In settlement agreements involving violations of regulatory compliance, the most significant and important information is frequently left out. This includes the cease-and-desist order issued by the Securities and Exchange Commission (SEC) on recidivist Oracle for breaking the Foreign Corrupt Practices Act (FCPA).
Both businesses and regulators are purposefully tactful when it comes to the information they craft publicly in settlement agreements. Reading between the lines is necessary for the compliance profession to learn anything genuinely meaningful.
Oracle agreed to pay more than $23 million in September to settle charges of FCPA violations stemming from sales employees at the technology company's Turkey, United Arab Emirates (UAE), and India subsidiaries allegedly engaging in multiple schemes whereby they created and used slush funds to bribe foreign officials over a number of years. Oracle did not admit or deny the SEC's findings.
Charles Cain, head of the SEC's FCPA Unit, stated in a news statement that the Oracle case demonstrated the "critical need for effective internal accounting controls throughout the entirety of a company’s operations," which is as clear as saying, "No company should commit bribery."
The regulatory compliance requirements of the FCPA's anti-bribery, books and records, and internal financial control clauses are already known to any chief compliance officer worth their salt. More significantly, this case—and nearly every FCPA case—highlights the urgent requirement for a culture that prioritizes compliance controls.
The order's repeated emphasis that the alleged misbehavior violated "Oracle's internal policies" creates the appearance that attorneys had more influence over the phrasing than the SEC when it came to writing it. A moot point is FCPA wrongdoing that contravenes internal written policies. The compliance "paper tiger" program can roar all it likes. That does not imply that it is toothy.
In this instance, it was claimed that Oracle lacked even the most fundamental compliance measures, such as increased due diligence and documentation standards, especially in the high-risk nation of India. In a 2012 settlement with the SEC over comparable FCPA breaches at its India business, Oracle consented to pay $2 million. "Oracle failed to seek transparency in or audit third-party payments made by distributors on Oracle India’s behalf," the SEC stated at the time. "This control would have enabled Oracle to check that payments were made to appropriate recipients."
Again, typical of a bribery and corruption case, the 2022 order implied that lower-level sales staff were to blame while containing only one brief sentence about Oracle's recidivism and glossing over how the company's "additional due diligence in its partner transactions in India" and "greater transparency into end-user pricing in government contracts," which were mentioned as corrective measures in the 2012 order, allowed the misconduct to occur again.
According to its own website, the multinational technology giant Oracle is in the business of giving customers "advanced analytics" to help fight financial crime. Despite this, Oracle's lack of a robust data analytics program as part of its own compliance operations is evident from the lengthy list of corrective actions Oracle took that was included in the SEC's order. Oracle "exercised control over its subsidiaries," according to the agency.
Oracle's Vice President of Global Corporate Communications Michael Egbert would only reiterate that "The conduct outlined by the SEC is contrary to our core values and clear policies, and if we identify such behavior, we will take appropriate action" when asked how the company could have allowed FCPA violations to happen again.
A spokesman for the SEC responded that the agency "does not comment beyond public filings".
The lack of a comparable criminal action by the Department of Justice in the 2012 case suggests that there is insufficient evidence to proceed with bribery charges. If such is the case this time, it will be interesting to see what the legal and compliance professions make of it.
Expect no real transparency from Oracle or the SEC for the time being.
By fLEXI tEAM