pembiayaan Telekomunikasi dan Informatika (an Indonesian state-owned and state-controlled Telecommunications and Information Accessibility Agency).”

Given SAP’s prior enforcement history, its recidivist FCPA status, its culture of non-compliance (at the very least), a non-prosecution agreement (NPA) from 2021 with the DOJ’s National Security Division, as well as administrative agreements with the Departments of Commerce and the Treasury relating to export law violations, one might wonder how SAP was able to receive such a superior result. Over the next several blog posts, we will be exploring that issue as well as a host of others for the compliance professional. I hope you will join me over the next few blog posts.

Categories
10 For 10

10 For 10: Top Compliance Stories For The Week Ending January 13, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for compliance professionals, all curated by the Voice of Compliance, Tom Fox. Get your weekly fill of compliance stories with 10 For 10, a podcast produced by the Compliance Podcast Network.

  1. Trump took payments from China as president. (WaPo)
  2. Clyde & Co. was fined for breaching AML. (Reuters)
  3. The world’s top 3 trading companies allegedly paid bribes. (Bloomberg)
  4. SAP has yet another FCPA enforcement action. (FCPA Blog)
  5. Boeing CEO says ‘this can never happen again’ (yet again). (Reuters)
  6. Gold bars are a sign of a statesman—Bob Menendez. (NYT)
  7. When de-risking leads to more risks, or at least newer risks. (WSJ)
  8. Boeing is facing more fallout over the 737 MAX. (WaPo)
  9. China ABC campaign to go after ‘ants and flies.’ (CNN)
  10. Singapore completes a corruption probe. (Bloomberg)

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day here.


Categories
FCPA Compliance Report

FCPA Compliance Report – Frank Orlowski on Navigating Challenges in Operating in Emerging Markets

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Frank Orlowski.

Frank Orlowski is a seasoned professional with a wealth of experience in managing emerging markets in the pharmaceutical industry, having spent over 25 years at Pfizer Pharmaceuticals. His extensive knowledge, particularly in South America, Middle East Asia, and Eastern Europe, where he faced difficulties in compliance, controls, and adhering to US accounting regulations, has shaped his perspective on managing emerging markets. Orlowski emphasizes the importance of understanding different cultures, regulations, and geopolitical issues when working in these markets. After retiring from Pfizer, he founded the Ation Advisory Group, where he leverages his expertise to assist companies in commercializing products in the life science industry. Join Tom Fox and Frank Orlowski on this episode of the FCPA Compliance Report podcast to gain more insights into managing emerging markets in the pharmaceutical industry.

Key Highlights:

  • Frank Orlowski’s Global Financial Expertise
  • Navigating Unique Obstacles in Emerging Markets
  • Navigating Cultural Differences in Emerging Market Compliance
  • Creative Employee Rewards and Engagement Strategies
  • Enhancing Healthcare Through Medtech Innovations
  • The Integrated Legal Division at Pfizer

Resources:

Frank Orlowski on LinkedIn


Categories
Compliance Into the Weeds

Compliance Into The Weeds: Congress Fills a Gap – FEPA

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the Foreign Extortion Prevention Act (FEPA), a groundbreaking law that aims to combat corruption by criminalizing foreign government officials who solicit or accept bribes from US entities.

This law complements the Foreign Corrupt Practices Act (FCPA), which penalizes companies for offering bribes, and introduces new challenges and implications for anti-corruption measures. Tom views FEPA as a long-overdue measure that fills a gap in anti-corruption efforts. He agrees with Matt, who emphasizes that FEPA addresses a long-standing concern of anti-corruption advocates. Both Fox and Kelly anticipate further guidance from the Department of Justice on how this new law will interact with existing measures under the FCPA. Join Tom Fox and Matt Kelly as they delve deeper into this topic in the latest episode of the Compliance into the Weeds podcast.

Key Highlights:

  • Combating Foreign Corruption: FEPA’s Powerful Impact
  • Implications of FEPA Cooperation on FCPA Prosecution
  • Extradition Challenges in FEPA Corruption Cases
  • The Impact of the Name and Shame List

Resources:

Matt Kelly on LinkedIn


Categories
Blog

Congress Fills a Corruption Hole: The Foreign Extortion Prevention Act (FEPA)

The compliance community has long recognized the gaping hole in the Foreign Corrupt Practices Act (FCPA). As a supply-side law, it criminalizes the payment of bribes, not the demand to pay a bribe or extortion. The gap was recently filled by the Foreign Extortion Prevention Act (FEPA), which extends crucial protections to Americans working abroad and provides the Department of Justice (DOJ) with a potent new tool. By criminalizing both the giving and demanding of foreign bribes, FEPA seeks to level the playing field for American workers while fostering ethical business practices globally. FEPA represents a promising solution to protect Americans working overseas, promote fair business competition, and combat corruption on a global scale. With its potential to bring about meaningful change, FEPA is a vital step in safeguarding American values and interests in the international arena. Sam Rubenfeld cited Scott Greytak, the director of advocacy for Transparency International US, for the following: “FEPA is a landmark, bipartisan law that holds the potential to help root out foreign corruption at its source. It is arguably the most sweeping and consequential foreign bribery law in nearly half a century.”

This legislation fills a significant gap in anti-corruption measures and raises important questions about its implications for the enforcement of the Foreign Corrupt Practices Act (FCPA) and the cooperation expected from companies involved in bribery schemes. FEPA, part of the National Defense Authorization Act (NDAA), addresses a long-standing concern among anti-corruption advocates. While the FCPA has been effective in penalizing US companies for offering bribes to foreign officials, there has been a lack of legal mechanisms to hold foreign government officials accountable for accepting these bribes. FEPA now provides prosecutors with the means to pursue such officials.

One of the key aspects of FEPA is that it criminalizes the solicitation or acceptance of bribes by foreign government officials from US entities. This complements the FCPA, which focuses on the offering of bribes by US companies. By targeting both sides of the bribery equation, FEPA aims to create a more comprehensive and effective framework for combating corruption.

However, the implementation of FEPA is not without its challenges. One of the main challenges is the extradition of foreign officials for prosecution, particularly from countries like Russia or China. Extradition processes can be complex and time-consuming, and cooperation from foreign governments may not always be forthcoming. This poses a significant hurdle in holding foreign officials accountable under FEPA.

Another notable feature of FEPA is the introduction of a “name and shame” list. This list is intended to publicly identify and shame foreign government officials involved in bribery schemes. While this may serve as a deterrent, it could also have unintended consequences. For instance, it may impact Transparency International’s corruption perception indexes, potentially affecting the rankings of countries and their relations with the US. Additionally, it could have implications for US companies operating in those countries, potentially straining foreign relations.

The passage of FEPA raises important considerations for compliance officers and companies. They need to assess how this new law may impact their existing controls and policies. The arrival of FEPA as a tool to combat corruption is undoubtedly a positive development. However, it is crucial to carefully evaluate the potential implications for FCPA prosecutions and the cooperation expected from companies involved in bribery cases.

Compliance officers should also consider the potential changes in the calculus for prosecutors. With FEPA in place, prosecutors may now have the legal means to pursue foreign government officials complicit in bribery schemes. This raises questions about the extent to which companies will be required to assist the DOJ in pursuing FEPA cases alongside FCPA cases. Companies may need to provide testimony and cooperate in the prosecution of foreign officials, potentially impacting the resolution of FCPA violations.

Looking ahead, it is essential for the DOJ to provide clarity on how FEPA will be utilized and what expectations companies should have when caught up in FEPA-related investigations. Transparency and guidance from the Department of Justice will help companies navigate the potential challenges and ensure compliance with the law.

The bottom line is that FEPA represents a significant step in the fight against corruption. By criminalizing the solicitation or acceptance of bribes by foreign government officials from US entities, FEPA fills a crucial gap in anti-corruption measures. However, challenges remain in extraditing foreign officials for prosecution and managing the potential consequences of the “name and shame” list. Compliance officers and companies must carefully consider the implications of FEPA on their operations and update their controls and policies accordingly. With proper guidance and cooperation, FEPA can be a powerful tool in combating corruption and promoting ethical business practices.

Penalties under FEPA include (from Transparency International):

  1. Expanding Legal Protections: FEPA amends U.S. bribery law (18 U.S.C. § 201) to make it illegal for foreign officials to corruptly demand, seek, receive, or accept bribes under two crucial circumstances:
     • From U.S. individuals or companies.
     • From any person while within the United States, in connection with obtaining or retaining business.
  2. Stringent Penalties: Those found guilty of violating FEPA could face severe consequences, including:
     • Criminal fines of up to $250,000 or three times the value of the bribe, whichever is greater.
     • Prison sentences of up to 15 years.
  3. Transparency and Accountability: FEPA introduces a vital accountability mechanism by requiring the DOJ to publish an annual report. It will include the following:
     • It examines the scale and nature of foreign bribe demands against American companies, shedding light on the extent of the issue.
     • It evaluates the effectiveness of U.S. diplomatic efforts aimed at safeguarding American businesses from foreign bribe demands.
     • It assesses the efforts of foreign governments to prosecute individuals involved in corrupt practices against American interests.

Matt Kelly and I take a deep dive into FEPA on this week’s Compliance into the Weeds. To listen, click here.

Categories
Blog

The DOJ on the Need for Compliance Program Data Analytics

The Department of Justice (DOJ) is increasingly utilizing data analytics for proactive enforcement, signaling a significant shift in their approach to combating white-collar crime. This move reflects the recognition of data analytics as a crucial component of compliance programs, extending beyond historical reporting to transactional details and third-party interactions.

Recently, Acting Principal Deputy Assistant Attorney General Nicole M. Argentieri delivered remarks at the 39th International Conference on the Foreign Corrupt Practices Act (FCPA). She stated, “the Criminal Division has long been an innovator in using data to enhance its investigations and prosecutions. I am proud to announce that we are taking that experience and expertise with data analysis and applying these tools to our FCPA investigations. Through investments in personnel, we have improved our ability to harness and analyze available data — both public and non-public — to identify potential wrongdoing involving foreign corruption. This approach has already generated successful FCPA investigations and prosecutions.”

In this week’s episode of “Data Driven Compliance,” host Tom Fox and Vince Walden discussed the importance of data analytics in the DOJ’s enforcement efforts. Matt Galvin, an expert leading the DOJ’s data analytics initiative, highlighted the proactive use of data to generate cases related to the FCPA and emphasized that this is just the beginning.

The DOJ expects companies to adopt a similar data-driven approach to compliance. Vince Walden cited the Argentieri speech, where she stated, “just as we are upping our game when it comes to data analytics, we expect companies to do the same.” This expectation extends beyond simply tracking trainings, policies, and investigations. The DOJ’s focus is on monitoring third parties throughout the lifespan of the relationship, not just during the onboarding process.

Walden emphasized that while due diligence and background checks are essential, the real risk of fraud occurs during the actual business transactions with third parties. Therefore, companies need to go beyond initial checks and continuously monitor high-risk vendors, contract terms, and other relevant data sources. By mapping risks to data sources and implementing effective tests, companies can identify and prioritize risky transactions.

The increasing accessibility and cost-effectiveness of data analytics have made it a viable option for companies of all sizes. It can help companies demonstrate effective compliance programs, uncover hidden financial irregularities, and improve overall efficiency. The importance of continuous data analysis in compliance programs was highlighted by the Bank of America enforcement action by the Consumer Financial Protection Bureau (CFPB).

The DOJ’s use of data analytics is not limited to public data available from public companies. They are also leveraging private information, which could potentially include information obtained during investigations within specific industries. The DOJ has made significant investments in technology and resources to enhance their enforcement capabilities, taking inspiration from techniques used in the healthcare division to combat fraud.

However, implementing a data-driven compliance program comes with its own set of challenges. There is still confusion among the compliance community regarding what data analytics entails and how it should be applied. Walden stressed the need for a process-oriented approach rather than treating it as a one-time project. Data analytics should be integrated into the compliance program as a continuous business process, similar to third-party due diligence.

The DOJ’s increasing use of data analytics for proactive enforcement has far-reaching implications. Companies must recognize the importance of adopting a data-driven approach to compliance and invest in the necessary resources and technology. By doing so, they can not only meet the DOJ’s expectations but also improve the effectiveness of their compliance programs and mitigate the risk of fraud.

The DOJ’s increasing use of data analytics for proactive enforcement signifies a significant shift in their approach to combating white-collar crime. Companies must embrace this data-driven approach to compliance, continuously monitor high-risk transactions, and invest in the necessary resources and technology. By doing so, they can demonstrate effective compliance programs, uncover hidden financial irregularities, and improve overall efficiency.

For the full podcast episode, click here.