Today we return to that enforcement action imposed on business software giant SAP, which last week settled charges that it had violated U.S. export control law in the 2010s by offering software patches, upgrades and cloud-based services to users in Iran.
Our first post on the case was more a summary of the overall facts, such as the various ways that SAP and its overseas subsidiaries delivered software to Iranian users. We also recapped the extensive compliance program improvements that SAP implemented in the late 2010s, which ultimately led to a quite favorable resolution to the case: $13.1 million in penalties and disgorgement, plus a non-prosecution agreement for three years.
OK, but how did SAP’s earlier incarnation of its compliance program not work? What was not happening in the late 2000s and early 2010s, that its software sales and services into Iran went unaddressed for years?
We can begin with the statement of facts released by the Justice Department. According to that document, SAP conducted at least four internal audits of its export controls process from 2006 to 2014. The first audit from 2006 originally flagged that SAP wasn’t identifying the country to which its software downloads were being sent, and warned that the company was at risk of violating U.S. sanctions law. That audit even suggested implementing tools to verify the location of users making download requests.
Alas, no such actions were taken. In 2010, another internal audit cited the failure to implement IP-blocking software. Yet another internal audit in 2014 raised the same concerns, and made the same recommendation: implement geo-location screening software. SAP finally took that step in 2015, after thousands of downloads into Iran had already been happening at least since 2010.
All those audit reports went to senior executives at SAP, including board members and the U.S. head of export control compliance. Those executives knew they had a compliance risk and what measures to take to reduce that risk. So one immediate question: why didn’t SAP act on those audit findings in a more timely manner?
Failures in Due Diligence & Integration
SAP also went on an acquisition spree in the early 2010s, scooping up U.S. software firms such as Ariba, Concur, and Success Factors, collectively dubbed the “cloud business group” (CBGs).
The good news is that SAP’s due diligence teams did identify export control compliance among these firms as a potential concern pre-acquisition. The bad news is that… well, let’s just quote directly from the settlement order from the Office of Foreign Assets Control:
Pre- and post-acquisition due diligence on the CBGs found that they generally lacked comprehensive export controls and sanctions compliance programs, and in some instances had no sanctions compliance measures at all. Despite these findings, SAP permitted the CBGs to continue operations as standalone entities without fully integrating them into SAP’s existing compliance measures.
Instead, SAP let those U.S.-based subsidiaries run their own export compliance programs. Again, from the OFAC order:
The U.S.-based export compliance team was not resourced or empowered to manage these processes appropriately. These processes, moreover, were not consistent across all the CBGs due to technological challenges and encountered resistance from some CBGs that did not view sanctions compliance as necessary.
We have two strands of compliance program failure to unravel here. First, again we see that senior executives at SAP were aware of compliance risks (poor export control processes in among the CBGs), and declined to address those risks (integrate the CBG firms into SAP’s larger compliance program). So we’re back to why SAP leaders weren’t responding to compliance risks in a timely manner.
The second strand here, however, is more specific to export control compliance programs. The CBGs were left to their own devices, with multiple compliance processes using different types of technology. OFAC specifically warns against this idea in its guidance for effective sanctions compliance programs, published in 2019. Numerous businesses, that guidance says, “have committed apparent violations due to a de-centralized program, often with personnel and decision-makers scattered in various offices or business units.”
FCPA compliance people might quibble about how centralized your anti-corruption compliance program should be. Export controls compliance is a different subject, with much less room for differences of opinion. Centralized oversight, with competent export controls personnel and consistent application of policies and procedures, is crucial. So a carefree approach to due diligence and subsidiary oversight is not a good idea.
Compliance Program Reforms
Despite all these failures of accountability in the early 2010s, we should also note the compliance reforms that SAP implemented in the late 2010s. Those actions were what secured such a favorable resolution.
First, the Justice Department identified six steps SAP has already taken:
- Implementing GeoIP blocking;
- Deactivating thousands of individuals users of SAP cloud based services based in Iran;
- Transitioning to automated sanctioned-party screening of its CBGs;
- Auditing and suspending SAP partners that sold to Iran-affiliated customers;
- Hiring of experienced U.S.-based export controls staff;
- Conducting more robust due diligence at the acquisition stage by requiring new acquisitions to adopt GeoIP blocking and requiring involvement of the export control team before acquisition.
We can also glean a few more details from other sources. For example, OFAC’s order says that SAP hired “more than six” employees to work on export control and sanctions compliance; and fired five employees who violated existing SAP sanctions policy. The company also adopted a risk-based export control framework for SAP Partners that requires a stringent review of proposed sales by a third-party auditor.
And there’s that non-prosecution agreement, which specifies a few more remediation steps that SAP must achieve:
- Maintain an internal reporting hotline for export control issues, and all messages received on the hotline must be reviewed by the head of export controls or the chief compliance officer within five business days.
- Conduct mandatory annual export control training for all directors and officers, plus other relevant SAP employees.
- Audit all newly acquired business units for export control compliance within 60 days of acquisition; and if the subsidiary doesn’t have an export control program in place, implement one within 90 days of the audit’s conclusion.
- Develop written disciplinary policies for all employees, directors, officers, and business partners that might violate the company’s export control policies.
That’s a whole lotta compliance program improvement SAP either must do now, or has already done in recent years. And let’s remember, the company has already spent more than $27 million on remediation related to this misconduct — which had netted the company only $5.14 million in improper revenue.
That’s a pretty terrible ROI for misconduct. Perhaps quote it back to bosses or coworkers the next time they ask about the ROI for compliance.