Skip to content

The Integrity Agenda: The high price of missing self-disclosure credit

All compliance officers know the lofty ideal that voluntary self-disclosure of corporate misconduct is its own reward. Now a recent FCPA enforcement action lets us get a sense of the cash value of such disclosure anyway.

The case involves German software giant SAP, which recently paid more than $220 million and entered into a deferred-prosecution agreement with U.S authorities to settle charges that subsidiaries in South Africa and elsewhere bribed foreign government officials in the 2010s. Crucial to our analysis today, SAP did not receive any credit for voluntary self-disclosure because South African media brought the corruption scheme to light first.

From that detail, we can conduct a fascinating thought experiment into how much money SAP might have saved itself if it had self-disclosed its troubles. That’s a thought experiment well worth a compliance officer’s time, so that you can argue the merits of voluntary self-disclosure more persuasively if your own company ever finds itself in a similar predicament.

Solution

The Integrity Platform

Drive tangible impact with the Integrity Platform, making your people active participants in a journey toward ethical business transformation by engaging them with ethical experiences at all touchpoints.

Learn more

Doing the Math

Let’s first remember the tenets of the U.S. Justice Department’s Corporate Enforcement Policy. If a company wants to avoid criminal prosecution and receive steep discounts on potential penalties, it must do three things:

  • Voluntary self-disclosure of the misconduct
  • Full cooperation in any ensuing investigation
  • Remediation of internal control failures that allowed the misconduct to happen in the first place

If a company can meet all those criteria, then prosecutors will recommend a reduction in monetary penalties of at least 50 percent off the bottom end of what the U.S. Sentencing Guidelines recommend for the misconduct in question, and possibly as much as 75 percent off.

For example, if the Sentencing Guidelines recommend a penalty somewhere between $100 million to $200 million, prosecutors will instead settle on a fine of not more than $50 million (50 percent off the $100 million lower limit), and possibly as little as $25 million (75 percent off the $100 million).

Now let’s apply that math to the facts we know about SAP.

SAP is paying a total of $221 million to settle its FCPA charges. Of that amount, $118.8 million is a criminal penalty. Justice Department prosecutors arrived at that number by following three steps.

  • First, they evaluated SAP’s misconduct against the U.S. Sentencing Guidelines, which recommended a range of $180 million to $360 million for possible criminal penalties.
  • Second, given the egregious nature of SAP’s violations, they moved up to the 10th percentile of that $180 million lower limit, which brings us to a potential penalty of $198 million. ($180 million plus $18 million more = $198 million.)
  • Third, thanks to SAP’s extensive cooperation and remediation, prosecutors then moved down by offering a 40 percent discount from that $198 million.

A 40 percent discount is $79.2 million. Subtract that amount from $198 million, and you arrive at the $118.8 million criminal penalty that SAP actually paid.

The Value of Self-Disclosure

Why do all this math? Because, thanks to the guidance already provided by the Justice Department, we can also model out the even larger penalty deductions SAP might have won if it had self-disclosed its misconduct.

Imagine a world where SAP had voluntarily self-disclosed its misconduct. It then would have met all three of the Justice Department’s criteria, and been eligible for discounts of 50 to 75 percent off the bottom end of that $180 million limit decreed by the U.S. Sentencing Guidelines.

Even if prosecutors still pushed SAP up to $198 million for its egregious offenses and previous settlements, 50 to 75 percent off that number implies a criminal penalty of only $49.5 million to $99 million — not the $118.8 million SAP actually paid. Conceivably, SAP could have received the maximum credit of 75 percent off the $180 million boundary, whittling its penalty all the way down to $35 million.

We should be clear that these numbers are just theoretical. In practice, even if SAP had received full credit for voluntary self-disclosure, other factors — factors that we on the sidelines of this case don’t get to see — might push its final penalty higher than what we’ve modeled here.

At the same time, it’s also clear that voluntary self-disclosure can potentially save a company tens of millions of dollars when settling egregious corporate misconduct cases. That’s the point compliance officers need to keep in mind both when building a compliance program, and when debating how to handle specific crises with other senior executives.

That is, you’ll never be able to voluntarily self-disclose corporate misconduct that employees never report internally; hence a strong speakup culture is so important. Or if cynics in the C-suite ever argue that perhaps your company should keep quiet about misconduct you’ve found and hope regulators never notice — well, that might work; or it could be a very expensive gamble that goes the wrong way.

SAP’s case simply gives us a chance to consider just how expensive the lack of voluntary self-disclosure can be.


Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.

Implement a tailored Third-Party Risk Management solution