SAP SE (“SAP”), a global software company headquartered in Walldorf, Germany, has agreed to pay a total of $8.43 million in penalties as part of settlement agreements with the United States Departments of Justice, Commerce and Treasury, a penalty that would have significantly higher if the company had not extensively cooperated with the United States. Involuntary disclosures to all three agencies, SAP acknowledged that, from January 2010 through September 2017, it knowingly released more than 25,000 downloads of its products, upgrades and/or patches from its U.S. Headquartered Content Delivery Provider to Iranian users in violation of the Export Administration Regulations (“EAR”) and the Iranian Transactions and Sanctions Regulations (“ITSR”). Many of the downloads were associated with sales by non-SAP entities (“SAP Partners”) or the activities of SAP customers headquartered outside of Iran but had used SAP products and services in Iran. The Non-Prosecution Agreement (“NPA”) notes that SAP had advanced warning of these unlawful activities from audit reports provided to senior SAP managers alerting leaders that SAP was not screening customers’ IP addresses to prevent downloads from users in U.S.-embargoed countries. Notably, SAP also failed to investigate various whistleblower complaints, received as early as 2011, alleging sales by SAP Partners to foreign-registered affiliates of Iranian companies.
Beginning in 2011, SAP acquired various cloud-based companies in the United States. SAP’s pre-acquisition and post-acquisition due diligence identified that these companies lacked comprehensive export control and sanctions compliance programs. Despite being armed with this knowledge, SAP allowed these companies to continue to operate as standalone entities and did not address the compliance gaps until 2017, thus permitting Iranian users to access SAP cloud services that were maintained and supported in the U.S. and by U.S. persons worldwide.
Notwithstanding these knowing violations, the United States was willing to limit the penalties imposed because of the high level of cooperation exhibited by SAP. SAP made a voluntary self-disclosure regarding its potential violations in September of 2017 and made “significant remediation efforts” in the form of more than $27 million invested into its export compliance and sanctions program improvements, including:
SAP agreed to cooperate fully with the DOJ’s National Security Division and the U.S. Attorney’s Office for the District of Massachusetts (collectively, “the Offices”) by providing any information or communication upon request, as further explained below. In light of SAP’s remediation efforts and cooperation with the Offices, the Offices agreed to not criminally prosecute SAP for the conduct described above. They determined that a compliance monitor was not necessary.
In accordance with the NPA, SAP agreed to:
This cooperation includes providing the Offices with any factual information or documents upon request, promptly reporting any evidence or credible allegations of violations, and providing an annual certification that SAP is in incompliance with the terms of the Agreement.
Concurrently with the DOJ settlement, SAP entered into separate agreements to pay $2.13 million to the Department of the Treasury, Office of Foreign Assets Controls (“OFAC”), and to pay $3.29 million to the Department of Commerce, Bureau of Industry and Security (“BIS”). The BIS payment was credited against the OFAC penalty. The total penalty amount, $8.43 million, is substantially less than the maximum penalty determined by OFAC ($56 million). Additionally, SAP was spared the imposition of a compliance monitor.
These actions by the United States highlight the importance of export control and sanctions compliance for all businesses involved in international trade. The repeated reference to GeoIP blocking systems heightens the need for software companies to implement such technology for cloud-based computing and download services. The emphasis on monitoring hotlines and due diligence in both pre-and post-acquisition activities is a warning to all companies. Perhaps most importantly, these penalties indicate both the seriousness with which the United States considers these violations and the significant mitigation considerations that are given to companies that commit to compliance through the use of voluntary disclosures and the implementation of significant and measurable process improvements. In the words of Assistant Attorney General John C. Demers for the Justice Department’s National Security Division, “SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated. We hope that other businesses, software or otherwise, w[ill] heed this lesson.”
Although we would like to hear from you, we cannot represent you until we know that doing so will not create a conflict of interest. Also, we cannot treat unsolicited information as confidential. Accordingly, please do not send us any information about any matter that may involve you until you receive a written statement from us that we represent you (an â€˜engagement letterâ€™).
By clicking the â€˜ACCEPTâ€™ button, you agree that we may review any information you transmit to us. You recognize that our review of your information, even if you submitted it in a good faith effort to retain us, and, further, even if you consider it confidential, does not preclude us from representing another client directly adverse to you, even in a matter where that information could and will be used against you. Please click the â€˜ACCEPTâ€™ button if you understand and accept the foregoing statement and wish to proceed.