3 FCPA Compliance Lessons From Microsoft's Settlement
Microsoft’s recent settlement with the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) over violations of the Foreign Corrupt Practices Act (FCPA) sheds light on the DOJ’s new Corporate Enforcement Policy (the “Policy”) and provides a framework for government enforcement efforts and priorities going forward. The settlement also teaches a few lessons about the benefits of full cooperation and lasting, meaningful remediation, including the importance of being vigilant about the vetting, use and ongoing monitoring of third-party intermediaries (TPIs), which pose the greatest corruption risk for U.S. companies under the FCPA.
The Microsoft Settlement
On July 22, 2019, after more than six years of investigation, Microsoft reached a settlement with the DOJ and the SEC. Under the settlement, Microsoft agreed to pay a combined $25.3 million for violations of the FCPA’s books and records and internal accounting provisions arising out of subsidiary operations, and related misconduct of TPIs, in Hungary, Saudi Arabia, Thailand and Turkey.
The Microsoft violations involved improper payments to foreign government officials (directly and through various TPIs) to secure and win business for Microsoft. The inducements were funneled primarily through excessive TPI discounts approved by Microsoft. The discounts were not passed on to Microsoft’s customers, and there was little evidence of services being performed. With inadequate internal controls to verify the legitimacy of these discounts or track the impact on end-user pricing, the discounts falsely and inaccurately appeared as legitimate transactions in Microsoft’s books and records.
In each of the subject countries, Microsoft employees disguised discounts or marketing expenses as legitimate expenditures. The subsidiaries reported their financial results to Microsoft, which in turn consolidated those results in its publicly reported financial statements. The subsidiaries’ conduct caused Microsoft to falsely record these improper payments and discounts as legitimate transactions in its books and records, in violation of the FCPA’s books and records provisions. Microsoft also failed to exercise adequate supervision over the subject activities.
In resolving these FCPA violations, Microsoft consented to an administrative order issued by the SEC and agreed to pay more than $16 million in disgorged profits and prejudgment interest. Microsoft’s Hungarian subsidiary also entered into a three-year non-prosecution agreement with the DOJ, in which it agreed to pay a criminal penalty of approximately $8.75 million.
Lesson #1: Be Vigilant With TPIs
The Microsoft enforcement action and the resulting settlement are a harsh reminder of the need for vigilance when engaging TPIs who interact with employees of state-owned enterprises, foreign government regulators or other foreign officials.
Lesson #2: Allocate Adequate Compliance Resources
The settlement underscores the importance of proactively prioritizing compliance resources on the highest-risk jurisdictions, TPI relationships and transactions to minimize the risk of FCPA violations. While perfection is not the standard to which companies subject to the FCPA are held, much more can usually be done to mitigate these issues through proactive risk assessments, strong business leadership messaging on ethics and integrity, consistent implementation of policies, and holding people accountable for violations. These efforts form the foundation of a strong and defensible compliance culture.
Lesson #3: Act Quickly and Thoroughly to Receive Declination or Sentencing Reduction
In 2017, Deputy Attorney General Rod Rosenstein announced the DOJ’s Corporate Enforcement Policy. The Policy was designed to provide greater transparency into DOJ’s approach to corporate prosecutions and to encourage companies to engage in voluntary disclosures, full cooperation, and robust and timely remediation to earn a declination from the DOJ with respect to FCPA enforcement actions. When announced, though, the significance and implications of the Policy and how it worked in practice were unknown.
Microsoft’s settlement provides further transparency into how the Policy operates in practice for DOJ investigations and enforcement actions. As the Policy mandates, Microsoft was not eligible to receive, nor did it receive, a declination, because it did not voluntarily disclose its FCPA violations. Given the “nature and seriousness of the offense conduct” of the Hungarian senior executives and other employees involved, Microsoft also did not receive the full 50% reduction off the sentencing guidelines. Microsoft did receive a 25% reduction, though, as well as a three-year non-prosecution agreement, for its full cooperation with the DOJ, “thorough internal investigation and regular factual presentations to the government,” disclosure of all individuals involved in the corruption scheme, and extensive remediation efforts. Microsoft’s remediation efforts included:
- Strengthening its internal controls and compliance programs.
- Taking disciplinary action against four of its Microsoft Hungary employees.
- Terminating four Hungarian licensing partners.
- Implementing data analytics to identify high-risk transactions.
The Microsoft settlement clarifies the DOJ’s view of full cooperation and remediation that underscore its Corporate Enforcement Policy. Companies addressing FCPA issues will benefit from carefully considering this enforcement action and the lessons to be learned from it when evaluating the pros and cons of a voluntary disclosure and cooperating with U.S. enforcement authorities.