Five Important Lessons for Compliance Officers from the Oracle FCPA Settlement

Oh, recidivists.

If you’ve already been fined for bribery, don’t do it again! Alas, for Oracle, history has repeated itself with a second series of FCPA violations. The facts, as laid out in the SEC Order, are pretty fascinating.

But more important are the lessons that can be learned to ensure our programs better prevent and detect bribery and misconduct.

Let’s jump in!

Lesson 1: Require Documentation for Deep Discounts to Distributors

 

Oracle had what appeared to be a good series of controls for approving unusually high discounts to distributors.

A three-tiered system was employed for approving discount requests above certain amounts. For the highest level of discount, Oracle required subsidiary employees to obtain approval from a designated approver at Oracle’s U.S. headquarters. However, while the Oracle policy stated that all requests must be supported by accurate information, there was no requirement to provide any documentation backing up the request.

What happened?

Predictably, several requests were approved without documentation, leading to the creation of slush funds for bribes to government officials and the provision of lavish travel.

For instance, a representative of Oracle’s Turkish subsidiary requested an excessive discount by claiming the Ministry of the Interior had budgetary restraints and that Oracle Turkey was facing stiff competition from other original equipment manufacturers in the bid. The discount was approved without documentation. In reality, in its tender, the Ministry had required that any bidders responding to the tender offer include Oracle products in their bid.

The lesson for compliance officers is that for deep or unusual discounts, require documentation proving the business case for the exceptional grant. Keep these documents in a central repository for a proper audit trail. Not doing so invites abuse.

Lesson 2: Use Audits, Reports, Data Analytics, and/or Artificial Intelligence to Catch Multiple Reimbursement Requests Just Under the Threshold for Review

 

At many companies, requests for any sort of reimbursement require a receipt or other documentation. Heck – getting lunch or parking reimbursed without a receipt can be downright impossible.

But that wasn’t true at Oracle for reimbursements for marketing activities, some of which never happened but were paid for anyway. If the purchase order from a subsidiary was for under $5,000, first-level supervisors could approve the purchase order without requesting any corroborating documentation or receipts.

Oracle Turkey took advantage of this gap. Turkish sales employees opened purchase orders totalling over $115,000 – each individually under the $5,000 threshold – which were used for bribes. For those of us not good at math, that’s at least 23 separate purchase orders without documentation for the same activities.

The lesson for compliance officers is that we must find ways of detecting multiple reimbursement requests below thresholds of approval going to the same third party.

➡️ Learn about the reporting capacities of your gifts and hospitality, AP, or expense reimbursement software to see how these payments can be captured.

➡️ Perform audits using sampling.

➡️ Use data analytics capacities built into the software or provided by a third-party application to help you find these types of purchase orders or requests for reimbursement.

➡️ Also, require documentation for all such requests. A simple receipt will do.

Lesson 3: Beware of Paying for Travel – Even to Your Company’s Conference!

 

This one surprised me!

The SEC resolution noted in two places – both in the description of the violations in Turkey and in the UAE – that the improper travel included trips to the Oracle company conference.

To be fair, in neither case was the company conference the sole improper travel. There were plenty of other violations of gifts and hospitality norms. One trip was especially egregious. Four Turkish Ministry of Interior officials were sent on a week-long trip to California, ostensibly to visit Oracle headquarters. They did visit Oracle headquarters – for approximately twenty minutes. The rest of the week was spent in LA, Napa, and at a theme park.

The kicker? The trip took place during May…and the contract with the Ministry of Interior was awarded to Oracle on May 31.

The other violations named by the SEC included the usual suspects – travel and accommodations for foreign officials’ spouses and children, along with side trips to tourist destinations that that had nothing to do with work.

What’s the lesson for compliance officers? Make sure your gifts, hospitality, and travel policy:

➡️ Prohibits entertainment of spouses and children

➡️ Requires pre-approval for gifts, hospitality and travel for government officials

➡️ Disallows anything less than di minimis gifts, hospitality, or entertainment during RFP or contract negotiation.

In addition, for higher-risk travel (e.g., for government officials), request a copy of the itinerary. If you see only 20 minutes of business-related activity, follow up quickly.

Part of Oracle’s remediation includes “improving its customer registration and payment checking processes and making other enhancements in connection with annual technology conferences.” Make sure you do the same.

Lesson 4: For High-Risk Transactions – Review Public Records of RFPs

 

A particularly interesting part of the Oracle fact pattern relates to publicly-available records. In two of the country fact patterns, public records showed that Oracle products were either required in the tender response or were already chosen despite requests for discounts from the subsidiary employees stating otherwise.

In India, a sales employee used an excessive discount scheme in connection with a transaction with a transportation company whose majority owner was the Indian Ministry of Railroads. The salesperson requested a 70% discount on the software component of the deal, citing intense competition. According to the SEC, “…the Indian [state-owned entity’s] publicly available procurement website indicated that Oracle India faced no competition because it had mandated the use of Oracle products for the project.”

For a deal with Turkey’s government-owned Social Security Institute, the Oracle sales representative falsely claimed that a significant discount was necessary due to intense competition from other original equipment manufacturers. However, in public procurement records that were available at the time, the RFP required Oracle products to fulfill the tender, precluding competition from other providers.

The lesson for compliance officers is that (1) if deep/unusual discounts are being requested in (2) responses to public tenders, then it is best to review the publicly-available information about the tender request. Of course, it isn’t reasonable to review all public tenders. Rather, for those that have publicly-available information when exceptional discounts are requested, it’s worth checking out the potential deal in more detail.

Lesson 5: Check the Payees in High-Risk Deals

 

According to the SEC, in the Oracle India deal, “$330,000 was funneled to an entity with a reputation for paying [state-owned entity] officials and another $62,000 was paid to an entity controlled by the sales employee responsible for the transaction.” Wait – the entity was owned by the Oracle sales employee responsible for the internal transaction?

For higher-risk transactions, it’s critical to perform deep due diligence on the reputation and ownership of entities being paid as intermediaries or as beneficiaries of the deals. Please note that this advice is for high-risk transactions. If the lessons given from this case study were applied to all entities, the compliance program would swallow the company whole and it wouldn’t be able to operate. Risk-based due diligence is critically important.

 

So there we have it – five critical lessons from Oracle’s second foray into resolution with the government for FCPA violations. The SEC Order includes a lengthy paragraph on Oracle’s remediation efforts, which include terminating the culpable actors, inserting new controls, strengthening and expanding its global compliance function, and creating 15 new positions and teams at headquarters to strengthen compliance. Their good work was rewarded with reduced fines and penalties.

It’s always better (and usually easier!) to learn from someone else’s mistakes. Let’s take these lessons to heart to improve our programs now.

If you enjoyed this breakdown of Oracle, you might like my take on The Explosive Twitter Meltdown

Kristy Grant-Hart

CEO of Spark Compliance Consulting

Kristy Grant-Hart is the founder and CEO of Spark Compliance.

She’s a renowned expert at transforming compliance departments into in-demand business assets.