When reviewing factual reports of global corporate failures – be it FCPA, sanctions, export controls, or anti-money laundering schemes and systemic misconduct schemes – the story appears to follow a familiar pattern. A company starts with inadequate compliance controls, engages in violations driven by the desire to earn money and increase business, learns about the violations through an internal audit, compliance program assessment and/or whistleblower report, and fails to respond to the internal reporting mechanism, thereby continuing the conduct and even expanding the scheme to enjoy increased profits.
To simplify, the company makes a basic calculation: the business is worth the risk of an enforcement action, the penalty and any reputational damage. Maybe I am getting cynical, but more and more it looks like companies make a basic economic choice – the revenues from illegal conduct are not deterred by whatever penalty may be imposed. How to change this calculation is a topic for another day, but suffice it to say, something is not clicking in today’s world: incentives are skewed and money reigns king, even when shortsighted strategies control.
Turning to SAP’s years of export control and sanctions violations, I am about to repeat the story yet again.
SAP is a global software company and conducts business in 180 countries. It provides a broad complement of software services, including premises-based software, cloud-based subscriptions and professional services. SAP has a broad network of resellers.
SAP customers obtain software, as well as upgrades, often by downloading from the cloud. Many SAP products contain U.S.-origin software for purposes of export controls and sanctions regulations.
Starting in 2017 and continuing until 2017, SAP released thousands of downloads of SAP products, upgrades and patches to users in Iran. SAP downloads to Iran users exceeded 25,000 separate instances. SAP senior management was aware that SAP did not maintain geolocation filters to identify and block Iran downloads, and for years failed to take any steps to address the issue. The vast majority of these downloads went to 14 companies, which SAP Partners in Turkey, United Arab Emirates, Germany and Malaysia knew were Iran front companies. The remaining downloads went to several multinational companies with operations in Iran.
In addition, SAP third parties, SAP Business Partners, sold SAP-premises software and related services to Iran customers. From approximately 2011 to 2017, SAP’s Cloud Business Group (“CBG”) permitted approximately 2,360 Iran users to access U.S.-based cloud services from Iran. Beginning in 2011, SAP acquired various CBGs, and learned that these companies did not have adequate export control and sanctions compliance processes. SAP made the decision to allow these companies to continue to operate as standalone entities after acquiring them and failed to integrate them into SAP’s robust export controls and sanctions compliance program.
SAP conducted several internal audits of its export controls and sanctions compliance processes between 2006 and 2014. Starting as early as 2006, SAP identified that it failed to determine the country in which a customer download occurred and that it might be at risk of violating export controls and sanctions. No changes were instituted.
Subsequent audits continued to identify gaps in SAP’s export controls and sanctions compliance programs. The 2014 audit noted that SAP still did not identify the countries associated with customer IP addresses in order to block downloads to embargoed countries. It was not until 2015 that SAP began to block downloads to certain customers in embargoed countries, although SAP had the technical capability to do so much earlier. Starting in 2015, SAP began to block on-premise downloads to customers in embargoed countries, but continued to permit unrestricted downloads of cloud-based services, upgrades and patches.
With respect to its third-party resellers, from June 2013 to January 2018, SAP sold software licenses, maintenance services and cloud-based subscription services through resellers in Turkey, the UAE, Germany and Malaysia to Iran end users. These reseller companies were, in fact, controlled by Iran nationals. SAP knew or had reason to know that the resellers were providing software services to Iran customers.
SAP’s due diligence of its resellers was deficient; adequate due diligence would have revealed their connections to Iran companies. For example, a reseller’s website publicized its business ties with Iran companies. SAP also failed to investigate whistleblower complaints in 2011 and 2016 reporting that SAP software was being sold to Iran front companies for ultimate delivery to and use by Iran customers.