Oracle Hit 2nd Time on FCPA Violations

The Securities and Exchange Commission has sanctioned Oracle for violations of the FCPA, the software giant’s second such incident in 10 years and one that provides a chance for the rest of us to talk about recidivist FCPA offenders. 

What happened? In one sense, the usual. Throughout the 2010s, Oracle subsidiaries in India, Turkey, and the United Arab Emirates used sham discount schemes and marketing reimbursement plans to create slush funds, which they then used to pay bribes in violation of the FCPA. That’s nothing we haven’t heard before in corporate compliance; only the specific countries involved seem to change from one case to the next.

On the other hand, this is Oracle’s second FCPA settlement involving slush funds. The first happened in 2012, when Oracle’s India subsidiary (OK, maybe the specific countries involved don’t change so much after all) was found to have created slush funds by selling software licenses to distributors and then having those distributors “park” some of those proceeds in secret accounts off Oracles’ real books.

A recidivist FCPA offender! Isn’t that supposed to set off alarm bells, since the Justice Department recently vowed to take harsher action against recidivists? Perhaps we’ll have to wait and see. The Justice Department only spoke for itself when it talked about recidivist offenders, and the department has not announced any action against Oracle for this latest lapse so far. 

Plus, while the SEC did mention Oracle’s second-time offender in a press release — not much more was made of that fact. Yes, Oracle will pay $23 million to settle the case, including $15 million in monetary penalties. (In contrast, Oracle paid only $2 million in its first case a decade ago.) Beyond that, however, Oracle did not receive any additional punishment such as an “independent compliance consultant” (read: compliance monitor). Heck, the company even walked away with “neither confirms nor denies the findings” as we see in so many other SEC enforcement cases. 

The Slush Fund Scheme

As detailed in the SEC settlement order, the slush fund scheme ran from 2014 to 2019. At first glance, Oracle seemed to have a compliance program in place. The company did have a system of indirect sales, where Oracle worked with various resellers and distributors in overseas markets. Those resellers and distributors first had to go through a globally operated due diligence process, and Oracle’s subsidiaries could only work with those resellers and distributors that had already gone through the due diligence process. Moreover, Oracle subsidiaries could not work with any parties that had been removed from that pre-approved partner network.

That seems like a good procedure, but the failure arose from Oracle’s policies. An employee was only supposed to request a discount from a product’s list price for a legitimate business reason. Oracle used a three-tier system for approving discount requests above designated amounts, and for the highest level of discounts, approvals had to come from Oracle HQ in California itself. But, according to the SEC order, while Oracle policy mandated that all discount requests be supported by accurate information and Oracle reviewers could request documentary support, Oracle policy didn’t require documentary support for the discounts — even at the highest level.

So essentially, subsidiary employees requested unnecessarily large discounts, which were approved, and then the employees worked with complicit resellers and distributors to divert that money into the slush funds. (The complicit third parties kept a portion of the slush funds for themselves.) The funds, which employees informally called “wallets,” paid for travel and entertainment for end-use customers. In one instance, UAE employees covered the costs for government officials to attend an Oracle tech conference (in violation of Oracle policies).

A procedure nobly conceived, undone by a poorly designed policy. We’ve written about “discounts” without proper documentation rules many times before in FCPA enforcement. We probably will again in the future. 

We also had a good old-fashioned junket for foreign government officials that arose from Oracle’s Turkey office in 2018. The sales manager for Oracle Turkey entertained a government minister while bidding on a project to provide emergency call services for Turkey (“the 112 project”). The sales manager arranged a week-long trip to California for four Turkish officials, ostensibly to meet senior Oracle executives at HQ. That meeting actually lasted all of 15 minutes. The rest of the week, the sales rep entertained the Turkish officials with trips to Napa Valley and a theme park in Los Angeles. 

That was 2018, people; and Oracle’s second brush with FCPA violations. Sigh.

Program Improvements Were Made

As a second-time offender, the SEC did frown on Oracle’s behavior more strongly. Still, Oracle won credit for numerous steps the company took to remediate its compliance program once the issues came to light. (And how did they come to light, exactly? The settlement order doesn’t say.)

First, Oracle provided extensive cooperation. The order also listed 12 distinct remediation actions, including:

  • Firing employees, including senior managers, involved in the misconduct;
  • Terminating the resellers and distributors involved in the scheme;
  • Creating and staffing 15 new compliance roles, at both the Oracle headquarters and at overseas offices;
  • Enhancing audit functions;
  • Introducing measures “to improve the level of expertise and quality of its partner network” and substantially reducing the number of partners in the network; 
  • Implementing data analytics for the compliance program;
  • Revamping the training and communications provided to employees about ethics, compliance, and anti-corruption efforts. 

We still don’t know whether the Justice Department will add its own enforcement action against Oracle for this behavior. We do know that under the guidelines announced by deputy attorney general Lisa Monaco earlier this month, Oracle’s original FCPA enforcement action shouldn’t count against the company too much. Monaco said in her speech that any civil enforcement action that happened more than five years ago “will be accorded less weight.” 

How much less weight? Perhaps no weight at all? We’ll see.

Leave a Comment

You must be logged in to post a comment.