What began as allegations of systemic political corruption in South Africa has since morphed into full-blown government investigations in the state and abroad, including in the United States and the United Kingdom. As the list of major global companies ensnared continues to grow, so too do the compliance lessons derived from others’ failures.

Treason, extortion, fraud, racketeering, money laundering, collusion—the laundry list of crimes committed reads like a suspense novel. At the center of it all is South Africa’s Gupta family, who gained notoriety after whistleblower accusations surfaced that the Gupta family’s empire—with business interests in computers, technology, mining, air travel, energy, and media—has for years been using its close, personal ties with President Jacob Zuma to control state business.

Tensions escalated in 2016, when former South Africa Public Protector Thuli Madonsela published a scathing 355-page “State of Capture” report, citing evidence and information obtained through various whistleblowers, detailing how the Gupta family removed and handpicked cabinet members and directors of state-owned enterprises, resulting in dodgy dealings, all to the benefit of Gupta-affiliated companies.

Ongoing investigations have been fueled in recent months by a vast trove of leaked e-mails exposing damning new evidence against several multinational companies that facilitated financial crime activity linked to the Guptas. As many as 200,000 personal e-mails between the Gupta family, their associates, political officials, and others—first obtained by South African newspaper, Daily Maverick, and independent investigative non-profit amaBhungane—have trickled into the public domain in an exposé called the #GuptaLeaks.

To date, those implicated include German software giant SAP; international consultancy McKinsey & Company; and international accounting firm KPMG. More companies are likely to be shoved into the harsh spotlight, however, now that the U.S. Federal Bureau of Investigation is probing other individuals, bank accounts, and U.S. companies with ties to the Gupta family, people familiar with the matter told the Financial Times. The FBI’s investigation focuses on suspicious cash flows from the Guptas in South Africa to Dubai and the United States.

Outside the United States, the U.K.’s Financial Conduct Authority, the Serious Fraud Office, and the National Crime Agency have been informed that British financial institutions—among them, HSBC and Standard Chartered—may have handled illicit funds connected to the Guptas. On Oct. 19, during the House of Lords meeting, Lord Peter Hain said, “In my letter of 25 September to [Chancellor Philip Hammond], I supplied for investigation 27 names and personal identification numbers, including President Jacob Zuma, 11 members of his family, 11 members of his close friends, the Gupta family, and their five associates, together with 14 entities linked to the Guptas and suspected to have been set up for the purposes of transnationally laundering an estimated £400 million, or 7 billion rand, of their illicit proceeds.”

In South Africa, the state’s special crime investigation unit, the Hawks, and members of parliament, are investigating what has been dubbed “state capture” by the Gupta family. Compliance officers and legal counsel will want to pay special attention to how aggressively South Africa enforces its anti-corruption law relative to Gupta-related dealings.

FCPA violations?

In the United States, potential violations of the U.S. Foreign Corrupt Practices Act linger in the shadows. On Oct. 26, SAP announced that it has made a self-disclosure to the U.S. Department of Justice and the Securities and Exchange Commission regarding its dealings with the Gupta family, becoming the first multinational company to do so. It has further acknowledged that it has begun the process of sharing documents and information with authorities. The investigations remain ongoing.

The disclosure follows allegations that SAP’s South African unit agreed to pay kickbacks (to the tune of a “10% sales commission”) to the Gupta-affiliated CAD House, a maker of 3D printers, to secure a contract with state railway, Transnet, according to the #GuptaLeaks. SAP allegedly paid CAD House a total of 99.9 million rand (about US$7.6 million), which was then laundered to several Gupta subsidiaries.

Then, in December 2016 and June 2017, SAP went on to sign a contract with state-owned power utility company Eskom, with the assistance of former SAP managing director Lawrence Kandaswami and part-owner of CAD House Santosh Choubey, according to the #GuptaLeaks.

SAP has since enlisted the assistance of law firm Baker McKenzie to investigate its contracts with Transnet and Eskom. To date, SAP said the investigation has not uncovered any evidence of payments to a South African government official, including Transnet and Eskom employees. That portion of the investigation, on SAP’s contracts with Transnet and Eskom, will conclude by the end of the year.

The investigation involved a data analytics search of 8.4 million documents, upon which a first-level review of 131,609 documents, and a second-level review of 52,985 documents, have been completed. Baker McKenzie has also conducted numerous interviews.

International consultancy McKinsey has also launched an internal investigation of its own, assisted by law firms Norton Rose Fulbright and Morrison & Foerster. That investigation has involved collecting 2.4 million e-mails; reviewing hundreds of thousands of documents, including contracts, invoices, payments, telephone, personal e-mail, and financial records, and conducting over 60 interviews. The investigation concerns dealings with Eskom involving Trillian, McKinsey’s local consulting partner affiliated at the time with the Gupta family.

The red flags should have been there: Two damning documents—the Budlender Report published in June 2017 and a Trillian whistleblower statement published in September 2017—collectively paint a dark picture of Trillian’s longstanding corrupt dealings acting as a gatekeeper for multinational companies to access state contracts, while extracting millions of dollars in rand for itself from Eskom in the process.

The Budlender Report further points to an agreement made by McKinsey to subcontract 30 percent of its Eskom work to Trillian under the guise of “supplier development,” despite McKinsey’s continued denial of any wrongdoing. “There are things we wish we had done differently and will do differently in the future, but we reject the notion that our firm was involved in any acts of bribery or corruption,” Tom Barkin, McKinsey’s global chief risk officer, said in a statement.

In 2016, Eskom paid McKinsey and Trillian roughly 1.6 billion rand ($120 million), of which Trillian received a substantial portion of the proceeds, without a contract. The question McKinsey will seek to defend before a High Court in South Africa is whether it turned a blind eye to the shady dealings so that it could secure a $78 million contract to advise Eskom.

Findings from its internal investigation concluded that McKinsey never served the Gupta family nor any companies publicly linked to the Gupta family; never made payments directly or indirectly to secure contracts nor aided others in doing so; and neither made payments to Trillian nor had a contract or supplier development partnership with Trillian (although it worked alongside them for several months at Eskom).

McKinsey argues that it was Eskom that was complicit. According to McKinsey, Trillian failed due diligence procedures in March 2016 by repeatedly refusing to provide details about its beneficial ownership, at which time McKinsey said it terminated discussions with it about a supplier development partnership, and further informed Eskom in a letter of this decision.

In a statement, McKinsey said it “did not authorize any payments made by Eskom to Trillian,” and that any such payments made “were made by Eskom after McKinsey informed Eskom that Trillian failed our due diligence.”

McKinsey, like SAP, will have to explain itself to U.S. authorities. “We deplore corruption, and we will cooperate fully with relevant authorities and any official inquiries and investigations into these matters,” said Dominic Barton, McKinsey’s global managing partner.

A third global firm, KPMG, is facing scrutiny for botching audits of Gupta-family holdings, and particularly its 2014 audit of Linkway Trading, a project management company in the Oakbay Group that project-managed the wedding of the niece of the Oakbay Gupta directors. Essentially what is alleged is that public money under the control of Gupta-linked companies was used to pay for the extravagant wedding.

In a prepared statement, KPMG said it stands by its audit opinion. “We conducted our audit of Linkway Trading in accordance with International Standards on Auditing. At no stage, based on the facts at our disposal, did we consider that any transaction required to be reported under South African or foreign legislation.”

Compliance lessons

For SAP, McKinsey, and KPMG, damage control is in full swing: Several executives have been fired or have resigned. Apologies have been made. Due diligence controls, risk management procedures, and compliance controls are being revised or, in some cases, being implemented for the first time.

Chief compliance officers, chief risk officers, and internal audit have lots to learn from the missteps of all involved. Consider the following:

Due diligence procedures. The Gupta corruption scandal is a telling reminder of what happens to a company when due diligence procedures are ignored, circumvented, or not in place at all. McKinsey learned this lesson the hard way: “We were not careful enough about who we associated with, did not understand fully the agendas at play, and should not have worked alongside Trillian, even for a few months, before completing our due diligence,” Barkin said.

McKinsey added in its press statement that, “Had we fully understood Trillian’s ownership structure at the time, we would not have considered working with them.”

SAP, similarly, said it has made enhancements to its due diligence controls. Its executive board has initiated on a global scale “extensive additional controls and due diligence into relationships with sales agents and value-added resellers, including additional audit functions.”

Internal controls. In addition to lax due diligence procedures, both SAP and McKinsey announced that they are making changes to their internal control processes. For example, SAP said it has made “significant changes” to its global sales deal processes, including by eliminating sales commissions on all public-sector deals in countries that score below 50 on Transparency International’s Corruption Perceptions Index (South Africa’s rating is 45).

McKinsey too is becoming smarter about how it engages with supplier development partners: “We will only work with our own approved supplier development partners. We will not start work with a supplier development partner until due diligence is complete and a contract is signed.”

Third-party risk management. McKinsey has also instituted a rigorous process to identify and vet potential new supplier development partners for its firm. “Sixteen firms have been shortlisted for legal and financial due diligence,” the firm said. “We will devote significant resources to helping the firms we finally select, and others vetted through the same process, grow into self-sustaining black-owned consulting firms.” Barkin will be tasked with overseeing implementation of these changes to its South African office.

McKinsey also has suspended its work for state-owned companies (SOCs) in South Africa until further notice. “We will commit, as a condition of engaging with SOCs in the future, to greater transparency with the National Treasury and relevant shareholder departments, so they have a full understanding of the work we are undertaking, the value we will bring, and our contracting arrangements. We will ask SOCs for detailed documentary evidence that they have all the appropriate approvals in place before we begin work.”

The overall lesson this raises for compliance officers and risk officers is to tailor your risk management processes accordingly—a point that U.S. enforcement authorities have repeated time and again. “Specifically, with respect to South Africa, the problems that we’re seeing are largely with respect to state-owned entities,” says Alexandra Wrage, president of non-profit business association TRACE International.

Private-sector companies are generally more transparent and pose a lower degree of risk than SOCs. Thus, it’s important for compliance and risk departments to get more sophisticated in the analysis of their third-party risk profile and allocate resources accordingly, rather than taking a one-size-fits-all approach.

Compliance and risk oversight. Moving forward, McKinsey said it will not begin any SOC work in South Africa until it has been thoroughly reviewed and formally approved by a newly formed and independent South Africa SOC risk committee. “This committee will set a very high bar for impact and the quality of the contracting process,” McKinsey said.

SAP, too, said it intends to allocate additional legal compliance staff to its Africa market unit. “They will be based in South Africa and report into SAP’s global compliance organization. SAP will further strengthen its compliance committee in the SAP Africa region—consisting of local management, compliance, and other corporate functions—to ensure individual deal sanity and integrity, and promote compliance generally.”

For other companies, placing individual compliance staff in every country around the world may simply not be feasible, especially a company operating in hundreds of regions around the world. “Most companies can’t allocate that kind of headcount,” Wrage says. What’s more important is training local staff already on the ground or when entering a new market and giving them the support they need and somebody to contact when they have concerns, she says.

Many companies are also embedding into their compliance programs a team of compliance ambassadors, champions, liaisons—whatever name you want to give them—whose role is one and the same: to be the local voice of the chief ethics and compliance officer, assisting in promoting and embedding values throughout the company, and serving as a trusted, approachable point of contact to whom other employees can report concerns.

The overall message here is to focus on building more robust compliance and internal controls, rather than shying away from lucrative markets because of the risks they pose. “With respect to South Africa, the recent cases that we’ve seen, including allegations around the Gupta family, were not so much a failure of compliance or a failure of due diligence as they were a circumvention of compliance and due diligence,” Wrage says. “I don’t think multinationals should feel that compliance can’t work in South Africa. A lot of companies are doing business there in a clean and transparent manner.”

Best practice, however, for companies doing business in South Africa, or looking to do business in South Africa, would be to reassess their due diligence processes, risk management, and internal controls, to ensure that their business transactions do not have any ties to the Gupta family, their affiliates, or other politically exposed persons.

The Gupta corruption probe in South Africa and abroad is only just warming up, as more leaked evidence makes its way into the media and as enforcement authorities in several countries continue their investigations. Prudent executives in compliance, risk, and audit will want to stay ahead of this risk, or else face the consequences of financial and reputational damage that’s sure to follow.