SECThe Foreign Corrupt Practices Act (FCPA) enforcement journey, which began last summer with the guilty plea of Vicente Garcia for the payment of bribes to obtain contracts in Panama for his employer, SAP International, ended this week with the release of the Securities and Exchange Commission (SEC) civil action against the parent of SAP International, SAP SE, a German company. The case was concluded via a Cease and Desist Order (the “Order”). The fine was a relatively small $3.7MM with prejudgment interest of another $188K.

The facts were straightforward, which Garcia had previously admitted to in his guilty plea and sentencing hearing last December. He circumvented SAP internal controls to create a slush fund from which to pay bribes. To do so, he had to actively evade an internal compliance system that had stopped him from hiring a corrupt agent to facilitate the bribe payments. Frustrated by the success of the SAP compliance function to stop his initial bribery scheme, he then turned to using a previously approved distributor to facilitate the payment. He did so through giving this distributor an extra ordinary discount. The corrupt distributor then sold the SAP products to the Panamanian government at full price and used the price difference to fund the bribes to the corrupt government officials. This led to a $14.5MM sale to the distributor with $3.7MM in profits to SAP. Hence, the amount of profit disgorgement.

The bribery scheme is a clear lesson for any company that utilizes a distribution model in the sale chain. Bill Athanas, a partner in Waller Lansden Dortch & Davis LLP, has articulated a risk management technique for this type of bribery scheme, which he has called Distributor Authorization Request (DAR) and it provides a framework to help provide a business justification for any such discount, assess/manage and document any discount offered to a distributor. 

It begins with a DAR template, which is designed to capture the particulars of a given request and allows for an informed decision about whether it should be granted. Because the specifics of a particular DAR are critical to evaluating its legitimacy, it is expected that the employee submitting the DAR will provide details about how the request originated as well as an explanation in the business justification for the elevated discount. In addition, the DAR template should be designed so as to identify gaps in compliance that may otherwise go undetected.

The next step is that channels should be created to evaluate DARs. The precise structure of that system will depend on several factors, but ideally the goal should be to allow for tiered levels of approval. Athanas believes that three levels of approval are sufficient, but can be expanded or contracted as necessary. The key is the greater the discount contemplated, the more scrutiny the DAR should receive. The goal is to ensure that all DARs are vetted in an appropriately thorough fashion without negatively impacting the company’s ability to function efficiently.

Once the information gathering, review and approval processes are formulated, there must be a system in place to track, record and evaluate information relating to DARs, both approved and denied. The documentation of the total number of DARs allows companies to more accurately determine where and why discounts are increasing, whether the standard discount range should be raised or lowered, and gauge the level of commitment to compliance within the company. This information, in turn, leaves these companies better equipped to respond to government inquiries down the road.

Yet in addition to the DAR risk management technique advocated by Athanas is more robust transaction monitoring in your compliance program going forward. As noted in the Order, one of the remedial measures engaged in by SAP after the bribery and corruption was detected was that the company “audited all recent public sector Latin American transactions, regardless of Garcia’s involvement, to analyze partner profit margin data especially in comparison to discounts so that any trends could be spotted and high profit margin transactions could be identified for further investigation and review.”

This is the type of transaction monitoring which a Chief Compliance Officer (CCO) or compliance practitioner traditionally does not engage in on a pro-active basis. However this is clearly the direction that US regulators want to see companies moving towards as compliance programs evolve.

Here a couple of questions would seem relevant. What happened? and How do you know? In answering these questions, it is clearly important that there should be an understanding of the business cause of significant sales and that there could be other issues involved in the situation that may require consideration by the compliance practitioner. While a company would usually only consider an analysis of variations at the level at which the sales increase was material, this was not the path taken by SAP in their post-incident investigation. Moreover, such a sales increase would most probably be material for the Panama region and certainly for the employee in question.

Once the appropriate level is determined, direct questions should be asked and answered at that level. Explanations of a sales increase as being the result of the appointment of a new head of business development or a more aggressive sales manager should not simply be taken at face value. Questions such as what techniques were used; what was the marketing spend; how much was spent on discounts to distributors; etc., might help to get at the true underlying reason for a spike in sales. Further, a company should review its findings over subsequent periods for confirmation. So, for example, if a sales increase legitimately appears to be due to the efforts of a new person in the territory or region, is that same increase sustained in later periods? The answer to such a question might identify red flags indicating the need for further review.

A final lesson to be considered is when you have an employee like Garcia. Is he a rogue employee? Does rogue mean his behavior is only sociopathic so that he appears to operating within the rules? Or were there clear signs that greater scrutiny needed to put in place? What about his clear attempt to bring in a corrupt agent, at the last minute of a deal to facilitate it? This is a clear red flag and was not approved by SAP compliance. Does this put the company on notice that an employee is not only willing to go beyond the rules but also engage in illegal conduct down the road? How many passes does such an employee get before they are shown the door?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2016