SAP SE (“SAP”), a global software company headquartered in Walldorf, Germany, has agreed to pay a total of $8.43 million in penalties as part of settlement agreements with the United States Departments of Justice, Commerce and Treasury, a penalty that would have been significantly higher if the company had not extensively cooperated with the United States. In voluntary disclosures to all three agencies, SAP acknowledged that, from January 2010 through September 2017, it knowingly released more than 25,000 downloads of its products, upgrades and/or patches from its U.S.-headquartered content delivery provider to Iranian users in violation of the Export Administration Regulations (“EAR”) and the Iranian Transactions and Sanctions Regulations (“ITSR”). Many of the downloads were associated with sales by non-SAP entities (“SAP Partners”) or the activities of SAP customers that were headquartered outside of Iran but had used SAP products and services in Iran. The Non-Prosecution Agreement (“NPA”) notes that SAP had advance warning of these unlawful activities from audit reports provided to senior SAP managers, which alerted leaders that SAP was not screening customers’ IP addresses to prevent downloads from users in U.S.-embargoed countries. Notably, SAP also failed to investigate various whistleblower complaints, received as early as 2011, alleging sales by SAP Partners to foreign-registered affiliates of Iranian companies.
Beginning in 2011, SAP acquired various cloud-based companies in the United States. SAP’s pre-acquisition and post-acquisition due diligence identified that these companies lacked comprehensive export control and sanctions compliance programs. Despite being armed with this knowledge, SAP allowed these companies to continue to operate as standalone entities and did not address the compliance gaps until 2017, thus permitting Iranian users to access SAP cloud services that were maintained and supported in the U.S. and by U.S. persons worldwide.
Notwithstanding these knowing violations, the United States was willing to limit the penalties imposed because of the high level of cooperation exhibited by SAP. SAP made a voluntary self-disclosure regarding its potential violations in September of 2017 and made “significant remediation efforts” in the form of more than $27 million invested into its export compliance and sanctions program improvements, including:
- The implementation of a GeoIP blocking system,
- Deactivating thousands of individual users,
- Transitioning to automated sanctioned party screening for its cloud businesses,
- Auditing and suspending SAP Partners,
- Requiring acquisitions to adopt GeoIP blocking,
- Enhanced export control training,
- Termination of employees who were aware of the sale of SAP software to Iran,
- Committing to maintaining its export compliance program and mandating compliance certifications, and
- Hiring of approximately 15 additional export compliance personnel.
SAP agreed to cooperate fully with the DOJ’s National Security Division and the U.S. Attorney’s Office for the District of Massachusetts (collectively, “the Offices”) by providing any information or communication upon request, as further explained below. In light of SAP’s remediation efforts and cooperation with the Offices, the Offices agreed to not criminally prosecute SAP for the conduct described above. They determined that a compliance monitor was not necessary.
In accordance with the NPA, SAP agreed to:
- Pay back its “ill-gotten gain” of $5.14 million;
- Not commit any federal criminal offenses during the three-year Agreement period;
- Fully cooperate with the Offices in any and all matters related to the conduct described in the Agreement.
This cooperation includes providing the Offices with any factual information or documents upon request, promptly reporting any evidence or credible allegations of violations, and providing an annual certification that SAP is in compliance with the terms of the Agreement.
Concurrently with the DOJ settlement, SAP entered into separate agreements to pay $2.13 million to the Department of the Treasury, Office of Foreign Assets Control (“OFAC”), and to pay $3.29 million to the Department of Commerce, Bureau of Industry and Security (“BIS”). The BIS payment was credited against the OFAC penalty. The total penalty amount, $8.43 million, is substantially less than the maximum penalty determined by OFAC ($56 million). Additionally, SAP was spared the imposition of a compliance monitor.
These actions by the United States highlight the importance of export control and sanctions compliance for all businesses involved in international trade. The repeated reference to GeoIP blocking systems heightens the need for software companies to implement such technology for cloud-based computing and download services. The emphasis on monitoring hotlines and due diligence in both pre- and post-acquisition activities is a warning to all companies. Perhaps most importantly, these penalties indicate both the seriousness with which the United States considers these violations and the significant mitigation considerations that are given to companies that commit to compliance through the use of voluntary disclosures and the implementation of significant and measurable process improvements. In the words of Assistant Attorney General John C. Demers for the Justice Department’s National Security Division, “SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated. We hope that other businesses, software or otherwise, w[ill] heed this lesson.”