How to bribe: What can we learn from SAP’s bribery and corruption schemes? – The South Africa conspiracy

On 10 January 2024, the United States Department of Justice (DOJ) unsealed the deferred prosecution agreement (‘DPA’) of the United States v. SAP SE bribery and corruption case. SAP SE is a global software company headquartered in Walldorf, Germany. The DPA provides valuable insights in how bribe paying works, the damages corruption causes and what regulatory enforcement looks like. Insights which are very useful for compliance professionals and auditors. We have analysed the DPA for you and summarised the lessons that can be learned from the case.

According to the press releases by the DOJ and the Securities and Exchange Commission (SEC), the SAP bribery practices were widespread and covered multiple geographies, including South Africa, Malawi, Kenya, Tanzania, Ghana, Indonesia and Azerbaijan. From December 2014 to January 2022, SAP used intermediaries and consultants in these countries to facilitate the payment of bribes. SAP also used other schemes such as direct cash payments, gifts and hospitality. The purpose of this corruption scheme is to maintain current and to win new business. The DPA details the schemes in Indonesia and South Africa. In this blog focus on the South African case. Our take on the Indonesia scheme can be found here.

Background of the bribery and corruption scheme

The information sheet that was published alongside the DPA provides insight into SAP’s wrongdoing: “In or about and between 2013 and 2017, through its agents, including SAP Africa, SAP South Africa, and SAP Employees, SAP engaged in a scheme to bribe South African officials and to falsify SAP’s books, records, and accounts, all with the goal of obtaining improper advantages for SAP in connection with various contracts between and among SAP and South African departments, agencies, and instrumentalities. In furtherance of this conspiracy, SAP relied, in part, on third party intermediaries to facilitate payments to South African officials and SAP engaged other third parties with no legitimate business purpose, and thereafter falsified SAP’s books and records regarding its payments to those third parties“.

SAP shall pay over USD 220 million to resolve the investigations by the DOJ and the SEC. This includes not only the Indonesian and South Africa schemes, but also the ones in Malawi, Kenya, Tanzania, Ghana and Azerbaijan. Pursuant to the DPA, SAP will pay a criminal penalty of USD 118,8 million and an administrative forfeiture of USD 103 million. SAP also needs to continue cooperating with the DOJ in any ongoing or future criminal investigation arising during the term of the DPA. In addition, the DOJ will credit up to USD 55 million of the criminal penalty against amounts that SAP pays to resolve investigations by law enforcement authorities in South Africa for the conduct.

If we continue reading the settlements we find that the bribes came in the form direct cash payments, payments through a third party (like intermediaries and consultants) and via the offering of gifts and hospitality. Read our blogs “How They Do It blog on bribery and corruption through agents and intermediaries” and “How They Do It: Bribery and Corruption Through Travel and Entertainment” if you want to learn more about these forms of bribery.

Unravelling the South Africa bribery and corruption scheme

Let’s have look how the scheme was set up and what we can learn from it. Note that, when assessing bribery schemes, we use the three step approach in which bribery typically takes place. This is (1) selecting the method via which bribes are to be paid, followed by (2) the creation of funding and execution of payments. The third step is (3) the cover up of the payments by integrating the payments in regular business transactions to conceal their actual business rationale.

The DPA describes 4 modi operandi through which SAP paid bribes in South Africa. We have visualised these modi operandi in the figure below.

Step 1: Agree method of paying bribes

The first step in any bribes scheme is to select the methods of payment. Modus operandi 1 concerned a direct payment to an intermediary. In obtaining and retaining a contract with the City of Johannesburg, SAP used an intermediary to pay the bribes to the a public official working for the City of Johannesburg. The DPA details correspondence between a SAP employee and a public official which discusses a payment for the City of Johannesburg official. In the exchange, the SAP employee represented that the SAP employee could “confirm” the forthcoming bribe payment. In response, the City of Johannesburg official asked: “[s]hould give [SAP Employee 2] the bank account or you’ll give me cash”.

Ultimately, SAP paid 2.200.000 South African Rand that was routed through an intermediary and onward paid to an entity associated to the City of Johannesburg official. According to the DPA the payment “…was falsely recorded in SAP SA’s books and records as a “Sales Commission.”…”

Modus operandi 2 involved the payment of commissions to an intermediary which ultimately were used for payments to a Department of Water and Sanitation (DWS) official. A SAP Employee approved the payment of a bribe of approximately 3.000,000 South African Rand to a DWS Official in connection with a DWS contract. As in the first modus operandi, the payment was routed through an intermediary. Upon receiving the funds from SAP, in an attempt to avoid detection, the intermediary paid the bribe to another corporate entity. According to the DPA, this was done for eventual forwarding to or for the benefit of the DWS Official.

In obtaining the DWS Contract, SAP undertook the unusual step of engaging two intermediaries. Each intermediary was paid a commission of 14,9% of SAP’s revenue from the DWS Contract. The maximum percentage allowable according SAP policies without requiring significantly higher-level approvals within the organisation. Moreover, SAP conducted limited due diligence on the intermediary that was used to forward the bribe. The DPA notes that subsequent review revealed that the intermediary had no financial statements (audited or unaudited), had not filed any returns for employee tax purposes, and found no signs of activity at the intermediary’s claimed business address.

For modus operandi 3 SAP engaged another intermediary with the aim to obtain and retain business with the city of Tshwana and multiple other South African government agencies and state-owned entities. SAP paid this intermediary more than 9.000.000 South African Rand in connection with these engagements. These payments were falsely booked as ‘commissions’, despite the lack of substantive
work performed by the intermediary. On various occasions SAP paid the commissions to the intermediary within days of the receipt of the invoice and without receive any substantive work in return. The DPA states that the intermediary forwarded the commissions to business entities owned or controlled by government officials.

Modus operandi 4 concerned payments to multiple other intermediaries. This with the purpose to obtain and retain business with Eskom and other South African, departments, agencies, and instrumentalities. The DPA states that the payments were falsely booked as being for ‘sales related services’ where, in fact, the intermediaries provided no legitimate services. The intermediaries failed to provide any deliverables, lacked experience or expertise in SAP’s business, or were otherwise uninvolved in work on behalf of SAP. Regardless, SAP paid these intermediaries which according to the DPA were owned by individuals who were closely affiliated with multiple South African government officials.

Step 2: Create funding and execute payments

The amounts paid to the intermediaries were presented as ‘commissions’ and ‘sales related services’. Possibly the intermediaries issued fictitious invoices for services that were never provided. Employees within SAP involved in the scheme where authorised to approve these invoices/payments or where able to enforce approvals by others. In other words, the bribes were funded by commissions and sales expenses.

The DPA states “…executives of SAP Africa and SAP South Africa falsely certified to the operating effectiveness of internal controls over financial reporting, which included payments falsely booked as “commissions” and other, similar expenses…“. The DPA mentions that SAP had implemented internal controls on commission payments/percentages. Commissions exceeding 14,9% were subject to “significantly higher-level approvals”. By keeping the commission percentages below 15% indicates that this was chosen by the perpetrates to prevent that further checks and approval would be necessary. Regardless, one might raise concerns about the adequacy of the control design if additional scrutiny is only triggered when the commission is 15% or higher. The percentage already seems high in itself, but given the inherent risk with agents and intermediaries, one would expect heightened scrutiny on all such relationships and corresponding payments.

Another control that is mentioned in the DPA is due diligence on third parties. A common ‘misstep’ in bribery schemes were intermediaries are used is the lack of due diligence. Another ‘misstep’ is the use of intermediaries in situations where their presence is unexpected or unnecessary. As explained above, SAP also made these missteps. At least it is clear that SAP’s due diligence procedures were not properly executed as serious red flags were not spotted or not adequately investigated. We urge everyone, when witnessing such missteps or ‘red flags’ as we call them, to ask follow-up questions to understand why certain decisions are made and what the business rationale is of related transactions.

Step 3: Cover up the payments

The DPA notes that SAP covered up the true nature of the payment by recording them in the financial administration as commissions and sales related services. This to hide the true nature of the payments and give the payment the appearance of legitimacy.

The scheme itself does not appear to be very complex and would have raised questions if SAP would have had an effective anti-bribery and corruption program. Those controls that should have prevented the payments, or at least should have raised suspicions, were not executed properly or were circumvented.

Preventing bribery because it is the right thing to do

Based on the information sheet and the DPA it appears that SAP’s bribery schemes were systematic and widespread. Not to forget, SAP is a repeated offender as SAP paid about USD 3,9 million to settle SEC civil charges in 2016 involving breaches of internal controls provision in connection with a bribery scheme in Panama.

Therefore you would expect that SAP would get a substantially higher penalty. We think that the relativity low penalty (i.e., USD 220 million) is the result of the DOJ and the SEC more lenient approach towards corporate offenders who (pro)actively cooperate and take remedial actions in line with the focus areas as detailed in the Monaco Memo.

The DPA provides some insight in what the DOJ and SEC considered to be important in such cooperation. This includes, among others, disciplining employees involved and remedial actions such as root cause analysis, risk assessments, enhance internal controls, improving mechanisms to detect and respond to misconduct, and data driven compliance. In a separate blog on the SAP enforcement action we will zoom in on these elements of effective compliance.

Thus, smart compliance professionals study DPA, in particular the expectations of US enforcement agencies, when designing or strengthening their compliance programs. This to mitigate the risk of reputational damage and financial penalties as a result of bribery and corruption. But more importantly, because these expectations are simply the right thing to do as they help to prevent bribery and corruption.