A careful reading of the DOJ and SEC settlement documents for the SAP case will puzzle you.  I know I am scratching my head trying to make sense of the whole picture here.  There are a number of significant indicators of a change in DOJ’s tack, along with SEC’s aggressive push on third-party controls.  DOJ’s position is even more difficult to understand as explained below.

For compliance practitioners, there are a number of important points, especially for those involved in the software industry that depend on complicated third-party intermediary channels to distribute its products and secure valuable foreign government business.

To try and make sense of the SAP enforcement action, lets break down the specific lessons learned.

DOJ’s Contradictory Approach to Recidivists — DOJ has pushed two specific messages on FCPA enforcement.  First, this Administration elevated anti-corruption enforcement to a national security issue.  AS part of this effort, DOJ adopted robust changes to the Corporate Enforcement Program, targeting recidivists for aggressive treatment. 

Second, since at least late 2022, DOJ has walked back from this position by revealing in practice that it does not intend to adhere strictly to many of its policy pronouncements.  This walk-back has been accelerated by DOJ’s adoption of changes designed to encourage voluntary disclosures of potential violations.

DOJ’s walk-back began with its ABB enforcement action at the end of 2022, in which ABB, a three-time FCPA violator, earned a favorable resolution of its situation.

The SAP resolution, totaling only $220 million was far below the amount that a recidivist should have paid for its global bribery operations stretching into multiple countries.  In 2016, SAP resolved an FCPA enforcement action with the SEC for violations in Panama.  Five years later, SAP resolved a large sanctions case with DOJ for numerous violations of Iran sanctions. 

When face with SAP’s current set of bribery violations stretching into various countries, DOJ had an opportunity to speak in an aggressive voice — impose a significant penalty, impose an independent compliance monitor, and bring follow-own criminal prosecutions against major individual violators.  DOJ should have acted with a bang; instead, it closed out this case with a whimper.

Do not kid yourself — DOJ is turning its focus and pulling back.  DOJ is pulling punches and the implications of this change in strategy is not yet fully understood. 

SEC’s Digging into Third-Party Controls — The SEC’s steady enforcement record in 2023 and continuing into 2024 stands in contrast to DOJ’s wavering approach.  The SEC has continued to generate cases against companies but has not had many individual enforcement actions. 

The SAP case, however, reflects an aggressive push into holding companies accountable for violating their internal controls applicable to third-party risk management.  The SEC’s approach demonstrates a more aggressive application of internal control enforcement. 

The SEC’s settlement order outlines SAP’s internal procedures for engagement of third parties, including a requirement to conduct due diligence to assess risk and ensure: (1) That a third party had no relations (as a family member) to the SAP customer or a potential customer, and (2) That the third party was not a government official, government employee, political party official or candidate, or officer or employee of any public international organization or an immediate family member of any of these. In addition, with respect to BDPs, all sales commission contracts had to be in writing and clearly define the services to be provided and the related business and payment terms. As explained by the SEC:

SAP subsidiaries and employees were required to use a model agreement that included standard commission rates and to follow a standardized internal approval process, which required the involvement and approval of the local legal department or compliance officer, the subsidiary’s local managing director, and its local chief financial officer. In cases where a third-party agreement required non-standard terms, regional management had to provide additional approvals. The policy documents explicitly state that they were put into place to ensure that no relationship with a third party would be used to inappropriately influence a business decision or pay bribes to government officials.

Unfortunately, as explained by the SEC, SAP repeatedly failed to follow these internal control requirements governing third parties.  If a company is going to craft specific internal controls, the company has to enforce those controls or face serious enforcement risks.  SAP now stands as the poster child for this proposition.

Reminders on Gifts, Hospitality and Travel — The SEC’s enforcement action also cited SAP for a number of bribery payments made in gifts — spending $3000 when its gifts policy has a limit of $30 for gifts to foreign officials.  In addition, an SAP employee took government officials on a $10,000 shopping spree and added a luxury watch for a foreign official.  SEC’s calling out of these expenditures are important reminders on the importance of adhering to your gifts, entertainment and travel policies.