The SEC is on a mission – companies that engage in egregious payment schemes for gifts, hospitality and travel are going to get prosecuted for civil FCPA violations. Recent SEC enforcement actions against companies continue, and BHP Billiton’s settlement last week is another example of the SEC’s prosecution strategy.

BHP Billiton agreed to pay a $25 million penalty to settle SEC charges for internal controls violations arising from its program to sponsor attendance of government representatives at the 2008 Beijing Summer Olympics.

The SEC’s enforcement action focused on BHP’s failure to maintain sufficient controls over its global hospitality program when it invited 176 government officials and employees to state-owned enterprises to attend the Olympic Games at the company’s expense. Approximately 60 guests as well as some spouses and others attend the Summer Olympic Games. BHP paid for them to attend for a three or four-day hospitality package that included event tickets, luxury hotel accommodations and sightseeing excursions valued at $12,000 to $16,000 per excursion. Sponsored guests were primarily from countries in Africa and Asia.

Those are the headlines from the story in this case. However, there is much more that is relevant from a compliance standpoint.

BHP recognized that the invitations to government officials to the Olympics created a serious anti-corruption risk. Unfortunately, BHP’s internal controls were not sufficient, from the SEC’s viewpoint, to mitigate this risk.

First, the purpose of the hospitality program, as specifically expressed by BHP, was to “reinforce and develop relationships with key stakeholders” in China and in “product and investor markets, and regions where [BHP has] or would like to have operations.” BHP employees prepared specific leverage plans to develop relationships with key stakeholders to increase business opportunities. Specific invitees were identified based on the “business benefit” of an Olympic invitation.

BHP designed a specific application for business managers to submit requesting authority to invite individuals, including government officials. BHP’s Country President was required to approve the application.

The SEC cited the following deficiencies in the internal review process:

First, BHP did not require independent legal or compliance review of the applications by someone outside the business unit, and failed to communicate that the Ethics Panel was not reviewing and approving each application. As a result, business managers had sole and exclusive authority to review and approve the application.

Second, some hospitality applications were not accurate or complete, and did not identify some invitee’s as government officials, even when BHP had ongoing negotiations or efforts to obtain access to mining rights. Many applications shared the same explanation for why the application was appropriate.

Third, BHP did not provide employees and executives with any specific training on how to fill out the forms or how to evaluate whether the invitation complied with its business conduct policies.

Fourth, BHP did not institute a process to update the form if conditions changed prior to the event.

Fifth, BHP did not address any ongoing interactions the company was having in other parts of the company outside of the specific parties involved in the invitation.

In the end, as a result of its failure to design and maintain sufficient internal controls over the global hospitality program, BHP invited a number of government officials who were directly involved with, or in a position to influence pending negotiations concerning access rights.

The SEC’s action underscores an important trend – even when a company has an existing compliance program and policy, a company has to ensure that it is tailored to the risk and satisfies basic risk reduction strategies and requirements. If not, the SEC will always be able to cite deficiencies in a company’s internal controls as the basis for an enforcement action.