Post-It Notes and the SAP Non-Prosecution Agreement | Thomas Fox
Stephen Martin would often tell a story from his days as a Justice Department (DOJ) prosecutor, when a company would come in and claim that it had spent all the money it could on its corporate compliance program. Martin would then ask: “How much did you spend last year on Post-Its?” The answer was always four to five times the company’s annual compliance budget. This immediately put the company back on its heels and set the tone for further negotiations. Ultimately, the company viewed Post-It Notes as more business-critical than a corporate compliance program.
I remembered this story when I recently read in the New York Times of the death of “Spencer Silver, a research chemist at 3M who inadvertently created the not-too-tacky adhesive that removes Post-it notes from surfaces as easily as they adhere to them.” Interestingly, Silver was not trying to invent them, but “to create one that was so powerful it could be used in aircraft construction.” He failed in this goal, but “in his experimentation he invented something entirely different: an adhesive that stuck to surfaces, but could be easily peeled off and was reusable. It was a solution to a problem that didn’t seem to exist, but Dr. Silver was convinced it was a breakthrough.”
The solution came in two steps. First, in 1974, a colleague used Silver’s invention to mark a choir hymn. It worked and didn’t tear the page. (Choir hymns are printed on very thin paper.) Silver later wrote a memo to his boss about this discovery, and he used the tape to attach a posted note to the memo. His boss returned the memo with her response written on the same Post-It. The yellow color? It came from the stationery used in the lab where Silver worked. Voilà! The Post-It Note was fully formed, and it became ubiquitous in the corporate world after its release in 1980.
Martin, Post-It Notes, and Silver all inform today’s blog as I take another look at the recent SAP SE trade sanctions enforcement action, which was resolved via a Non-Prosecution Agreement (NPA). In a previous blog post, I discussed the need for a strong and effective post-acquisition integration of the compliance program. Today I want to review the actions taken by SAP that led to it receiving the NPA. This NPA came in the face of rather blatant conduct, identified in the press release as including the deliberate unlicensed export of its products to Iranian users from January 2010 to approximately September 2017.
The NPA laid out the conduct in some detail, but what interested me were the steps SAP took to obtain the NPA. SAP’s actions prove once again that a robust response to a compliance violation, whether it is a violation of the Foreign Corrupt Practices Act (FCPA) or a violation of export controls or trade sanctions, can put a company in a good position with prosecutors. Initially, I would point out that SAP self-disclosed its violations to the government. This met the threshold for voluntary disclosure (VOD) under the Export control and sanctions policy for trade organizations. SAP also conducted a thorough internal investigation and cooperated with the government during this investigation.
The NPA stated: “SAP has worked with prosecutors and investigators, producing thousands of translated documents, responding to inquiries and making overseas-based employees available for interviews at an agreed overseas location. SAP has also corrected and timely implemented significant changes to its export compliance and sanctions program, spending over $27 million on these changes over the past four years, including, among other things detailed in the NPA: (1) implementation of GeoIP blocking; (2) the deactivation of thousands of individual users of cloud-based SAP services based in Iran; (3) the transition to automated screening of sanctioned parties of its GBCs; (4) audit and suspension of SAP partners who sold to Iran-affiliated customers; (5) hiring experienced export control personnel based in the United States; and (6) conducting more robust due diligence at the acquisition stage by requiring new acquisitions to adopt GeoIP blocking and requiring the participation of the export control team prior to acquisition.”
The total fine applied was $5.14 million for “ill-gotten gain”. This put SAP’s cost on the order of $32 million. Think what SAP could have saved if it had simply incorporated the acquired entities at the heart of this enforcement action more directly into SAP’s compliance program. The savings would certainly have been significant.
However, SAP also had to implement what Mike Volkov called a “rigorous” program of export controls and sanctions compliance. It went beyond the five required elements of OFAC’s sanctions compliance program framework: (1) Senior management engagement; (2) Risk assessment; (3) Internal controls; (4) Testing and verification; and (5) Training. It included:
- Internal Reporting: SAP is required to operate a confidential and anonymous hotline, of which directors, officers, employees, agents and business partners are aware and which can be used to report violations of export laws and sanctions, SAP policies and procedures, and ethics policy. All messages received on this internal reporting system must be reviewed by the Export Control Officer or SAP Compliance Officer within five days of receipt. SAP should vigorously publicize the reporting system and emphasize its commitment to non-retaliation.
- SAP is to conduct annual training on ethics, export control and sanctions for its directors, officers and employees. The training program must cover, at a minimum: (1) US export and sanctions laws; (2) the SAP Code of Business Conduct; (3) SAP export compliance policies, controls and procedures; and (4) everyone’s duty to report misconduct. SAP is mandated to begin this training program within 90 days of completing the NPA.
- Third parties: SAP is obligated to inform its third-party business relationships of their legal obligations and their duty to report any violation of export and sanctions laws, SAP’s Code of Business Conduct or relevant compliance policies.
- SAP is required to conduct audits of newly acquired companies to determine whether the company has sufficient controls within 60 days. If SAP identifies violations, SAP is obligated to notify and report to the DOJ no later than 5 days after the end of the audit.
- SAP shall implement a written disciplinary policy applicable to all directors, officers, employees and business partners in response to a violation of export laws or sanctions, the SAP Code of Business Conduct, and SAP export control compliance policies and procedures.
- Notification and reporting of violations to the DOJ: SAP is obligated to inform the DOJ of any credible evidence of any potential violation of export control laws or sanctions. SAP must produce non-privileged documents relating to such a possible violation. Finally, SAP may need to provide the DOJ with an investigation plan and any resulting corrective actions.
It is clear from these more fully defined obligations that the DOJ wants strong compliance from SAP. To SAP’s credit, the work it did enabled it to avoid an audit, so the DOJ was apparently confident that SAP would meet its obligations under the NPA. Still, SAP could have saved a lot more money if it had followed its compliance program or improved the program it had in place at the time of the violations. For the compliance professional, it also demonstrates that a business can make a substantial comeback after blatant conduct and obtain an NPA.