Lessons to Learn for Global Software Providers from SAP Settlements of DOJ, BIS and OFAC Investigations Concerning Software Downloads in Iran

By Anthony D. Mirenda, Gwendolyn Wilber Jaramillo, Luciano Racco, Shrutih V. Tewarie

Sales of your software are robust around the globe. You have a network of third-party resellers, distributors or implementation partners that are driving international growth. Your customers praise your efficient maintenance and update services. You’ve made some strategic acquisitions of smaller companies over the past few years. It all sounds good, right? But the recent experience of SAP SE (SAP), a global provider of software, services and support headquartered in Germany, serves as a cautionary tale. U.S. enforcement agencies sent a strong message that steep monetary penalties, multi-year audits or even a corporate monitor and potential criminal prosecution are waiting if your U.S. export controls and sanctions compliance program is not as robust as those sales.

On April 29, 2021, the U.S. Department of Justice (DOJ), the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) simultaneously announced settlements with SAP to resolve concurrent investigations concerning violations of the U.S. sanctions regime as well as export controls targeting Iran.

SAP is a company with a lot of resources and a strong brand – what went wrong?

Between 2010 and 2017, according to the settlement documents, SAP engaged in thousands of transactions (downloads of software, upgrades and patches) with users in Iran both directly and indirectly through third-party resellers.  In addition, SAP permitted thousands of users in Iran to access SAP’s U.S.-maintained cloud-based services.

First, SAP’s third-party resellers in Turkey, the UAE, Germany and Malaysia distributed SAP software into Iran via a number of Iranian-controlled front companies.  Some of the resellers even publicly acknowledged on their own websites their business relationship with the Iranian-controlled front companies and their business dealings in Iran.  In other instances, the resellers failed to conduct adequate diligence on the front companies.  Some senior-level managers at SAP’s subsidiaries were aware that the front companies intended to use the SAP software in Iran.  A very few of the transactions involved multinationals conducting legitimate operations in Iran that were not subject to U.S. sanctions, but in those instances SAP failed to prevent downloads of SAP software by users in Iran.

Second, cloud-based subscriptions were sold through several of SAP’s recently-acquired U.S. subsidiaries.  In both pre-acquisition diligence and post-acquisition internal audits, SAP recognized that those business lacked adequate compliance programs and controls.  Notwithstanding this gap, SAP did not require integration into SAP’s overall compliance systems, but instead permitted the acquisitions to continue to operate as standalone business.

Finally, SAP failed to implement IP geolocation screening (GeoIP blocking) of users requesting software downloads, despite multiple internal audits noting the compliance vulnerability and recommending implementation.  And SAP did not adequately respond to internal whistleblower allegations, received over several years, claiming that sales had been made to Iranian front companies in UAE, Turkey and Malaysia.

The DOJ Settlement – resolving potential criminal national security violations 

SAP entered into a Non-Prosecution Agreement (NPA) with DOJ to resolve criminal charges that could have been brought based on this conduct, and agreed to pay a total monetary penalty of $5,140,000, representing the gross revenue from the improper transactions.  SAP avoided a DOJ-mandated corporate monitor in part because SAP separately agreed with BIS to conduct an annual audit for the next three years and provide the audit reports and compliance certifications to DOJ, OFAC and BIS.

DOJ identified several key factors justifying this resolution.

  1. SAP’s voluntary self-disclosure of the misconduct
  2. SAP’s extensive post-disclosure cooperation with the government, including:
    • conducting a substantial internal investigation
    • giving periodic factual presentations to update the government
    • making foreign-based employees available for interviews overseas
    • providing counsel to those employee to facilitate their cooperation
    • producing documents and translations of those documents
    • collecting, analyzing and organizing voluminous factual information
    • disclosing additional conduct beyond the scope of the initial voluntary disclosure
  3. SAP’s extensive ($27 million) investment in remediation, including:
    • Implementing GeoIP blocking
    • Deactivating thousands of individual users in Iran
    • Implementing automated sanctioned party screening
    • Auditing and suspending third-party resellers who sold to users in Iran
    • Requiring acquisitions to implement GeoIP blocking and engage with SAP’s export control compliance team prior to acquisition
    • Implementing enhanced training
    • Terminating employees aware of the sales into Iran
    • Committing to a risk-based export controls compliance program and mandating compliance certifications
    • Adding 15 professionals to the export control and sanctions compliance organization
  4. SAP’s ongoing cooperation with the government
  5. SAP’s self-disclosure, remediation and cooperation “tempered” the ramifications of the misconduct on U.S. national security
  6. SAP’s lack of any history of similar conduct

The OFAC Settlement – resolving the sanctions violations

The OFAC settlement focused on about 200 particular transactions (SAP software licenses, maintenance services or updates, and cloud-based subscriptions) generating about $3.7 million in total revenue to SAP.  Even this small number of transactions could have generated a statutory maximum civil monetary penalty of over $56 million.  Because SAP voluntarily self-disclosed the conduct, and because OFAC determined that these violations, while problematic, were “non-egregious,” under OFAC’s Enforcement Guidelines, OFAC calculated the base civil monetary penalty to be about $1.3 million.  OFAC then balanced aggravating and mitigating factors, coming to a final $2.1 million penalty, which it deemed satisfied by SAP’s payment of a larger amount to DOJ and BIS.

OFAC identified significant shortcomings in SAP’s compliance efforts to be “aggravating factors” in its assessment:

  • Failure to implement GeoIP blocking of users requesting software downloads despite multiple internal recommendations to do so
  • Failure to conduct sufficient due diligence on certain third-party resellers which would have revealed their ties to Iranian businesses
  • Failure of leadership of certain product lines and overseas subsidiaries to stop transactions knowing that the ultimate end-users were Iranian companies
  • Failure to adequately investigate whistleblower allegations, received over the prior five years, claiming that sales had been made to Iranian front companies in UAE, Turkey and Malaysia
  • Failure to integrate certain acquisitions into SAP’s compliance structure, notwithstanding that shortcomings had been identified and reported to SAP compliance in Germany by the U.S compliance team during pre-acquisition diligence and post-acquisition internal compliance audits. Instead, SAP permitted them to continue to operate as stand-alone businesses, subject to limited and inadequately resourced U.S.-based compliance oversight with little support from SAP in Germany
  • SAP’s size, sophistication and extensive international operations

OFAC then balanced several mitigating factors, including the fact that SAP had no prior sanctions violations, provided substantial cooperation and adopted significant remedial action, investing millions in implementing an enhanced compliance program in coming to its relatively modest penalty amount.

The BIS Settlement – resolving export control violations

SAP agreed to pay approximately $3.3 million to BIS to settle the export control violations associated with the export of the SAP software, maintenance services and updates to end-users located in sanctioned countries, including Iran.  In describing the seriousness of the offense, BIS noted that the items were controlled for encryption and national security reasons.

BIS explained that SAP’s voluntary self-disclosure and cooperation with the ensuing BIS investigation were significant factors in arriving at the specific settlement amount.  In addition, SAP agreed, as part of the BIS settlement, to conduct three audits of its enhanced export control and sanctions compliance program over the next three years.  And it agreed to provide copies of the audit reports and the associated compliance certifications to DOJ and OFAC as well.  This ongoing level of oversight will provide some assurance to BIS, and the other enforcement agencies, that SAP’s compliance program improvements have taken hold.

Key Takeaways

This outcome was by no means assured.  Had it not been for SAP’s voluntary self-disclosure, its substantial cooperation, and the extensive remediation, the financial penalties would almost certainly have been substantially higher, a multi-year corporate monitor would almost certainly have been imposed, and the company would likely have been required to enter a criminal guilty plea.

If SAP’s experience teaches anything, it is that global companies providing software products online, including through direct downloads or cloud-based services, must implement a risk-based export controls and sanctions compliance program commensurate with their size and sophistication, which should include:

  • end-user screening processes with IP address identification and blocking capabilities (GeoIP blocking), especially for companies with a sales model with indirect end-user engagement
  • appropriate due diligence for third-party agents and intermediaries, including software distributors, resellers, and sales agents
  • appropriate pre- and post- acquisition due diligence to identify potential compliance deficiencies in to-be-acquired subsidiaries, coupled with prompt remediation of any identified deficiencies
  • a sufficiently resourced and empowered compliance team to undertake thorough examinations of risks and to implement appropriate controls
  • the support and commitment of senior-level managers to take expeditious action upon learning of compliance deficiencies or apparent violations to obtain and abide by appropriate compliance guidance

The global settlement also highlights the need for companies to address the key elements of OFAC’s Sanctions Compliance Program Framework: 1. a commitment to compliance from senior management; 2. conducting risk assessments; 3. establishing and maintaining internal controls; 4. auditing and transactional testing; and 5. providing training to employees.

Once a compliance program is implemented, management cannot ignore recommendations from the compliance function to address serious compliance gaps.

Leave a Reply

Your email address will not be published. Required fields are marked *