In a first of its kind, on April 29, the U.S. Department of Justice announced[1] the entry into a Non-Prosecution Agreement (“NPA”) with German software company SAP SE (“SAP”) as resolution of SAP’s voluntary disclosure to DOJ of thousands of violations of the Export Administration Regulations (“EAR”) and the Iranian Transactions and Sanctions Regulations (“ITSR”) pursuant to the Department’s Export Control and Sanctions Enforcement Policy for Business Organizations (the “Voluntary Self-Disclosure Policy”).[2] As a result of its voluntary disclosure to DOJ, extensive cooperation, and implementation of remediation measures costing more than $27 million, SAP agreed to a disgorgement of $5.14 million. Concurrent with the NPA, SAP also entered into administrative agreements with the Department of Commerce’s Bureau of Industry and Security (“BIS”)[3] and the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”),[4] requiring, among other things, payment of an additional civil penalty of $3.29 million and a commitment to conduct internal compliance audits for several years.[5]
The SAP settlement provides a number of lessons for companies, both large and small, on complying with U.S. export control and sanctions laws and regulations. Listed below are four key takeaways:
- IP address identification and blocking capabilities are essential compliance protocols for internet-based companies.
According to settlement documents, between 2009 and 2019, SAP and several of its non-U.S. third-party content delivery partners (the “SAP Partners”) sold SAP software licenses and maintenance agreements to Iranian-controlled front companies or multinational companies that conducted business in Iran or were directly affiliated with Iranian companies, allowing for U.S-origin software, including upgrades or software patches, to be released more than 20,000 times to users located in Iran without requisite licensing from BIS or OFAC.
These violations were caused mainly by shortcomings in SAP’s compliance processes, specifically its lack of Internet Protocol (IP) address identification and blocking capabilities, which had been previously identified in several internal audits of its export controls processes. According to settlement documents, a 2006 audit found that SAP was not identifying the country to which on-premise software and support products were being downloaded and recommended the implementation of tools to verify the location of users making download requests of SAP software. Subsequent audits in 2007, 2010, and 2014 continued to identify this compliance gap and to recommend geo-location IP address screening, with the 2014 audit report specifically noting that this deficiency could allow users with IP addresses in U.S.-embargoed countries, such as Iran, to download SAP products. These audit reports were provided to senior SAP managers, including SAP Board members, U.S.-based legal counsel responsible for export controls, and the Head of Logistics.
Though SAP had been aware of this compliance vulnerability since 2006, and although its U.S.-based content delivery provider already possessed the capability to conduct geolocation IP address screening, SAP did not implement the recommended geolocation IP address screening until 2015. IP address data reviewed during the course of SAP’s internal investigation confirmed that SAP software was being downloaded by users in Iran.
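The control the audits kept recommending, a geolocation screen applied to each download request before software or a patch is released, can be illustrated in a few lines. This is an added example, not SAP’s or its delivery provider’s code; the IP-to-country table and the download records are constructed (documentation prefixes from RFC 5737), and a production system would query a maintained geolocation database and a compliance-owned list of embargoed destinations instead. The `review_history` function shows the retrospective pass over historical logs that the internal investigation described above relied on.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed, illustrative IP-to-country table standing in for a real
# geolocation database. These are RFC 5737 documentation prefixes; the
# "IR" label is assigned here purely for the example.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "IR",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Illustrative embargoed-destination list; the authoritative list is owned
# by export-compliance counsel, not hard-coded in the download service.
EMBARGOED = {"IR"}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    country: Optional[str]
    reason: str

def lookup_country(ip: str) -> Optional[str]:
    """Longest-prefix style lookup against the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None

def screen_download(client_ip: str, sku: str, audit_log: list) -> Decision:
    """Fail-closed geolocation screen run before a download or patch is released."""
    # client_ip must be the transport-layer peer address (or one set by a
    # trusted edge proxy), never a client-supplied header the user controls.
    try:
        country = lookup_country(client_ip)
    except ValueError:
        decision = Decision(False, None, "unparseable client address")
    else:
        if country is None:
            decision = Decision(False, None, "geolocation unresolved; hold for manual review")
        elif country in EMBARGOED:
            decision = Decision(False, country, f"destination {country} is embargoed")
        else:
            decision = Decision(True, country, "destination cleared")
    # Every decision is logged so later audits can reconstruct what was released where.
    audit_log.append({"ip": client_ip, "sku": sku, "country": decision.country,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision

def review_history(records: list) -> list:
    """Retrospective pass over historical download records, flagging embargoed hits."""
    return [r for r in records if lookup_country(r["ip"]) in EMBARGOED]
```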
- Comprehensive supply chain due diligence is vital for companies that rely on third-party vendors for product distribution.
According to settlement documents, the unlicensed release of SAP software to Iranian end-users largely was enabled by the SAP Partners, located in Turkey, United Arab Emirates, Germany, and Malaysia, which knew that the vast majority of the downloads went to Iranian-controlled front companies. Certain SAP and SAP Partner executives, including senior leaders at the SAP Partner located in the United Arab Emirates (UAE), were aware that these “pass-through” entities had purchased the SAP software with the sole intent of using it in Iran.
Both BIS and OFAC claim that, had SAP conducted sufficient due diligence on the SAP Partners prior to entering into business relationships, it would have revealed serious red flags concerning their preexisting ties to Iran. In fact, publicly available information posted on some of the SAP Partners’ websites actually promoted their business ties to Iranian companies. SAP also failed to adequately investigate several whistleblower complaints, starting in 2011, claiming that the SAP Partners were making sales of SAP software to affiliates of Iranian companies registered in the UAE, Turkey, and Malaysia. It was not until late 2017 that SAP conducted on-site examinations of the SAP Partners and was able to substantiate these claims.
- Companies must make compliance integration of acquired targets an immediate priority post-closing.
In addition to the unlicensed release of software to users in Iran, SAP’s Cloud Business Group of companies (“CBGs”) in the United States permitted over 2,000 users located in Iran to access U.S.-based cloud services from approximately 2011 to 2017. According to settlement documents, these violations were a direct result of SAP’s failure to fully integrate several acquired CBGs into SAP’s export controls and sanctions compliance program post-closing.
Beginning in 2011, SAP acquired several U.S.-based CBGs that operated internationally and became aware, through both pre-acquisition due diligence and post-acquisition export control-specific audits, that these companies generally lacked comprehensive export controls and sanctions compliance programs, and in some instances had no sanctions compliance measures at all. Despite this, SAP permitted these companies to continue to operate as standalone entities without adopting SAP’s more robust export controls and sanctions compliance program. Instead, SAP relied on its small U.S.-based Export Compliance Team (“ECT”) to coordinate and enforce compliance processes for the CBGs, which was neither adequately resourced nor empowered to manage these processes properly. In fact, the ECT encountered resistance from some of these CBGs, which did not consider sanctions compliance to be important. Although the ECT reported these difficulties to SAP’s Germany-based compliance team, it received little support until September 2017, when the compliance deficiencies within the CBGs finally were addressed.
- There are clear benefits for companies to voluntarily disclose potential export controls or sanctions violations, particularly those that are willful in nature.
As noted above, the SAP NPA is the first-ever resolution pursuant to DOJ’s Voluntary Self-Disclosure Policy. Originally drafted in October 2016 and revised in December 2019, the Voluntary Self-Disclosure Policy states that if companies voluntarily disclose a violation, fully cooperate with DOJ, and timely and appropriately remediate, there is a presumption that the company will receive an NPA and will not be assessed a fine, absent aggravating factors. If aggravating circumstances do warrant an enforcement action, but the company still satisfies all other criteria, DOJ will recommend a fine that is at least 50 percent lower than what would otherwise be available under the alternative fine provision and will not require the imposition of a monitor. BIS and OFAC also maintain voluntary self-disclosure mechanisms for potential civil violations of export controls or sanctions laws, respectively, which each agency treats as a mitigating factor in enforcement actions, resulting in a steep reduction in the base amount of any proposed civil penalty (or the issuance of no penalty at all).
For context, the total fines to be paid by SAP to settle its liability with all three agencies, $8.43 million, is just a small fraction of the statutory maximum monetary penalty that OFAC alone could have imposed for just SAP’s civil liability under the ITSR, $56,025,470. As Assistant Attorney General John C. Demers stated in response to the NPA, “SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated. We hope that other businesses, software or otherwise, [will] heed this lesson.”
[5] We note that OFAC also imposed a fine of $2,132,174 for SAP’s potential civil liability under the ITSR, but considered the payment obligation satisfied by SAP’s payment of a greater amount in satisfaction of penalties assessed by DOJ and BIS arising from the same course of conduct.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of more than 700 lawyers practicing throughout a network of 13 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology, and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.