Software firm SAP is paying $13.1 million to settle charges that the company and its business partners violated U.S. sanctions law in the 2010s by offering software patches and upgrades to users in Iran and allowing Iranian customers access to SAP’s cloud-based technology services.
The settlement was announced Thursday by the U.S. Justice Department, along with other regulators such as the Office of Foreign Assets Control and the Commerce Department. This is a great case for compliance officers to study, because the settlement also outlines the extensive compliance reforms SAP implemented — totaling at least $27 million — to end its case with the fines and a non-prosecution agreement.
Let’s begin with a summary of the facts as outlined in the non-prosecution agreement.
From 2010 through 2017, SAP allowed sanctions violations in numerous ways. First, the company released software patches, upgrades, and other products through an operating center in the United States known as its Content Delivery Provider, as well as through other SAP servers located around the world. During the relevant period, SAP allowed more than 25,000 software downloads that went to 14 shell companies operating in Iran.
Second, some SAP partner firms in Turkey, Malaysia, Germany, and the United Arab Emirates also sold SAP software to those same 14 shell companies that were fronts for Iranian businesses. (So unless I’m mistaken, the SAP partners sold the software, and those 14 shell companies then continued to receive patches and upgrades directly from SAP after the sales deals were done.)
Third, 31 multi-national corporations that were legitimate SAP customers also downloaded 720 software patches for operations they had in Iran, through the U.S. Content Delivery Provider. Those businesses could use SAP software, but not for any operations they had in Iran; SAP should have prevented the downloads, but didn’t.
Fourth, SAP had acquired a number of cloud-based software vendors over the years, collectively identified as the “Cloud Business Group.” External legal advisers had warned SAP pre-acquisition that those firms did not have sophisticated export compliance controls, but SAP didn’t implement any appropriate controls until 2017. As a result, at least 2,300 Iranian users accessed SAP’s cloud-based services during that time.
End result: $8 million in penalties spread among the Justice Department, OFAC, and Commerce; plus $5.14 million in disgorgement of ill-gotten gains. Seems like OFAC is taking $2.1 million in penalties; the Commerce Department’s Office of Export Enforcement gets $3.29 million; and the Justice Department gets the rest.
Debut of the Export Control Policy
What’s most notable for compliance professionals is how SAP handled itself once the company understood that it had a significant problem on its hands. This is a case you might want to cite if you’re ever in a similar situation and you have a general counsel or board dragging their feet about whether to self-disclose.
This is the first settlement reached under the Justice Department’s Export Control and Sanctions Enforcement Policy, which was developed under the Trump Administration and essentially has the same three pillars as the FCPA Corporate Enforcement Policy:
- Voluntary self-disclosure of the misconduct
- Full cooperation with any ensuing investigation
- Remediation of any compliance program weaknesses that allowed the misconduct to happen in the first place
That’s what SAP did, prosecutors say, starting with self-disclosure in 2017 after an internal investigation.
The SAP resolution shows “there is a clear benefit to coming to the department before [a company] gets caught,” assistant attorney general John Demers, head of the National Security Division, said in a statement Thursday. “SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated. We hope that other businesses, software or otherwise, will heed this lesson.”
Quick Sanctions Compliance Lessons
We should also note the extensive compliance program improvements SAP implemented, which the Justice Department pegged at more than $27 million in four years. (For context, SAP had $32.9 billion in annual revenue last year.)
The Justice Department also singled out six specific steps that SAP undertook as remediation:
- Implementing GeoIP blocking;
- Deactivating thousands of individual users of SAP cloud-based services based in Iran;
- Transitioning to automated sanctioned-party screening of its Cloud Business Group (CBG) companies;
- Auditing and suspending SAP partners that sold to Iran-affiliated customers;
- Hiring experienced U.S.-based export controls staff;
- Conducting more robust due diligence at the acquisition stage by requiring new acquisitions to adopt GeoIP blocking and requiring involvement of the Export Control Team before acquisition.
Perhaps most interesting to me are the points about enhanced pre-acquisition due diligence, and about moving to automated sanctioned-party screening. Those of us who swim in the anti-corruption lane of the compliance pool should use automated due diligence screening; but it’s not specifically required. In the export control swim lane, however, regulators like OFAC have been much more emphatic in their guidance that, yes, you really should use automated screening technology. OFAC in particular has fined companies for not using such technology or configuring it incorrectly.
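To make two of the remediation steps above concrete, GeoIP blocking and automated sanctioned-party screening, here is a small download-gating check in Python. It is example code added for this post, not SAP's code or any screening vendor's product. The GeoIP table (built on documentation address ranges), the country codes, the customer names and the denied-party entries are all constructed sample data. The `screen_exact` function stands in for the kind of weak configuration regulators have faulted: an exact, case-sensitive string match that a stray comma or a "Ltd." suffix slips past, beside a normalized match that catches the same variants.

```python
"""Download gating: GeoIP blocking plus automated sanctioned-party screening.
Added example, not SAP's code; every list, network and name is constructed."""
import ipaddress
import re
from typing import Optional

# Constructed GeoIP table: RFC 5737 documentation prefixes mapped to
# made-up country codes. A real deployment would query a licensed GeoIP database.
GEOIP_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "IR",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}

EMBARGOED_COUNTRIES = {"IR"}

# Constructed denied-party entries as they might appear in a list export.
DENIED_PARTIES_RAW = ["EXAMPLE TRADING CO., LTD.", "Sample Shell Company GmbH"]

# Legal-form tokens that carry no identity and should not defeat a match.
LEGAL_SUFFIXES = {"co", "ltd", "llc", "gmbh", "inc", "corp", "sa", "ag"}


def normalize_name(name: str) -> str:
    """Casefold, replace punctuation with spaces, drop legal-form tokens,
    and collapse whitespace, so that spelling variants compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", name).casefold().split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


# Screening list stored already normalized so each lookup is a set membership test.
DENIED_PARTIES = {normalize_name(n) for n in DENIED_PARTIES_RAW}


def country_for_ip(ip: str) -> Optional[str]:
    """Return the country code for an address, or None if the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return None


def screen_exact(customer: str) -> bool:
    """The weak configuration: exact, case-sensitive match against the raw list."""
    return customer in DENIED_PARTIES_RAW


def screen_normalized(customer: str) -> bool:
    """The intended configuration: match on the normalized form."""
    return normalize_name(customer) in DENIED_PARTIES


def download_allowed(customer: str, client_ip: str) -> tuple[bool, str]:
    """Decide whether a patch download proceeds, and say why.

    Screening runs before geolocation so a listed party is refused regardless
    of where it connects from, and an unknown country fails closed."""
    if screen_normalized(customer):
        return False, "customer matches denied-party list"
    cc = country_for_ip(client_ip)
    if cc is None:
        return False, "client country unknown; failing closed"
    if cc in EMBARGOED_COUNTRIES:
        return False, f"client geolocated to embargoed country {cc}"
    return True, f"allowed ({cc})"


if __name__ == "__main__":
    for name, ip in [("Acme AG", "203.0.113.5"),
                     ("Acme AG", "198.51.100.7"),
                     ("Acme AG", "10.0.0.1"),
                     ("Example Trading Co Ltd", "203.0.113.5")]:
        print(name, ip, download_allowed(name, ip))
```

Two design points matter for the compliance reader. First, an unknown geolocation result is treated as a denial rather than a pass, so a gap in the GeoIP data cannot quietly become a sanctions gap. Second, screening is only as good as its matching rules: `screen_exact` lets "Example Trading Co Ltd" through because the list entry carries punctuation, which is exactly the kind of configuration failure that turns an automated tool into a false sense of security.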
As to better pre-acquisition due diligence — well, that’s interesting just because it’s such an important step, and even businesses as large and sophisticated as SAP still get it wrong. Due diligence isn’t just about cybersecurity, or anti-corruption, or even export control; it’s about all those things, fashioned together into a comprehensive third-party risk management capability.
We’ll have more to come on this case next week, I’m sure. Give it a read.