In late April 2021, the German software company SAP SE (SAP) entered into nonprosecution and settlement agreements with the U.S. Department of Justice (DOJ) National Security Division, the U.S. Department of Commerce Bureau of Industry and Security (BIS), and the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC). These resolutions followed SAP’s voluntary self-disclosure of violations of U.S. export control and sanctions laws and mark the first application of DOJ’s December 2019 Export Control and Sanctions Enforcement Policy, which emphasizes the importance of voluntary self-disclosure. As a senior DOJ official stated in a press release: “SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated. We hope that other businesses ... will heed this lesson.”

SAP is a German software company that employs nearly 100,000 people globally and provides a broad range of cloud subscriptions, software licenses, maintenance support, and professional services to customers in over 180 countries. At issue was the conduct of SAP, its subsidiaries (including its U.S.-based Cloud Business Group companies (CBGs)), and its independent third-party resellers (SAP Partners or Partners). The SAP Partners resell SAP software licenses and provide maintenance, logistical, and other consulting support. Many SAP products and support services are delivered to customers directly via a U.S.-based SAP server or indirectly via SAP’s U.S.-headquartered content delivery provider.

The violations of U.S. laws involving the release of U.S.-origin technology and software through cloud servers and online portals occurred between 2009 and 2019 and fell into two categories. First, SAP and its Partners released U.S.-origin software, upgrades, and patches to Iranian and Iran-based end users, sometimes via SAP’s content delivery provider. Second, SAP’s CBGs allowed Iranian users located in Iran to access U.S.-based cloud services. Over three years, SAP undertook significant investigation, cooperation, and remediation, including spending more than $27 million on strengthening its compliance program. Changes include implementing GeoIP blocking (also known as “ring fencing,” which prevents IP addresses from certain countries from accessing technology and is considered particularly important when a company’s sales model involves engagement with indirect end users); implementing automated sanctioned-party screening for the CBGs; and auditing and suspending SAP Partners that sold to Iran-affiliated customers.

Thanks in part to its voluntary self-disclosures, SAP was able to avoid the filing of any criminal charges. The company did, however, agree to pay more than $8 million in combined penalties for its violations of the U.S. Export Administration Regulations and Iranian Transactions and Sanctions Regulations on top of the $27 million spent on strengthening its compliance program. In addition, the BIS Settlement Agreement requires SAP to conduct and report on internal audits of its compliance programs for three years.

Key takeaways:

1. This case was the first resolution announced under DOJ’s National Security Division Export Control and Sanctions Enforcement Policy for Business Organizations.

In a press release, federal prosecutors and regulators emphasized that they intend to take this policy seriously and that it is the responsibility of the business community to ensure compliance, including by foreign subsidiaries, with U.S. sanctions and export regulations. The policy states: “[W]hen a company (1) voluntarily self-discloses export control or sanctions violations to [DOJ’s Counterintelligence and Export Control Section], (2) fully cooperates, and (3) timely and appropriately remediates ... there is a presumption that the company will receive a nonprosecution agreement and will not pay a fine, absent aggravating factors.” Such aggravating factors include, but are not limited to, exports of particularly sensitive items; export to end users that are of heightened concern; repeated violations; involvement of senior management; and significant profit. Where aggravating factors exist, but a company has nonetheless voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated, resolutions more onerous than a nonprosecution agreement — such as a deferred prosecution agreement or a guilty plea — may be required, but the company could benefit from significantly reduced fines and will not require appointment of a monitor.  

Companies should familiarize themselves with this policy and determine their risks accordingly.

2. It is critical that companies implement audit recommendations.

SAP conducted internal audits of its compliance program in 2006, 2007, 2010, and 2014, generally considered a best practice and one element of OFAC’s recommendations for an effective compliance program. The 2006 audit highlighted that SAP was not verifying the location of users making download requests for on-premise software and support products and recommended implementing tools to close this gap. Similarly, the 2014 audit noted that SAP did not screen customers’ IP addresses to prevent sale to individuals located in U.S.-embargoed countries and recommended that SAP conduct appropriate screening. However, senior SAP managers, including board members and U.S. legal counsel, had access to these reports and did not timely act on the recommendations. SAP did not begin implementing remedial measures until 2015, nine years after the first audit, despite the ability to do so. OFAC considered such behavior to be “reckless disregard” and a failure “to exercise a minimal degree of caution or care for U.S. economic sanctions.”

Companies should take their internal auditing processes seriously, including by creating remediation plans and promptly implementing such recommendations. Enforcement agencies may also consider a company’s size and sophistication when determining the sufficiency of processes, so a large company with significant auditing capabilities may be held to a higher standard.

3. Companies must put in place a process to receive, investigate, and elevate whistleblower complaints.

As early as 2011, SAP received — and failed to investigate — whistleblower complaints alleging sales by SAP Partners to Iranian-controlled front companies (also called “pass-through entities”) and companies making SAP products available to Iran-based employees. Internal investigations conducted beginning in 2017 revealed that some SAP Partners made these sales as a result of due diligence failures. However, executives and senior leaders at certain other SAP Partners publicly flaunted their ties to Iranian companies, including their sales of SAP products, via their websites and on social media. OFAC considered SAP’s disregard of these warning signs to constitute an aggravating factor justifying imposition of a fine.1 The Corporate Compliance Program mandated by SAP’s nonprosecution agreement with DOJ requires SAP to implement “an effective system for internal reporting of suspected or actual violations,” including, to the extent legally permissible, maintaining a “confidential, anonymous ‘hotline’ and e-mail address” available to anyone, regardless of their employer or location.

Companies should assess their procedures to ensure that potential whistleblowers can easily report violations and that the proper personnel, including export and sanctions compliance personnel, receive, investigate, and elevate such reports.

4. Companies should conduct sanctions and export-related diligence in both day-to-day business operations and during acquisition due diligence.

As noted in the OFAC settlement and in point three above, SAP Partners sold SAP products and services to Iranian-controlled front companies and companies making SAP products available to Iran-based employees. Although SAP screened its Partners and customers, SAP failed to perform adequate sanctions-related diligence on counterparties and end users to identify diversion risks prior to sale, or to take advantage of readily available information on counterparties and end users. Further, the company did not take advantage of available ongoing diligence tools, such as monitoring or restricting incoming IP information regarding users accessing SAP software and services, which would have alerted the company sooner to access from Iran.

This settlement also highlights the importance of acquisition diligence on sanctions and export issues. Despite acquisition diligence of the U.S.-based CBGs indicating that the CBGs lacked adequate, and in some cases any, compliance programs, SAP did not effectively integrate the CBGs into its own corporate compliance program. Although SAP tasked its Export Compliance Team to enforce SAP’s compliance program for the CBGs, this team was understaffed, under-resourced, and inconsistent in applying the procedures, and, in some cases, it faced resistance from the CBGs. OFAC considered SAP’s failure to address these compliance deficiencies an aggravating factor.

As with audit findings, companies should conduct and act on diligence findings, including by updating and integrating compliance processes where necessary to ensure compliance with export controls and sanctions laws. 

As companies think about sanctions and export control risks in the acquisition process, they should also think about compliance violations that can occur as part of the diligence itself. For example, a deal data room containing controlled technology may be inadvertently made available to a person located in a country for which a license is required to export U.S. items, or to a person located in the United States who is a national of such a country and is not otherwise a U.S. person (that is, not a U.S. citizen, permanent resident, or protected person such as an asylee or refugee). Either release can itself be a violation; the release to a foreign national inside the United States is known as a deemed export.

5. The SAP settlement serves as an important reminder of the breadth of U.S. sanctions and export controls jurisdiction as it relates to global information technology systems.

Despite SAP’s status as a German company, U.S. sanctions and export jurisdiction existed because of the use of U.S.-based assets, such as U.S.-based servers from which software was downloaded and cloud services were provided. This is an important reminder of the breadth of U.S. jurisdiction, not just for the owners of such assets but for users of third-party, U.S.-based software and infrastructure as a service.  

Companies should ensure that they understand and appreciate the implications of their U.S. touchpoints in otherwise non-U.S. activity. In addition to applying to U.S. persons, U.S. sanctions also apply to the extent there is a U.S. nexus for activity, and U.S. export controls apply anywhere in the world to the extent the items (goods, software or technology) are of U.S. origin or contain more than a de minimis level of U.S. content, among other things. For example, non-U.S. entities may be subject to U.S. jurisdiction to the extent their transactions with sanctioned parties or prohibited countries involve the U.S. financial system (e.g., transactions denominated in U.S. dollars), items subject to U.S. jurisdiction, or the provision of items or services from the United States. For non-U.S. companies related to a U.S. company, or using U.S.-based third-party infrastructure as a service, activities may involve the United States by virtue of using U.S.-based global services, information technology platforms or other systems, or other common interactions in global enterprises.