This post highlighted the SEC’s recent $22.9 million Foreign Corrupt Practices Act enforcement action against Oracle based on subsidiary conduct in Turkey, the United Arab Emirates, and India.
It was the second time in the past approximate decade that Oracle has resolved an FCPA enforcement action (see here). The first time Oracle resolved an FCPA enforcement action, this post was titled “The Dilution Of FCPA Enforcement Has Reached A New Level With The SEC’s Enforcement Action Against Oracle.”
The second FCPA enforcement action against Oracle this week was just as diluted – an issue apparent when actually reading the SEC’s findings.
The basic findings are as follows.
Oracle used both a direct and indirect sales model in various countries.
Under the direct model, Oracle transacted directly with customers, and the customers paid Oracle directly.
The indirect model was used by Oracle for a variety of legitimate business reasons, such as local law requirements or to satisfy payment terms.
Under the indirect model, Oracle transacted through various types of distributors, including value-added distributors (VADS) and value-added resellers (VARs).
Oracle had various compliance policies and procedures in place relevant to the indirect model. For instance, Oracle utilized a global on-boarding and due diligence process for these channel partners that Oracle implemented at the regional and country levels. In addition, Oracle only permitted its subsidiaries to work with VADs or VARs who were accepted to its Oracle Partner Network (OPN). Similarly, Oracle prohibited its subsidiaries from conducting business with companies removed from the OPN.
Let’s pause here for a moment.
You can “bet the farm” that the SEC would have found Oracle deficient from an internal controls standpoint if Oracle did not have these compliance policies and procedures in place relevant to its indirect sales model. But Oracle did have these compliance policies and procedures in place.
Back to the findings.
According to Oracle’s policies, an employee was only supposed to request a discount from a product’s list price for a legitimate business reason.
Oracle used a three-tier system for approving discount requests above designated amounts, depending on the product.
Depending on the amount of the discount, Oracle at times required subsidiary employees to obtain approval from an approver in a subsidiary other than that of the employee seeking the discount.
For the highest level of discounts, Oracle required the subsidiary employee to obtain approval from an Oracle headquarters designated approver. Typical discount justifications referred to budgetary caps at end customers or competition from other original equipment manufacturers.
Let’s again pause here for a moment.
You can “bet the farm” that the SEC would have found Oracle deficient from an internal controls standpoint if Oracle did not have these additional compliance policies and procedures in place. But Oracle did.
Back to the findings.
Pursuant to Oracle policies, subsidiary sales employees could request purchase orders meant to reimburse VADs and VARs for certain expenses associated with marketing Oracle’s products.
The policies established different levels of approval depending on the amount of the purchase order. Even for purchase orders under $5,000, first-level supervisors at the subsidiary had to approve the purchase order.
Let’s again pause.
You can “bet the farm” that the SEC would have found Oracle deficient from an internal controls standpoint if Oracle did not have these additional compliance policies and procedures in place. But Oracle did.
Back to the findings.
Employees at Oracle’s subsidiary in Turkey used both excessive discounts and sham marketing reimbursement payments to create off-book slush funds – not at Oracle – but at two VADs.
In requesting a non-standard discount, a subsidiary employee lied to Oracle headquarters personnel in the U.S. who approved of the discount.
In another instance, the same subsidiary employee lied to Oracle headquarters personnel in the U.S. who approved of the discount.
The SEC specifically acknowledged that the Oracle Turkey employees “used the accounts for purposes that were prohibited under Oracle’s internal policies.”
Certain Oracle UAE sales employees used both excessive discounts and marketing reimbursement payments to maintain slush funds – once again not at Oracle – but at VARs.
In certain instances, the VAR was not an Oracle approved VAR for public sector transactions.
Certain Oracle India sales employees used excessive discounts with a transportation company – a majority of which was owned by the Indian Ministry of Railways.
Because of the size of this deal, an Oracle employee based in France had to approve of the request, but once again the subsidiary employee lied in seeking the approval request.
Based on the above, the SEC found that Oracle violated the FCPA’s anti-bribery provisions, books and records and internal controls provisions.
What exactly did Oracle Corp. (the issuer) do wrong?
As stated by the SEC in summary fashion, Oracle policy did not require documentary support for the requested discounts and “as a result, Oracle Subsidiary employees were able to implement a scheme whereby larger discounts than required for legitimate business reasons were used in order to create slush funds with complicit VADs or VARs.” In addition, first-level supervisors at subsidiaries could approve marketing reimbursement purchase order requests “without any corroborating documentation indicating that the marketing activity actually took place.”
It is one thing to hold Oracle Corp. liable for books and records and internal controls violations based on the above findings.
But anti-bribery violations based on the above findings?
It is black letter law that legal liability does not ordinarily hop, skip, and jump around around a corporate organization because separate legal entities (including even those within the same corporate hierarchy) are not automatically liable for the legal liability of other entities (whether that liability arises in tort, contract or the FCPA). However, if one entity is merely the “alter ego” of another entity, the other entity may be exposed to legal liability based on the conduct of the “alter ego.”
The SEC at least seemed to recognize this issue as the beginning of the Oracle administrative order stated:
“During the Relevant Period, Oracle exercised control over its subsidiaries. Oracle’s legal, audit, and compliance functions were centrally coordinated from its U.S. headquarters within the United States and implemented on a regional basis. Additionally, Oracle consolidated the Subsidiaries’ financial statements into Oracle’s financial statements.
The employees of Oracle’s subsidiaries reported up to the parent company through lines of business (“LOB”). LOB heads set the financial and business targets for their respective LOB by region or territory, not by country or subsidiary. Consistent with the LOB structure, certain employees in Oracle’s organization moved between Oracle subsidiaries to perform different roles or even while performing the same role.”
However, it is unlikely that such findings – if contested – would have established anti-bribery legal liability for Oracle Corp.
As the Supreme Court stated in 2014 in Daimler v. Bauman (see here for the prior post), the “alter ego” standard is not met just because a subsidiary engages in conduct or performs services that are important to the parent.
The post Another Diluted Oracle Enforcement Action appeared first on FCPA Professor.