Categories
Daily Compliance News

Daily Compliance News: February 15, 2024 – The Lock The Doors Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • Elon Musk says Delaware has ‘locked the doors’. (Reuters)
  • OECD at 25.  (The Hill)
  • The SEC is bracing for litigation over climate change regs. (WSJ)
  • $130MM paid to creditors in the Mozambique Tuna Bond corruption scandal. (Spotlight on Corruption)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Compliance Into the Weeds

Compliance into The Weeds: Down The Rabbit Hole on SEC Enforcement Waivers

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt go down a rabbit hole regarding the SEC waiving penalties for messaging app violations.

The Securities and Exchange Commission (SEC) has been making headlines for its crackdown on broker dealers who violate record-keeping rules by using off-channel messaging apps like WhatsApp or Snapchat. This has led to hefty fines, yet the SEC has been granting waivers to these same firms, allowing them to continue operating in the securities world. This paradoxical approach has raised eyebrows, including those of Tom Fox and Matt Kelly. Fox finds the SEC’s actions both curious and concerning. He believes that if a waiver program exists, it should be publicly announced and the reasons for granting waivers should be transparent to ensure appropriate scrutiny. Kelly, on the other hand, expresses surprise and disappointment at the lack of transparency from the SEC, suggesting that the waiver program and its reasons should be made clear to the public. Find out more in this fascinating edition of Compliance into the Weeds.

Key Highlights:

  • SEC Sanctions for Off-Channel Messaging Violations
  • SEC Enforcement and Waivers for Internal Violations
  • Cracking down on Off Channel Communications
  • The Need for Public Announcements in SEC Enforcement

Resources:

Matt on Radical Compliance

 Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Solar Winds Under GDPR: Corporate Responsibility and Risks in Data Protection

The General Data Protection Regulation (GDPR) has significantly changed how organizations handle data protection and privacy. It emphasizes the importance of transparency and honesty in disclosing data breaches and vulnerabilities. In a recent episode of the podcast Life with GDPR, Tom Fox and Jonathan Armstrong from Cordery Compliance discussed the topic of corporate responsibility and risks in data protection, with a particular focus on the SolarWinds case.

To recap, in late 2023, the SEC filed a lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, bringing the issue of executive liability in cybersecurity disclosures to the forefront. The lawsuit raised important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries under US securities law.

The 2020 breach, orchestrated by Russian hackers, targeted SolarWinds’ software, Orion, and exposed highly sensitive information. The hackers gained access to SolarWinds and planted spyware in the Orion program. SolarWinds then distributed an update to its corporate customers, unknowingly spreading the Russian spyware. This allowed the hackers to access the highest levels of the US government and major corporations.

The SEC’s lawsuit against SolarWinds and Tim Brown focused on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures formed the basis of the SEC’s allegations.

The SEC complaint alleged that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

Beyond this SEC enforcement action, there were other implications as well. One key takeaway from the episode is the pressure on corporate leaders, including CISOs, Data Protection Officers, and Compliance Officers, to disclose data breaches promptly. While GDPR offers some protection to Data Protection Officers, they are not entirely exempt from liabilities. The SolarWinds case serves as a reminder of the need for specific and timely disclosure of breaches and the importance of addressing system vulnerabilities.

The risks associated with data breaches are not limited to regulatory fines. Litigation risks are a significant concern for organizations, with shareholders and whistleblowers potentially seeking legal action. The episode highlights the importance of transparency and not misrepresenting information to regulators. Misrepresentations can lead to severe consequences for individuals in positions of responsibility within corporations.

Budget constraints can also hinder the timely fixing of vulnerabilities, ultimately leading to breaches. Organizations need to take proactive measures to identify and address vulnerabilities promptly. Realistic resource assessments are crucial to ensuring that adequate resources are allocated to data protection efforts. Additionally, having adequate insurance protection, such as Directors and Officers (D&O) insurance, can help protect individuals in positions of responsibility from potential liabilities.

The episode also emphasizes the need for organizations to consider the impact on their stock exchange filings when deciding whether to disclose a data breach. The decision to admit a violation of a stock exchange can be challenging and depends on factors such as materiality. Organizations need to assign a dedicated team to consider these factors, mainly when engaged in transactions like mergers and acquisitions or fundraising.

Transparency and honesty are key principles in data protection and privacy. Audit reports and investigation findings must be acted upon promptly to address vulnerabilities. Emails and other forms of communication can serve as evidence in legal proceedings, highlighting the importance of careful communication within organizations.

The potential for litigation is significant in data breach cases. Shareholders may seek legal action if they believe the value of their stock has been affected. Whistleblowers, incentivized by various jurisdictions, may also come forward with information. This highlights the need for organizations to maintain a culture of transparency and integrity and for individuals to review their remuneration packages to avoid conflicts of interest.

In conclusion, GDPR, corporate responsibility, and risks in data protection are interconnected. Organizations must prioritize transparency, honesty, and timely disclosure of breaches and vulnerabilities. Proactive measures, realistic resource assessments, and adequate insurance protection are crucial to mitigating risks. By considering the impact on stock exchange filings and maintaining a culture of integrity, organizations can navigate the challenges associated with data protection and privacy in the GDPR era.

Categories
Blog

Pre-taliation Protection Extends to Third Parties

The Securities and Exchange Commission (SEC) has been cracking down on companies that engage in pre-taliation, imposing increasing fines. This was evident in the recent case of JP Morgan,  which faced an $18 million sanction for including a pre-taliation clause in their contracts. This enforcement action highlighted companies’ importance in addressing pre-taliation risk by implementing contract language that protects individuals’ rights to report misconduct. Matt Kelly and I recently had the chance to take a deep dive into the decision in a recent episode of Compliance into the Weeds.

Corey Schuster, co-chief of the Asset Management Unit in the SEC Division of Enforcement, said in an SEC Press Release, “Whether retail or otherwise, must be free to report complaints to the SEC without interference. Those drafting or using confidentiality agreements must ensure that they do not include provisions impeding potential whistleblowers.” Gurbir Grewal, Director of the SEC Enforcement Division, added,  “Whether in your employment contracts, settlement agreements or elsewhere, you simply cannot include provisions that prevent individuals from contacting the SEC with evidence of wrongdoing.” Matt noted in his blog post on the case, “SEC enforcement against pre-taliation is not exactly news, since the agency has been filing such cases since 2016 — but until now, those enforcement actions have always been about companies using pre-taliation clauses in contracts with employees. Now we have our first case over pre-taliation against customers — and it came with the biggest pre-taliation fine we’ve ever seen.”

Pre-taliation occurs when a company restricts individuals from speaking out about corporate misconduct to regulators. While previous pre-taliation cases primarily focused on restrictions placed on employees, the JP Morgan securities case marked a significant shift. For the first time, the SEC sanctioned a company for imposing a pre-taliation clause on customers. This expands the range of individuals who may fall victim to pre-taliation and underscores the need for companies to be vigilant in their compliance efforts.

Companies must understand that pre-taliation clauses are problematic, regardless of whether they are included in employment contracts, settlement agreements, or elsewhere. The SEC has clarified that provisions preventing individuals from contacting the SEC with evidence of wrongdoing are unacceptable. Compliance officers must conduct regulatory assessments to understand applicable laws and review contracts for problematic language.

The fines imposed by the SEC for pre-taliation cases have been increasing over time. In the case of JP Morgan securities, the $18 million sanction was the largest fine ever seen for a simple fix. The remediation action required in these cases is relatively straightforward: companies must delete the problematic language from their agreements and inform anyone who signed the old language that they are free to report misconduct to the SEC or any other regulator. While the mechanics of executing this remediation may be challenging for large organizations with contracts stored in different data warehouses, the basic idea remains the same.

It is worth noting that in most pre-taliation cases, companies rarely enforce the pre-taliation clauses. They often become an afterthought, and it is only years later that companies realize their mistake and attempt to rectify it. The SEC’s message is clear: companies must proactively identify and correct problematic language in their contracts to avoid facing significant fines.

The CBRE pre-taliation enforcement action serves as an example of effective remediation practices. CBRE swiftly identified and corrected problematic clauses, updated its code of conduct, and provided training on SEC rules to its compliance team. This proactive approach helped them avoid more severe penalties and garnered praise from the SEC. Here, Kelly noted,

  • Within one month of learning about the SEC investigation, revising all its U.S. severance agreement templates to assure compliance was followed by an audit of similar agreements worldwide, reviewing some 300 templates used by CBRE affiliates in 54 countries.
  • We are updating the CBRE Code of Conduct to add new language against pre-taliation.
  • Training more than 50 members of the compliance team globally on the Rule 21F-17 language added to all relevant templates;
  • They were undertaking a mandatory re-certification process, where more than 100,000 employees worldwide certified that they had reviewed the updated Code of Conduct and attested to their understanding that they were always free to bring concerns to regulators without any advanced notice to CBRE.

Compliance officers face the challenge of balancing various factors when addressing pre-taliation risk. They must consider the impact of state laws, federal whistleblower protection laws, and securities laws that may apply to their company. Conducting a regulatory assessment and thoroughly reviewing contracts can help identify potential areas of concern.

In conclusion, the SEC’s increasing fines for company pre-taliation highlight the importance of compliance and the need for companies to address pre-taliation risk. Companies must eliminate pre-taliation clauses from their contracts and ensure individuals can report misconduct to regulators. Companies can mitigate the risk of facing significant fines and reputational damage by taking proactive measures and conducting thorough assessments.

Categories
Life with GDPR

Life With GDPR: Episode 104 – Solar Winds and Your Mother – Tell The Truth

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, co-host the award-winning Life with GDPR. In this episode, they look at the continued fallout from the Solar Winds data breach.

In the complex world of data protection, the General Data Protection Regulation (GDPR) has placed a spotlight on the importance of transparency, honesty, and corporate responsibility. Experts Tom Fox and Jonathan Armstrong bring their unique perspectives to this topic, shaped by their extensive experience in compliance and data protection. Fox emphasizes the potential legal consequences for corporate leaders who fail to disclose vulnerabilities or engage in dishonest practices, while Armstrong highlights the increasing pressure on individuals and corporations to disclose data breaches, with regulators focusing more on individual liability. Both stress the importance of transparency, the potential for litigation, and the role of whistleblowers.

Join Fox and Armstrong as they delve deeper into these issues on this episode of the Life with GDPR podcast.

Key Takeaways:

  • The Importance of Truthfulness in GDPR
  • The Importance of Transparency in Data Breaches
  • Legal risks in data breaches and cybersecurity
  • The Impact of Budget Constraints on Vulnerability Fixes

 Resources:

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here. Check out the Cordery Data Breach Academy here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Compliance Into the Weeds

Compliance Into The Weeds: Pre-Taliation is Illegal as to All

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the recent SEC enforcement action for pre-taliation against JPMorgan and what it means for whistleblower programs going forward.

The Securities and Exchange Commission (SEC) has been ramping up fines for companies found guilty of retaliation, as evidenced by the recent JP Morgan securities case, which resulted in an $18 million sanction. This development underscores the importance of compliance and the need for companies to protect individuals’ rights to report misconduct. Tom views this as a significant shift, expanding the range of individuals who may be affected by retaliation claims. He predicts a broader legal discussion and increased protection for those who bring claims related to misconduct. Matt emphasizes the need for companies to be proactive in preventing retaliation. He points out that enforcement has been increasing since 2016 and that companies should already be aware that they cannot restrict employees from reporting wrongdoing to the SEC. Join Tom Fox and Matt Kelly as they delve deeper into this topic on the Compliance into the Weeds podcast.

Key Highlights:

  • The underlying facts
  • Expanding Retaliation Risk in Corporate Settings
  • Retaliation Clauses and Whistleblower Protection
  • CBRE’s Swift Remediation Efforts and SEC Settlement

Resources:

Matt on Radical Compliance

 Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 21 – Managing Your Third Parties

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation, and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area that the DOJ specifically articulated in the 2023 ECCP that companies need to consider.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins.

Three key takeaways:

1. Have a strategic approach to third-party risk management.

2. Rank third parties based upon a variety of factors, including compliance and business performance, length of relationship, benchmarking metrics, and KPIs for ongoing monitoring and auditing.

3. Managing the relationship is where the real work begins.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 20 – The Third Party Risk Management Process

The DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management that will fulfill the DOJ requirements as laid out in the 2023 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:

1. Business Justification by the Business Sponsor.

2. Questionnaire to Third-party.

3. Due Diligence on the Third Party.

4. Compliance Terms and Conditions, including payment terms.

5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third-party management.

2. Make sure you have business development involvement and buy-in.

3. Operationalize all steps going forward by including business unit representatives.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

The SAP FCPA Enforcement Action-Part 5: Lessons Learned

We conclude our series on the initial Foreign Corrupt Practices Act (FCPA) enforcement action. It involved the German software giant SAP. While the conduct which led to the enforcement action occurred for a lengthy period of time and was literally worldwide in scope, the response by SAP is to be both noted and commended. The hard and impressive work that SAP did during the pendency of the investigation and enforcement action led to a very favorable result for the company in the reduced amount of its assessed fine and penalty as well as the fact that no monitor was mandated by the Department of Justice (DOJ) or Securities and Exchange Commission (SEC). Today, in our final post, we review key lessons learned from the SAP enforcement action.

Remediation

SAP did an excellent job in its remedial efforts. Whether SAP realized as a recidivist of the dire straits it was in after the publicity in South Africa around is corruption or some other reason, the company made major steps to create an effective, operationalized compliance program which met the requirement of the Hallmarks of an Effective Compliance Program as laid out in the 2020 FCPA Resource Guide, 2nd edition.

The remedial actions by SAP can be grouped as follows.

  1. Root Cause, Risk Assessment and Gap Analysis. Here the company conducted a root cause analysis of the underlying conduct then remediating those root causes, conducted a gap analysis of internal controls, remediating those found lacking; and then performed a comprehensive risk assessment focusing on high-risk areas and controls around payment processes, using the information obtained to enhance its compliance risk assessment process;
  2. Enhancement of Compliance. Here the company significantly increasing the budget, resources, and expertise devoted to compliance; restructuring its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership; enhanced its code of conduct and policies and procedures regarding gifts, hospitality, and the use of third parties; enhanced its reporting, investigations and consequence management processes;
  3. Change in sales models. On the external sales side, SAP eliminated its third-party sales commission model globally, and prohibiting all sales commissions for public sector contracts in high-risk markets and enhanced compliance monitoring and audit programs, including the creation of a well-resourced team devoted to audits of third-party partners and suppliers. On the internal side, SAP adjusted internal compensation incentives to align with compliance objectives and reduce corruption risk;
  4. Data Analytics. Here SAP expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally; and comprehensively used data analytics in its risk assessments.

Data Analytics

The references to data analytics and data driven compliance warrant additional consideration. SAP not only did incorporate data analytics into its third-party program but also expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally. The SEC Order also noted that SAP had implemented data analytics to identify and review high- risk transactions and third-party controls. The SAP DPA follows the Albemarle FCPA settlement by noting that data analytics is now used by SAP to measure the compliance program’s effectiveness. This language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions access to all company data; this is the second time it has been called out in a FCPA settlement agreement in this manner. Additionally, it appears that by using data analytics, SAP was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation; thereby avoiding a monitor.

Holdbacks

Next was the holdback actions engaged in by SAP. The DPA noted, SAP withheld bonuses totaling $109,141 during the course of its internal investigation from employees who engaged in suspected wrongdoing in connection with the conduct under investigation, or who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct, and further engaged in substantial litigation to defend its withholding from those employees, which qualified SAP for an additional fine reduction in the amount of the withheld bonuses under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

Self-Disclosure

While this factor was not present in the SAP enforcement action, the message sent by the DOJ could not be clearer on not simply the expectation of the DOJ for self-disclosure but also the very clear and demonstrable benefits of self-disclosure. Under the Corporate Enforcement Policy, SAP’s failure to self-disclose cost it an opportunity of at least 50% and up to a 75% reduction off the low end of the U.S. Sentencing Guidelines fine range. Its actions as a criminal recidivist, resulted in it not receiving a reduction of at least 50% and up to 75% from the low end of the U.S.S.G. fine range but rather at 40% from above the low end. SAP’s failure to self-disclose cost it an estimated $20 million under the Sentencing Guidelines. It’s failure to self-disclose and recidivism cost it a potential $94.5 million in discounts under the Corporate Enforcement Policy. The DOJ’s message could not be any clearer.

Extensive Cooperation

There were also lessons to be garnered from SAP’s cooperation with the DOJ. While there was no mention of the super duper, extra-credit giving extensive remediation which Kenneth Polite discussed last year; when SAP began to cooperate, it moved to extensively cooperate. The DPA noted SAP “immediately beginning to cooperate after South African investigative reports made public allegations of the South Africa-related misconduct in 2017 and providing regular, prompt, and detailed updates to the Fraud Section and the Office regarding factual information obtained through its own internal investigation, which allowed the government to preserve and obtain evidence as part of its independent investigation…” Most interestingly, the DPA reported that SAP imaged “the phones of relevant custodians at the beginning of the Company’s internal investigation, thus preserving relevant and highly probative business communications sent on mobile messaging applications.” This is clear instruction around messaging apps in FCPA enforcement actions.

Resources

SEC Order

DOJ DPA

Categories
Blog

The SAP FCPA Enforcement Action-Part 3: The Comeback

This week we are taking a deep dive into the SAP Foreign Corrupt Practices Act (FCPA) enforcement action. In it, SAP agreed to pay the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) approximately $222 million in penalties and disgorgement. SAP also entered into a three-year Deferred Prosecution Agreement (DPA) with the DOJ. Given the multi-year (2014-2022) length of the various bribery and corruption schemes and worldwide geographic scope, the amounts paid in bribes and benefits garnered by SAP from their corruption; one might charitably wonder how SAP was able to reap such a positive outcome of only a fine and penalty totaling $222 million. We will explore that question today.

Extensive Cooperation

The starting point for this analysis is the DOJ DPA. The first key point to note is there was no self-disclosure by SAP. As the DPA noted, SAP only began to cooperate after investigative reports were made public in 2017 in South Africa about SAP’s bribery and corruption program. However from this point forward SAP moved to extensively cooperate. The DAP noted SAP “immediately beginning to cooperate after South African investigative reports made public allegations of the South Africa-related misconduct in 2017 and providing regular, prompt, and detailed updates to the Fraud Section and the Office regarding factual information obtained through its own internal investigation, which allowed the government to preserve and obtain evidence as part of its independent investigation…”

This cooperation included producing relevant documents and other information to the Fraud Section “from multiple foreign countries expeditiously, while navigating foreign data privacy and related laws;” SAP “voluntarily making Company officers and employees available for interviews;”  and took “significant affirmative steps to facilitate interviews while addressing witness security concerns”; interestingly SAP was required to resolve potential deconfliction issues between the its own internal investigation and the investigation being conducted by the DOJ. The company promptly collected, analyzed, and organized “voluminous information, including complex financial information.” It translated “voluminous foreign language documents to facilitate and expedite review by the Fraud Section and the Office.” Most interestingly, the DPA repored that SAP imaged “the phones of relevant custodians at the beginning of the Company’s internal investigation, thus preserving relevant and highly probative business communications sent on mobile messaging applications.”

The Remediation

The DPA reported extensive remediation by SAP as well and the information provided in the DPA is instructive for every compliance professional. The DPA noted that SAP engaged in the following remedial steps.

  1. Conducted a root cause analysis of the underlying conduct then remediating those root causes through enhancement of its compliance program;
  2. Conducted a gap analysis of internal controls, remediating those found lacking;
  3. Undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process”;
  4. SAP documented its use of a “comprehensive operational and compliance data” into its risk assessments;
  5. SAP eliminating “its third-party sales commission model globally, and prohibiting all sales commissions for public sector contracts in high-risk markets”;
  6. “Significantly increasing the budget, resources, and expertise devoted to compliance;”
  7. Restructuring its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership;
  8. Enhanced its code of conduct and policies and procedures regarding gifts, hospitality, and the use of third parties;
  9. Enhancing its reporting, investigations and consequence management processes;
  10. Adjusting compensation incentives to align with compliance objectives and reduce corruption risk;
  11. Enhanced and expanding compliance monitoring and audit programs, planning, and resources, including developing a well-resourced team devoted to audits of third-party partners and suppliers;
  12. Expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally; and
  13. Disciplined “any and all” employees involved in the misconduct.

Obviously, SAP engaged in a wide range of remedial actions. It all started with a root cause analysis. Root Cause analysis was enshrined in the FCPA Resource Guide, 2nd edition as one of the Hallmarks of an Effective Compliance Program. It stated, “The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigation’s structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.”

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches. This SAP did during its remediation phase.

Equally of interest are the references to data analytics and data driven compliance. SAP not only did so around its third-party program but also expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally. The SEC Order also noted that SAP had implemented data analytics to identify and review high- risk transactions and third-party controls. The SAP DPA follows the Albemarle FCPA settlement by noting that data analytics is now used by SAP to measure the compliance program’s effectiveness. This language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions access to all company data; this is the second time it has been called out in a settlement agreement in this manner. Additionally, it appears that by using data analytics, SAP was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation; thereby avoiding a monitor.

Next was the holdback/clawback actions engaged in by SAP. The DPA noted, SAP withheld bonuses totaling $109,141 during the course of its internal investigation from employees who engaged in suspected wrongdoing in connection with the conduct under investigation, or who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct, and further engaged in substantial litigation to defend its withholding from those employees, which qualified SAP for an additional fine reduction in the amount of the withheld bonuses under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

Finally, the DOJ related that SAP had enhanced and has committed to continuing to enhance its compliance program and internal controls, including ensuring that its compliance program satisfied the minimum elements set forth in Attachment C to DPA. Based upon all these factors, including SAP’s remediation and the state of its compliance program, and the Company’s agreement to report to the Fraud Section and the Office as set forth in Attachment D to this Agreement, the DOJ “determined that an independent compliance monitor was unnecessary.”

All-in-all a great result by and for SAP for which the company and its compliance team should take great credit in going forward.

Resources

SEC Order

DOJ DPA

Join us tomorrow where we consider fine and penalties.