Last month, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) jointly announced an enforcement action for violations of the Foreign Corrupt Practices Act (FCPA) against a former executive of the SAP International Inc. for bribery and corruption to procure government contracts in Panama.
Vicente Garcia, 65, of Miami, pled guilty to a one-count information charging him with conspiracy to violate the anti-bribery provisions of the FCPA.
While sentencing is scheduled for December 16, 2015, he agreed to a monetary fine and penalty for his SEC violations. It included disgorgement of $85,965, which is the total amount of kickbacks he received, plus prejudgment interest of $6,430 for a total of $92,395.
A deeper look at the dark side of global business
The bribery scheme lasted from 2009-2013. Garcia sought a multi-million dollar contract to provide a Panamanian state agency with a technology upgrade package.
Garcia admitted that he conspired with others, including advisors and consultants to SAP, to pay bribes to two Panamanian government officials, as well as to the agent of a third government official, with the understanding that a portion of the money would be paid to the third official.
Garcia used sham contracts and false invoices to disguise the bribes. Most interestingly, according to the DOJ Press Release, “Garcia further admitted that he believed paying such bribes was necessary to secure both the initial contract and additional Panamanian government contracts.”
The bribery scheme netted the Panamanian SAP channel ops partner at least one contract valued at $14.5MM.
The SEC Press Release further specified some of the conduct Garcia engaged which violates the FCPA. It reported “circumvented SAP’s internal controls by submitting various approval forms to SAP that falsified the reasons for the excessive discounts to the local partner.”
Garcia used both his “SAP e-mail account and his personal e-mail account to communicate details of the bribery scheme and even identify the government officials and intended monetary amounts.”
Garcia also conveyed part of the bribery scheme through old-fashioned mail, when he sent “a letter on SAP letterhead detailing fictional meetings in Mexico as requested by the official in order to justify a trip there on false pretenses.”
While there has been no criminal or civil action involving Garcia’s employer, SAP International, a US based subsidiary of the German headquartered parent, SAP SE; such action could well occur.
A wake up call for the tech sector
Even at this point, with no DOJ or SEC action against SAP, there are several lessons for compliance practitioners.
First for any company in the tech sector, this enforcement action should serve as a double shot of espresso to give you a wake-up call.
While the first shot came back in 2014 with the HP FCPA enforcement action, this matter continues what is the clear trend that a tech sector sweep is going on regarding potential FCPA violations.
This is the same pattern used by the DOJ in prior industry sweeps through the energy and pharmaceutical sectors. Once the DOJ figures out how the industry conducts its business, it uses that model to investigate other companies going forward.
The message is more than that the tech sector is not immune from FCPA investigations or enforcement actions. It is that if you are in this space, you need to prepare now for the government to come knocking.
Be proactive in your third party management to avoid corruption
Next is the continuing issue of third parties as the leading source of FCPA violations. In the Garcia case, he employed consultants to facilitate the bribery scheme.
According to the FCPA Blog, “Garcia conspired with SAP advisors and consultants to bribe two Panamanian government officials, and the agent of a third official on the understanding that some money go to the official.”
This means that you need to get a handle on the third parties your company is using, both on the sales side of your business and those third parties which contract to do work with your company through the supply chain.
I advocate a full review of the five steps in the life-cycle of third party management.
These five steps are:
1. Business justification
2. Questionnaire to third party
3. Due diligence and evaluation
5. Management of the relationship after contracting
Not only should you review each of these steps to ascertain that any third parties you employee have gone through the process, but also document the process and your review. If you do not have full documentation, you cannot prove to a regulator you are in compliance with the FCPA.
Identify risk sooner rather than later
The next step is to update your risk assessment. This enforcement action makes clear that even a relatively small business opportunity can lead to a catastrophic failure of your compliance regime.
Do you know where you are doing business in addition to how you are doing business, whether through direct sales by employees or through third parties?
If you have not done a risk assessment in the past 12 months, I would suggest that you retain a reputable outside counsel or consulting firm to do so sooner rather later.
Take a stand against bribery from the top down
Finally, you need to bring this matter to the attention of your Board of Directors or Audit Committee of the Board.
Every significant FCPA enforcement action is an opportunity to engage the Board and influence the time, resources and attention they will give to your compliance program.
Each case presents its own unique of facts and gives you the opportunity to educate the Board about the need for an appropriate tone from the top.
Remember the DOJ had said Garcia believed it was “necessary to secure both the initial contract and additional Panamanian government contracts.” Your message to the Board should be that there is never a situation where a company representative feels like it is ‘necessary’ to pay bribes.
The tone against bribery starts with a Board and flows to the company’s senior management. They must communicate the message down to the middle and below that bribery and corruption to do business will not be tolerated.
Know when to walk away, know when to run
There is almost always a manner in which to do business which does not violate the FCPA. But if you cannot do business in a country or with a government official without paying a bribe, employees need to know that it is not only right and proper to step away but that is what the company expect from them going forward.
I do not think we have seen the end of the Garcia matter as there may well be other enforcement actions, which come out of this matter. You should use this opportunity to put these lessons learned into practice in your company.
Does your business have any initiatives in place that could prevent a similar situation?