Out of Control: SEC Says Lack of Internal Controls Led to HP Paying More Than $108 Million to Settle FCPA Actions

On April 9, 2014, the Securities and Exchange Commission announced that Hewlett-Packard had agreed to pay more than $108 million to settle Foreign Corrupt Practices Act actions brought by the SEC and the Department of Justice.  These actions were based on HP’s subsidiaries’ alleged payments of more than $3.6 million to Russian, Polish, and Mexican government officials to obtain or maintain lucrative public contracts.  The settlement is important because it highlights the SEC’s and DOJ’s continued focus on companies’ internal controls, particularly in the FCPA arena.  It also shows that the SEC may be able to use lesser, non-fraud offenses in which the underlying conduct involves a fairly de minimis amount of money to police behavior and subject companies to significant financial consequences.

Under the Securities Exchange Act of 1934, issuers of securities are required to keep books, records, and accounts that are reasonably detailed and accurately reflect the respective transactions and dispositions of assets.  Moreover, they must devise and maintain systems of internal accounting controls to ensure that transactions are accurately recorded.  According to Kara Brockmeyer, chief of the FCPA unit of the SEC’s Enforcement Division, “Companies have a fundamental obligation to ensure that their internal controls are both reasonably designed and appropriately implemented across their entire business operations, and they should take a hard look at the agents conducting business on their behalf.”

According to the SEC, HP’s internal controls missed the mark – they were insufficient to detect, prevent, and/or stop the “pattern of illegal payments to win business.”  The SEC found that HP’s subsidiaries made payments to obtain business in Poland, Russia, and Mexico that were falsely recorded as payments for legitimate services, expenses, or commissions in HP’s consolidated financial statements.  Specifically, the order found that HP’s Russian subsidiary paid more than $2 million to a Russian official to maintain a multi-million dollar contract with the federal prosecutor’s office, that HP’s Polish subsidiary paid more than $600,000 to a Polish official to secure contracts with the national police agency, and that HP’s Mexican subsidiary paid more than $1 million in inflated commissions to a consultant who had close ties to officials of Mexico’s state-owned petroleum company to win a software sale.

HP consented to the settlement order, which found violations of the internal controls and books and records provisions of the 1934 Act, and agreed to disgorge $29 million, pay fines totaling $74.2 million, and pay $5 million in prejudgment interest between the SEC and criminal actions.  HP also voluntarily implemented remedial measures, including firm-wide screening for channel partners and increased compliance training for its global work force.  HP’s decision to make voluntary changes may have been an attempt to get ahead of SEC Chair Mary Jo White’s late 2013 public comment that people could expect to see SEC orders begin to include mandates to prevent future wrongs, including requiring new policies, procedures, and other controls when entering into “settlement with a company involving systems control failures.”  Companies like HP may now begin to voluntarily enact remedial measures to prevent the SEC from mandating changes that may be more costly and difficult to implement.  At its core, however, the HP settlement serves as a warning bell to companies, encouraging them to enhance their internal controls on the front end to create more defensible books and records, thus eliminating SEC scrutiny or forcing the SEC to litigate underlying violations that are more difficult to prove.