Coming in at a “mere” $3.9 million settlement, this week’s SAP enforcement action will not make anyone’s list of “significant” enforcement actions.

Yet, as highlighted in this post, the enforcement action raises several significant (and alarming) issues.

Sole Actor

In the minds of some, rogue employees are figments of the corporate apologists imagination and no enforcement action has ever been based on the conduct of just one individual.

This has always been an off-target observation and the SAP action is yet another example of a company being the victim of a rogue employee (technically the individual was not even an employee of SAP, but rather a subsidiary company).

As stated by the SEC, SAP has 272 subsidiaries, its business is conducted through a network of more than 11,500 partners that provide an additional workforce of 280,000 individuals. The SAP enforcement action was based on the conduct of Vicente Garcia and set forth below in pertinent part is what the SEC found.

• Garcia “created a slush fund” that was used to pay the bribes and kickbacks
• Garcia “concealed his scheme from others at SAP”
• Garcia “circumvented SAP’s internal controls”
• Garcia “justified the excessive discounting by falsifying SAP’s internal approval forms”
• Garcia “self-profited through kickbacks”
• Garcia used his “personal e-mail” in connection with the scheme
• All of Garcia’s accomplices were “others outside of SAP” (a term used by the SEC multiple times)

Ineffective Internal Controls?

Notwithstanding the above, in the perfect hindsight driven, would have, could have, should have world in which the SEC’s resides, the SEC states that SAP’s “deficient internal controls” “allowed” Garcia to engage in the improper conduct.

When analyzing whether SAP had “reasonable” internal controls (the statutory standard after all) consider the following SEC statements.

• “In June 2009, SAP conducted an internal investigation and found that Garcia violated its internal Code of Business Conduct when he invited an executive of Petroleos Mexicanos (“PEMEX”), the Mexican national oil company, to an SAP marketing event at the Monaco Grand Prix. SAP did not find any attempt to improperly influence any government official in connection with the 2008 PEMEX sale. As a result of the internal investigation, SAP revised its policies prohibiting government officials or employees from attending any “hospitality” event, which it defined as any event where business constitutes less than 80% of the event.”

• “One of the four contracts was a software license sale to the Panamanian social security agency, which was initially proposed to be a direct sale with the assistance of local partners. In order to facilitate the bribery scheme, the existing partners were replaced with a new local Panamanian partner. This last-minute change, and other red flags, triggered an SAP compliance review which resulted in SAP rejecting Garcia’s request to pay a commission to the local partner. Therefore, Garcia and others began looking for other ways to advance the bribery scheme. Finally, in the fall of 2010, Garcia finalized an indirect sale of the software license to the agency through the local partner, who, with Garcia’s assistance, ultimately sought and obtained an 82% discount on SAP’s sale price to the local partner. Garcia caused various approval forms to be submitted that misstated the reasons for the large discount. Garcia stated that the discounts were necessary to compete with other software companies in establishing a relationship with the government of Panama when, in fact, the discounts were necessary to fund and pay bribes to government officials. Garcia and others planned to sell SAP software to the local partner at an 82% discount, who in turn would sell the software at significantly higher prices to the Panamanian government and use part of the profits from the sale to pay bribes.

• The underlying activity which SAP was faulted for in the enforcement action – large customer discounts – was something “SAP routinely” provided to “local partners for legitimate reasons.”

Based on the above SEC findings, the SAP enforcement joins prior FCPA enforcement actions against Oracle and H-P (also technology companies) as being truly alarming. (See this prior post highlighting how the former Assistant Chief of the DOJ’s FCPA Unit blasted various aspect of SEC FCPA enforcement including in the Oracle action – observations which equally apply to the SAP action).

What makes the enforcement actions alarming is not only the key statutory language of “reasonable,” but also prior SEC enforcement agency guidance. As highlighted numerous times on these pages, the most extensive SEC FCPA guidance states as follows.

“The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company. But, an adequate system of internal controls means that, when such breaches do arise, they will be isolated rather than systemic, and they will be subject to a reasonable likelihood of being uncovered in a timely manner and then remedied promptly. Barring, of course, the participation or complicity of senior company officials in the deed, when discovery and correction expeditiously follow, no failing in the company’s internal accounting system would have existed. To the contrary, routine discovery and correction would evidence its effectiveness.”

No-Charged Bribery Disgorgment

The SAP enforcement action is the latest example of the SEC ordering disgorgement even though the offending company was not charged with violating the FCPA’s anti-bribery provisions.

As highlighted in this previous post, so-called no-charged bribery disgorgement is troubling.

Among others, Paul Berger (here) (a former Associate Director of the SEC Division of Enforcement) has stated that “settlements invoking disgorgement but charging no primary anti-bribery violations push the law’s boundaries, as disgorgement is predicated on the common-sense notion that an actual, jurisdictionally-cognizable bribe was paid to procure the revenue identified by the SEC in its complaint.” Berger noted that such “no-charged bribery disgorgement settlements appear designed to inflict punishment rather than achieve the goals of equity.”