Shreya KunduSenior Associate
Juhi BahlSenior Manager
The last quarter’s Foreign Corrupt Practices Act (FCPA) enforcement included Oracle’s settlement with the United States of America (US) Securities and Exchange Commission (SEC) for improper conduct by its overseas subsidiaries, and the Brazilian airline GOL Linhas Aéreas Inteligentes S.A.’s (GOL) settlement with US and Brazilian authorities for bribing Brazilian officials to pass favourable legislation. The factual matrix in these enforcement actions included a repeat offense (in Oracle’s case) and the use of ephemeral messaging platforms towards criminal conspiracies (in GOL’s case). Notably, these elements were specifically considered by the Department of Justice (DoJ) in a September 2022 policy update titled ‘Further Revisions to Corporate Criminal Enforcement Policies’ (Policy).
The Policy outlines the DoJ’s expectations from corporations, and the factors it will consider while prosecuting companies and individual employees under various US criminal laws, including the FCPA. Specifically, the Policy details circumstances in which prior misconduct may be relevant or probative for instant misconduct. In a first-ever step for the DoJ, corporate policies governing the use of personal devices and third-party messaging platforms for work, and controls over executive compensation are listed as metrics to include in corporate compliance programs.
Examining recidivism as a factor in future FCPA enforcement
In September, Oracle settled with the SEC for violations of the FCPA by certain overseas subsidiaries, including in India. This constitutes its second FCPA settlement, as in 2012 it had settled other charges of violations of the FCPA with the SEC owing to conduct by its Indian subsidiary.
While the modus operandi and personnel involved appear to be different, both actions involved the use of sales and distribution partners in India to generate concealed funds for potential bribes to Indian government officials (Officials). The instant conduct involved sales employees awarding excessive discounts to distributors participating in a government tender for software products, based on the false rationale that the contract could not be won without a 70% discount. The tender documents however specified that only Oracle products were to be supplied – meaning that there was effectively no competition for Oracle as the ultimate supplier. This discount was not passed on to the end-user but was utilised to generate funds for payments to Officials, as well as kickbacks for the sales employees involved. Similarly, the 2012 action involved the Indian subsidiary creating excess margins for distributors, resulting in money being parked off the subsidiary’s books. The distributors eventually used such off-books funds to make unauthorised payments to phony vendors against fake invoices approved by the Indian subsidiary.
In the 2022 settlement, the SEC specifically noted that while there were legitimate reasons for Oracle to use an indirect sales model involving distributors selling to government end-users, it considered Oracle to have been cognizant since at least 2012, i.e., the previous action, that this indirect model also presented certain risks of abuse from an anti-bribery perspective – including the creation of improper slush funds. On this note, the Policy sets out general criteria, including certain objective ones, that the DoJ will consider when evaluating the history of misconduct by a corporation currently under investigation for new offenses:
- Greatest weightage is to be accorded to recent US criminal resolutions and/or prior misconduct involving the same personnel or management;
- Dated conduct covered by previous criminal resolutions agreed more than ten years before the current conduct, or civil/regulatory resolutions agreed more than five years before the instant conduct will be accorded less weight – as appreciable time is taken to reach any resolution with government authorities, this effectively means that the lookback period for the underlying conduct will be even earlier in time;
- In an M&A context, prior misconduct by an acquired entity should receive less weightage if the acquiror has integrated the target into an effective compliance program, and has taken remedial steps to address root causes of any prior misconduct including through disciplinary actions, compensation clawbacks, restitution, management restructuring, and compliance program upgrades.
Signalling controls on personal devices and third-party chat platforms as a factor in future FCPA enforcement
In September 2022, GOL entered into a USD 41 million settlement resolving a coordinated enforcement action by the DoJ, SEC, and Brazilian authorities for paying USD 3.8 million in bribes to Brazilian officials to secure the passage of tax laws financially benefiting GOL and other Brazilian airlines. While GOL is incorporated in Brazil, US authorities exercised jurisdiction by virtue of GOL being listed in the US as well as unique factual ingredients where the conspiracy towards bribe-payment was found to have been partially forwarded/transacted through US channels. One such element was that the Brazilian citizens involved communicated over an ephemeral messaging app offering end-to-end encrypted and content-expiring messages over US servers.
The settlement documents do not indicate if there were concerns of evidentiary non-availability due to the use of such apps, or whether US regulators considered the use of such apps as aggravating elements pointing towards criminal intent. On a linked note, the Policy introduces the DoJ’s expectations regarding controls companies should institute on employees using personal devices and third-party messaging platforms (Non-Business IT Assets) for business. The Policy specifically points out that these challenge companies’ ability to monitor the use of such devices and apps for misconduct and to recover relevant data from them during a subsequent investigation. It further states that “as a general rule”, a robust compliance program should (a) have effective policies governing the use of Non-Business IT Assets for work-related communications; (b) provide clear training to employees about such policies, and (c) enforce such policies if violations are identified.
Further, the DoJ has stated that going forward it will consider whether a company seeking credit for cooperating in an investigation has enforced policies empowering it to collect and provide to authorities all (non-privileged) relevant data on Non-Business IT Assets used by its employees for business. The DoJ will also release further guidance with best practices on the matter.
A key takeaway from these developments is that while future enforcement actions will need to be assessed to see how the DoJ applies such factors in practice, US regulators are very much responding to changed ways of work and communication that are a post-Covid mainstay and frequently pose evidentiary challenges in internal investigations. In the meantime, companies may benefit from re-visiting their compliance programs in light of the new expectations outlined by the DoJ in the Policy.