Key Takeaways from SAP’s FCPA Resolutions with DOJ and SEC

On January 10, 2024, the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC) announced settlements with SAP SE (SAP), a German software company, to resolve allegations that SAP violated the U.S. Foreign Corrupt Practices Act (FCPA) by, among other things, making improper payments to government officials in South Africa and Indonesia to secure and retain software and services contracts with government entities. 

SAP agreed to pay the DOJ and the SEC over $220 million and entered into a three-year deferred prosecution agreement (DPA) with the DOJ. The U.S. regulators coordinated their resolutions with prosecutors in South Africa.

The resolutions provide insights into how the DOJ and the SEC are enforcing the FCPA and how corporations can reduce their FCPA liability.

The DOJ DPA

The DOJ charged SAP with conspiracy to violate both the anti-bribery and the books and records provisions of the FCPA. The DOJ found that between 2013 and 2018, SAP and its subsidiaries in South Africa and Indonesia paid bribes directly and through third-party intermediaries to government officials in South Africa and Indonesia to obtain improper business advantages. SAP and its co-conspirators provided the government officials with cash payments, political contributions, electronic money transfers, and luxury goods. For example, the DPA states that in connection with a contract with the South Africa Department of Water and Sanitation (DWS), SAP approved a bribe of approximately $215,800 to a DWS official through an intermediary. The DOJ found that SAP had conducted only limited due diligence of the intermediary, and a subsequent review by SAP determined that the intermediary had no financial statements and no tax returns for employees. Relatedly, the DOJ also found that SAP created false records regarding bribes paid through third parties in South Africa and that those false records were subsequently reflected in SAP's filings with the SEC. According to the DOJ, SAP's schemes in South Africa resulted in over $103 million in profits to the company.

Under the DPA, SAP agreed to pay a criminal penalty of $118.8 million and an administrative forfeiture of over $103 million. The DOJ agreed to credit up to $55.1 million toward the criminal penalty any payments SAP makes to resolve related investigations by authorities in South Africa. Pursuant to its Pilot Program Regarding Compensation Incentives and Clawbacks, the DOJ also reduced the criminal penalty by $109,141—the amount of compensation that SAP withheld from employees involved in the misconduct.

The criminal penalty reflects a 40% reduction off the tenth percentile above the low end of the otherwise appliable U.S. Sentencing Guidelines (U.S.S.G.) fine range. SAP did not voluntarily disclose the misconduct, but the DOJ provided both cooperation and remediation credit to SAP because SAP, among other things, (i) immediately cooperated with the DOJ, (ii) produced and, as appropriate, translated relevant documents and information, "while navigating foreign data privacy laws," (iii) made employees available for interviews, (iv) imaged relevant custodians' personal cell phones at the outset of its internal investigation to collect any off-channel communications, (v) eliminated its third-party sales commission model globally, (vi) increased its compliance program's budget and resources, (vii) adjusted compensation incentives to align with compliance objectives, (viii) expanded its data-analytics capabilities, and (ix) disciplined all employees involved in the misconduct. In deciding on the penalty, the DOJ also considered SAP's prior history, which included a non-prosecution agreement with the DOJ's National Security Division and administrative agreements with the Departments of Commerce and Treasury regarding export law violations, and a 2016 resolution with the SEC regarding alleged FCPA violations in Panama.

The SEC Order

The SEC found that (i) from at least 2014 through 2018, SAP employed third-party intermediaries to make improper payments to government officials to obtain and retain business not only in South Africa and Indonesia but also in Ghana, Kenya, Malawi, and Tanzania; (ii) in 2022, an employee of SAP's subsidiary in Azerbaijan provided improper gifts to a government official; and (iii) SAP failed to make and keep accurate books and records and maintain a sufficient system of internal accounting controls. According to the SEC, SAP recorded the bribes as legitimate business expenses on its books and records. Notably, the SEC Order states that SAP's subsidiary in Indonesia worked with a reseller "known for a pattern of corrupt business dealings" to pay bribes to government officials and that employees of the subsidiary discussed the bribery schemes with employees of the reseller using third-party messaging applications.

Although SAP did not admit liability, it agreed to pay disgorgement of over $85 million and prejudgment interest of $13 million. The SEC provided SAP with a disgorgement offset of up to approximately $59 million for any payments SAP makes to the South African government in parallel proceedings.

Key Takeaways

Based on the resolutions, companies and attorneys should consider the following in deciding how to respond to government FCPA investigations and in designing compliance programs and conducting internal investigations:

• DOJ did not treat SAP harshly for its prior misconduct. Under the DOJ's Corporate Enforcement and Voluntary Self-Disclosure Policy (Policy), if a company did not voluntarily disclose but fully cooperated and timely and appropriately remediated, as SAP did here, the company "will receive up to a 50% reduction off of the low end of the U.S.S.G. fine range, except in the case of a criminal recidivist, in which case the reduction of up to 50% will generally not be from the low end of the U.S.S.G. fine range." Here, SAP received a 40% reduction off the tenth percentile above the low end of the otherwise applicable fine range, despite having multiple prior government resolutions, including a 2016 agreement with the SEC to resolve alleged FCPA violations. The DPA therefore shows that even a company with a history of misconduct—or at least a history of misconduct not involving a DOJ FCPA resolution—can receive a significant fine reduction under the DOJ's Policy.    
• DOJ's broad interpretation of the Clawbacks Pilot Program. Although the program expressly covers only previously awarded compensation that was clawed back, the DOJ provided credit to SAP for withholding bonuses to employees involved in the misconduct.  
• Growth of cross-border cooperation. The DOJ and the SEC coordinated their resolutions with South African authorities. We expect them to continue cooperating with foreign authorities on FCPA matters. In November 2023, the Acting Assistant Attorney General stated that the DOJ is "regularly working with a large number of foreign law enforcement partners across the full range of our investigations and engagements" and announced the creation of the Corporate Anti-Bribery Initiative, which will focus on foreign partnerships to fight corruption.
• Third-party messaging applications. The resolutions make clear that (i) companies can more effectively conduct internal investigations if they collect employees' business-related communications on third-party messaging applications, and (ii) regulators expect companies to promptly collect and produce such communications.
• Importance of vetting third parties. Companies should diligently vet third parties involved in transactions with foreign government customers to reduce FCPA risk.