German software giant SAP is paying $220 million and implementing a raft of reforms to settle FCPA violations in seven countries, in a case with lessons about the importance of internal audits to root out misconduct and about structural reforms regulators want to see to prevent repeat offenses.
The Justice Department and Securities and Exchange Commission announced the settlement on Wednesday. In addition to the fine, SAP also entered into a three-year deferred-prosecution agreement. This is SAP’s second run-in with the Foreign Corrupt Practices Act; the company previously settled FCPA charges with the SEC in 2016, disgorging $3.7 million in ill-gotten gains from a corruption scheme in Panama. SAP also settled a sanctions violation case in 2021.
The violations this time around spanned the Eastern Hemisphere, from South Africa to Azerbaijan to Indonesia, with several other East African nations in between. The misconduct happened in the 2010s, and as we so often see, it involved executives at SAP subsidiaries conspiring with third-party intermediaries.
The SEC’s settlement order provides several useful examples of how the misconduct happened, so let’s start there. The first stop on our world tour is South Africa.
According to the SEC, SAP South Africa worked with numerous third-party intermediaries to funnel bribes to government officials there. The company recorded the payments as legitimate business expenses in SAP’s books, even though some intermediaries couldn’t show that they provided the services they had been contracted to provide.
For example, in 2014 SAP South Africa closed on a $4.4 million deal with Transnet, a state-owned rail and logistics company. Along the way, SAP hired a well-connected South African tech company (unnamed in the order, alas) purportedly to help broker the deal in exchange for a 10 percent commission.
In reality, however, “there is no record of [the intermediary] ever being present at meetings with Transnet, nor does [the intermediary] appear to have a credible IT background or experience,” as the SEC order states. A few days after the deal closed, the tech company extended $562,000 to “an individual known to be involved in making bribe payments.” (Was that, like, on the person’s LinkedIn profile or something?)
SAP’s other South Africa misadventures follow a similar path. The company paid intermediaries to help close deals — a $1 million commission here, $1.6 million commission there, a few fully paid trips to take South African officials on a trip to New York in the middle — and all the while, the intermediaries contributed no substantive advice or other work on the actual deals.
Where Was Internal Audit?
I’m glad you asked that question, because in this instance internal audit was on the case at least some of the time. For example, SAP performed an audit of another intermediary that received $1 million in 2015 for a separate deal with Transnet. During that audit, the intermediary “failed to provide evidence of any services performed.”
That’s good, but unfortunately it’s the only mention of internal audit anywhere in the SEC settlement order. (The Justice Department hasn’t yet published the deferred-prosecution agreement or other documents related to the case.) Even that lone mention of internal audit, however, points to an important lesson in this case: the importance of internal controls that generate evidence so that good conduct can be verified or bad conduct will stick out like a sore thumb.
That is, throughout the multiple years that these FCPA violations occurred, SAP did have internal policies and procedures meant to root out potential misconduct. Those policies and procedures generally looked solid on paper. For example, employees were required to perform due diligence on all third parties, and the third party could have no family connections to SAP customers or to foreign government officials. All third parties working on sales commissions had to have those terms put in writing, including services provided and payment terms; and all SAP subsidiaries had to use a model contract with third parties drafted by SAP headquarters. The local subsidiary’s legal department, compliance officer, managing directors, and financial officer all had to approve said contract.
So what went wrong? According to the SEC, executives at those SAP subsidiaries violated their own policies, working with the intermediaries to put the corrupt payments in government officials’ pockets. Because the payments were made by third parties acting outside of SAP’s own systems, SAP lacks sufficient records to determine the full scope of the bribery schemes. As the SEC phrased it, “SAP lacked entity-level controls over SAP South Africa, SAP Africa, SAP Indonesia, and SAP Azerbaijan because of the lack of oversight over personnel in those jurisdictions.”
In the ideal world, an empowered internal audit team, working in full cooperation with management and the board, would be able to raise concerns about weaknesses in entity-level controls. Then you could drive change for more rigorous oversight of subsidiary personnel and more expansive accounting controls that could intercept payments to third parties that are really just one step away from a corrupt official’s pocket.
A Word on SAP Remediation
Let’s shift gears to the Justice Department. SAP did not win any credit for voluntary self-disclosure because local media in South Africa exposed the misconduct first. It did win credit for its cooperation in the investigation, which included all the usual steps such as translating foreign-language documents, making company executives available for interviews, document production, and so forth.
What’s more interesting is the remediation SAP undertook. Most notably, SAP eliminated its third-party sales commission model globally, and prohibited all sales commissions for public-sector contracts in high-risk markets.
That’s yet another example of the structural changes that companies are making to resolve corporate misconduct issues with the Justice Department. We’ve seen similar moves in the recent past, such as last year’s settlement with Albemarle Corp. where the company eliminated resellers and distributors in favor of a direct-sales model worldwide. The Justice Department has pushed for structural changes in other types of misconduct, too, such as forcing companies to divest certain product lines that were involved in price-fixing schemes.
By the way, if all this talk about rogue subsidiaries and sketchy sales commissions to intermediaries sounds familiar, that’s because it’s the same sort of misconduct that tripped up Embraer back in 2016, when it paid $205 million to settle FCPA charges. I know a handful of compliance officers who have ended commission-based payments to third parties just as a best practice, and apparently SAP is now on that train too.
We can do more analysis of the SAP case in future posts, since there’s a lot more worth studying here. For now, we have our first FCPA enforcement action of 2024 — and wow, it’s a big one.