Archive for the ‘Internal Controls’ Category

Issues To Consider From The SAP Enforcement Action

Wednesday, February 3rd, 2016

Coming in at a “mere” $3.9 million settlement, this week’s SAP enforcement action will not make anyone’s list of “significant” enforcement actions.

Yet, as highlighted in this post, the enforcement action raises several significant (and alarming) issues.

Sole Actor

In the minds of some, rogue employees are figments of the corporate apologist’s imagination and no enforcement action has ever been based on the conduct of just one individual.

This has always been an off-target observation and the SAP action is yet another example of a company being the victim of a rogue employee (technically the individual was not even an employee of SAP, but rather a subsidiary company).

As stated by the SEC, SAP has 272 subsidiaries, and its business is conducted through a network of more than 11,500 partners that provide an additional workforce of 280,000 individuals. The SAP enforcement action was based on the conduct of Vicente Garcia, and set forth below in pertinent part is what the SEC found.

  • Garcia “created a slush fund” that was used to pay the bribes and kickbacks
  • Garcia “concealed his scheme from others at SAP”
  • Garcia “circumvented SAP’s internal controls”
  • Garcia “justified the excessive discounting by falsifying SAP’s internal approval forms”
  • Garcia “self-profited through kickbacks”
  • Garcia used his “personal e-mail” in connection with the scheme
  • All of Garcia’s accomplices were “others outside of SAP” (a term used by the SEC multiple times)

Ineffective Internal Controls?

Notwithstanding the above, in the perfect-hindsight-driven, would-have, could-have, should-have world in which the SEC resides, the SEC states that SAP’s “deficient internal controls” “allowed” Garcia to engage in the improper conduct.

When analyzing whether SAP had “reasonable” internal controls (the statutory standard after all) consider the following SEC statements.

  • “In June 2009, SAP conducted an internal investigation and found that Garcia violated its internal Code of Business Conduct when he invited an executive of Petroleos Mexicanos (“PEMEX”), the Mexican national oil company, to an SAP marketing event at the Monaco Grand Prix. SAP did not find any attempt to improperly influence any government official in connection with the 2008 PEMEX sale. As a result of the internal investigation, SAP revised its policies prohibiting government officials or employees from attending any “hospitality” event, which it defined as any event where business constitutes less than 80% of the event.”
  • “One of the four contracts was a software license sale to the Panamanian social security agency, which was initially proposed to be a direct sale with the assistance of local partners. In order to facilitate the bribery scheme, the existing partners were replaced with a new local Panamanian partner. This last-minute change, and other red flags, triggered an SAP compliance review which resulted in SAP rejecting Garcia’s request to pay a commission to the local partner. Therefore, Garcia and others began looking for other ways to advance the bribery scheme. Finally, in the fall of 2010, Garcia finalized an indirect sale of the software license to the agency through the local partner, who, with Garcia’s assistance, ultimately sought and obtained an 82% discount on SAP’s sale price to the local partner. Garcia caused various approval forms to be submitted that misstated the reasons for the large discount. Garcia stated that the discounts were necessary to compete with other software companies in establishing a relationship with the government of Panama when, in fact, the discounts were necessary to fund and pay bribes to government officials. Garcia and others planned to sell SAP software to the local partner at an 82% discount, who in turn would sell the software at significantly higher prices to the Panamanian government and use part of the profits from the sale to pay bribes.”
  • The underlying activity which SAP was faulted for in the enforcement action – large customer discounts – was something “SAP routinely” provided to “local partners for legitimate reasons.”

Based on the above SEC findings, the SAP enforcement action joins prior FCPA enforcement actions against Oracle and H-P (also technology companies) as being truly alarming. (See this prior post highlighting how the former Assistant Chief of the DOJ’s FCPA Unit blasted various aspects of SEC FCPA enforcement, including in the Oracle action – observations which equally apply to the SAP action).

What makes the enforcement actions alarming is not only the key statutory language of “reasonable,” but also prior SEC enforcement agency guidance. As highlighted numerous times on these pages, the most extensive SEC FCPA guidance states as follows.

“The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company. But, an adequate system of internal controls means that, when such breaches do arise, they will be isolated rather than systemic, and they will be subject to a reasonable likelihood of being uncovered in a timely manner and then remedied promptly. Barring, of course, the participation or complicity of senior company officials in the deed, when discovery and correction expeditiously follow, no failing in the company’s internal accounting system would have existed. To the contrary, routine discovery and correction would evidence its effectiveness.”

No-Charged Bribery Disgorgement

The SAP enforcement action is the latest example of the SEC ordering disgorgement even though the offending company was not charged with violating the FCPA’s anti-bribery provisions.

As highlighted in this previous post, so-called no-charged bribery disgorgement is troubling.

Among others, Paul Berger (here) (a former Associate Director of the SEC Division of Enforcement) has stated that “settlements invoking disgorgement but charging no primary anti-bribery violations push the law’s boundaries, as disgorgement is predicated on the common-sense notion that an actual, jurisdictionally-cognizable bribe was paid to procure the revenue identified by the SEC in its complaint.” Berger noted that such “no-charged bribery disgorgement settlements appear designed to inflict punishment rather than achieve the goals of equity.”

Same Alleged Legal Violations, Yet Materially Different Sanctions

Monday, September 28th, 2015

A basic rule of law principle is consistency.

In other words, the same legal violation ought to be sanctioned in the same way.

When the same legal violation is sanctioned in materially different ways, trust and confidence in law enforcement agencies is diminished.

The Foreign Corrupt Practices Act has always been a law much broader than its name suggests.   The anti-bribery provisions are just one prong of the FCPA.

Indeed, most FCPA enforcement actions do not involve allegations of foreign bribery, but rather violations of the FCPA’s generic books and records and internal controls provisions. These provisions generally provide that issuers shall: (i) maintain books and records which, in reasonable detail, accurately and fairly reflect issuer transactions and disposition of assets (the books and records provisions); and (ii) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are properly authorized, recorded, and accounted for by the issuer (the internal controls provisions).

For lack of a better term, let’s call such actions “non-FCPA FCPA enforcement actions.” By one estimate, since the FCPA’s enactment in 1977, there have been approximately 1,200 “non-FCPA FCPA enforcement actions.”

Such actions are not dissected in the FCPA space and do not appear on the DOJ or SEC’s FCPA websites (here and here). Yet such actions are deserving of analysis because they highlight a troubling aspect of FCPA enforcement: that being how the same alleged legal violations are sanctioned in materially different ways.

For instance, the SEC recently announced an enforcement action against Stein Mart for materially misstating its pre-tax income, including almost 30% in one quarter. According to the SEC:

“Stein Mart’s internal accounting controls over [...] markdowns were inadequate.  For example – until at least the middle of 2011–the decision to characterize a markdown [a certain way] resided solely with Stein Mart’s merchandising department, which did not understand the impact that Stein Mart’s markdowns could have on inventory valuation accounting. As a reflection of the company’s inadequate internal accounting controls surrounding [...] markdowns, Stein Mart’s chief financial officer, who was hired in 2009, did not learn of Stein Mart’s treatment of [...] markdowns until the summer of 2011.”

According to the SEC’s order, Stein Mart also had inadequate internal accounting controls in the areas of software assets, credit card liabilities, and other inventory-related issues.

Based on the above findings, the SEC charged, among other things, violations of the FCPA’s books and records and internal controls provisions and ordered the company to pay an $800,000 civil penalty.

The SEC also recently announced an enforcement action against MusclePharm Corp. for failing to implement internal accounting controls for perks and other areas where the company committed accounting and disclosure violations.  According to the SEC:

“[Approximately] half-million dollars’ worth of perks [were] bestowed upon its executives, including approximately $244,000 paid to CEO Brad Pyatt related to automobiles, apparel, meals, golf club memberships, and his personal tax and legal services. Even after the company began an internal review of undisclosed executive perks and then-audit committee chair Donald Prosser became directly involved in the process, MusclePharm continued filing financial statements that failed to disclose private jet use, vehicles, and golf club memberships for its executives.


While the company focused on revenue growth, it failed to establish sufficient internal controls and keep proper books and records. As a result, between 2010 and 2013, [MusclePharm] engaged in a series of accounting and disclosure failures that resulted in the company filing materially false and misleading filings with the Commission from 2010 through July 2014. Specifically, as described further below, [MusclePharm] failed to disclose perquisite compensation to its executive officers, failed to disclose related party transactions, failed to disclose bankruptcies of its executive officers, and committed other financial statement, accounting, and disclosure failures.

Because [MusclePharm] improperly recorded and/or reported its perquisites, related parties, revenue, losses on settlement of accounts payable, sponsorship commitments, manufacturing concentration, leases, and international sales, its books, records and accounts did not, in reasonable detail, accurately and fairly reflect its transactions and dispositions of assets. In addition, [MusclePharm] failed to implement internal accounting controls relating to its perquisites, related parties, revenue, losses on settlement of accounts payable, sponsorship commitments, manufacturing concentration, leases, and international sales, which were sufficient to provide reasonable assurances that transactions were recorded as necessary to permit the preparation of financial statements in conformity with GAAP and to maintain the accountability of assets.”

Based on the above findings, the SEC charged, among other things, violations of the FCPA’s books and records and internal controls provisions and ordered the company to pay a $700,000 civil penalty.

Against the above backdrop, consider the recent $25 million FCPA enforcement action against BHP Billiton in which the SEC found that the company violated the FCPA’s books and records and internal controls provisions because it had “insufficient internal controls over [its] Olympic hospitality program.”

Also consider the recent $12 million FCPA enforcement action against Mead Johnson in which the SEC found that the company violated the FCPA’s books and records and internal controls provisions because a subsidiary’s “records were incomplete and did not reflect that a portion of Distributor Allowance was being used contrary to Mead Johnson’s policies” and because the company “failed to devise and maintain an adequate system of internal controls” concerning distributor allowances.

Also consider the recent $16 million FCPA enforcement action against Goodyear in which the SEC found that the company violated the FCPA’s books and records and internal controls provisions because certain alleged improper expenditures were “falsely recorded as legitimate business expenses” on subsidiary books and records and the company “failed to devise and maintain sufficient accounting controls to prevent and detect” the expenditures.

Did the conduct at issue in BHP Billiton, Mead Johnson, and Goodyear involve (like in Stein Mart and MusclePharm) a material misstatement of income or lack of controls over core financial reporting issues at the parent company?

Most certainly not.

Yet, the settlement amounts in BHP Billiton, Mead Johnson, and Goodyear far exceeded the settlement amounts in the Stein Mart and MusclePharm enforcement actions even though all of the enforcement actions alleged the exact same legal violations.

The end result is an obvious lack of consistency and transparency.

The SEC has some explaining to do and owes the legal and compliance community an explanation for why FCPA books and records and internal controls violations are not sanctioned in similar ways.

Issues To Consider From The Mead Johnson Enforcement Action

Monday, August 3rd, 2015

This recent post highlighted the SEC FCPA enforcement action against Mead Johnson Nutrition Company.

This post continues the analysis by highlighting various issues to consider from the enforcement action. In sum, the short enforcement action contains several troubling issues that should cause alarm.


Imagine a Foreign Corrupt Practices Act enforcement action without one single meaningful factual allegation against the corporate defendant resolving the action.

You don’t have to imagine. All you have to do is read the slim administrative cease and desist order against Mead Johnson.

The action was based on alleged conduct in China engaged in by Mead Johnson Nutrition (China) Co., Ltd. There was no finding, inference or suggestion in the SEC’s order that anyone associated with Mead Johnson, the issuer resolving the enforcement action, had knowledge of, participated in, or acquiesced in the improper conduct.

Rather, the order merely states the perfunctory finding that “Mead Johnson China’s books and records were consolidated into Mead Johnson’s books and records, thereby causing Mead Johnson’s consolidated books and records to be inaccurate” together with the conclusory legal finding that “Mead Johnson failed to devise and maintain an adequate system of internal accounting controls over Mead Johnson China’s operations sufficient to prevent and detect the improper payments that occurred over a period of years.”

Invoking a Standard That Does Not Even Exist In the FCPA

Relevant to the above conclusory legal finding, the SEC’s finding that issuers must devise and maintain internal controls “sufficient to prevent and detect” improper payments does not even exist in the FCPA.

As previously highlighted in this article (“Why You Should Be Alarmed By the ADM FCPA Enforcement Action”) and subsequently in connection with other recent SEC enforcement actions, invocation of a “failure to prevent or detect” internal controls standard is alarming because such a standard does not even exist in the FCPA and is inconsistent with actual legal authority. Just as important, such a standard is inconsistent with enforcement agency guidance relevant to the internal-controls provisions.

The internal-controls provisions are specifically qualified through concepts of reasonableness and good faith. This statutory standard is consistent with congressional intent in enacting the provisions. Relevant legislative history states:

“While management should observe every reasonable prudence in satisfying the objectives called for [in the books-and-records and internal-controls provisions], . . . management must necessarily estimate and evaluate the cost/benefit relationships to the steps to be taken in fulfillment of its responsibilities . . . . The size of the business, diversity of operations, degree of centralization of financial and operating management, amount of contact by top management with day-to-day operations, and numerous other circumstances are factors which management must consider in establishing and maintaining an internal accounting controls system.”

As highlighted here, the only judicial decision to directly address the substance of the internal-controls provisions states, in pertinent part, as follows:

“The definition of accounting controls does comprehend reasonable, but not absolute, assurances that the objectives expressed in it will be accomplished by the system. The concept of ‘‘reasonable assurances’’ contained in [the internal control provisions] recognizes that the costs of internal controls should not exceed the benefits expected to be derived. It does not appear that either the SEC or Congress, which adopted the SEC’s recommendations, intended that the statute should require that each affected issuer install a fail-safe accounting control system at all costs. It appears that Congress was fully cognizant of the cost-effective considerations which confront companies as they consider the institution of accounting controls and of the subjective elements which may lead reasonable individuals to arrive at different conclusions. Congress has demanded only that judgment be exercised in applying the standard of reasonableness.”

In addition, various courts have held—in the context of civil derivative actions in which shareholders seek to hold company directors liable for breach of fiduciary duties due to the company’s alleged FCPA violations— that just because improper conduct allegedly occurred somewhere within a corporate hierarchy does not mean that internal controls must have been deficient.

The “failure to prevent and detect” standard is also alarming when measured against the enforcement agencies’ own guidance concerning the internal controls provisions. As highlighted here, the SEC’s most extensive guidance on the internal controls provisions states, in pertinent part, as follows:

“The accounting provisions’ principal objective is to reach knowing or reckless conduct.”

“Inherent in this concept [of reasonableness] is a toleration of deviations from the absolute. One measure of the reasonableness of a system relates to whether the expected benefits from improving it would be significantly greater than the anticipated costs of doing so. Thousands of dollars ordinarily should not be spent conserving hundreds. Further, not every procedure which may be individually cost-justifiable need be implemented; the Act allows a range of reasonable judgments.”

“The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company. But, an adequate system of internal controls means that, when such breaches do arise, they will be isolated rather than systemic, and they will be subject to a reasonable likelihood of being uncovered in a timely manner and then remedied promptly. Barring, of course, the participation or complicity of senior company officials in the deed, when discovery and correction expeditiously follow, no failing in the company’s internal accounting system would have existed. To the contrary, routine discovery and correction would evidence its effectiveness.”

Internal Controls – Which Is It?

Another troubling feature of the Mead Johnson enforcement action is that the SEC makes contradictory findings regarding Mead Johnson’s internal controls.

On the one hand, the SEC finds:

“Mead Johnson has established internal policies to comport with the FCPA and local laws, and to prevent related illegal and unethical conduct. Mead Johnson’s internal policies include prohibitions against providing improper payments and gifts to HCPs that would influence their recommendation of Mead Johnson’s products.”
“The use of the Distributor Allowance to improperly compensate HCPs was contrary to management’s authorization and Mead Johnson’s internal policies.”

Yet on the other hand, the SEC order contains the following conclusory legal finding:

“Mead Johnson failed to devise and maintain an adequate system of internal accounting controls over Mead Johnson China’s operations sufficient to prevent and detect the improper payments that occurred over a period of years.”

The Simplicity of But For

Numerous prior posts (see here along with embedded posts therein) have examined the simplicity of but for allegations or findings in FCPA enforcement actions (i.e. but for the alleged improper payments, the company would not have obtained or retained the alleged business at issue).

The Mead Johnson enforcement action contains such a simplistic finding as the SEC stated that Mead Johnson China “made improper payments to certain health care professionals (“HCPs”) at state-owned hospitals in China to recommend Mead Johnson’s nutrition products to, and provide information about, expectant and new mothers.” (emphasis added).

The but for inference is that without the alleged improper payments, the HCPs would not have recommended Mead Johnson’s nutrition products.

Such a finding is fanciful.

Mead Johnson’s products (and those of other Western companies) are market leaders in China for the simple fact that “foreign infant formula became preferred by Chinese consumers after a milk scandal in 2008 in which domestic [Chinese] manufacturers mixed melamine with their infant formula products.  Six infants died of severe kidney damage and an estimated 300,000 babies suffered painful kidney stones, causing Chinese customers to lose confidence in domestic [Chinese] infant formula products.” (See here and here).

Alarming Language from the SEC

As troubling as the above issues are, the most alarming aspect of the short Mead Johnson enforcement action is the seeming suggestion by the SEC that issuers have an obligation to self-report internal investigation results that do not find evidence of FCPA violations.

By way of background, the SEC’s order states that in 2011 “Mead Johnson received an allegation of possible violations of the FCPA in connection with the Distributor Allowance in China. In response, Mead Johnson conducted an internal investigation, but failed to find evidence that Distributor Allowance funds were being used to make improper payments to HCPs. Thereafter, Mead Johnson China discontinued Distributor Allowance funding to reduce the likelihood of improper payments to HCPs, and discontinued all practices related to compensating HCPs by 2013.” (Emphasis Added).

Even though the SEC noted that Mead Johnson’s internal investigation failed to find evidence of FCPA violations, the SEC’s order next states: “Mead Johnson did not initially self-report the 2011 allegation of potential FCPA violations and did not thereafter promptly disclose the existence of this allegation in response to the Commission’s inquiry into this matter.” Subsequently, the SEC’s order similarly states: “Despite not self-reporting the 2011 allegation of potential FCPA violations or promptly disclosing the existence of this allegation in response to the Commission’s inquiry into this matter, Mead Johnson subsequently provided extensive and thorough cooperation.”

Perhaps it was merely inartful language, but if the SEC’s position is that issuers have an obligation to self-report internal investigation results that do not find evidence of FCPA violations, then such a position is truly alarming and without any legal support.


Contrary to this report, Mead Johnson did not first disclose its FCPA scrutiny “early last year” but rather in October 2013 (see this prior post).

Nevertheless, the time between public disclosure and the enforcement action was less than two years, an unusually speedy resolution given that the norm in FCPA inquiries is often 2-4 years with several examples in the 5-7 year range.


The SEC Frequently Alleges Or Finds Only Books And Records And Internal Controls Violations In FCPA Enforcement Actions

Thursday, June 11th, 2015

This recent post highlighted critical commentary regarding the recent BHP Billiton enforcement action.

One theme from much of the commentary was that the BHP action was somehow unique in charging (or finding as the case may be since it was an SEC administrative action) books and records and internal controls violations in the absence of anti-bribery violations.

More broadly, some FCPA commentators have suggested (here and here) that the SEC is placing a new emphasis on internal controls in the absence of anti-bribery violations.

However, the enforcement approach in BHP Billiton was hardly unique, and more broadly the SEC has long charged or found books and records and internal controls violations in the absence of anti-bribery violations or findings.

Set forth below are numerous instances over the past five years in which the SEC has alleged or found only books and records and internal controls violations in Foreign Corrupt Practices Act enforcement actions.  (All actions can be found on the SEC’s FCPA website).



In other words 3 of 7 (43%) corporate SEC FCPA enforcement actions in 2014 did not allege or find anti-bribery violations.


Philips Electronics

In other words, 3 of 8 (38%) corporate SEC FCPA enforcement actions did not allege or find anti-bribery violations.



In other words, 4 of 8 (50%) corporate SEC FCPA enforcement actions did not allege or find anti-bribery violations.


Watts Water
Rockwell Automation
Ball Corp

In other words 8 of 13 (62%) corporate SEC FCPA enforcement actions did not allege or find anti-bribery violations.


Veraz Networks
General Electric

In other words, 3 of 19 (16%) corporate SEC FCPA enforcement actions did not allege or find anti-bribery violations.  (Note 2010 enforcement statistics are impacted by the 7 related Panalpina enforcement actions.  If one counts these related actions as one, 3 of 12 (25%) corporate SEC FCPA enforcement actions did not allege or find anti-bribery violations).

So prominent are SEC FCPA enforcement actions without anti-bribery violations or findings that the term non-bribery charged disgorgement has been part of the FCPA vocabulary for years. (See here).

BHP Billiton Enforcement Action Generates Much Critical Commentary

Thursday, June 4th, 2015

FCPA Inc. is an active group of writers.

Thus it was no surprise that the recent BHP Billiton enforcement action generated much commentary.

The May 20th enforcement action was previously highlighted here and here and this post highlights other commentary regarding the BHP Billiton enforcement action.

Prior to highlighting the commentary – much of it is consistent with my prior criticisms of the enforcement action linked above –  a few observations.

While the BHP Billiton action is problematic on a number of levels, it does not dilute FCPA enforcement as much as the even more problematic 2012 Oracle enforcement action.

A general theme in much of the below commentary is that the enforcement action lacked anti-bribery charges because there was no quid pro quo relationship between the hospitality payments or offers of payments and BHP Billiton’s business.

In the minds of some, this lack of quid pro quo is the reason for the lack of SEC anti-bribery charges.

I disagree.

For starters, as noted in certain of the commentary, the SEC did allege “payments to foreign officials to support their attendance at Olympic events at the very time BHPB had pending business before those officials or others over whom they may have had influence.”

More importantly, the lack of anti-bribery charges against BHP Billiton (a foreign issuer) would seem to be based on the fact that the required U.S. jurisdictional nexus for such charges was lacking.

Another general theme in much of the below commentary is that the BHP action is somehow unique in charging (or finding as the case may be since it was an SEC administrative action) books and records and internal controls violations in the absence of anti-bribery violations.

As will be highlighted in a future post, the enforcement approach in BHP Billiton was hardly unique.  The SEC often charges or finds books and records and internal controls violations in the absence of anti-bribery charges or findings.  Point taken that often the reasons are opaque, but the charges or findings in BHP are hardly unique.

To the commentary.


The always informative Debevoise & Plimpton FCPA Update stated in pertinent part:

“Although the BHPB settlement involves a smaller penalty than some other recent resolutions, it may well turn out to be one of the more notable FCPA resolutions in several years. This is because the case addresses issues of recurring concern to multinational corporations that have long been sought out as sponsors of – or, at least, purchasers of hospitality packages for – marquee sporting events.

As good corporate citizens, these firms have come to view the purchase of tickets and hospitality packages as part of the collaboration with host entities managing such events, including national governments. This is an integral element of brand management and corporate strategy. In the course of such collaboration, these companies also receive due credit for making the event a successful interlude during which governments, business, and society at large, pause to celebrate the endeavor of sport. Yet the very process of supporting such an event leads to the inevitable question of “whom may we invite?” From there, the issue of anti-bribery compliance becomes a central issue for in-house compliance personnel.

The BHPB resolution likely will lead U.S. issuers choosing to provide hospitality of this kind to expend significant additional time, resources, and money devising and maintaining controls suggested by the resolution. Even though the settlement lacks the force of law, it will no doubt raise considerable pressure on companies to exercise even greater care if inviting foreign officials to such events, and may cause some firms subject to the books and records and internal controls provisions of the FCPA, i.e., those subject to SEC jurisdiction, to reconsider altogether this practice.


The bottom line for compliance professionals and in-house counsel is that – despite statements by enforcement officials that the issues of greatest concern to them are those arising out of the “big bribe” – travel, hospitality, and entertainment remain front and center in many cases and, particularly for the SEC, can provide the basis for substantial settlements.”


“As in all settled FCPA matters, the terms of the BHPB resolution are the product of negotiation designed to serve the immediate interests of the parties in resolving a pending matter, and not the broader interest in definitively clarifying the law. And, at the end of the day, and after years of investigation, this particular resolution appeared to have yielded, at most, violations of lower severity than those that have led to larger settlements. It is notable that the Cease-and-Desist Order identified only four individuals out of 176 “foreign officials” invited to the Olympics who were involved with or in a position to influence pending matters involving BHPB. Of those four, only one official attended the Olympics. In these circumstances, it is no surprise that the DOJ did not take action.

But even for one of the smaller FCPA cases on its docket, the SEC could have provided more useful guidance in a compliance area where government officials and the courts alike (the latter at least in domestic bribery cases) have long stated that companies should have substantial leeway – provided that no quid pro quo arrangements inhere. Because of the ambiguities in the BHPB settlement, issuers will now inevitably need to exercise even greater caution when inviting “foreign officials” (including employees of state-owned enterprises) to events like this one.

The Cease-and-Desist Order may not have found this practice to violate the FCPA’s anti-bribery provisions. But the SEC has set a high bar for any company extending hospitality to foreign officials in terms of necessary internal controls, requiring independent review of almost every decision, potentially exacting accuracy and specificity for documentation, special training, and other procedures.”


This Steptoe & Johnson publication is titled “Does SEC’s Enforcement Action Against BHP Billiton Take the FCPA’s Accounting Provisions Too Far?” In pertinent part it states:

“This settlement … represents one of the most aggressive uses by the SEC to date of its accounting, and particularly its internal controls, authorities in an FCPA context.  Instead of being predicated on specific questionable payments, the factual basis of the charges was that the company recognized the risk that improper quid pro quo arrangements could develop in connection with the hospitality program, and that such risks were not appropriately managed by the company’s program, including through the manner in which they were documented in company compliance approval tracking forms.

This settlement raises significant questions regarding the manner in which SEC enforcement of the FCPA’s accounting provisions continues to evolve.  As regular consumers of SEC FCPA enforcement actions will know, in recent years, leadership of the SEC’s FCPA Unit has consistently asserted that it views an effective FCPA compliance program as essential to satisfying the FCPA’s legal requirement to “devise and maintain a system of internal accounting controls sufficient …” to ensure that “transactions are executed in accordance with management’s general or specific authorization”, and related tracking requirements.

The charges in this settlement take that position – which has not been litigated – a step further.  They appear to raise the prospect that companies could be charged with violations of the FCPA’s accounting provisions where their compliance programs do not maintain all elements of what the SEC would deem an effective compliance program – even where no underlying bribery (or at least payment arrangements suggesting some kind of improper quid pro quo, for example), has taken place.

The case also suggests that programs in the areas of hospitality and sponsorship – common and recurring areas of activity for many companies – may face enhanced scrutiny for systemic adequacy from a regulatory point of view, at least where larger amounts are involved.  Such a position – if the SEC indeed intends to pursue enforcement actions on this basis as a matter of enforcement policy – would significantly expand the scope of risks facing US issuers with appreciable FCPA/anti-corruption risks to their business.


This settlement represents one of the most expansive assertions of the SEC’s authority under the FCPA’s accounting provisions in its enforcement practice to date.  While the elements of both books-and-records and internal control violations do not require an underlying anti-bribery provision violation, as noted above, the SEC has typically brought books-and-records and internal controls charges against companies where there has been at least some suggestion of specific improper quid pro quo arrangements in connection with the payments in question. Consequently, the second-guessing of the adequacy of the company’s compliance procedures for BHP Billiton’s hospitality program is stunning: it imposes legal liability, a $25 million civil penalty, and ongoing compliance obligations on a company simply for the failure to address and manage risks in a way the SEC deems adequate. In addition to straying even further from the text of 15 U.S.C. 78m(b)(2)(A) and (B) than the SEC already had, this settlement represents some of the most prescriptive statements regarding specific compliance program practices SEC has made in the FCPA context.

As a result, many companies will understandably be very uneasy about the direction of the SEC’s enforcement program after this settlement and the sufficiency of their efforts to meet it.   Very few companies’ compliance programs comprehensively address all anti-corruption risks that a company faces, and most companies’ programs will have process or procedure gaps of which they may or may not be aware.  This settlement thus raises the question whether simply the existence of FCPA risks not effectively eliminated by a company’s compliance program – but not necessarily resulting in anti-bribery provision violations either – may nevertheless be subject to enforcement action.  Specific to the sponsorship, hospitality and gifts and entertainment area, it also raises the question of whether business entertainment for the purposes of relationship building – a necessary activity in most, if not all businesses – will raise enforcement risks when it nevertheless does not rise to the level of a specific, prohibited quid pro quo arrangement and is not undertaken in connection with other business activities.  Companies that engage in event sponsorships for other than purely altruistic reasons may be particularly challenged to manage these “group events” – even those that treat state enterprises and government officials on the same footing as private customers – in a way that meets enforcement expectations.  But if significant benefits are involved, then the message from this settlement is clearly that such differential risk management is expected.

As with many SEC resolutions, the settlement documents provide no insight into how the fine was calculated.  The settlement also continues a recent trend of the SEC to require post-settlement compliance reporting on the part of the company.

Whether this settlement represents the beginning of a trend, or an isolated occurrence representing a negotiated resolution in connection with difficult facts, remains to be seen.  This settlement highlights in particular, however, that companies should consider whether their compliance programs effectively address their most significant risks and review their associated processes and procedures accordingly.”


This Paul Weiss alert states in pertinent part:

“In addition to the record-setting civil fine, BHPB is notable as a significant expansion of the SEC’s use of the FCPA’s accounting provisions in cases where the SEC believes an issuer’s compliance program creates the potential for bribery, even if bribery has not actually occurred or cannot be established. BHPB raises the very real prospect that issuers may face charges under the FCPA’s accounting provisions—even when there is no evidence of a quid pro quo, corrupt intent, or any improperly awarded business or government action—if the SEC is not satisfied that the issuer’s internal accounting controls and anti-corruption compliance program are sufficient to adequately manage corruption risks.”


“The SEC’s enforcement action against BHPB is significant for at least four reasons.

First, this settlement represents a rare example of the SEC bringing internal accounting controls and books and records charges in a case where it neither alleges actual bribery of a foreign official, nor suggests that such bribery took place but could not be charged for jurisdictional or other reasons.

Historically, the SEC has tended to charge issuers with violating the accounting provisions of the FCPA as a supplement to—rather than a substitute for—a bribery charge. In the exceptional cases where the accounting provisions alone have been charged, there is ordinarily some indication that improper payments were offered in exchange for a business benefit—in other words, that bribery had in fact occurred even if not charged. SEC precedent for bringing charges under the accounting provisions without an indication of actual underlying bribery seems to have its roots in a 2012 settled enforcement action against Oracle Corporation (“Oracle”). In Oracle, the SEC alleged that employees of an Oracle subsidiary in India secretly “parked” proceeds from sales to the Indian government for potential future use. The SEC did not claim that the Oracle subsidiary made corrupt payments to government officials, but did allege that the parked proceeds created “the potential for bribery or embezzlement,” and that Oracle lacked proper internal controls in light of that potential.

Here, it appears that the SEC was unable to show that BHPB’s business hospitality entertainment program was accompanied by any corrupt motive or involved a quid pro quo. This outcome is consistent with the proposition—well established in the domestic bribery context—that giving things of value to government officials for the purpose of building relationships or buying generalized goodwill is permissible. The BHPB enforcement action thus suggests that the Oracle case may not be an outlier in charging FCPA violations in the absence of an allegation of actual bribery, as some expert commentators have suggested, but perhaps the beginning of a new frontier in FCPA enforcement.

Second, even if it is tenable as a general legal matter to charge a standalone internal accounting controls violation based solely on the SEC’s subjective assessment of the adequacy of an issuer’s anti-corruption compliance program, the BHPB settlement represents an expansive application of the accounting provisions. Indeed, the SEC’s Order acknowledges that BHPB devised and maintained multiple internal controls to prevent corruption. For example, BHPB adopted a written Guide to Business Conduct; the President of each business line was given responsibility for ensuring compliance with that Guide; all business line Presidents certified annually that they had read and understood the Guide, confirmed that their direct reports did the same, and discussed compliance with their direct reports; BHPB established a Global Ethics Panel whose remit involved advising business leaders on compliance with the Guide and other business ethics issues; and BHPB’s compliance was overseen by a centralized Legal Department. In addition, BHPB instituted internal controls intended to address the particular corruption risks arising from the Olympics Hospitality Program, including creating detailed internal application forms aimed at addressing corruption risk, a senior business manager approval process, and a role for the Global Ethics Panel in assessing the invitation process that included reviewing a sample of the hospitality application forms.

To be sure, the SEC’s Order notes the absence of a centralized compliance group, and BHPB confirmed that it had “no independent compliance function” in its release announcing the end of the U.S. government investigations. However, more than any objective deficiency with BHPB’s compliance structure, the SEC’s internal accounting controls charge appears to rest on highly specific criticisms of the internal forms used to evaluate individual hospitality applications and the related compliance process. While giving things of value for purposes of relationship building is permissible and does not constitute bribery, it appears that the SEC may intend to use the FCPA’s internal accounting controls provisions to penalize any perceived shortcomings in companies’ efforts to scrutinize such activities.

Third, the SEC’s books and records charge reflects an aggressive, but not necessarily new, interpretation of Section 13(b)(2)(A), which requires issuers to make and keep books and records that “accurately and fairly reflect the transactions and dispositions of the assets of the issuer.” The SEC’s position raises important questions of statutory interpretation and public policy. There is nothing in the language of the books and records provision to suggest that it encompasses purely internal application forms completed for the purpose of approving gifts and entertainment expenditures. If the SEC can charge a books and records violation for any alleged inaccuracy in any internal paperwork, it will impose an enormous compliance burden that even the most sophisticated and well-resourced companies may struggle to satisfy.

Finally, the imposition of a $25 million civil fine and year of compliance reporting to the SEC is remarkable for a case in which there was no actual bribery, much less a bribery charge, no allegation of any quid pro quo or improper business benefit, and complete cooperation and full remediation. It is also noteworthy that the SEC has consistently reaffirmed its authority to seek disgorgement in enforcement actions brought under the internal controls or books and records provisions, but did not seek any disgorgement here. And despite the record-setting fine against BHPB, the SEC’s Order sheds no light on how such a fine was calculated. Moreover, although the SEC’s press release acknowledged the assistance of the Department of Justice’s Fraud Section, the Federal Bureau of Investigation, and the Australian Federal Police, no criminal charges to date have been brought.”


This Willkie Farr alert states in pertinent part:

“The BHPB settlement represents an aggressive stance by U.S. regulators with regard to providing entertainment and hospitality to government officials. As part of BHPB’s 2008 Summer Olympic Games sponsorship activities, the company invited people from all around the world. BHPB recognized the anticorruption risks potentially associated with such entertainment and tried to take precautions in advance of inviting government officials to the Summer Games by using a specifically designed “Olympic-specific internal approval process” to vet the company’s invitations. However, the SEC determined BHPB’s efforts fell short. In particular, the SEC noted that (1) BHPB did not require an independent legal or compliance review of hospitality applications; (2) some hospitality applications were not accurate or complete; (3) although BHPB had an annual Guide to Business Conduct review and certification process, as well as general compliance training, it did not have specific training on how to fill out the hospitality forms for the Olympic entertainment or evaluate applications under the company’s existing policies; (4) BHPB did not institute a process to update or reassess the appropriateness of invitations if conditions changed; and (5) the review process did not coordinate or assess whether an invitee from one CSG was involved in the business dealings of other CSGs. The SEC order does not allege that BHPB provided entertainment as part of a quid pro quo arrangement or allege a violation of the FCPA’s antibribery provisions. The order does not state how the SEC arrived at the civil monetary penalty of $25 million, a seemingly harsh penalty based on the facts alleged in the order.”