- FCPA Professor - http://fcpaprofessor.com -

Issues To Consider From The SAP Enforcement Action

Coming in at a “mere” $3.9 million settlement, this week’s SAP enforcement action [1] will not make anyone’s list of “significant” enforcement actions.

Yet, as highlighted in this post, the enforcement action raises several significant (and alarming) issues.

Sole Actor

In the minds of some, rogue employees are figments of the corporate apologists imagination and no enforcement action has ever been based on the conduct of just one individual.

This has always been an off-target observation and the SAP action is yet another example of a company being the victim of a rogue employee (technically the individual was not even an employee of SAP, but rather a subsidiary company).

As stated by the SEC, SAP has 272 subsidiaries, its business is conducted through a network of more than 11,500 partners that provide an additional workforce of 280,000 individuals. The SAP enforcement action was based on the conduct of Vicente Garcia and set forth below in pertinent part is what the SEC found.

Ineffective Internal Controls?

Notwithstanding the above, in the perfect hindsight driven, would have, could have, should have world in which the SEC’s resides, the SEC states that SAP’s “deficient internal controls” “allowed” Garcia to engage in the improper conduct.

When analyzing whether SAP had “reasonable” internal controls (the statutory standard after all) consider the following SEC statements.

Based on the above SEC findings, the SAP enforcement joins prior FCPA enforcement actions against Oracle [2] and H-P [3] (also technology companies) as being truly alarming. (See this prior [4] post highlighting how the former Assistant Chief of the DOJ’s FCPA Unit blasted various aspect of SEC FCPA enforcement including in the Oracle action – observations which equally apply to the SAP action).

What makes the enforcement actions alarming is not only the key statutory language of “reasonable,” but also prior SEC enforcement agency guidance. As highlighted numerous times on these pages, the most extensive SEC FCPA guidance states as follows.

“The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company. But, an adequate system of internal controls means that, when such breaches do arise, they will be isolated rather than systemic, and they will be subject to a reasonable likelihood of being uncovered in a timely manner and then remedied promptly. Barring, of course, the participation or complicity of senior company officials in the deed, when discovery and correction expeditiously follow, no failing in the company’s internal accounting system would have existed. To the contrary, routine discovery and correction would evidence its effectiveness.”

No-Charged Bribery Disgorgment

The SAP enforcement action is the latest example of the SEC ordering disgorgement even though the offending company was not charged with violating the FCPA’s anti-bribery provisions.

As highlighted in this [5] previous post, so-called no-charged bribery disgorgement is troubling.

Among others, Paul Berger (here [6]) (a former Associate Director of the SEC Division of Enforcement) has stated that “settlements invoking disgorgement but charging no primary anti-bribery violations push the law’s boundaries, as disgorgement is predicated on the common-sense notion that an actual, jurisdictionally-cognizable bribe was paid to procure the revenue identified by the SEC in its complaint.” Berger noted that such “no-charged bribery disgorgement settlements appear designed to inflict punishment rather than achieve the goals of equity.”