Categories
Corruption, Crime and Compliance

A Deep Dive into the Oracle FCPA SEC Settlement

Oracle Corporation settled its second FCPA case in ten years. It agreed to pay the SEC $23 million to resolve allegations that its subsidiaries in Turkey, India and the United Arab Emirates maintained slush funds to bribe foreign officials. Ten years ago in 2012, Oracle paid the SEC $2 million for creating millions of dollars in off-the-books accounts at its India subsidiary. Join Michael Volkov as he takes a deep dive in the Oracle case and provides valuable lessons for managing third-party corruption risks.

  • In the SEC’s mind, Oracle is a recidivist, having its second enforcement action case in 10 years.
  • The settlement for $23 million underscored the power of the FCPA provisions, which mandate effective internal controls and accurate books and records, and can be applied to a wide range of conduct beyond foreign bribery, Michael remarks. 
  • The controls that Oracle put in place to prevent improper use of discounts and marketing reimbursements were not effective because there was a lack of compliance culture within the business.
  • The Oracle case is one that should be studied by compliance professionals, Michael believes. It reminds you to look at your own controls that surround discounting and ensure that the necessary documentation is carried out. “No matter what controls you have in place, they still have to be adhered to with a true culture of compliance underneath it as a foundation,” he adds.

 

Resources

SEC Oracle Case

Email Michael: mvolkov@volkovlaw.com

Categories
Blog

Oracle: FCPA Recidivist Part 5 – What Does It All Mean?

In this post, we conclude our exploration of the Foreign Corrupt Practices Act (FCPA) enforcement action involving the now recidivist Oracle Corporation. This enforcement action was concluded with the Securities and Exchange Commission (SEC) resulting in an Order. After having examined the background facts and bribery schemes in some details, we turn to what does it all mean for FCPA enforcement going forward and what lessons can the compliance profession draw from Oracle’s missteps.

Paper Programs Fail

One of the most prominent lessons to be garnered from this matter is that paper compliance programs Do Not Work. That may sound like perhaps the most basic truism in all of compliance but here we are in 2022, looking at a major multinational organization which had a ‘check-the-box’ compliance program around distributors and it eventually bit them in the backside.

After having its first FCPA enforcement action in 2012 involving distributors in India, where deep and unwarranted discounts were used to create a pot of slush funds to pay bribes, Oracle instituted a requirement for a ‘second set of eyes’ outside the business unit for unusual or excessive discounts. According to its policies regarding distributors, a valid and legitimate business reason was required to provide a discount to a distributor. Oracle used a three-tier system for approving discount requests above designated amounts, depending on the product. In the first level, Oracle at times allowed subsidiary employees to obtain approval from an approver in a subsidiary other than that of the employee seeking the discount. At the next level and for higher level of discounts, Oracle required the subsidiary employee to obtain approval from another geographic region and the final level (and for the highest discounts) was from someone at the Oracle corporate headquarters. So far so good.

The problem was there was no requirement for evidence of a business justification to support the requested discount. The Order noted, “Oracle reviewers could request documentary support, Oracle policy did not require documentary support for the requested discounts – even at the highest level.” A statement of why you need a discount without any supporting documents as evidence is simply that – a statement. In other words, there was no way for a higher-level approver to determine if such a request was valid or fraudulent. Ronald Reagan was on to a basic compliance concept when he intoned “Trust, but verify.” Those words still ring true as a basic requirement in any compliance program.

Data Analytics

The Oracle enforcement action emphasized why data analytics is mandatory for any current compliance program. In addition to creating slush funds through discounts to distributors, slush funds were created through fraudulent reimbursement requests for expenses associated with marketing Oracle’s products. If the request were under $5,000, business unit level supervisors at the subsidiaries could approve them without any corroborating documentation indicating that the marketing activity actually took place. In one example from the Order, it noted that an Oracle Turkey sales employees obtained such fraudulent reimbursements totaling approximately $115,200 in 2018 that were “ostensibly for marketing purposes and were individually under this $5,000 threshold.” There was apparently no one looking to see who and how often these reimbursement requests were made by any single employee or approved by any supervisor.

This is as basic a fraud scheme as one can imagine. Think of employee gift, travel and entertainment (GTE) reimbursement where anything over $100 must be preapproved. One BD type or one business unit routinely submits requests after purchases of $99.99 so no preapproval is required. The supervisor approves it, and it is automatically paid to the employee. One reimbursement at $99.99 may not raise a red flag but multiple requests should. The same concept holds true in this situation. However, no one at Oracle was looking at this bigger picture. This is where a data analytics program would pick up such anomalies and flag it for closer inspection and investigation. Oracle appears to have realized this through part of its remediation which included the implementation of a compliance data analytics program moving to proactive auditing.

Internal Control Upgrades

Putting in compliance enhancements to remediate your control failures is a key part to any FCPA enforcement resolution. In this area, there were improvements in the following capacities: (a) in distributor discounting by improving aspects of the Oracle discount approval process and increasing transparency in the product discounting process through the implementation and expansion of transactional controls; (b) in the Oracle procurement process through the increased oversight of, and controls on, the purchase requisition approval process; (c) by the removal of perverse incentives by limiting financial motivations and business courtesies available to third parties; (d) in basic gifts, travel and entertainment policies (GTE) by improving its customer registration and payment checking processes in connection with Oracle technology conferences.

Basic GTE

I cannot believe that in 2022 we are talking about companies that still do not have the most basic GTE policies in force. Since at least 2007, the Department of Justice (DOJ) made clear what was appropriate in business travel, business courtesies and business entertainment. Oracle’s 112 Project decidedly was not as it was designed to appear as a business trip to Oracle’s home office (then in California) related to Oracle’s bid on a project. However, the trip was designed to be a sham to hide boondoggle travel for four government officials. The alleged business meeting at the corporate headquarters lasted only 15 minutes and for the rest of the week, the Oracle BD folks entertained the government officials in Los Angeles and Napa Valley and then took them to a “theme park” in the greater Los Angeles area. Any travel involving government officials or any other covered persons under the FCPA should be submitted to and approved by your compliance function, including costs and the itinerary.

There was much to consider from the SEC enforcement action under the FCPA involving Oracle. We still have not heard from the DOJ. There may be more to come….

Categories
Survive and Thrive

Survive and Thrive – Gifts, Travel, and Entertainment with Thomas Fox and Kortney Nordrum

The FCPA world is littered with enforcement actions against companies for the most basic compliance failures – those around gifts, travel, and entertainment (GTE). Many compliance professionals struggle with issues from GTE: Violations can arise out of anything, from discrepancies between outbound and inbound reporting to simply relying too heavily on the manual process of maintaining spreadsheets.
As your company is considering RTW sometime in fall 2021, you know you will need to remind everyone about why GTE is so critical to compliance. How do you add in an analysis of more efficient business travel, time use, and even whether you need to travel for meetings?

Key points discussed in the episode:
✔️The Gifts, Travel, and Entertainment (GTE) Policy is foundational to a company’s values. GTE touches so many other pieces in a compliance program – COI, anti-corruption, anti-fraud, government contracting, donations/corporate giving, marketing in the healthcare space, etc. Small numbers are essential, and telling the truth about GTE reimbursement is critical to an ethical culture.
✔️Each company has different GTE rules in place – first, you have to take stock of what rules apply to your company and your sales force.
✔️ Look at who you do business with? If your customers are all state governments, that makes it easy – no gifts or entertainment, ever—however, companies operating in several markets may have varying customers. Be aware of what your customers can and cannot accept re: GTE.
✔️ In your organization, build a policy that speaks to your specific obligations. Make it clear that every single gift or entertainment expense must be documented and submitted, and nothing is off-books.
✔️ Include as many examples as possible in your policy – call out specific things that are not allowed (aka DO NOT GIVE ANYONE A FERRARI OR A HOUSE IN THE HAMPTONS…OR A CONGRESSIONAL SEAT).
✔️ Make things much more concrete and give people an idea of what’s appropriate and not appropriate. It is essential to call out cash and cash equivalents to explain better why It is NEVER okay to give cash or equivalents as GTE.
✔️ Train the heck out of the policy – both the broad workforce and the finance team that will be reviewing the invoices and the sales team that will be incurring the expenses. Walk them through expectations and what to watch out for as red flags.
✔️ Use checklists – give the team reviewing invoices a list of what to look for (good and bad) and have them do it (formally or informally) for each invoice.
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.

Categories
31 Days to More Effective Compliance Programs

Internal controls for gifts, travel and entertainment


It is reasonable to expect that internal controls over gifts, travel and entertainment be designed to ensure that they satisfy the criteria as defined in company policies. These are narrow, including a definition of the dollar limit, which must not be exceeded for gifts to be permissible, coupled with some subjective criteria such as the legality of the gifts for the recipient and whether the practice is customary within the country where the gift is delivered. The question I focus on is how to enforce the policies so that employees are not free to disregard them at will?The key analysis is whether there are controls in place to enforce the policies and whether those controls are documented. There are four issues to evaluate:

  1. Is the correct level of person approving the payment/reimbursement for the gift?
  2. Are there specific controls, including signoffs, to demonstrate that the gift had a proper business purpose?
  3. Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls?
  4. If controls are not followed, is that failure detected by other internal controls or the compliance protocols?

Internal controls around gifts can be used in a variety of ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation, however, by using some of the techniques suggested you can move your compliance program to a proscriptive phase where you not only stop an issue from becoming a violation but through identification, you can move towards remediation as a part of your ongoing compliance efforts. The bottom line is good internal controls make for good business processes; if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and thereby have a better run company. 
Three key takeaways:

  1. Gifts, travel and entertainment compliance internal controls are low hanging fruit, pick them.
  2. Compliance internal controls can be both detect and prevent controls.
  3. Good compliance internal controls are good for business.