SAP SE Settlement With US Federal Agencies Signals Additional Sanctions and Export Controls Compliance Burden

On April 29, 2021, SAP SE (SAP), a leading international provider of enterprise application software based in Germany, entered into settlements and a non-prosecution agreement (collectively, the SAP settlements) with US federal agencies for alleged violations of US sanctions and US export controls with respect to Iran. SAP entered into a non-prosecution agreement with the National Security Division (NSD) of the US Department of Justice (DOJ) for $5,140,000, and entered into settlement agreements with the Bureau of Industry and Security (BIS) of the US Department of Commerce for $3,290,000, and the Office of Foreign Assets Control (OFAC, and collectively with the NSD and BIS, the US federal agencies) of the US Department of the Treasury for $2,132,174.

The press release from the DOJ announcing the settlements indicates that SAP conducted an “extensive,” three-year internal investigation into the alleged violations, which dated to between 2010 and 2017.  SAP voluntarily reported the violations to the NSD and OFAC on September 8, 2017, and to BIS on January 11, 2018.  In addition, SAP undertook a reported $27 million in remedial measures, and, among other commitments, agreed to perform annual “audits” of its compliance function, and to turn the results over to US authorities for review.  In its press release, the DOJ credited these measures for a significant reduction in the penalties assessed against SAP.  Notably, the DOJ stated that the penalties would have been “far worse” if SAP had not “disclosed, cooperated, [and] remediated.”

The SAP settlements mark a significant new development in sanctions and export controls compliance, marking the first-ever instance of the DOJ applying its December 2019 Export Control and Sanctions Enforcement Policy for Business Organizations (DOJ Enforcement Policy) following a voluntary disclosure.  The DOJ Enforcement Policy has important implications for sanctions compliance best practices going forward, and underscores the Justice Department’s increased interest in enforcement actions related to sanctions and trade controls.  Moreover, the SAP settlements illustrate the extraterritorial scope of US sanctions and export controls enforcement.  Although SAP is based in the EU, the location of subsidiaries and servers in the United States was key focus of the violations alleged in the SAP settlement documents.

Background

SAP is alleged to have violated US financial sanctions pursuant to the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. §§ 1701 et seq., and the Iranian Transactions and Sanctions Regulations (ITSR), 31 C.F.R. Part 560, and US export controls pursuant to the Export Administration Regulations (EAR), 15 C.F.R. Parts 730-774.  The US federal agencies alleged two broad categories of violations, involving (i) so-called “on-premise” software (i.e., software running on the user’s local hard drive) being made available to Iran-based users; and (ii) granting access to certain US-based cloud services to Iranian users.  We briefly address the facts relevant to each category of violation below.

Regarding the “on-premise” software, SAP allegedly permitted Iran-based users to download the software from SAP servers, as well as from SAP’s Content Delivery Provider based in the United States.  Various internal audits in the relevant period identified “gaps” in SAP’s export compliance function, e.g., SAP was not verifying the countries from which “on-premise” downloads were made.  In addition, certain non-US affiliates of SAP (SAP Partners) based in Turkey, the United Arab Emirates, Germany, and Malaysia sold and distributed SAP on-premise software to Iranian “front companies” or “pass-through entities.”  SAP not only allegedly received whistle-blower complaints regarding these practices and failed to take action to correct them; the websites of certain SAP Partners reportedly “touted their business ties to Iranian companies . . . .”  Finally, 31 multinational companies that were existing customers of SAP allegedly were permitted to download SAP software, upgrades, or patches while in Iran through SAP’s US-based Content Delivery Provider.

Regarding cloud services, SAP is alleged to have permitted Iran-based users to access cloud services hosted on servers in the United States.  Specifically, SAP acquired various so-called Cloud Business Group companies (CBGs) located in the United States.  Despite pre-acquisition due diligence that suggested the CBGs “lack[ed] comprehensive export control and sanctions compliance programs,” SAP “allowed” the CBGs to continue to operate as standalone entities, without being “fully integrated into SAP’s more robust export controls and sanctions compliance program.”  The result of the alleged lapse in oversight of the US-based CBGs was that approximately 2,360 Iran-based users were able to access SAP’s cloud services via the CBGs.

Significance

The SAP settlements are significant for non-US companies operating in jurisdictions subject to US sanctions or engaging in transactions that involve items subject to US export controls, for the following reasons.

First, the SAP settlements mark a new level of coordination among the US federal agencies in sanctions and export controls enforcement, centered on the DOJ.  The DOJ refers to the SAP settlements as the “first-ever resolution” pursuant to the DOJ Enforcement Policy, which the DOJ released on December 13, 2019.  Notably, the DOJ indicates it will “continue to leverage” companies’ existing sanctions and export controls obligations to promote enforcement “through criminal, civil penalties, or both when appropriate.”  The coordination between the NSD, BIS, and OFAC suggests that, going forward, sanctions and export controls compliance may represent a greater focus of US law enforcement.

Second, the SAP non-prosecution agreement with the DOJ is likely to influence, in combination with the DOJ Enforcement Policy, how best practices for sanctions and export controls compliance are defined going forward.  This may present certain compliance challenges for companies, as companies may have to navigate different or competing compliance paradigms.  For example, OFAC issued its Economic Sanctions Enforcement Guidelines (OFAC Enforcement Policy) in November 2009 and its Framework for OFAC Compliance Commitments (OFAC Framework, and together with the OFAC Enforcement Policy, the OFAC Policies) in May 2019.  The OFAC Policies define OFAC’s positions on risk-based compliance and the factors that OFAC will consider in assessing penalties.  However, companies that have drafted internal protocols to comply with OFAC Policies might be well-served to revisit such policies in light of the DOJ Enforcement Policy.

Third, the SAP settlements reinforce certain best practices that have emerged from recent enforcement actions in the software and cloud based services context.  Beyond the familiar components of a risk-based compliance program such as adequate employee training, adequately staffing a company’s internal compliance team, and performing adequate due diligence on third parties, companies that provide cloud-based services and software would be well-advised to consider implementing a suite of “automated” sanctions and export controls compliance protocols such as IP blocking and automated screening services.  The remedial steps undertaken by SAP, listed below, reflect this combination of more traditional compliance strategies and automated functions:

• implementing GeolP blocking;
• deactivating thousands of individual users of SAP cloud based services based in Iran;
• transitioning to automated sanctioned party screening for its cloud businesses;
• auditing and suspending SAP Partners that sold to Iran-affiliated customers;
• requiring new acquisitions to adopt Geo IP blocking and requiring involvement of the Export Control team before acquisition;
• initiating enhanced export control employee training program across the company;
• terminating employees who were aware of the sale of SAP software to users in Iran;
• committing to maintain a risk-based export controls compliance program and mandating compliance certifications; and
• hiring approximately 15 additional professionals devoted exclusively to export control and sanctions compliance.

The importance of automated sanctions screening and IP blocking for companies doing business over the internet or in cloud-based services is reflected in recent enforcement actions by OFAC, including the July 2020 OFAC press release regarding settlement agreement with Amazon.

We will continue to monitor developments in this area, and encourage you to subscribe to be kept informed of latest developments. Please contact the authors or your usual Herbert Smith Freehills contacts for more information.

** This article was first published on our Sanction Notes blog **