The U.S. Securities and Exchange Commission (SEC) announced settled charges today requiring Oracle Corporation to pay more than $23 million to resolve charges that it violated provisions of the Foreign Corrupt Practices Act (FCPA). The charges are related to Oracle subsidiaries in Turkey, the United Arab Emirates (UAE), and India creating and using slush funds to bribe foreign officials in return for business, from 2009-2019.
This one is interesting on many levels, for one this isn’t the first time that Oracle got sanctioned by the SEC for FCPA violations. The SEC previously sanctioned Oracle in 2012 in connection with the creation of slush funds. Oracle India had at the time secretly set aside millions of dollars off the company’s books that were eventually used to make unauthorized payments to phony vendors in India.
For two, Oracle had a strong compliance policy and even regional legal, audit, and compliance functions located in the UAE implementing the US program for the region during the time of misconduct.
So what exactly happened for Oracle to become a recidivist in the same region?
Let us first analyze the misconduct.
The Sales Model
According to the SEC Order documents, Oracle used at the time both a direct and indirect sales
model.
The direct model consisted of Oracle transacting directly with customers, and the customers paid Oracle directly.
The indirect model, consisted of Oracle transacting through various types of distributors, including value added distributors (“VADs”) and value added resellers (“VARs”). The indirect model is what is most frequently used in the region by multinationals for very legitimate reasons, usually compliance with local Agencies Laws or to satisfy payment terms.
Oracle did use a global on-boarding and due diligence process for these distributors that Oracle implemented at the regional and country levels. Oracle only permitted its subsidiaries to work with VADs or VARs who were accepted to its Oracle Partner Network (“OPN”). Similarly, Oracle prohibited its subsidiaries from conducting business with companies removed from the OPN.
Drawing from its 2012 experience with the SEC, Oracle understood quite well that the indirect sales model presented certain risks of abuse – including the creation of improper slush funds.
So far, it sounds like a sound risk-based compliance approach. So where does it go wrong? In order to dissect the misconduct here, we first need to understand which corruption schemes were used.
Improper Use of Discounts
It is customary for employees at sales offices in the region to request from their HQ a discount from a product’s list price to extend to the regional distributors.
Oracle policies covered such eventuality. According to its policies, an Oracle employee could only request a discount from a product’s list price for a legitimate business reason. Typical justifications for such discounts referred to budgetary caps at end customers or competition from other original equipment manufacturers.
To approve such discounts, Oracle used a three-tier system for approving discount requests above designated amounts, depending on the product.
Depending on the amount of the discount, Oracle at times required subsidiary employees to obtain approval from an approver in a subsidiary other than that of the employee seeking the discount.
For the highest level of discounts, Oracle required the subsidiary employee to obtain approval from an Oracle headquarters designated approver.
However, while Oracle policy was clear that all discount requests be supported by accurate information and Oracle reviewers could request documentary support, Oracle policy did not require documentary support for the requested discounts – even at the highest level.
Herein Oracle subsidiary employees were able to cook up a scheme where they would request larger discounts than required for legitimate business reasons, and used the monies to create slush funds with complicit VADs or VARs. The distributors profited from the scheme by keeping a portion of the excess deal margin.
Improper Use of Marketing Reimbursements
It is customary for regional sales offices to reimburse distributors for certain expenses associated with marketing activities.
Oracle allowed its sales employees at the subsidiaries to request purchase orders meant to reimburse VADs and VARs for certain expenses associated with marketing Oracle’s products.
As long as the purchase orders were under $5,000, first-level supervisors at the Subsidiaries could approve the purchase order requests without any corroborating documentation indicating that the marketing activity actually took place.
Oracle subsidiary employees based in Turkey and the UAE seized that opportunity to request sham marketing reimbursements to VADs and VARs as a way to increase the amount of money available in the slush funds held at certain channel partners.
The direct supervisors of these sales employees, who were complicit in the scheme, approved the
fraudulent requests.
So now that we understand how the schemes worked, let’s take a closer look at the culture of bribery that took place locally.
Improper Conduct at Oracle UAE
The Corrupt UAE Deals
In 2018 and 2019, an Oracle UAE sales account manager of a UAE state-owned entity “SOE” ( I wonder which one) paid approximately $130,000 in bribes to the SOE’s Chief Technology Officer in return for six different contracts over the same period.
The first three bribes were funded with the assistance of two complicit VARs through an excessive discount and paid through another UAE entity (again I wonder which one, why aren’t you mentioning names of UAE entities, USA?).
That UAE entity was not an Oracle approved VAR for public sector transactions and its sole purpose was to make the bribe payments.
For the final three deals, the UAE Entity “not approved by Oracle” was the actual entity that contracted with the UAE SOE despite the fact that Oracle’s deal documents represented an Oracle approved partner as the VAR for the deal.
This does raise interesting questions about the legal verification of VARs before they end up in contracts…Although the SEC is not elaborating further on this scheme , the first question that comes to mind, is how do you bypass that global onboarding and due diligence process without concern being raised by the regional legal, compliance and audit? Was the local UAE management complicit?
The VAR “Wallets”
From at least 2014 to 2019, certain Oracle UAE sales employees used both excessive discounts and marketing reimbursement payments to maintain slush funds at VARs.
In some instances, the sales people referred to slush funds that they maintained over
a period of time at a specific VAR as a “wallet.”
Oracle UAE sales employees directed the VARs how to spend the funds, and used the wallets to pay for the travel and accommodation expenses of end customers, including foreign officials, to attend Oracle’s annual technology conference although Oracle’s internal policies clearly prohibit this misconduct.
Improper Conduct at Oracle Turkey
The VAD Accounts
From 2009 – 2019, Oracle Turkey used both excessive discounts and sham
marketing reimbursement payments to create off-book slush funds at its two VADs.
Internally, Oracle Turkey sales employees referred to the slush accounts as “havuz” which means “pool” or “kumbara,” which means “moneybox,” and used the accounts for purposes that
were prohibited under Oracle’s internal policies.
Oracle Turkey employees routinely used the slush funds to pay for the travel and accommodation expenses of end-user customers, including foreign officials, to attend annual technology conferences in Turkey and the United States, including Oracle’s own annual technology conference. In some instances, these funds were also used to pay for the travel and accommodation expenses of foreign officials’ spouses and children, as well as for side trips to Los Angeles and Napa Valley.
Oracle Turkey employees used these slush funds for roughly a decade with the blessings of the local management, including the country leader, knew of and condoned the practice.
The 112 Project
In May 2018, Oracle Turkey was attempting to win a lucrative contract with Turkey’s Ministry of Interior (“MOI”) for the ongoing creation of an emergency call system in Turkey (“112 Project”), for which Oracle Turkey had previously provided services.
The sales account manager for the MOI with the knowledge of the then-country leader, sought to improperly influence relevant officials and planned a week-long trip to California for four MOI officials that was likely paid for with funds from a VAD account. Ostensibly, the purpose of the trip was for the MOI officials to attend a meeting at Oracle’s headquarters in
California with a senior Oracle executive. But the meeting at Oracle’s headquarters only lasted approximately fifteen to twenty minutes.
During the rest of the week, the Turkey
Sales Representative entertained the MOI officials in Los Angeles and Napa Valley and took them to a theme park (Disneyworld?).
Sure enough, following that very hospitable hospitality, on May 31, 2018, Oracle received a large follow-on order related to the 112 Project.
In order to fund the MOI officials’ leisure trip, the Turkey Sales Representative needed to request a non-standard discount. Accordingly, the Turkey Sales Representative requested an excessive discount for the 112 Project by claiming the MOI had budgetary restraints and that Oracle Turkey was facing stiff competition from other original equipment manufacturers.
Oracle headquarters personnel in the United States relied on the Turkey Sales Representative’s claim of competition when it approved the discount, but they did not require proof. In reality, the MOI did not conduct a competitive bidding process for this contract. Instead, the MOI required any bidders that responded to the tender offer to include Oracle products in their bid.
Oracle Deals with SSI
The same prolific Turkey Sales Representative involved with the 112 Project also
facilitated cash bribes to officials at Turkey’s Social Security Institute (“SSI”).
According to a spreadsheet the Turkey Sales Representative maintained, the Sales Representative was tracking how much potential margin he could create from a discount request six months before he finalized a deal with the SSI in 2016.
Then, three months before he closed the deal, the Turkey Sales Representative met with an intermediary for the SSI officials. The subject of the meeting calendar request read: “Those who think big are meeting up.” (Funny, you have to applaud the bold visionary here, but on a serious note, you get an acute sense of who is initiating the bribe situation, the bribe giver rather than the receiver)
So in order to cook up the bribes, the Sales Representative again falsely claimed he needed a significant discount due to intense competition from other original equipment manufacturers. An Oracle employee located in the U.S. approved the discount due to the deal’s size. As before, no additional documentary support for the justification was required. The Sales Representative used the excess margin to increase the amount of money kept in a slush fund maintained by the VAD for the 2016 deal.
However, instead of intense competition, Turkey’s public procurement records that were available at the time indicated that the SSI required Oracle products to fulfill the tender, which precluded competition from other original equipment manufacturers. (This is an interesting point to note for companies, financial institutions, and government agencies who often claim that their IT procurement suppliers are limited, and often favor one supplier).
In 2017, emboldened by his exploits under the benevolent eye of his local management, the same Turkey Sales Representative used a VAR to create a slush fund for SSI officials related to another deal.
This time it concerned a database infrastructure order (“Turkey VAR”). As with the other examples, a significant discount was approved by Oracle headquarters personnel in the United States without documentary support. A spreadsheet maintained by the Turkey Sales Representative shows an excessive margin of approximately $1.1 million, only a portion of which was used to purchase legitimate products such as software licenses.
The Turkey VAR only kept a nominal amount for itself and while following instructions from the Sales Representative, the Turkey VAR passed the majority of the funds to other entities, including an entity controlled by the Intermediary. The Intermediary-controlled entity that was responsible for providing the cash bribes to SSI officials received at least $185,605.
Everyone is getting his cut in the bribery chain, and the Sales Rep + Country manager probably got a generous bonus, but the SEC order did not detail that part.
Improper Conduct at Oracle India
In 2019, Oracle India sales employees also used an excessive discount scheme in connection with a transaction with a transportation company, a majority of which was owned by the Indian Ministry of Railways (“Indian SOE”).
The sales employees working on the deal, citing intense competition from other original equipment
manufacturers, claimed the deal would be lost without a 70% discount on the software
component of the deal. Due to the size of the discount, Oracle required an employee based
in France to approve the request.
The Oracle designee provided approval for the discount without requiring the sales employee to provide further documentary support for the request.
In fact, the Indian SOE’s publicly available procurement website indicated that Oracle India faced no competition because it had mandated the use of Oracle products for the project.
One of the sales employees involved in the transaction maintained a spreadsheet that indicated $67,000 was the “buffer” available to potentially make payments to a specific Indian SOE official.
A total of approximately $330,000 was funneled to an entity with a reputation for paying SOE officials and another $62,000 was paid to an entity controlled by the sales employees responsible for the transaction. Same question comes to mind: how do you approve payment to an entity with questionable reputation, especially when Oracle India was the entity responsible for the original misconduct in 2012?
Unfortunately, the SEC order does not shed further light on the matter, so we will have to do with the provided.
Penalties and Remediation
Without admitting or denying the SEC’s findings, Oracle agreed to cease and desist from committing violations of the anti-bribery, books and records, and internal accounting controls provisions of the FCPA and to pay approximately $8 million in disgorgement and a $15 million penalty. Sounds a little light for a recidivist, but the SEC is justifying that the disgorgement and prejudgment interest ordered is consistent with equitable principles, does not exceed Oracle’s net profits from its violations.
Oracle’s cooperation and remedial efforts were however substantial to be fair, and included, self-reporting certain unrelated conduct, remedial acts it undertook, and cooperation afforded the SEC.
Oracle’s remediation included:
(i) terminating senior regional managers and other employees involved in the misconduct and separating from employees with supervisory responsibilities over the misconduct;
(ii) terminating distributors and resellers involved in the misconduct;
(iii) strengthening and expanding its global compliance, risk, and control functions, including the creation of over 15 new positions and teams at headquarters and globally;
(iv) improving aspects of its discount approval process and increasing transparency in the product
discounting process through the implementation and expansion of transactional controls;
(v) increasing oversight of, and controls on, the purchase requisition approval process;
(vi) limiting financial incentives and business courtesies available to third parties, particularly in public
sector transactions;
(vii) improving its customer registration and payment checking processes and making other enhancements in connection with annual technology conferences;
(viii) enhancing its proactive audit functions;
(ix) introducing measures to improve the level of expertise and quality of its partner network and reducing substantially the number of partners within its network;
(x) enhancing the procedures for engaging third parties, including the due diligence processes to which partners are subjected;
(xi) implementing a compliance data analytics program; and
(xii) enhancing training and communications provided to employees and third parties regarding anti-corruption, internal controls, and other compliance issues.
