January 17, 2024 - On January 10, 2024, SAP SE (“SAP”), a global software company based in Germany, agreed to pay over $220 million to resolve investigations by the U.S. Department of Justice (“DOJ”) and the Securities and Exchange Commission (“SEC”) into violations of the Foreign Corrupt Practices Act (“FCPA”). According to the DOJ and the SEC, from approximately 2015 to 2018, SAP, through third-party intermediaries, engaged in various schemes to pay bribes to foreign government officials to obtain and retain business in South Africa, Indonesia, Malawi, Kenya, Tanzania, Ghana, and Azerbaijan.

Summary of Conduct and Resolutions

As detailed in the resolution papers, in South Africa, SAP’s wholly owned subsidiary (“SAP South Africa”) retained several intermediaries, many with a reputation for corrupt practices, and paid those intermediaries millions of dollars in commissions. SAP South Africa recorded the payments to these intermediaries as legitimate business expenses, even though most of the intermediaries could not show that they provided the services for which they had been contracted. During the investigation, the former director of one of the intermediary companies admitted that the intermediary company had “no expertise” or skills to provide services on the relevant deal and that he had no knowledge of the intermediary company providing any actual services. Per the SEC Order, among other methods, SAP South Africa employed a strategy of paying intermediaries a 14.9% commission rate to avoid the higher-level scrutiny triggered by a 15% rate.

SAP’s Indonesian subsidiary also retained an intermediary known for paying bribes and for other corrupt business practices. On behalf of SAP Indonesia, the intermediary created shell companies to generate fake expenses, and used SAP Indonesia’s reimbursements for those expenses to create slush funds to pay bribes, sponsor customer excursions, and generate kickbacks for the intermediary. SAP Indonesia’s misconduct was documented by photographs and videos showing cash payments made to foreign officials and WhatsApp messages evidencing the schemes.

The SEC Order details several other similar schemes involving third parties by SAP Africa through several countries in Africa and SAP Azerbaijan in Azerbaijan.

Under the three-year deferred prosecution agreement (“DPA”) with the DOJ, SAP will pay a criminal penalty of $118.8 million and forfeit approximately $103.4 million. The criminal penalty reflects a forty percent discount off the bottom of the otherwise-applicable Sentencing Guidelines fine range. The DOJ will credit up to $55.1 million of the criminal penalty against amounts that SAP pays to resolve an investigation by South African authorities. It will also credit up to the full forfeiture amount against disgorgement SAP pays to the SEC or South African authorities.

In its settlement with the SEC, SAP agreed to pay disgorgement and prejudgment interest of $98,451,184. SAP will receive a disgorgement offset of up to $59,455,779 for payments made to the Government of South Africa or a South African state-owned entity as part of a parallel proceeding in South Africa. The SEC did not impose a civil penalty in light of the criminal penalty SAP will pay under the DPA.

Both the DOJ and the SEC cited SAP’s substantial cooperation and timely remediation efforts after discovering the misconduct. SAP’s cooperation included, among other efforts: (i) resolving potential deconfliction issues between its internal investigation and that of the DOJ, (ii) translating foreign language documents to facilitate the DOJ’s review, (iii) imaging the phones of relevant custodians at the beginning of its internal investigation, capturing relevant information such as data in messaging applications, and (iv) making current or former employees available to both agencies. SAP’s remediation efforts were also robust and included: (i) terminating employees and third parties responsible for the misconduct, (ii) eliminating its third-party sales commission model and prohibiting sales commissions for SAP employees on public sector contracts in high-risk markets, (iii) implementing data analytics to identify and review high-risk transactions and third-party controls, (iv) revising compensation incentives for employees, (v) increasing compliance trainings, (vi) establishing an enhanced whistleblower platform, and (vii) increasing the budget, resources, and expertise of it compliance and ethics offices.

Three Thoughts:

  1. Surprise, Surprise: Third Parties still present FCPA risk. The SAP resolutions are just the latest in a long, long line of enforcement actions demonstrating that third parties, especially those involved in business development and sales roles, present perhaps the single greatest FCPA risk for companies in the international market. Companies utilizing these types of third parties must have thorough onboarding and monitoring controls in place. Based on the description in the DPA and SEC Order, SAP clearly did not. Several of the third parties involved in the misconduct had a known history of engaging in corrupt business practices but were still retained. The DOJ and SEC noted that when due diligence was conducted at onboarding, it was limited and ineffective. For example, although SAP conducted limited due diligence on a South African intermediary in 2015, a subsequent review revealed that its diligence was significantly lacking – the intermediary had no financial statements, no tax returns, and its stated address showed no signs of business activity, all red flags that should have been identified in the original due diligence process. In another instance, SAP suspended a third party after learning that it was paying bribes to government officials, then reengaged the third party that same year despite the continuing presence of red flags. SAP also failed to properly monitor these third parties after they were engaged. For example, SAP failed to implement payment controls to ensure that services were actually rendered before issuing payments to third parties.
  2. Emphasis on timely preservation of potentially relevant evidence. SAP received significant credit for its extensive cooperation with the DOJ and SEC. Among other things, the DOJ noted specifically that SAP had imaged the phones of relevant custodians at the beginning of its internal investigation, which helped to preserve communications on messaging applications (including WhatsApp, which was mentioned on multiple occasions in the DPA and SEC Order). Sometimes lost in the discussion about the use of ephemeral messaging applications is that many companies are struggling with how to control and police the use of messaging applications for business communications in general, whether ephemeral or not. Whether or not policies are in place, the reality is that the use of these applications is widespread in the international business world. The credit received by SAP for its efforts to preserve this data highlights the importance of collecting this potentially relevant data in a forensically sound manner from the outset of an investigation.
  3. Meaningful remediation to the rescue. As noted above, SAP’s extensive and timely remediation efforts helped to mitigate the consequences of its misconduct. Along with a host of other remedial acts, SAP’s decisions to eliminate its third-party sales commission model globally and prohibit all sales commissions for public sector contracts in high-risk markets served SAP well. This is the second time in just a few months that the DOJ has noted positively a company’s decision to change its business practices to reduce risks. In its September 2023 non-prosecution agreement with Albemarle Corporation, the DOJ cited positively Albemarle’s decision to transform its business model to reduce corruption risk. While efforts to enhance compliance programs and increase training have now become more or less expected, meaningful efforts to reduce corruption risks in other ways will continue to earn companies credit. SAP also withheld over $100,000 in bonuses from employees who were involved in the misconduct either directly or in a supervisory capacity, qualifying SAP for a dollar-for-dollar fine reduction in the amount of the withheld bonuses under the Criminal Division’s March 2023 Compensation Incentives and Clawbacks Pilot Program. Following the credit given to Albemarle for their decision to withhold bonuses, companies are now two for two in getting dollar-for-dollar credit by withholding bonuses from potential wrongdoers—a noteworthy start for companies considering efforts to avail themselves of the benefits of the Pilot Program.