On April 29, 2021, SAP SE, a global software company based in Germany, agreed to pay combined penalties of more than $8 million to settle its liability for violations of the Export Administration Regulations (EAR) and the Iranian Transactions and Sanctions Regulations (ITSR) as a result of willfully exporting or causing the export of U.S.-origin software and technology to users in Iran. The penalties are part of a global resolution with the Departments of Justice, Commerce, and the Treasury.
Description of the Conduct and Compliance Shortcomings
Between 2010 and 2017, SAP, along with its overseas partners, released U.S.-origin software, software upgrades, and software patches to Iranian end-users without the required export licenses. At the time, these third-party resellers (SAP Partners), located in Turkey, the UAE, Germany, and Malaysia, knew that many of the downloads were going to Iranian-controlled front companies.
Additional violations occurred from 2011 to 2017, when SAP’s cloud business group (CBG) subsidiaries sold cloud-based software subscription services that allowed access to Iranian employees and customers.
SAP’s violations were caused in part by numerous shortcomings in its compliance processes that are described further below.
- Multiple internal audits dating back to 2006 found that SAP did not screen customers’ Internet Protocol (IP) addresses, resulting in SAP’s inability to identify the country in which SAP software was downloaded. This deficiency, the audits found, put SAP at risk of breaching U.S. economic sanctions and export controls. A 2014 audit specifically recommended the implementation of geolocation IP address screening as a corrective measure. Though SAP had known of this compliance vulnerability since 2006, and despite being aware that its U.S.-based content delivery provider had the ability to conduct geolocation IP address screening years earlier, SAP failed to implement the recommended geolocation IP address screening until 2015.
- Internal communications were also identified showing that SAP product line and overseas subsidiary managers oversaw the sale of SAP software and services from the United States or U.S. persons to these third-party SAP Partners knowing they would provide the software and services to Iranian companies. In one instance, SAP personnel traveled to Iran to secure SAP software sales.
- SAP failed to conduct sufficient due diligence on SAP Partners, which could have revealed their connections to Iranian companies. For instance, an SAP Partner website publicized its business ties with Iranian companies.
- SAP failed to adequately investigate whistleblower allegations it received between approximately July 2011 and March 2016 that claimed SAP software had been sold to Iranian front companies registered in the UAE, Turkey, and Malaysia, claims that SAP subsequently substantiated.
- SAP failed to timely integrate the CBG subsidiaries into SAP’s broader compliance structure. Through pre- and post-acquisition due diligence and audits of the CBGs, SAP was aware that these companies did not have adequate export control and sanctions compliance programs. Despite this, SAP allowed its CBGs to continue to operate as standalone organizations and did not require any implementation of more robust compliance practices. SAP instead relied on a small U.S.-based Export Compliance Team to coordinate and enforce compliance processes for the CBGs, and this team was not resourced or empowered to manage these processes appropriately.
This enforcement action highlights the importance of conducting due diligence of product and software distributors, resellers, and agents; implementing screening processes that include IP address identification and blocking capabilities; conducting pre- and post-acquisition due diligence to identify potential compliance deficiencies in newly acquired companies; providing sufficient resources to compliance personnel; and ensuring compliance programs maintain the support and commitment of senior-level managers.
In addition to the combined monetary penalties, SAP entered into a Non-Prosecution Agreement with the United States Attorney’s Office for the District of Massachusetts and the DOJ’s National Security Division. Pursuant to that agreement, SAP will disgorge $5.14 million of ill-gotten gain. This case represents the first resolution under the DOJ’s Export Control and Sanctions Enforcement Policy for Business Organizations, which was released in December 2019 and incentivizes companies to self-report any and all violations of U.S. export laws and regulations. “SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated,” stated Assistant Attorney General John C. Demers of the National Security Division.
SAP also entered into administrative agreements with BIS and OFAC, which, among other things, require SAP to conduct internal audits of its compliance with U.S. export control laws and regulations and produce audit reports to BIS for a period of three years.
For more information on how these could impact your business, contact:
- Martin Lutz, Partner (firstname.lastname@example.org, 512-495-6024),
- Jamie Joiner, Special Counsel (email@example.com, 713-615-8530),
- Lindsey Roskopf, Partner (firstname.lastname@example.org, 713-615-8534),
- Justin Cawley, Senior Counsel (email@example.com, 202-812-2644), or
- Another member of the McGinnis Lochridge International Trade and Transactions Practice Group