Stephen Martin would often tell the story about when he was a Department of Justice (DOJ) prosecutor and a company would come in and claim they spent all the money they could on their corporate compliance program. Martin would then ask, “How much did you spend last year on Post-It Notes?” The answer was always four to five times the amount of their annual compliance budget. This immediately put the company back on its heels and would set the tone for the rest of the negotiations. The bottom line was that the company viewed Post-It Notes as more business critical than a corporate compliance program.
I was reminded of that story when I read recently in the New York Times of the passing of “Spencer Silver, a research chemist at 3M who inadvertently created the not-too-sticky adhesive that allows Post-it Notes to be removed from surfaces as easily as they adhere to them”. Interestingly, Silver was not trying to invent them but “was trying to create one that was so strong it could be used in aircraft construction.” He failed in that goal but “during his experimentation, he invented something entirely different: an adhesive that stuck to surfaces, but that could be easily peeled off and was reusable. It was a solution to a problem that did not appear to exist, but Dr. Silver was certain it was a breakthrough.”
The solution came in two changes. First, in 1974, a colleague used Silver’s invention to bookmark a choir hymnal. It worked and did not tear the page. (Choir hymnals are printed on very thin paper.) Silver later wrote a Memo to his boss about this discovery and he used the tape to add a note posted onto the Memo. His boss returned the Memo with his answer written on the same Post-It. The color yellow? That came from the note paper used in the lab where Silver worked. Voila! The Post-It Note was fully formed and became ubiquitous in the corporate world when it was released in 1980.
Martin, Post-It Notes and Silver all inform today’s blog post as I take another look at the recent SAP SE trade sanction enforcement action, which was settled via a Non-Prosecution Agreement (NPA). In an earlier blog post, I considered the need for robust and effective post-acquisition compliance program integration. Today, I want to consider the steps that SAP took which led to it receiving the NPA. This NPA was in the face of quite egregious conduct, identified in the DOJ’s Press Release as including willfully exporting, without a license, from January 2010 through approximately September 2017, its products to Iranian users.
The NPA detailed the conduct quite extensively, but what interested me was the actions taken by SAP to garner the NPA. SAP’s actions prove once again that a robust response to a compliance violation, whether it is a Foreign Corrupt Practices Act (FCPA) violation or an export control/trade sanction violation, can put a company in good stead with prosecutors. Initially, I would note that SAP self-disclosed its violations to the government. This met the threshold of Voluntary Self-Disclosure (VSD) under the DOJ’s Export Control and Sanctions Enforcement Policy for Business Organizations. There was also an extensive internal investigation and cooperation with the government during this investigation.
The NPA specified, “SAP worked with prosecutors and investigators, producing thousands of translated documents, answering inquiries and making foreign-based employees available for interviews in a mutually agreed upon overseas location. SAP also timely remediated and implemented significant changes to its export compliance and sanctions program, spending more than $27 million on such changes over the last four years, including, among other things detailed in the NPA: (1) implementing GeoIP blocking; (2) deactivating thousands of individual users of SAP cloud-based services based in Iran; (3) transitioning to automated sanctioned party screening of its CBGs; (4) auditing and suspending SAP partners that sold to Iran-affiliated customers; (5) hiring of experienced U.S.-based export controls staff; and (6) conducting more robust due diligence at the acquisition stage by requiring new acquisitions to adopt GeoIP blocking and requiring involvement of the Export Control Team before acquisition.”
The total fine applied was $5.14 million for “ill-gotten gain”. This put SAP’s cost in the range of $32 million. Think about how much SAP could have saved if it had simply integrated the acquired entities at the heart of this enforcement action more directly into SAP’s compliance program. The savings would certainly have been significant.
However, SAP was also required to implement what Mike Volkov called a “rigorous” export control and sanctions compliance program. It went beyond the five required elements from OFAC’s Sanctions Compliance Program Framework: (1) Senior Management Commitment; (2) Risk Assessment; (3) Internal Controls; (4) Testing and Auditing; and (5) Training. It included:
- Internal Reporting: SAP is required to implement a confidential and anonymous hotline, which directors, officers, employees, agents, and business partners are informed of and can be used to report violations of export and sanctions laws, SAP’s policies and procedures, and ethics policy. All messages received on this internal reporting system are required to be reviewed by SAP’s head of Export Control or Chief Compliance Officer within five days of receipt. SAP must vigorously publicize the reporting system and emphasize its commitment to non-retaliation.
- SAP must conduct annual ethics and export control and sanctions training for directors, officers, and its employees. The training program shall cover, at a minimum: (1) relevant U.S. export and sanctions laws; (2) SAP’s Code of Business Conduct; (3) SAP’s export compliance policies, controls, and procedures; and (4) the duty of all to report misconduct. SAP is mandated to begin this training program within 90 days of execution of the NPA.
- SAP is required to notify its third-party business relationships of their legal obligations and duty to report any violations of export and sanctions laws, SAP’s Code of Business Conduct or relevant compliance policies.
- SAP is required to conduct audits of newly-acquired companies to determine whether the company has sufficient controls within 60 days. If SAP identifies any violations, SAP is required to notify and report to DOJ no later than 5 days after completion of the audit.
- SAP must implement a written disciplinary policy applicable to all directors, officers, employees, and business partners in response to a violation of export or sanctions laws, SAP’s Code of Business Conduct, and SAP’s Export Control compliance policies and procedures.
- Notification and Reporting of Violations to DOJ. SAP is required to notify DOJ of any credible evidence of any potential violation of export control or sanctions laws. SAP must produce non-privileged documents relating to such a possible violation. Finally, SAP may have to provide DOJ with an investigative plan and any resulting remedial measures.
It is clear from these further defined obligations that the DOJ wants robust compliance from SAP. To SAP’s credit, the work it did allowed it to avoid a monitorship, so apparently the DOJ felt confident SAP would meet its obligations under the NPA. While SAP could have saved much more money had it followed its compliance program or enhanced the program it had in place during the time of the violations, for the compliance professional it also demonstrates that a company can make a substantive come-back from egregious conduct to obtain an NPA.