On April 29, 2021, the German enterprise software company, SAP SE (“SAP”), reached a $10.6 million combined settlement with the U.S. Department of Justice (“DOJ”), the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”), and the U.S. Department of Treasury’s Office of Foreign Assets Control (“OFAC”). SAP voluntarily disclosed to the three agencies that it provided software and services to Iran in violation of the Export Administration Regulations (“EAR”) and the Iranian Transactions and Sanctions Regulations (“ITSR”). Due to the separate legal and regulatory frameworks, SAP disclosed the apparent violations and entered into stand-alone settlements with each agency. Some of the penalties offset each other, resulting in a total payout of over $8 million.
In addition to these fines, SAP will disgorge $5.14 million in revenues associated with its Iran-related transactions and entered into a deferred prosecution agreement with DOJ. Beyond penalties, SAP undertook extensive remedial measures costing the company more than $27 million, and SAP also agreed to complete three audits of its export compliance program over a three-year period. DOJ, BIS and OFAC each credited SAP’s cooperation with the investigations and significant remedial actions as mitigating factors in the penalty calculations.
This case provides a significant new trade compliance benchmark for companies involved in provision of software-as-a-service (“SaaS”) and digital downloads of software products:
- SAP is a German-headquartered company, but the presence of U.S. origin software and services in its portfolio triggered U.S. jurisdiction over its business.
- The U.S. government made clear in this case that it expects companies dealing in U.S. origin software products and services to implement Internet Protocol (“IP”) geolocation (“GeoIP”) blocking to prevent access by embargoed countries, as well as procedures to know and screen resellers and ultimate customers in an indirect sales model.
- The U.S. government has reiterated its expectations that companies need to immediately integrate the operations of their newly acquired subsidiaries into their compliance programs, and that delays in compliance program implementation will not provide an excuse for trade violations.
Alleged Software and Services Transactions with Iran
The U.S. government reported that from 2009 to 2019, SAP’s non-U.S. third-party resellers provided U.S. origin software and services to Iranian users in violation of U.S. export control and sanctions regulations. The DOJ settlement announcement cited over 20,000 prohibited releases of SAP software – including routine updates/patches necessary for the continued maintenance of software – to users in Iran. The majority of these downloads reportedly went to 14 Iranian front companies located in UAE, Turkey, and Malaysia, and the remainder went to multinational companies with operations in Iran.
The U.S. government highlighted the following red flag factors that arose during the period of time covered by the enforcement actions:
- SAP’s internal audits found the company failed to screen its customers’ IP addresses, which SAP noted as a deficiency, and one audit specifically recommended the implementation of GeoIP address screening as a corrective measure;
- SAP’s third-party resellers publicized their business ties to Iranian companies on their websites, indicating failure to conduct due diligence on business partners;
- SAP received internal whistleblower allegations between 2011 and 2016 that software had been sold to Iranian front companies registered in UAE, Turkey, and Malaysia;
- SAP’s product line managers who made the sales to pass-through entities knew that the software would ultimately be provided to Iranian companies; and
- SAP personnel traveled to Iran in one instance to secure a sale.
The settlement notices also report that SAP’s newly acquired U.S.-based subsidiaries sold cloud-based software subscriptions to customers that subsequently gave access to their employees or customers located in Iran. The U.S. government took the position that these alleged violations occurred as a result of SAP’s failure to timely integrate its new subsidiaries into SAP’s export and sanctions compliance program. Pre- and post-acquisition due diligence on these cloud business subsidiaries identified that these companies lacked adequate export and sanctions compliance measures. Nonetheless, the cloud business subsidiaries continued operating as standalone entities, and SAP reportedly relied on a small U.S.-based trade compliance team that was not appropriately resourced or empowered to manage trade issues arising from those new businesses.
The SAP case is the first in which DOJ has applied its newly reissued Export Control and Sanctions Enforcement Policy for Business Organizations in an export control context (DOJ has previously applied this Policy in the context of sanctions enforcement). The SAP settlement provides insights into DOJ’s export control and sanctions compliance expectations, and offers a guide to companies that face similar fact patterns. DOJ is willing to grant remedial credit when companies voluntarily disclose their apparent violations, demonstrate cooperation with the investigation, and initiate remedial actions.
SAP settled with BIS for a $3.29 million civil penalty and an agreement to conduct three independent audits of its trade compliance program over three years. During a period from 2009 through 2019, SAP allegedly violated the EAR by exporting SAP products including software, upgrades, and patches from the United States to various end users located in sanctioned countries, including Iran, without the required export licenses.
The SAP items were controlled for encryption and national security reasons. That observation is notable because the Iran export embargo in Section 746.7 of the EAR does not apply to EAR99 items, whereas encryption software controlled under ECCN 5D002 is controlled for business communications and national security reasons and restricted for Iran. Aside from controls on certain proliferation and military-intelligence activities, the EAR generally does not regulate the provision of services. BIS published guidance in 2014 making clear that the provision of SaaS and other cloud-based services are not exports subject to the EAR (although the transmission of technical data or downloading of software via those channels could be). Thus, the focus of BIS’ enforcement action is on software downloads, upgrades and patches – export transactions squarely within BIS’ jurisdiction – as opposed to provision of SaaS and cloud services.
SAP agreed to pay more than $2.1 million to OFAC to settle its potential civil liability for 190 apparent violations involving the provision of U.S. origin software and related services to Iran. Specifically, OFAC alleged that from 2013 to 2018, SAP authorized 13 sales of SAP software licenses, 169 sales of related maintenance services and updates, and 8 sales of cloud-based subscription services.
Unlike BIS, OFAC has jurisdiction over exports of EAR99 items from the United States when intended specifically for Iran, as well as the provision of services to or involving Iran, such as SaaS and cloud platforms. Thus, the scope of the OFAC settlement included the sale of cloud-based software subscription services accessed remotely through SAP’s cloud businesses in the United States. Those alleged violations arose when SAP customers in turn made SAP’s services available to their employees in Iran. Similar to recent settlements involving BitGo and BitPay, OFAC specifically called out SAP’s failure to implement IP blocking to prevent users located in Iran from accessing U.S.-based software and services, even though a compliance audit had recommended the implementation of GeoIP blocking measures.
As part of its settlement, SAP agreed to the following remedial measures:
- Three independent audits of its export compliance program to be conducted over a three-year period;
- The implementation of automated GeoIP blocking and screening for all downloads of software, support, and maintenance to embargoed countries, and for SAP’s cloud services businesses;
- The deactivation of thousands of users of SAP cloud-based services;
- Termination of partnerships with third-party resellers engaged in the sales to Iranian companies, and implementing a risk-based export control framework for SAP partners that requires a stringent review of proposed sales by a third-party auditor;
- The hiring of new employees for SAP’s trade compliance program;
- The termination of five employees who knowingly engaged in sales to Iran; and
- Adoption of a more robust compliance program, including integration procedures for new acquisitions.
Implications for Software and Cloud Service Providers
This latest enforcement action highlights the importance of software and cloud service companies implementing adequate controls to govern their trade compliance. OFAC’s settlement notice provided the following observation: “SAP also acted recklessly by having a compliance program that was not commensurate to SAP’s size and sophistication and that did not: 1) implement adequate controls in a timely manner (e.g., instituting geo-location IP address screening for SAP software delivered from the United States); 2) conduct an adequate degree of due diligence on SAP Partners; and 3) implement robust controls or compliance requirements for SAP Partner sales and SAP [cloud business groups].”
Unlike exports of goods, where physical shipments provide natural checkpoints for implementation of trade compliance screening and controls, the intangible and constantly moving nature of digital trade necessitates automated controls that match the risks presented by a company’s unique business model. Companies in the software and cloud services industry need to engage their IT departments as strategic stakeholders in ensuring compliance with U.S. export controls and sanctions. For example, automated screening is a best practice at different checkpoints in digital transactions, such as when a new customer engagement is considered, when a new relationship is established, when a new software subscription license is issued, when a cloud portal customer log-in account is created, or before a software download occurs. Moreover, the U.S. government’s expectations are clear that companies in this industry need mechanisms to implement geolocation IP address screening to detect locations in embargoed countries and to automatically block access from those regions.
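As an added illustration (not code from the settlement or from SAP), the following sketches the GeoIP screening checkpoint described above: the same check is applied at account creation, subscription issuance and software download, every decision is written to an audit trail, and an IP the database cannot resolve is held for review rather than allowed. The prefix-to-country table is constructed for the example and is not a real allocation; the embargoed-country set is an assumption containing only Iran, which the page discusses.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

# Constructed lookup table for this example only. Real deployments query a
# maintained GeoIP database; these prefixes are NOT real country allocations.
SAMPLE_GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "IR",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Assumed embargoed destinations; populate from current sanctions lists.
EMBARGOED = {"IR"}

class Checkpoint(Enum):
    ACCOUNT_CREATE = "account_create"
    SUBSCRIPTION_ISSUE = "subscription_issue"
    SOFTWARE_DOWNLOAD = "software_download"

@dataclass(frozen=True)
class Decision:
    allowed: bool
    country: Optional[str]
    reason: str

def lookup_country(ip: str, table=SAMPLE_GEOIP_TABLE) -> Optional[str]:
    """Longest-match is unnecessary here because the sample prefixes do not nest."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    for net, cc in table.items():
        if addr in net:
            return cc
    return None

def screen(ip: str, checkpoint: Checkpoint,
           audit: List[Tuple[str, str, Decision]]) -> Decision:
    """Apply GeoIP screening at one digital-trade checkpoint and log the outcome.
    Assumption: an unresolved or malformed IP is held for manual review, so a
    lookup gap can never silently become an export to an embargoed country."""
    try:
        country = lookup_country(ip)
    except ValueError:
        country = None
    if country is None:
        decision = Decision(False, None, "unresolved IP: hold for review")
    elif country in EMBARGOED:
        decision = Decision(False, country, f"embargoed destination {country}")
    else:
        decision = Decision(True, country, "cleared")
    audit.append((checkpoint.value, ip, decision))  # record allow and deny alike
    return decision
```

The audit list is what a later independent review of the program would inspect; in practice it would be a durable, tamper-evident log rather than an in-memory list.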
Finally, this case highlights that non-U.S. companies need to be alert to the presence of U.S. origin software products, cloud services, network support, and U.S. persons providing services throughout the organization. These are all touchpoints for U.S. jurisdiction. OFAC has a long tradition of using the U.S. financial system to assert jurisdiction over foreign transactions, and it is taking a similar approach with respect to activities that pass through U.S. servers and cloud platforms. For example, in 2020, OFAC entered into a $7.8 million settlement with the Swiss company SITA, a provider of telecommunications network and IT services to the air transportation industry. In that case, OFAC determined that SITA’s services and software were subject to U.S. jurisdiction because they were provided from, or transited through, the United States or involved the provision of U.S.-origin software. Given the interconnectedness of the U.S. tech sector with the rest of the world, we expect OFAC will continue to find opportunities to assert its enforcement jurisdiction over foreign companies using U.S. systems and software.