Tag: FCPA

Categories
Compliance Into the Weeds

The Oracle FCPA Enforcement Action

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we look at the recently announced SEC Foreign Corrupt Practices Act enforcement action involving Oracle. Highlights include:

  1. Recidivist behavior in some countries with similar schemes.
  2. Policy, procedure, and internal controls failures.
  3. Why no monitor.
  4. Compliance programs lessons learned.
  5. What about the DOJ?

 Resources

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog

  1. Background
  2. The Schemes in Action
  3. Parking in India
  4. The Comeback and DOJ
  5. What it all means
Categories
Blog

Oracle: FCPA Recidivist Part 3 – Parking in India

This week we are exploring the 2022 Foreign Corrupt Practices Act (FCPA) enforcement action brought by the Securities and Exchange Commission (SEC) involving Oracle Corporation. As we have noted, Oracle is now a recidivist FCPA violator, having been involved with a similar enforcement action back in 2012. I thought it would instructive to review that prior enforcement action to see what the bribery schemes were, if Oracle lived up to the remediation steps it took in 2012 and what it might all mean for the 2022 enforcement action.

According to the 2012 Complaint, the scheme worked as follows: Oracle India would identify and work with the end user customers in selling products and services to them and negotiating the final price. However, the purchase order would be placed by the customer with Oracle India’s distributor. This distributor would then purchase the licenses and services directly from Oracle, and resell them to the customer at the higher price than had been negotiated by Oracle India. The difference between what the government end user paid the distributor and what the distributor paid Oracle typically is referred to as “margin” which the distributor generally retains as payment for its services. That description sounds like most distributor relationships but this was not what got Oracle into trouble.

The Bribery Scheme

As further specified in the 2012 Compliant, “certain Oracle India employees created extra margins between the end user and distributor price and directed the distributors to hold the extra margin inside funds. Oracle India’s employees made these margins large enough to ensure a side fund existed to pay third parties. At the direction of the Oracle India employees, the distributor then made payments out of the side funds to third parties, purportedly for marketing and development expenses.” The 2012 Compliant noted, “about $2.2 million in funds were improperly “parked” with the Company’s distributors.” To compound this problem, employees of Oracle India concealed the existence of this side fund from Oracle in the US and hence there was an incorrect accounting in Oracle’s books and records.

The 2012 Complaint further noted, “Oracle India’s parked funds created a risk that they potentially could be used for illicit means, such as bribery or embezzlement” and then went on to highlight such an instance which occurred in May 2006, where Oracle India secured a $3.9 million deal with India’s Ministry of Information Technology and Communications. Oracle’s distributor accepted payment from the end user for the full $3.9 million. Under the direction of Oracle India’s then Sales Director, the distributor sent approximately $2.1 million to Oracle, which Oracle booked as revenue on the transaction. Oracle India employees then directed the distributor to keep approximately $151,000 as payment for the distributor’s services. The Oracle India employees further instructed the distributor to “park” the remaining approximately $1.7 million to be used for disbursement towards “marketing development purposes.” Some two months later, an Oracle India employee provided the distributor with eight invoices for payments to third party vendors, in amounts ranging from approximately $110,000 to $396,000. These invoices were later determined to be false. Further, none of these third parties, which were just storefronts and provided no services on the deal, were on Oracle’s approved vendor list.

Failure of Internal Audit

All of the above were in violation of Oracle’s internal policies, however the 2012 Compliant specified that “Oracle lacked the proper controls to prevent its employees at Oracle India from creating and misusing the parked funds” and prior to 2009 “the Company failed to audit and compare the distributor’s margin against the end user price to ensure excess margins were not being built into the pricing structure.” Oracle failed to either (1) seek transparency in its dealing with the distributor and (2) audit third party payments made by the distributors on Oracle’s behalf” both of which would have enabled the Company to check that payments were made to appropriate recipients. Indeed, the scheme only came to Oracle’s attention during an unrelated “local tax inquiry to Oracle’s India distributor”. This sounds reminiscent of HP Germany where a routine Bavarian Provincial tax audit picked up the suspicious payments which lead to a FCPA investigation.

2012 Remedial Steps

However, even with the above listed failures of Oracle’s compliance program, the Company did take Maxim Three of McNulty’s Maxim’s to heart: What did you do to remedy it? The 2012 Complaint indicated that the person in charge of supply chain at the Indian subsidiary resigned and left the company. An internal investigation was undertaken and four employees of the Indian subsidiary who had actual knowledge of the scheme were terminated. Additionally, “Oracle took other remedial measures to address the risk and controls related to parked funds, including: conducting additional due diligence in its partner transactions in India so that Oracle had greater transparency into end user pricing in government contracts; terminating its relationship with the distributor involved in the transactions at issue; directing its distributors not to allow the creation of side funds; requiring additional representations and warranties from distributors to include the fact that no side funds exist; and enhancing training for its partners and employees to address anti-corruption policies.”

So, what exactly did “directing its distributors not to allow the creation of side funds; requiring additional representations and warranties from distributors to include the fact that no side funds exist; and enhancing training for its partners and employees to address anti-corruption policies” entail for Oracle employees and business operations going forward, leading to the 2022 enforcement action? Since the events leading to the 2012 enforcement action were centered in India, one might reasonably assume that Oracle would prioritize all of these remedial steps in India and add more focused monitoring in India to make sure the remediate steps were implemented and followed. In the case of Oracle India, apparently not.

Join me tomorrow where we explore the comeback by Oracle leading to the 2022 enforcement action and explore questions related to the Department of Justice (DOJ) and where they may stand on the Oracle matter.

Categories
Blog

Oracle: FCPA Recidivist Part 2 – Schemes in Action

Oracle Corporation now joins the ignominious group of Foreign Corrupt Practices Act (FCPA) recidivists. Last week, in a Press Release, the Securities and Exchange Commission (SEC) announced an enforcement action which required Oracle to pay more than $23 million to resolve charges that it violated the FCPA when “subsidiaries in Turkey, the United Arab Emirates (UAE), and India created and used slush funds to bribe foreign officials in return for business between 2014 and 2019.” The recidivist label comes from the sad fact that the SEC sanctioned Oracle in connection with the creation of slush funds.

In 2012, Oracle resolved charges relating to the creation of millions of dollars of side funds by Oracle India, which created the risk that those funds could be used for illicit purposes. This means we have a company using the same scheme, in the same country only two years after the resolution of another FCPA violation. Yesterday, I laid out the broad parameters of the bribery schemes so that compliance professionals could study them in detail to determine if they need to review their programs. Today, we consider the schemes as they were used in the three countries identified in the SEC Order as Turkey, UAE and India.

Turkey

According to the SEC Order, there were three types of bribery schemes in Turkey; the VAD Accounts, the 112 Project and the SSI Deals. Under the VAD Accounts, as discussed yesterday, “Oracle Turkey employees routinely used the slush funds to pay for the travel and accommodation expenses of end-user customers, including foreign officials, to attend annual technology conferences in Turkey and the United States, including Oracle’s own annual technology conference.” These slush funds “were also used to pay for the travel and accommodation expenses of foreign officials’ spouses and children, as well as for side trips to Los Angeles and Napa Valley.”

All of this means that Oracle Turkey was not only engaging in bribery and corruption during the time from the 2012 enforcement action, but carried it on for seven years after the conclusion of the 2012 enforcement action. It was also done with the full knowledge and support of the Turkey country manager. Finally, since at least 2007, it was well known that payment for the travel and accommodation expenses of foreign officials’ spouses and children, as well as payment for side trips made by foreign officials was clear FCPA violation.

112 Project involved an attempt by Oracle Turkey to win a lucrative contract with Turkey’s Ministry of Interior (“MOI”) related to the ongoing creation of an emergency call system for Turkish citizens, the “112 Project”; hence the internal Oracle terminology. 112 Project was designed to appear as a business trip to Oracle’s home office (then in California) related to Oracle’s bid on the project. However, it turned out the trip was a sham to hide boondoggle travel for four MOI officials. The alleged business meeting at the corporate headquarters lasted only 15 minutes and for the rest of the week, the Turkey Sales Representative entertained the MOI officials in Los Angeles and Napa Valley and then took them to a “theme park” (I wonder what ‘theme park’ there could be in the greater Los Angeles area?) Once again, this type of sham travel has long been identified as FCPA violative.

Finally, there were the SSI Deals. These involved the same Turkish Sales Representative as in 112 Project and directed cash bribes to officials at Turkey’s Social Security Institute (“SSI”). This corrupt sales representative had the temerity to maintain a spreadsheet tracking how much potential margin he could create from a discount request six months before he finalized a deal with the SSI in 2016. To fund the bribe payments, he used the VAR Program we previously detailed which claimed a discount was needed to beat the competition. However, the bid was a sole source bid limited to Oracle products.

In another corrupt transaction, once again the same Turkey Sales Representative used another VAR to create a slush fund for SSI officials related to a database infrastructure order. His spreadsheet showed an excessive margin of approximately $1.1 million, only a portion of which was used to purchase legitimate products such as software licenses.

UAE

Using the rather amazing code name of ‘Wallets”, Oracle UAE employees paid for the travel and accommodation expenses of end customers, including foreign officials, to attend Oracle’s annual technology conference in violation of Oracle’s internal policies. As noted in the Order, in 2018 and 2019, an Oracle UAE sales account manager paid approximately $130,000 in bribes to the State-Owned Enterprise’s (SOE) Chief Technology Officer (CTO) to obtain six different contracts over this period. The first three bribes were funded “through an excessive discount and paid through another entity (“UAE Entity”) that was not an Oracle approved VAR for public sector transactions and whose sole purpose was to make the bribe payments. For the final three deals, the UAE Entity was the actual entity that contracted with the UAE SOE despite the fact that Oracle’s deal documents represented an Oracle approved partner as the VAR for the deal.”

India

In perhaps the most incredulous scheme, Oracle India sales employees used an excessive discount scheme for a transaction which was owned by the Indian Ministry of Railways. Oracle India claimed a discount was needed based on competition but “the Indian SOE’s publicly available procurement website indicated that Oracle India faced no competition because it had mandated the use of Oracle products for the project.” Once again, a spreadsheet was made that indicated $67,000 was the “buffer” available to potentially make payments to a specific SOE official. A total of approximately $330,000 was made available for payments and another $62,000 was paid to an entity controlled by the sales employees responsible for the transaction.

Please join me tomorrow where I look back at the 2012 Oracle FCPA enforcement action to see what, if anything, Oracle learned from that sordid tale.

Categories
FCPA Compliance Report

Mike Huneke on The General Counsel Role in CCO Certification

In this episode, I visit Mike Huneke, a partner at Hughes Hubbard. We look at the role of the GC in the CCO certification requirement as first announced by Assistant Attorney General Kenneth Polite and confirmed by Deputy Attorney General Lisa Monaco.

Key areas we discuss on this podcast are:

  • What is the new CCO certification policy?
  • Why did the DOJ create the policy?
  • How has the DOJ’s thinking around recidivists evolved?
  • Reasonableness is not a factual basis.
  • Companies with full transparency are unlikely to have conflicts due to the recent changes in CCO certification.
  • What is the role of the monitor going forward?

Resources

Mike Huneke on Hughes Hubbard

What is the General Counsel’s role in CEO and CCO compliance certifications? On the FCPA Blog

Categories
Blog

Oracle: FCPA Recidivist Part 1 – Background

Oracle Corporation now joins the ignominious group of Foreign Corrupt Practices Act (FCPA) recidivists. Last week, in a Press Release, the Securities and Exchange Commission (SEC) announced an enforcement action which required Oracle to pay more than $23 million to resolve charges that it violated the FCPA when “subsidiaries in Turkey, the United Arab Emirates (UAE), and India created and used slush funds to bribe foreign officials in return for business between 2016 and 2019.” The recidivist label comes from the sad fact that the SEC “sanctioned Oracle in connection with the creation of slush funds. In 2012, Oracle resolved charges relating to the creation of millions of dollars of side funds by Oracle India, which created the risk that those funds could be used for illicit purposes.”

 As reported in the FCPA Blog, Oracle is now one of 15 FCPA recidivists out of a total of 246 FCPA enforcement cases. This gives a recidivism rate of 6.1%. Clearly recidivism is also on the mind of the Department of Justice (DOJ) in the announcement of the Monaco Doctrine and release of the Monaco Memo. Given the overall tenor of the Oracle SEC Order, it is not clear if the SEC has the same level of concern as the DOJ on repeat offenders.

According to the Order, from at least 2014 through 2019, “employees of Oracle subsidiaries based in India, Turkey, and the United Arab Emirates (collectively, the “Subsidiaries”) used discount schemes and sham marketing reimbursement payments to finance slush funds held at Oracle’s channel partners in those markets. The slush funds were used both to (i) bribe foreign officials, and/or (ii) provide other benefits such as paying for foreign officials to attend technology conferences around the world in violation of Oracle’s internal policies.” I guess those employees at the subsidiaries, and specifically those in India, did not receive the Memo about Oracle’s 2012 FCPA settlement, where they promised to institute a series of internal controls to clean up the problem.

During the period in question, Oracle used two sales models, direct and indirect. Under the direct model, Oracle transacted directly with customers who paid Oracle directly. Under the indirect method, Oracle transacted through various types of third parties including straight distributor models, value added distributors (VADs) and value added resellers (VARs). While Oracle used the indirect sales model for a variety of legitimate business reasons, such as local law requirements or to satisfy payment terms, it recognized since at least 2012 that the indirect model also presented certain risks of abuse – including the creation of improper slush funds.

Learning one lesson from the 2012 enforcement action, “Oracle utilized a global on-boarding and due diligence process for these channel partners that Oracle implemented at the regional and country levels. Oracle only permitted its subsidiaries to work with VADs or VARs who were accepted to its Oracle Partner Network (“OPN”). Similarly, Oracle prohibited its subsidiaries from conducting business with companies removed from the OPN.”

Distributor Discounts

According to its policies regarding distributors, a valid and  legitimate business reason was required to provide a discount to a distributor. Oracle used a three-tier system for approving discount requests above designated amounts, depending on the product. In the first level, Oracle at times allowed subsidiary employees to obtain approval from an approver in a subsidiary other than that of the employee seeking the discount. At the next level and for higher level of discounts, Oracle required the subsidiary employee to obtain approval from Oracle corporate headquarters. The final level was a committee which had to approve the highest levels of discount.

The weakness in the Oracle distributor discount policy was that “while Oracle policy mandated that all discount requests be supported by accurate information and Oracle reviewers could request documentary support, Oracle policy did not require documentary support for the requested discounts – even at the highest level.” The standard requests for discounts were those previously seen in the Microsoft FCPA enforcement action, including “budgetary caps at end customers or competition from other original equipment manufacturers.” As the Order noted, “Oracle Subsidiary employees were able to implement a scheme whereby larger discounts than required for legitimate business reasons were used in order to create slush funds with complicit VADs or VARs.” Naturally it allowed distributors which “profited from the scheme by keeping a portion of the excess deal margin” to create a pot of money to pay a bribe.

Marketing Reimbursements

Distributor policies also allowed Oracle sales employees at the Subsidiaries to “request purchase orders meant to reimburse VADs and VARs for certain expenses associated with marketing Oracle’s products.” Once again there was a multi-pronged approval process in place. For marketing reimbursements “under $5,000, first-level supervisors at the Subsidiaries could approve the purchase order requests without any corroborating documentation indicating that the marketing activity actually took place.” Above this $5,000 threshold, additional approvals were required with additional requirements for business justification and documentation.

With these clear and glaring internal control gaps, you can see where it all went wrong for Oracle, the Order noted that “Oracle Turkey sales employees opened purchase orders totaling approximately $115,200 to VADs and VARs in 2018 that were ostensibly for marketing purposes and were individually under this $5,000 threshold.” Yet even when the $5,000 threshold was breached and supervisory approval was required in Turkey and the UAE, “The direct supervisors of these sales employees, who were complicit in the scheme, approved the fraudulent requests.” It is not clear if Oracle compliance had visibility into marketing reimbursement protocols. Of course, the “Oracle subsidiary employees in Turkey and the United Arab Emirates requested sham marketing reimbursements to VADs and VARs as a way to increase the amount of money available in the slush funds held at certain channel partners.” These slush funds were then used to pay bribes.

Please join me tomorrow where I look at the bribery schemes in action and how Oracle was able to obtain such an outstanding resolution and their extensive and aggressive remedial actions.

Categories
Corruption, Crime and Compliance

Episode 248 – Deep Dive into the GOL Brazil FCPA Settlement

The Department of Justice and the Securities and Exchange Commission reached a $41 million settlement with GOL Linhas Aéreas Inteligentes S.A. (“GOL”) to resolve criminal and civil foreign bribery charges. GOL entered into a three-year deferred prosecution agreement (“DPA”) with the DOJ in exchange for payment of a $17 million criminal penalty. DOJ credited $1.7 million of that penalty against a $3.4 million fine that GOL agreed to pay law enforcement authorities in Brazil to resolve charges in Brazil. In a separate resolution, GOL agreed to pay the SEC $24.5 million over two years. The SEC’s initial settlement calculation was for $70 million, but it was reduced to $24.5 million based on GOL’s financial condition. Michael Volkov reviews the DOJ and SEC FCPA settlement actions in this episode.

Categories
FCPA Compliance Report

The EC Gang on the Monaco Doctrine

In this special 5 part podcast series, I am deeply diving into the Monaco Memo and analyzing it from various angles. In this episode of the FCPA Compliance Report, we have the Award-Winning Everything Compliance quartet of Jonathan Marks, Jonathan Armstrong, Karen Woody, and Tom Fox on the Monaco Memo.

1. Tom Fox looks at the Monaco Memo through the monitorship language and answers a listener’s questions about compliance programs under the Monaco Memo.

2. Karen Woody reviews the Monaco Memo, the self-disclosure angle, and investigatory considerations and ponders the role of defense counsel going forward.

3. Jonathan Marks also looks at investigatory issues under the Monaco Memo, the role of the Board of Directors, and the role of the forensic auditor under the Monaco Memo.

4. Jonathan Armstrong’s self-disclosure from a UK angle joins Karen Woody in questioning how defense counsel should move forward.

Resources

Tom 5-Part blog post series in the FCPA Compliance and Ethics Blog

1.     A Jolt for Compliance

2.     Timely Self-Disclosure

3.     Corporate Compliance Programs

4.     Monitors

5.     The Heat is On

Monaco Memo

Categories
FCPA Compliance Report

Laura Perkins on the Monaco Memo

In this special 5 part podcast series, I am deeply diving into the Monaco Memo and analyzing it from various angles. In this episode of the FCPA Compliance Report, I am joined by Hughes Hubbard partner Laura Perkins to take a deep dive into the Monaco Memo. Some of the highlights include:

  1. Determination of Monitor Need.
  2. Roadmap to proa-active compliance.
  3. Timely self-disclosure as criteria for monitorship?
  4. Monitor selection criteria.
  5. Monitor review and oversight.

 Resources

Laura Perkins on HughesHubbard.com

Tom 5-Part blog post series in the FCPA Compliance and Ethics Blog

  1. A Jolt for Compliance
  2. Timely Self-Disclosure
  3. Corporate Compliance Programs
  4. Monitors
  5. Polite Speech

Monaco Memo

Categories
Everything Compliance

Episode 105 – the Monaco Memo and Antitrust in the EU

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In 2021, Everything Compliance was honored by W3 as a top talk show in podcasting. In this episode, we have the quartet of Jonathan Marks, Jonathan Armstrong, Karen Woody, and Tom Fox on the Monaco Memo and antitrust enforcement going forward in Europe. We conclude with our fan Shout Outs and Rants section.

  1. Tom Fox looks at the Monaco Memo through the monitorship language and answers a listener’s questions about compliance programs under the Monaco Memo. He shouts out to Aaron Judge, who has a year for the ages.
  2. Karen Woody reviews the Monaco Memo, the self-disclosure angle, and investigatory considerations and ponders the role of defense counsel going forward. She shouts out to the HBO film Elvis and the movie portrayal of Presley.
  3. Jonathan Marks also looks at the Monaco Memo’s investigatory issues, the Board of Directors’ role, and the forensic auditor’s role under the Monaco Memo. He rants about compliance professionals and fraud examiners who have no idea what internal control is.
  4. Jonathan Armstrong looks at the EU communications around Facebook and antitrust enforcement and how things may change dramatically. He shouts out to King Charles III, who had a 70-year apprenticeship as the Heir Apparent to the British throne.

The members of Everything Compliance are:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com.
  • Jonathan Armstrong is our UK colleague, an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com.
  • Jonathan Marks is Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at marks@bakertilly.com.

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
FCPA Compliance Report

Matt Kelly on the Monaco Memo

In this special 5 part podcast series, I am deeply diving into the Monaco Memo and analyzing it from various angles. In this episode of the FCPA Compliance Report, I am joined by my Compliance into the Weeds co-host Matt Kelly for a deep dive into the weeds of the Monaco Memo. Some of the highlights include:

  1. Corporate accountability.
  2. Timeliness in turning over evidence of wrongdoing.
  3. Baby Carrots in evaluating the corporate history of misconduct.
  4. Additions to Evaluation of Corporate Compliance Programs.
  5. Tweaks to the Yates Memo formulation.
  6. Monitors and Monitorships.

 Resources

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog

  1. Introduction
  2. Self-Disclosure
  3. Corporate Compliance Programs
  4. Monitors
  5. What it all means

Monaco Memo