The Securities and Exchange Commission’s (SEC) recent Foreign Corrupt Practices Act (FCPA) settlements focus on companies’ lack of sufficient anti-corruption compliance programs, which means, to the SEC, that the companies did not have adequate internal accounting controls and therefore violated the books and records provisions of the FCPA. In bringing these actions, the SEC is signaling that if it perceives that a company could have identified and prevented the conduct, then the company will be held liable. Although the SEC identifies “holes” in existing compliance programs in these actions, it appears to be applying some 20/20 hindsight to suggest that these companies truly did not have sufficient internal accounting controls. Nonetheless, companies are forewarned and should apply the lessons of these settlements in reviewing the adequacy of their own anti-corruption compliance programs.

On February 1, 2016, the SEC announced a settlement with SAP SE, a major German-based software maker. There, an SAP executive, Vincente Garcia (who pled guilty last year and is serving 22 months in jail), paid $145,000 in bribes to government officials to obtain a contract in Panama. He created a “slush fund” by falsifying forms and giving an 82% discount on software licenses to a distributor. According to the SEC, “SAP’s internal controls failed to flag Garcia’s misconduct as he easily falsified internal approval forms and disguised his bribes as discounts.” The SEC noted that “SAP had no requirements for heightened anti-corruption scrutiny for such large discounts.” The cost to SAP for this settlement (in which it neither admits nor denies the allegations) was $3.7 million in disgorgement of profits and prejudgment interest of $188,896.

The SAP action follows several 2015 settlements in which similar allegations are made. Most notable was the administrative action against a major U.S. bank for hiring the relatives of foreign officials as interns. See our earlier alert. In that case, the SEC alleged that the bank’s “system of internal accounting controls was insufficiently tailored to the corruption risks inherent in the hiring of client referrals, and therefore was inadequate to fully effectuate [its] stated policy against bribery of foreign officials.” In particular, “[s]enior managers were able to approve hires requested by foreign officials with no mechanism for review by legal or compliance staff.” Although the bank had in place an anti-corruption compliance policy, the bank’s compliance program “maintained few specific controls around the hiring of customers and relatives of customers, including foreign government officials.”

The BHP Billiton settlement raised a similar theme. In that case, the SEC alleged that Billiton “failed to devise and maintain sufficient internal controls over its global hospitality program connected to the company’s sponsorship of the 2008 Summer Olympic Games in Beijing.” Specifically, although Billiton “recognized that inviting government officials to the Olympics created a heightened risk of violating anti-corruption laws and the company’s own Guide to Business Conduct, [...] the internal controls it developed and relied upon in an effort to address this risk were insufficient.” Thus, Billiton tried to address the risk, but failed. The controls failed to prevent Billiton from inviting “government officials who were directly involved in, or in a position to influence, pending contract negotiations, efforts to obtain access rights, regulatory actions, or business dealings affecting [Billiton] in multiple countries.” Notably, only one foreign official who was in a position to influence a Billiton contract is alleged to have actually attended the Olympics. Nonetheless, although Billiton set up an elaborate anti-corruption procedure around the invitations to the Olympics, the SEC found that procedure was not good enough.

These three settlements show how aggressive the SEC has become about the strength of companies’ anti-corruption compliance programs. The above companies did not ignore their duties to comply with the FCPA – they all had developed anti-corruption compliance programs. Nonetheless, the SEC tagged them with books and records violations because it found those programs simply were not good enough. This suggests that companies should be aware of the various “deficiencies” that the SEC has identified in anti-corruption compliance programs and review their own programs to ensure that such deficiencies do not exist.