How to bribe: What can we learn from SAP’s bribery and corruption schemes? – The Indonesia conspiracy

On 10 January 2024, the United States Department of Justice (DOJ) unsealed the deferred prosecution agreement (‘DPA’) of the United States v. SAP SE bribery and corruption case. SAP SE is a global software company headquartered in Walldorf, Germany. The DPA provides valuable insights in how bribe paying works, the damages corruption causes and what regulatory enforcement looks like. Insights which which are very useful for compliance professionals and auditors. We have analysed the DPA for you and summarised the lessons that can be learned form the case.

According to the press releases by the DOJ as well as the Securities and Exchange Commission (SEC), the SAP bribery practices were widespread and covered multiple geographies, including South Africa, Malawi, Kenya, Tanzania, Ghana, Indonesia and Azerbaijan. Between December 2014 to January 2022 SAP engaged intermediaries and consultants in these countries to facilitate the bribes. SAP also used other schemes such as direct cash payments, gifts and hospitality. This all with the objective of maintaining or winning business. The DPA solely details the schemes in South Africa and Indonesia, this blog will focus on the latter. Out take on the Indonesia scheme can be found here.

Background of the bribery and corruption scheme

The information sheet published alongside the DPA’s provide more insight into the wrongdoing: “Between approximately 2015 and 2018, SAP, through its agents, including but not limited to SAP Indonesia and its personnel, engaged in a scheme to bribe Indonesian officials, to obtain improper business advantages for SAP in connection with various contracts between and among SAP and Indonesian departments, agencies, and instrumentalities. In furtherance of the conspiracy, SAP and its agents, either directly or through third party intermediaries, provided or offered payments and other things of value to and for the benefit of foreign officials.”

SAP shall pay over USD 220 million to resolve the investigations by the DOJ and the SEC. Pursuant to the DPA, SAP will pay a criminal penalty of USD 118,8 million and an administrative forfeiture of USD 103 million. SAP will also continue cooperating with the DOJ in any ongoing or future criminal investigation arising during the term of the DPA. In addition, the DOJ will credit up to USD 55 million of the criminal penalty against amounts that SAP pays to resolve investigations by law enforcement authorities in South Africa for the conduct.

Unravelling the Indonesia bribery and corruption scheme

Let’s have look how the scheme was set up and what we can learn from it. Note that, when assessing bribery schemes, we use the three step approach in which bribery typically takes place. This is (1) selecting the method via which bribes are paid, followed by (2) the creation of funding and execution of payments. The third step is (3) the cover up of the payments by integrating it in regular business transactions.

The first step in any bribes scheme is to select the methods of payment. According to the DPA, SAP bribed government officials that were working for the Indonesian state-owned agency Balai Penyedia dan Pengelola Pembiayaan Telekomunikasi dan Informatika (BP3TI) and the Indonesian Ministry of Maritime Affairs and Fisheries (KKP).

Step 1: Agree method of paying bribes

The DPA describes text messages between SAP employees and outside consultants to coordinate bribes for multiple KKP officials. The amounts of these bribes range from 50 million to 70 million Indonesian Rupiah. Around USD 3.600 and USD 5.040 respectively. The messages also describe the method of delivery, with the consultant noting that the KKP official had requested cash. The SAP employee was advised to “[b]ring [an] empty envelope” to a meeting with the consultant in the lobby of the KKP.

In obtaining and retaining the BP3TI contracts SAP provided gifts to multiple government officials and official’s family members. The DPA also notes that multiple BP3TI officials and at least one family member traveled to the United States. An employee of an Indonesian intermediary engaged by SAP accompanied the BP3TI officials on this trip. This intermediary employee would later be employed by SAP. The intermediary employee paid for shopping sprees for a BP3TI official and a family member, purchasing handbags, keychains, novelties, gifts and other items.

The DPA notes that the intermediary employee that accompanied the BP3TI official on the shopping sprees sent text messages from the United States to co-conspirators in Indonesia, updating them on the purchases and sending pictures of the shopping trip. The intermediary employee had a budget of approximately USD 10,000 over five days and, during that time, also bought a BP3TI official a luxury watch. WhatsApp chats also indicate that others at SAP Indonesia discussed requests to pay for meals and travel expenses for employees of public sector customers.

Step 2: Create funding and execute payments

The DPA notes that the bribes came in the form of direct cash payments, gifts and hospitality but does not provide much detail on the expenses were recorded in SAP’s financial administration. Regardless, the cash and expenses need to be recorded somewhere. The fact that such transaction were not prevented by internal control already raises questions on the how SAP was keeping an eye on outgoing payments. Even if internal controls had picked up red flags, than these flags were not properly addressed.

Also read our blog “How They Do It: Bribery and Corruption Through Travel and Entertainment” if you want to learn more about these forms of bribery and how organisations can manage this risk.

Step 3: Cover up the payments

Based on the description in the DPA is does not appear that SAP employees did their utmost to cover up the payments as they discussed the gifts digitally and even sent pictures. The scheme itself is far from complex. Especially given the risk inherent to relationships with government entities one would expect increased scrutiny and controls.

Preventing bribery because it is the right thing to do

Based on the information sheet and the DPA it appears that SAP’s bribery schemes were systematic and widespread. Not to forget, SAP is a repeated offender as SAP paid about USD 3,9 million to settle SEC civil charges in 2016 involving breaches of internal controls provision in connection with a bribery scheme in Panama.

Therefore you would expect that SAP would get a substantially higher penalty. We think that the relativity low penalty is the result of the DOJ and the SEC more lenient approach towards corporate offenders who (pro)actively cooperate and take remedial actions in line with the focus areas as detailed in the Monaco Memo.

The DPA provides some insight in what the DOJ and SEC considered to be important in such cooperation. This includes, among others, disciplining employees involved and remedial actions such as root cause analysis, risk assessments, enhance internal controls, improving mechanisms to detect and respond to misconduct, and data driven compliance. In a separate blog on the SAP enforcement action we will zoom in on these elements of effective compliance.

Thus, smart compliance professionals study DPA, in particular the expectations of US enforcement agencies, when designing or strengthening their compliance programs. This to mitigate the risk of reputational damage and financial penalties as a result of bribery and corruption. But more importantly, because these expectations are simply the right thing to do as they help to prevent bribery and corruption.