How to Avoid an Independent Compliance Monitor: Lessons From the SAP Settlement

This week, SAP SE (SAP), the German-based software company, agreed to pay over $200 million to resolve investigations by the US Department of Justice (DOJ) and US Securities and Exchange Commission (SEC) into violations of the Foreign Corrupt Practices Act (FCPA).

SAP entered into a three-year deferred prosecution agreement, will pay a criminal penalty of over $118 million, and agreed to forfeit more than $103 million. Unlike other recent FCPA resolutions, however, SAP was not required to retain an independent compliance monitor.

The Allegations Highlight Risks in Using Third-Party Intermediaries and Consultants

According to the government, “SAP paid bribes to officials at state-owned enterprises in South Africa and Indonesia to obtain valuable government business.” SAP allegedly provided cash payments, political contributions, and luxury goods to foreign officials. In South Africa, the government asserts that SAP’s agents engaged in a bribery scheme for approximately four years and falsified SAP’s books, records, and accounts in order to gain improper advantages with South African government departments. SAP also allegedly engaged agents in a bribery scheme in Indonesia. The SEC further claimed that SAP employed third-party intermediaries and consultants to pay bribes in South Africa, Malawi, Kenya, Tanzania, Ghana, Indonesia, and Azerbaijan. The SEC alleged the bribes were inaccurately recorded as proper business expenses in its books and records, even though certain intermediaries could not show that they provided the services for which they had been contracted.

Controls on Paper but Not in Practice

The SEC contends that SAP had policies and procedures for working with third parties during the years that it was engaged in the bribery schemes. Specifically, the procedures required employees to conduct due diligence and ensure that third parties were not government officials or employees, political candidates, or officers or employees of any public international organization (among other relationships addressed by the due diligence). Moreover, for all business development partners, SAP required that all sales commission contracts be in writing and clearly define the services to be provided and the payment terms. SAP even required additional approvals where agreements required non-standard terms.

Despite the written policies and procedures, the SEC found that SAP did not have entity-level controls over its operations in South Africa and Indonesia, among other locations, and that it lacked internal accounting controls sufficient to detect or prevent bribe payments that were inaccurately recorded as legitimate commissions or expenses. Specifically, SAP did not implement payment approval controls to sufficiently ensure that services were actually rendered and expenses were incurred before issuing payments to third parties.

Finally, the SEC noted that while SAP had adopted an anti-corruption policy, it had not implemented adequate formal monitoring or controls to ensure employees in certain regions followed the policies in practice.

How Did SAP Avoid a Compliance Monitor?

Although the government did not explicitly explain why it did not require SAP to retain an independent compliance monitor, the resolution emphasizes SAP’s cooperation and highlights concrete actions SAP took aligned with the DOJ’s latest guidance on compliance programs. 

  • Preserving communications on messaging applications: SAP imaged phones of relevant custodians at the beginning of the investigation and preserved business communications sent on mobile messaging applications. SAP’s cooperation follows the DOJ’s memorandum from September 2022, which cautioned that “[h]ow companies address the use of personal devices and third-party messaging platforms can impact a prosecutor’s evaluation of the effectiveness of a corporation’s compliance program, as well as the assessment of a corporation’s cooperation during a criminal investigation.” 
  • Clawbacks: The company also withheld nearly $110,000 in bonuses during its internal investigation from employees who were engaged in the suspected wrongdoing. This action resulted in a reduction of SAP’s criminal penalty and aligns with the DOJ’s recent focus on using corporate compensation structures to promote compliance. 
  • Root cause analysis, tailored remediation, and structural changes: It appears that SAP conducted a root cause analysis of the underlying conduct and took corresponding actions to enhance its compliance program. Among the changes highlighted by the government, SAP eliminated its third-party sales commission model globally and prohibited all sales commission for public sector contracts in high-risk markets.
  • Data analytics: According to the government, SAP expanded its data analytics capabilities to cover 150 countries, including all high-risk territories around the globe. The government has been stressing the importance of using data to monitor and test policies, controls, and transactions. In fact, in a November 2023 speech, the Acting Assistant Attorney General also emphasized that the DOJ is now using data analytics to proactively identify potential incidents of foreign bribery and initiate FCPA investigations.
  • Bolstering the Ethics and Compliance offices’ authority and stature: In line with the government’s guidance on corporate compliance programs, the company increased the budget, resources, and expertise in its Offices of Ethics and Compliance, which it also restructured. The government stressed that SAP took steps to ensure the function had adequate stature, independence, autonomy, and access to executive leadership.
  • Risk assessments: SAP was also credited for conducting a comprehensive risk assessment focusing on high-risk areas and its payment controls. It also took steps to improve its regular compliance risk assessment process.

SAP’s significant cooperation and thoughtful remedial efforts likely helped it avoid the imposition of an independent compliance monitor. The company took specific actions to enhance its compliance program and responded to the government’s most recent guidance on compliance controls and how to support it during an investigation. It also invested additional resources in its compliance function and made structural changes to its business operations designed to mitigate corruption risks.

The ArentFox Schiff team has extensive experience with advising companies on best practices for their compliance programs. Peter V. B. Unger served as a monitor on several World Bank corruption-related settlements, and with the assistance of the co-authors, recently served as counsel to the monitor on a large four-year international DOJ and SEC FCPA monitorship. We can help you develop uniquely tailored compliance enhancements and, if necessary, demonstrate how they work in practice to the government or other stakeholders.
