SAP’s Non-Monitor Monitorship
Here’s a rather odd item in the annals of FCPA enforcement: software giant SAP recently assigned one of its internal compliance employees to be the company’s “monitorship compliance officer” — for an FCPA settlement announced in January that didn’t require a compliance monitor.
This came to my attention when the SAP employee announced on LinkedIn this week that she has been promoted into that new role. Upon further research, I found a job posting SAP published last week advertising for that title. The monitorship compliance officer (I’m unclear on whether the employee snagged this role quickly or SAP is trying to fill multiple such roles) will be part of SAP’s “monitorship compliance office” and “will be expected to execute work plan tasks as per the deferred-prosecution agreement with the Department of Justice from Jan. 10, 2024.”
That DPA was a settlement where SAP paid $220 million to resolve criminal FCPA violations. It did not include a compliance monitor.
So this new role raises an obvious question. What is SAP doing here?
I asked SAP to comment on this new monitorship role, and so far the company hasn’t replied. I also want to be clear that this post isn’t meant as a swipe at the monitorship compliance officer personally. She has worked in various roles at SAP for more than 25 years and seems well-qualified for the duties SAP described in its job posting.
Rather, my point is to consider what SAP’s new monitorship role represents. It reflects how companies are responding to FCPA settlements these days, when those settlements require so much enhanced reporting to the Justice Department that the offending company might as well treat the arrangement as a monitorship anyway.
‘Compliance Reporting Requirements’
First let’s review what SAP promised to report to the Justice Department as part of its FCPA settlement. The terms were spelled out in Attachment D of the deferred-prosecution agreement, which is scheduled to run for three years.
In each year of the settlement, SAP must review, test, and update its compliance program, and send a report on those reviews to the Fraud Section of the Justice Department. The reviews must include…
- An inspection of the company’s current policies, procedures, and training materials for compliance with the FCPA and other anti-corruption laws;
- Testing of the company’s systems, procedures, and internal controls, including record-keeping and internal audit procedures;
- Interviews with relevant current or former directors, officers, employees, business partners, agents, and other persons about the state of the program;
- Analyses, studies, and comprehensive testing of the compliance program.
For that first performance review, which must be done in 2024, SAP had to devise a work plan and submit that plan for Justice Department review this spring. By the end of the first year of the DPA (that is, January 2025), SAP must also submit a follow-up report describing all the activities it undertook to fulfill the terms of the work plan.
Then SAP must repeat that whole process for the second and third years of the DPA, until the agreement finally expires in January 2027. At that point, the company’s CEO and CCO (Vivianne Gordon-Pullar) are supposed to certify that the compliance program is effective.
I go into so much detail about these enhanced reporting requirements simply to show that it’s a lot of work: documentation, interviews, phone calls, report writing, and more. That sounds like a full-time job to me — so enter this monitorship compliance officer, apparently assigned to handle the work.
Is Enhanced Reporting a Monitor by Another Name?
Well, kinda sorta. When the Justice Department settled its case with SAP, the department expressly said that the enhanced compliance reporting requirements were enough to cancel any need for an independent compliance monitor:
[B]ased on the company’s remediation and the state of its compliance program, and the company’s agreement to report to the Fraud Section as set forth in Attachment D to this Agreement (Compliance Reporting Requirements), the Fraud Section determined that an independent compliance monitor was unnecessary…
Moreover, the above language isn’t unique to SAP. Multiple other recent FCPA settlements, such as the Freepoint settlement in December, the Gunvor settlement on March 1, and the Trafigura settlement on March 29, all had essentially the same arrangement: annual performance reviews and work plans, which obviated the need for a monitor. In fact, Freepoint, Gunvor, and Trafigura are all supposed to have quarterly meetings with Fraud Section prosecutors in addition to the enhanced reporting.
We should remember our Fraud Section history here. Once upon a time, back in the 2010s, the Fraud Section had pretty much one person who closely studied compliance progress reports from companies under DPAs: the section’s in-house compliance counsel, who at the time was Hui Chen. She left at the start of the Trump Administration, which never got around to filling her position. Then came the Biden Administration, which has taken a strategy of hiring more prosecutors with compliance knowledge. So now the Fraud Section has more people able to read and evaluate these compliance progress reports with a keen eye.
Given all that, are these arrangements emerging as a substitute for independent compliance monitors? All these companies would need someone on staff to be a de facto monitorship liaison anyway, gathering documents and preparing reports; the information is simply going directly to the Justice Department rather than to a monitor. (I asked the Justice Department to comment on this too; they declined.) It’s also possible that a company might hire an outside counsel to organize its documentation for enhanced compliance reporting, and you’d want someone to serve as liaison to that firm.
So perhaps SAP just had a refreshing burst of candor and called this role a monitorship liaison even without an actual compliance monitor, since that’s what the person will be doing in practice anyway. It’s a reasonable response to current FCPA enforcement practices.
I wonder if other companies will follow suit.