On September 15, 2022, the Securities and Exchange Commission (SEC), along with the U.S. Department of Justice (DOJ), announced settled charges in parallel investigations against GOL Linhas Aéreas Inteligentes (GOL), Brazil’s second-largest airline. On September 27, 2022, the SEC announced settled charges against Oracle Corporation (Oracle), an information technology company. Both companies were charged with violating the anti-bribery, books and records, and internal accounting controls provisions of the Foreign Corrupt Practices Act (FCPA). These settlements demonstrate that FCPA enforcement continues to be a priority for the SEC and the DOJ. It is critically important for corporations to have an effective system of internal accounting controls and a rigorous anti-corruption program that integrates relevant aspects of those controls.
The SEC charged GOL with violating the FCPA’s anti-bribery, books and records, and internal accounting controls provisions, while the DOJ charged GOL with conspiracy to violate the FCPA’s anti-bribery and books and records provisions. According to the SEC’s cease and desist order (GOL Order) and GOL’s admissions in a deferred prosecution agreement (DPA) with the DOJ, GOL conspired to pay over $3 million to Brazilian officials in 2012 and 2013 to secure the passage of two pieces of favorable legislation. These laws reduced payroll and aviation fuel taxes, saving GOL approximately $51.84 million.
According to the DPA and SEC order, GOL entered into contracts with third parties for the purpose of generating and concealing the funds needed to perpetrate multiple payments to various government officials. A member of GOL’s Board of Directors paid bribes through two companies controlled by a Brazilian legislator, and funneled payments through other companies associated with other officials. These payments were recorded as legitimate business expenses in GOL’s books, characterized as expenses for advertisement as well as other services which were never provided. As the SEC noted: “The insufficiency and ineffectiveness of the internal accounting controls resulted in a procurement process that relied primarily on the [GOL] Director for authorization and verification of these services with little oversight or review. [GOL’s] internal accounting controls were also not adequately designed to reflect its corporate policy against making improper payments to government officials.”
To resolve the foreign bribery investigations, GOL entered into a three-year DPA with the DOJ and settled a cease and desist proceeding with the SEC. he DOJ and GOL agreed in the DPA that the appropriate criminal penalty was $87 million, but that amount was reduced to $17 million based on GOL’s inability to pay the full $87 million. The DOJ also agreed to credit $1.7 million of a penalty that GOL was to pay authorities in Brazil.
The SEC directed GOL to pay $70 million in disgorgement and prejudgment interest but simultaneously waived all except $24.5 million of that amount based on GOL’s financial condition. The SEC did not impose a civil penalty on GOL because of the criminal penalty already assessed by the DOJ.
The DOJ and the SEC indicated that they gave credit to GOL for its remedial efforts and cooperation with their investigations. According to the government, GOL’s cooperation included timely providing the facts obtained through the company’s internal investigation, interviewing witnesses, conducting background checks, testing over 2,000 transactions, translating documents, and making its management available to SEC staff in the United States. GOL’s remedial efforts included conducting a comprehensive risk assessment, re-evaluating and redesigning its anti-corruption compliance program, creating a new risk and compliance department with a new chief compliance officer, and terminating its relationship with third parties involved in the misconduct.
The SEC similarly found that Oracle violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA because from 2014 to 2019, employees of the company’s subsidiaries in India, Turkey and the United Arab Emirates (UAE) used funds financed through Oracle’s discount and marketing reimbursement programs to bribe foreign officials in return for business.
According to the SEC, Oracle allowed employees at its subsidiaries to request discounts from product price lists only for legitimate business reasons such as end customer budget caps or competition from other manufacturers. Although the policy allowed discount reviewers to ask for supporting documentation, it did not require documentary support for requested discounts. Oracle policies further allowed employees at company subsidiaries to request purchase orders meant to reimburse third-party distributors and resellers for expenses associated with marketing Oracle products. However, first-level subsidiary supervisors could approve reimbursements under $5,000 without requiring corroborating documentation indicating that any marketing activity actually occurred. The SEC found that Oracle subsidiary employees used excessive discounts and “sham” marketing reimbursements requests to create “slush funds” variously held by distributors and resellers. According to the SEC, Oracle subsidiaries in India, Turkey and the UAE used these funds to bribe government officials in order to obtain favorable contracts. In Turkey, the funds were also used to pay for travel and accommodation for end-customers, including government officials, to attend technology conferences. The funds were similarly used to pay for the travel and accommodation expenses of foreign officials’ spouses and children, as well as for side trips to Los Angeles and Napa Valley.
Without admitting or denying the SEC’s findings, Oracle agreed to pay a monetary penalty of $15 million and disgorge approximately $7.9 million. In determining to settle with Oracle, the SEC also considered that Oracle self-reported unrelated conduct, undertook remedial action, and cooperated with SEC staff. The SEC noted, for instance, that “Oracle’s cooperation included sharing facts developed in the course of its own internal investigations, voluntarily providing translations of key documents, and facilitating the staff’s requests to interview current and former employees of Oracle’s foreign subsidiaries.” The SEC further noted 13 remedial steps Oracle undertook, e.g., terminating employees, distributors and resellers involved in the misconduct; strengthening and expanding its global compliance, risk and control functions, including the creation of over 15 new positions and teams at headquarters and globally; improving aspects of its discount approval process and increasing transparency in the product discounting process through implementation and expansion of transaction controls; increasing oversight and controls over the purchase requisition approval process; limiting financial incentives and business courtesies to third parties, particularly in public sector transactions; improving customer registration and payment checking processes; enhancing proactive audit functions; introducing measures to improve the quality of its partner network and reducing the number of partners in its network; enhancing the procedures for engaging third parties, including the due diligence processes; implementing a compliance data analytics program; and enhancing training and communications provided to employees and third parties regarding anti-corruption, internal controls and other compliance issues. The SEC also noted that in 2012, Oracle agreed to pay a $2 million penalty to settle a prior SEC action alleging that the company violated the books and records and internal accounting controls provisions of the FCPA.
- In both matters, weak internal accounting controls allowed for the aggregation of off-book funds that were used to pay bribes and provide other benefits to government officials all in violation of the FCPA. Thus, it is crucial for public companies to have strong and effective internal accounting controls and a robust anti-corruption program that integrates pertinent aspects of those internal controls as well as policies and procedures designed to effectively detect and deter violations of anti-corruption laws including the FCPA.
- In press releases accompanying the orders, the SEC’s FCPA Unit Chief emphasized that internal accounting controls must exist throughout the entirety of a company’s operations and at all levels of the organization.
- Strong corporate anti-corruption programs should be developed taking into account periodic risk assessments evaluating the particularized circumstances of the company and its business including, geographic organization, interactions with government officials, industrial sectors of operations, potential client base and business partners, use of third-party agents, gifts, expenses, donations, involvement in joint ventures, importance of licenses and permits in the company’s operations, government oversight and inspection, and goods and personnel passing through customs and immigration. The DOJ required GOL to undertake such risk assessments pursuant to the DPA.
- Corporations evaluating and strengthening their internal accounting controls and anti-corruption policies should carefully consider the remedial action undertaken by GOL and Oracle as described in the SEC orders. At the recent SEC Speaks conference, Sanjay Wadhwa, Deputy Director of Enforcement, noted that, when a firm agrees to implement improvements and the SEC order maps out those improvements, it provides a guide for other firms to follow.
- Other factors for companies to consider when evaluating their internal accounting controls and anti-corruption policies include, but are not limited to, implanting effective supervision of the anti-corruption program by personnel with an appropriate level of seniority and independence, providing officers, directors, employees, and, where appropriate, agents and other third parties with anti-corruption training; requiring documentation to support approval of expenditures; performing initial and periodic due diligence on agents, distributors, and other third parties such as joint venture partners; and establishing an internal reporting mechanism (confidential when possible) for potential violations of anti-corruption laws, policies or procedures.
- Companies providing anti-corruption training should also consider whether such training should be offered in languages other than English for some personnel.