Microsoft has agreed to pay $25.3 million to settle FCPA charges against subsidiaries in Hungary, Saudi Arabia, Thailand, and Turkey — the latest in a long line of cases where poor procedures to document sales discounts offered by local resellers paved the way for bribery of foreign government officials.
Microsoft will pay $16.5 million to the Securities and Exchange Commission in disgorgement and prejudgment interest; and another $8.75 million to the Justice Department as a criminal penalty. The company gets a three-year non-prosecution agreement and no compliance monitor appointed. So all in all, a pretty standard FCPA settlement as these things go in the Trump Administration.
The misconduct happened in the mid-2010s, and as usual, third parties were instrumental. A good example comes from Microsoft’s Hungary operation, so let’s take a look.
As outlined in the SEC’s settlement order, Microsoft Hungary learned in late 2013 that Hungary’s national tax agency would be soliciting bids for new software in February 2014. The MS Hungary employees then asked senior employees on Microsoft’s global business desk for permission to offer a 27.8 percent discount to the tax agency, on top of Microsoft’s standard discount offer for government agencies.
Why give the additional discount? Hungary employees cited pressure from competitors, the customer’s sensitivity to price, and possible future sales of additional services — all without offering any evidence to support those claims. (Do you feel like you’ve heard that before? I feel like I’ve heard it before.)
Microsoft’s business desk authorized the additional discount, with the condition that the discount would expire at end of the quarter on March 31. Then the Hungarian tax agency canceled its planned project, which threw everyone into a tizzy. The general manager of MS Hungary emailed one of Microsoft’s local resellers. He told the reseller that winning the tax agency’s bid “is very important by the end of March” and pleaded, “In case you have influence, please push it!”
More back-and-forth followed between MS Hungary and the tax agency, and the tax agency “relaunched” the project six days before end of the quarter. Ultimately the bid went to the reseller who had pushed his influence, who of course held back some of that additional 27.8 percent discount. He passed along part of the difference as a bribe to Hungarian officials who relaunched the project.
More of the FCPA Same
The other scams outlined in the SEC and Justice Department complaints are also shenanigans compliance officers have heard before. In Saudi Arabia from 2012 into 2014, MS Saudi employees created a slush fund by granting larger-than-usual discounts and payments to certain resellers. Those resellers maintained the fund, and disbursed it at the direction of MS Saudi employees to cover travel expenses for Saudi Arabian government employees or gifts that included furniture and computer equipment.
In Thailand, an MS Thailand employee worked with a reseller to divert $100,000, again by offering supposed discounts on Microsoft products that would then fund training for the customers. Instead of training, however, the money went to paying for customers’ travel expenses or new technology gizmos. The reseller would send a bogus purchase order for training to one of MS Thailand’s local training vendors, and that vendor would submit a bogus invoice back to the reseller. Again, I feel like we’ve heard all this before.
Back in Hungary, Microsoft had due diligence failures. Once MS Hungary won that bid with the tax agency, the agency followed up with two service contracts — where (uh-oh) the agency requested two specific tech service vendors. One vendor was unknown to Microsoft, but MS Hungary processed the work anyway without conducting any due diligence. When some MS employees began worrying about that vendor’s competence, another MS employee shot down their concerns because the vendor “is not simply a partner; it is THE PARTNER.”
The second vendor kept things simple, and provided no services at all.
Also in Hungary, Microsoft won a bid with the country’s Education Department. As part of the project, MS Hungary subcontracted with an outside consulting firm, and the consultant involved was also an employee of the Education Department at the same time. Microsoft apparently did no due diligence on either the consulting firm or the individual consultant, who submitted timekeeping records under a false name anyway.
Once more with feeling, everyone: this is nothing compliance professionals haven’t heard before.
Focus on Internal Controls
I’ll let other people analyze the Justice Department end of this case, with discussion about voluntary self-disclosure (MS Hungary didn’t provide any) and how the criminal penalty may or may not fit with the Justice Department’s FCPA Corporate Enforcement Policy.
I want to focus on internal controls around resellers and distributors, because that’s what we see time and again in FCPA enforcement. For example, the Polycom enforcement action in December 2018 has plenty of parallels, where local agents cited “competition” again and again as reason for granting a discount. The company’s sales records were full of that one magical word.
The only problem: a local agent saying “Competition! Competition!” is not an internal control.
At the start of this year I wrote a guest post for the NAVEX Global blog about internal controls for distributors and resellers, and let me quote part of that here:
Competition can be a legitimate reason to offer a discount, but to reduce the risk of bribery, the company should demand more evidence to support the need for that discount. Each case should be documented, to capture the transaction’s unique circumstances.
Will employees and distributors still engage in corruption and deception anyway? You bet. But if they’re going to attempt corruption no matter what, essentially, you want internal controls that force them to work harder to do it.
I know that documenting policies like that are not easy to implement. But go back to that first misconduct example from Hungary. MS Hungary asked Microsoft’s global business desk for permission to offer a discount, and received that permission without any supporting documentation. Microsoft’s internal controls at the time were too weak.
The SEC’s order does praise Microsoft for “enhancing its internal accounting controls and compliance programs” since then, but doesn’t elaborate on what those enhancements are. Even if the order did, each company’s operations are unique, so effective remediation at one business won’t necessarily work at another.
One telling clue: the SEC order also says Microsoft enacted “new discount transparency and pass-through requirements” and is “developing and using data analytics to help identify high-risk transactions.”
So one path forward here is to use better technology to identify anomalies. That’s a good control, but also a detective control after something might be amiss.
As always, you also need strong policies requiring documentation, and strong internal controls to prevent a transaction from going forward until you get it.