Oracle Corporation, the American technology giant, agreed to pay the U.S. Securities and Exchange Commission (“SEC”) $22.9 million to resolve charges, following an SEC investigation, that it violated the Foreign Corrupt Practices Act (“FCPA”). As alleged, Oracle violated the FCPA in Turkey, India, and the United Arab Emirates by creating and using slush funds to bribe foreign officials in return for business. This is Oracle’s second blunder with the SEC. Previously, in 2012, Oracle paid a $2 million civil penalty to the SEC to settle FCPA charges arising from a slush fund in India.
The SEC charged the company with violating the FCPA’s anti-bribery, books and records, and internal accounting controls provisions. According to the allegations, during 2009-2019, Oracle Turkey created slush funds to (i) bribe foreign officials, and/or (ii) provide other benefits to foreign officials and their families such as covering their travel expenses all around the world. As alleged, Oracle Turkey employees routinely used the slush funds to pay for the travel and accommodation expenses of end-user customers, including foreign officials, to attend annual technology conferences in Turkey and the United States.
Oracle Turkey employees created these slush funds by applying exorbitant discounts to product list prices and by making reimbursement payments to resellers and distributors.
The crucial part is that high-level management in Turkey is alleged to have known of, condoned, and been involved in the corrupt practices.
Inadequate Internal Controls, Documentation, and Monitoring
According to Oracle’s policies, employees were only supposed to request discounts from a product’s list price for legitimate business reasons, such as competition with other bidders or customers' budgetary caps. Oracle used a three-tier system for approving discount requests that exceeded previously specified amounts, which varied by product. Depending on the product and the amount of the discount, subsidiary employees requesting such discounts needed approval from an approver in the subsidiary and, for the highest level of discounts, from an approver at Oracle headquarters.
However, while Oracle's policy required all discount requests to be supported with accurate information, and Oracle approvers were authorized to request documentation to support these requests, the policy did not require employees to provide the necessary documentation, such as proof of business need and activity, before the approver's review, and Oracle did not implement a system for such review, even for the largest discounts requested.
Deficiently structured policies; poor and inadequate review, approval, and monitoring of discount and reimbursement requests; and disregard for documentation requirements such as proof of activity and business purpose are the main explanation for how Oracle left room for employees to abuse the lack of controls, and some of the underlying reasons why its compliance and monitoring were inadequate. Documentation requirements, especially proof of a legitimate business reason and proof of activity, are two crucial but frequently ignored requirements under company policies, and they are a common source of dispute between sales teams and compliance functions, who are generally accused of complicating all sales and marketing processes.
Involvement of Third Parties
Oracle used both a direct sales model, in which Oracle transacts directly with customers and the customers pay Oracle, and an indirect sales model, in which Oracle transacts through various types of distributors and resellers, including value-added distributors and value-added resellers. Oracle used the indirect sales model for various legitimate business reasons, such as local law requirements.
Oracle utilized a global onboarding and due diligence process at both the regional and country levels for the selection and monitoring of channel partners. Oracle only permitted its subsidiaries to work with partners who were accepted in its system and prohibited its subsidiaries from conducting business with firms removed from its system.
Oracle employees were allowed to request purchase orders to reimburse resellers and distributors for certain expenses associated with marketing. Employees of Oracle subsidiaries in Turkey and the United Arab Emirates requested improper marketing reimbursements for distributors and resellers as a way to increase the amount of money in the slush funds. The direct supervisors of these salespeople, who are alleged to have been directly involved in the scheme, approved their fraudulent purchase requests.
These explanations indicate the need for efficient and ongoing internal control mechanisms for third-party relationships, money flows, and internal approval processes in order to prevent any abuse of trust and unethical practices.
When the Wrong Risk-based Approval System Causes Abuse and Misconduct
In Oracle’s approval system, as long as the purchase orders were under $5,000, first-level supervisors at the subsidiaries could approve the purchase order requests without any supporting documentation indicating that the marketing activity actually took place. However, Oracle Turkey sales employees made purchase orders totaling approximately $115,200 in 2018, each of which was individually under this $5,000 threshold.
Not requiring a documented request, expanded approval, or due diligence is a very common practice in companies for transactions that they consider to carry no or low risk based on their monetary value. Requests for information and due diligence before third-party engagements or payments are generally not welcomed if the amount to be paid is lower than certain specified limits. However, this is a great example of how small payments can be accumulated into a large bribe fund.
Self-Reporting, Cooperation, and Immediate Remediation as the Reason for Remission
In deciding to accept Oracle’s offer, the SEC considered Oracle’s self-reporting of the conduct, its immediate remedial actions, and its cooperation with the Commission staff during the investigation. Oracle had been conducting an internal investigation into the relevant misconduct since 2019. The SEC states that Oracle’s cooperation includes sharing facts developed in the course of its own internal investigations, voluntarily providing translations of key documents, and facilitating the staff’s requests to interview current and former employees of Oracle’s foreign subsidiaries.
Oracle's remediation includes terminating the contracts of senior regional managers and other employees involved in the misconduct, terminating the contracts of the distributors and resellers involved in the misconduct, creating new Risk and Compliance positions and teams globally, and implementing the Compliance Data Analysis Program. The remediation also includes increasing supervision and transparency of procurement requests in the approval process, limiting financial incentives and business relationships offered to third parties, especially in public sector transactions, and improving proactive audit functions.
The Oracle case is crucial not only because it demonstrates the importance of third-party risk management and internal controls, but also because it points directly to some of the most common in-house conflicts that arise during the approval and de facto compliance monitoring of activities. Using monetary limits as a risk-based system can serve its goal only if it is structured efficiently. For example, Oracle’s approval system for discounts and purchase orders could have been structured to require documentation of activities and proof of execution for all requests regardless of the amount, and to require expanded due diligence for requests over a certain limit. Removing the baseline and fundamental requirements can never be a “risk-based” model, only willful ignorance. In addition, the case shows that third parties were not efficiently monitored after the onboarding process. It must be emphasized in all third-party risk management procedures that monitoring third-party relationships for as long as the relationship continues is as important as conducting due diligence before onboarding.
Still, Oracle’s internal controls allowed it to detect the misconduct at some point, and its strong, efficient, and immediate handling of the internal investigation, together with immediate remediation, helped it reach a favorable settlement considering the amount and duration of the misconduct.
To address the issues that any multinational company may face in light of the SEC’s Oracle investigation and settlement, companies must not only implement compliance policies effectively but also avoid breaches by not neglecting internal controls and accounting supervision within the company. Proper operation of these control mechanisms will be the ultimate preventive factor against bribery and corruption. Otherwise, companies will inevitably be subject not only to remediation but also to severe financial penalties arising from breaches of anti-corruption laws.
Kemal Altuğ Özgün