SAP paid $235m after being charged with bribery

The global software giant agreed to a settlement with the US Department of Justice that is one of the largest of its kind

SAP, the German-based company, was charged with bribing government officials around the world and agreed to pay over $235m in one of the largest bribery settlements.

The company along with co-conspirators bribed South African and Indonesian foreign officials, providing cash, political contributions and wire transfers, along with luxury goods purchased during shopping trips. The goal was to obtain advantages for SAP in connection with various contracts with South African departments and agencies including Eskom Holdings Limited, a South African state-owned and state-controlled energy company.

The company also bribed government officials in Malawi, Kenya, Tanzania, Ghana, and Azerbaijan through third-party intermediaries and consultants it employed who paid bribes to obtain business with public sector customers in these countries. 

Government officials from South Africa and Indonesia were sent on trips to New York, shopping excursions and dining and golf outings. In one instance, according to the US Securities and Exchange Commission (SEC), an executive at SAP’s Indonesian subsidiary paid bribes to officials in the country’s Maritime Affairs and Fisheries ministry. To hand over the bribes, the executive was instructed to have “seventy million, in fifty thousand bills… Bring empty envelope.” 

In another instance, SAP’s South African subsidiary signed a deal with Eskom Holdings, South Africa’s state-owned power company, worth $29 million. The SEC identified over $6.7 million in payments to “consultants” who never performed any services.

The company did not have effective oversight over its intermediaries and consultants. It did not implement adequate internal accounting controls over third party freelancers and lacked sufficient entity-level controls over its wholly owned subsidiaries.

“SAP has accepted responsibility for corrupt practices that hurt honest businesses engaging in global commerce,” said US Attorney Jessica D. Aber. “We will continue to vigorously prosecute bribery cases to protect domestic companies that follow the law while participating in the international marketplace.” 

The company took steps to improve its compliance program. It increased its budget and restructured its compliance office to ensure its autonomy. SAP is also participating in a Justice Department pilot program.

In our new series on bribery stories, we examine the details of the case, look at what the company did wrong and, importantly, provide tips on how companies can mitigate bribery risks when conducting business.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.