The U.S. Departments of Justice (DOJ) recently announced that German software company, SAP SE, agreed to pay $8 million in penalties as part of a global resolution with the DOJ, Commerce and Treasury Departments. In voluntary disclosures the company made to the three agencies, SAP acknowledged violations of the Export Administration Regulations and the Iranian Transactions and Sanctions Regulations. As a result of its voluntary disclosure to DOJ, extensive cooperation and a $27 million remediation program, the DOJ entered into a Non-Prosecution Agreement with SAP. As part of the agreement, SAP will also disgorge $5.14 million.
The resolution was the first under the DOJ’s Export Control and Sanctions Enforcement Policy for Business Organizations. This settlement serves as a strong message from the agency that businesses must abide by export control and sanctions laws, but if a violation does occur, there is a clear benefit to voluntary disclosure, full cooperation, and remediation.
As part of the agreement, SAP admitted to thousands of export violations between January 2010 and September 2017 wherein the company willfully exported, or caused the export, of its products to Iranian users, without a license. The violations happened in two ways. First, SAP and its overseas partners released U.S-origin software, including upgrades or software patches to users located in Iran. SAP senior executives were aware that geolocation filters were not being used to identify and block Iranian downloads, yet the company failed to fix the issue. Most of these Iranian downloads went to 14 companies, which were known to be Iranian-controlled front companies. The remaining downloads went to multinational companies with operations in Iran, which downloaded SAP’s software, updates, or patches from locations in Iran. Second, SAP’s Cloud Business Group companies permitted Iranian users to access U.S.-based cloud services from Iran. SAP was aware that these Cloud Business Group companies lacked adequate export control and sanctions compliance processes. Unfortunately, SAP allowed these companies to continue to operate as standalone entities after acquiring them without fully integrating them into SAP’s export controls and sanctions compliance program.
As part of the announcement, the DOJ acknowledged the Non-Prosecution Agreement recognizes the value of voluntary self-disclosure and cooperation. Not only did SAP issue a voluntary self-disclosure, but the company also cooperated with the government and conducted an extensive internal investigation over a three-year period. SAP produced thousands of translated documents, answered inquiries, and made foreign-based employees available for interviews. SAP also remediated and executed significant changes to its export compliance and sanctions program, spending more than $27 million on the changes. These changes included:
1. Implementing GeoIP blocking;
2. Deactivating thousands of individuals users of SAP cloud-based services based in Iran;
3. Transitioning to automated sanctioned party screening of its Cloud Business Group companies;
4. Auditing and suspending SAP partners that sold to Iran-affiliated customers;
5. Hiring experienced U.S.-based export controls staff, and
6. Conducting stronger due diligence with involvement of the Export Control Team and requiring new acquisitions to adopt GeoIP blocking.
In addition to the agreement with the DOJ, SAP also entered into administrative agreements with the Department of Commerce, Bureau of Industry and Security (BIS) and the Department of the Treasury, Office of Foreign Assets Control (OFAC). SAP will pay $3.29 million to Commerce and $5.14 million to the Justice Department. The more than $2 million OFAC fine will be waived after the payments to the Commerce and Justice departments. Among other things, the BIS settlement agreement will also require SAP to conduct internal audits of its compliance with U.S. export control laws and regulations and produce audit reports to BIS for a period of three years.
With export violations, a voluntary self-disclosure will not insulate a company from penalties. However, despite the hefty consequences, the government intends for this settlement to encourage companies to voluntarily self-disclose violations of the Arms Export Control Act (AECA), the Export Control Reform Act (ECRA), and the International Emergency Economic Powers Act (IEEPA) to DOJ’s National Security Division. Here, a voluntary self-disclosure, absent aggravating factors, creates a presumption in favor of a non-prosecution agreement and limits any monetary payment.
If you have any questions about possible violations of export control laws and sanctions regimes, do not hesitate to contact an attorney at Barnes, Richardson & Colburn LLP.