One dreaded outcome from a regulatory investigation is the appointment of an independent compliance monitor. Now two recent corporate misconduct settlements demonstrate how puzzling regulators’ decisions about compliance monitors can be — because for the life of me, I can’t figure out why one company received a monitor while the other didn’t.
The cases involve SAP, which did not receive a monitor for extensive FCPA violations in the 2010s; and eBay, which did receive a monitor for a 2019 incident where senior executives encouraged eBay’s in-house security team to harass two online critics of the company. Both cases were egregious, although in starkly different ways. So why did eBay receive a monitor but not SAP?
Let’s first review why the Justice Department appoints independent compliance monitors in the first place. The purpose of a compliance monitor is to do just what the name implies: to monitor the company’s performance after a settlement, and see how well the company is or isn’t living up to the terms of the deal. Straight from the Justice Department’s policy on the selection of compliance monitors:
Independent corporate monitors can be a … beneficial means of assessing a business organization’s compliance with the terms of a corporate criminal resolution, whether a DPA, NPA, or plea agreement. Monitors can also be an effective means of reducing the risk of recurrence of the misconduct and compliance lapses that gave rise to the underlying corporate criminal resolution.
In other words, a compliance monitor serves as the eyes and ears of the Justice Department, to assess how well the company’s reforms — changes to policy, procedures, personnel, and culture — take root at the company and reduce the chance that the company will violate the law again.
Now let’s consider that goal of a compliance monitor, compared to the FCPA violations of SAP (which didn’t get a monitor) and the stalking violations at eBay (which did).
Different Types of Misconduct
Start with SAP’s misconduct. Multiple subsidiary business units ignored the anti-corruption policies and procedures adopted by SAP’s corporate headquarters and engaged in bribery with sketchy intermediaries. When internal audit identified evidence of suspected bribery in 2015, no follow-up action seems to have happened. This was SAP’s second FCPA violation in 10 years, and its second criminal resolution in three years. (SAP settled a sanctions violations case in 2021 with a non-prosecution agreement.)
The Securities and Exchange Commission summed up SAP’s troubles by saying that the company “lacked sufficient entity-level controls” over its rogue subsidiaries. That’s a polite way of saying SAP leadership couldn’t impose its will upon those subsidiaries, such as through centralized controls, strong internal audits and anti-fraud procedures, and controls to prevent abuse of management override.
That sounds like a deep and pervasive corporate culture problem to me. And while I’m glad that SAP is taking the necessary steps to correct that dysfunction, I’m not wrong to be skeptical given its past behavior.
Now consider eBay’s misconduct. In 2019, the then-CEO and one of his top lieutenants were consumed with hatred for two online critics of the company. They directed seven employees in eBay’s security team to harass the critics; those employees did so by stalking the victims in person and terrorizing them with deliveries such as live insects, a bloody pig mask, and a book on how to survive the death of your spouse.
This all happened within a brief period in 2019. The then-CEO was ousted from the company for poor performance, and his top lieutenant was subsequently fired. The seven employees were all charged and convicted, and so far six have been sentenced to prison or home confinement. The former CEO and the lieutenant are both facing civil lawsuits from the victims.
eBay, meanwhile, engaged in extensive compliance reforms too, such as beginning remediation before the local U.S. attorney even started his investigation and creating a new chief ethics officer role.
That all sounds like eBay suffered one very specific incident of misconduct, arguably worse than an FCPA violation because senior leaders used the company’s resources to persecute two specific individuals. But it does not sound like a deep and pervasive corporate culture problem. It sounds like a whacko CEO, a lickspittle lieutenant, and a bunch of corporate security bullies who all went too far and then got their much-deserved comeuppance.
So that behavior gets the monitor, but not SAP?
How Monitors Get Chosen
OK, back to that Justice Department guidance on the selection of monitors. It includes 10 factors that prosecutors should consider when deciding whether a compliance monitor is appropriate. Several of those factors stand out, including:
Whether, at the time of the resolution, the corporation’s risk profile has substantially changed, such that the risk of recurrence of the misconduct is minimal or nonexistent;
So, has the risk profile of SAP substantially changed? It was working in high-risk jurisdictions at the time of the FCPA offense, it’s working in those markets today, and it will keep working in those markets in the future. Yes, the company has implemented some smart measures to reduce the chance of corruption payments, but does the risk fall all the way to “minimal or nonexistent”?
On the other hand, eBay’s risk for harassing online critics was driven by specific people pursuing a specific goal, rather than by its business model. Those people are gone. The company also implemented extensive reforms, just like SAP implemented reforms for its own problems. So wouldn’t eBay’s chance of repeat stalking misconduct be even lower than SAP’s chance of repeat FCPA violations?
And another monitor factor:
Whether the underlying criminal conduct was long-lasting or pervasive across the business organization or was approved, facilitated, or ignored by senior management, executives, or directors;
Well, SAP’s misconduct lasted for years (throughout the 2010s, including after a civil FCPA resolution in 2016) and happened across South Africa, East Africa, Indonesia, and Azerbaijan. On the other hand, eBay’s misconduct was certainly approved by senior management, who talked numerous times about wanting to “take down” the online critic. So by this factor, both companies deserved a monitor.
And one more just for fun:
Whether the underlying criminal conduct involved the exploitation of an inadequate compliance program or system of internal controls;
SAP clearly meets that standard: the SEC expressly faulted the company for its inadequate internal controls and entity-level controls. On the other hand, the spiteful actors at eBay didn’t exploit the company’s internal controls at all to do their dirty work, and I’m not sure they “exploited” an inadequate compliance program as much as they just operated outside it for a single vindictive episode.
And yet, eBay gets the compliance monitor but SAP doesn’t. Am I the only one confused here?
The Brass Tacks
At this point let’s drop the pretense and state the obvious. Compliance monitors are not only a vehicle for the Justice Department to confirm that a company will live up to its settlement agreement. Monitors are also one tool among many in the Justice Department’s toolkit that it can use to inflict an appropriate amount of pain on corporate offenders.
And that’s what keeps recurring to me as I study SAP and eBay together. SAP paid a substantial criminal penalty ($118.8 million) to settle a rather routine criminal offense for large companies. eBay paid only $3 million for conduct far more shocking — but that’s because $3 million is the maximum penalty allowed by statute for eBay’s misconduct.
So to what extent did eBay get a compliance monitor to compensate for that limited criminal penalty? To what extent did SAP avoid a monitor because the Justice Department could obtain a much larger criminal penalty from it?
This all seems backwards to me. eBay probably doesn’t need a monitor, but it did deserve a larger criminal penalty; it’s a shame federal statutes don’t allow for that. SAP probably could benefit from a monitor, given its recidivist past and its risk profile, but didn’t need a large criminal penalty, because regulators already had disgorgement of ill-gotten profits and penalties only hurt shareholders.
So if our ultimate goal is to make corporations do better in the future, is any of this the right way to go about it?