SAP Settles U.S. Charges After Thousands of Software Exports to Iran

The German company becomes the first to benefit from a U.S. enforcement policy encouraging firms to voluntarily self-disclose wrongdoing

By Samuel Rubenfeld

Thursday, April 29, 2021

German software firm SAP SE agreed on Thursday to pay more than USD 8 million to resolve U.S. investigations into thousands of exports of software products to Iranian users.

Between 2010 and 2017, SAP and its partners provided U.S.-origin software, including upgrades or patches, more than 20,000 times to users in Iran, and allowed more than 2,300 Iranian users to access U.S.-based cloud services from Iran, according to prosecutors. Certain SAP executives knew that neither the company nor its U.S.-based content delivery provider used geolocation filters to block Iranian downloads, yet for years the firm didn’t remedy the issue, prosecutors said.

The Walldorf, Germany-based company, which voluntarily self-disclosed the exports, reached agreements with the U.S. Departments of Justice, Treasury and Commerce over the sanctions and export controls violations. SAP entered into a non-prosecution agreement with the Justice Department and agreed to disgorge USD 5.14 million. It also agreed to pay USD 2.1 million to the Treasury’s Office of Foreign Assets Control (OFAC) and USD 3.3 million to the Commerce Department’s Bureau of Industry and Security (BIS).

SAP became the first company to benefit from a Justice Department policy announced in 2019 that requires a separate self-disclosure to prosecutors to receive leniency, authorities said.

“SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated and remediated,” said Assistant Attorney General John C. Demers. “We hope that other businesses, software or otherwise, heed this lesson.”  

A statement from SAP said the company accepted full responsibility for its conduct, and that it has enhanced its internal controls to ensure compliance with applicable laws. The company will not be required to retain an external monitor, the statement said. 

SAP made the voluntary self-disclosures to the Justice Department and the Treasury in September 2017, and to BIS in early 2018, according to a statement of facts attached to the non-prosecution agreement. The company took a series of remedial actions, including terminating partners who sold to Iranian companies; firing employees who knowingly sold products to Iran; blocking downloads from Iran and other embargoed jurisdictions; and developing an improved compliance program, including geolocation screening, OFAC said.

The vast majority of the Iranian downloads were made by 14 companies, which SAP partners in Turkey, the United Arab Emirates, Germany and Malaysia knew were Iranian-controlled front companies, prosecutors said. The remaining downloads went to several multinationals with operations in Iran that downloaded the software, patches or updates there, prosecutors said.

The partners had sold the licenses to companies in third countries, which SAP referred to as “pass-through entities,” and those entities in turn provided the software to Iranian users, according to the OFAC notice. SAP failed to conduct due diligence on the partners, which had publicized the Iranian business ties on their websites, OFAC said. The company also failed to investigate whistleblower allegations related to the partners’ Iranian sales; it later substantiated the tipster’s claims, the statement of facts and the OFAC notice both said.

Multiple internal audits found that SAP did not screen customers’ IP addresses, resulting in the company’s inability to track where the software was downloaded, the OFAC notice said. SAP didn’t implement a geolocation screening process until 2015, and a subsequent internal probe confirmed that the software was being downloaded in Iran, OFAC said in the notice.

Separately, SAP’s Cloud Business Group companies (CBGs) allowed the Iranian users to access cloud services despite SAP learning, through pre-acquisition due diligence and post-acquisition audits, that the CBGs lacked adequate compliance programs, according to prosecutors. After the acquisitions, SAP allowed them to operate as standalone entities and did not fully integrate them into the more-robust compliance program at the parent, prosecutors said.

Instead, SAP relied on an under-resourced U.S.-based export compliance team to handle the compliance processes for the CBGs, according to the OFAC notice. But compliance processes weren’t consistent across all of the CBGs, and some didn’t view it as necessary, the OFAC notice said. The U.S.-based team reported the issue to the German parent but received limited support; compliance deficiencies weren’t addressed until September 2017, the same month as the voluntary self-disclosure, OFAC said.

“This enforcement action highlights for global companies providing software products online, including through cloud-based services, direct downloads, or other such means, the importance of implementing a risk-based sanctions compliance program commensurate with their size and sophistication and appropriate to their marketing and operational structures,” OFAC said.