The most notable and relevant details in settlement agreements concerning regulatory compliance violations are often what is not stated. The Securities and Exchange Commission’s (SEC) cease-and-desist order against recidivist Oracle over violations of the Foreign Corrupt Practices Act (FCPA) is no exception.

Companies and regulators alike are intentionally tactical about the details they craft publicly in settlement agreements. For the compliance profession to glean anything truly insightful requires reading between the lines.

In September, Oracle, without admitting or denying the SEC’s findings, agreed to pay more than $23 million to resolve charges of FCPA violations resulting from sales employees at the technology company’s Turkey, United Arab Emirates (UAE), and India subsidiaries allegedly engaging in multiple schemes whereby they created and used slush funds to bribe foreign officials over several years.

In a press release, Charles Cain, chief of the SEC’s FCPA Unit, said the Oracle matter highlighted the “critical need for effective internal accounting controls throughout the entirety of a company’s operations,” which is as obvious as stating, “No company should commit bribery.”

Any chief compliance officer worth his or her salt is already aware of the regulatory compliance obligations of the anti-bribery, books and records, and internal accounting control provisions of the FCPA. What this case—and most every FCPA case—more importantly highlights is the critical need for a culture that values compliance controls.

The number of times the order stresses the alleged misconduct violated “Oracle’s internal policies” gives the impression lawyers had a heavier hand in crafting the language than the SEC. FCPA misconduct that violates internal written policies is a moot point. A “paper tiger” compliance program can roar all it wants. That doesn’t mean it has teeth.

In this case, Oracle allegedly didn’t have even basic compliance controls, like enhanced due diligence and documentation requirements, particularly in the high-risk region of India. In 2012, Oracle agreed to pay $2 million in a settlement with the SEC over similar FCPA violations at its India subsidiary. The SEC said then, “Oracle failed to seek transparency in or audit third-party payments made by distributors on Oracle India’s behalf. This control would have enabled Oracle to check that payments were made to appropriate recipients.”

Without directly stating it, the 2022 order pointed blame at lower-level sales employees—again, typical of a bribery and corruption case—and contained just one brief sentence about Oracle’s recidivism while altogether brushing over how the company’s “additional due diligence in its partner transactions in India” and “greater transparency into end-user pricing in government contracts,” mentioned as remedial acts in the 2012 order, enabled the misconduct to occur again.

Oracle is a global technology giant literally in the business of, according to its own website, providing customers with “advanced analytics” to help fight financial crime, and yet it did not have a robust data analytics program as part of its own compliance operations, as made clear by the long list of remedial efforts Oracle implemented that is included in the SEC’s order. The agency stated Oracle “exercised control over its subsidiaries.”

Asked how the company could have enabled FCPA violations to occur again, Oracle’s Vice President of Global Corporate Communications Michael Egbert would only reiterate, “The conduct outlined by the SEC is contrary to our core values and clear policies, and if we identify such behavior, we will take appropriate action.”

The SEC’s reply was just as cookie-cutter: “The SEC does not comment beyond public filings,” a spokesperson said.

In the 2012 matter, the Department of Justice did not bring a parallel criminal action, indicating a lack of evidence to support bribery charges. It will be telling for the legal and compliance profession to watch if that’s the case this time around.

For the time being, don’t expect any real transparency from Oracle or the SEC.