In a precedent-setting agreement, the Justice Department, OFAC and the Bureau of Industry and Security announced a settlement with SAP SE for more than $8 million for numerous violations of the Iran Sanctions program.

While the Justice Department’s National Security Division (“NSD”) has settled prior export control and sanctions cases against corporations for violations of the North Korea Sanctions program, the SAP case is the first in which DOJ’s NSD flexed its new Export Control and Sanctions Enforcement Policy for Business Organizations, by crediting voluntary disclosure, cooperation and remediation. Further, the SAP settlement provides important insights into DOJ’s export control and sanctions compliance expectations.

The SAP case pushes DOJ’s views and expectations for export control and sanctions compliance programs.  Like the past history of enforcement actions and compliance program requirements involving the FCPA, DOJ’s SAP settlement is the beginning of a new, aggressive approach to export and sanctions compliance standards beyond those required by OFAC and BIS.

As a result, global companies have to review, once again, their export control and compliance programs in accordance with new and important DOJ precedent. In light of DOJ’s anticipated aggressive approach to export control and sanctions enforcement, proactive compliance measures are warranted to ensure effective compliance strategies.

SAP, a German software company, entered into a non-prosecution agreement (“NPA”) for illegally exporting its US-made software products to users in Iran.  SAP agreed to pay DOJ $5.14 million, OFAC $2.13 million, and Commerce/BIS $3.29 million.  The BIS payment was credited against the OFAC payment to reach a total of over $8 million.

SAP earned a NPA under DOJ’s Export Control and Sanctions Enforcement Policy by voluntarily disclosing the conduct, cooperating with the DOJ, OFAC and BIS investigations and implementing comprehensive remediation.

SAP conducted an extensive internal investigation and cooperated over a three-year period, producing thousands of translated documents, answering inquiries, and making foreign-based employees available for interviews. SAP also spent more than $27 million to remediate its export compliance and sanctions program, including: (1) implementing GeoIP blocking; (2) deactivating thousands of individuals users of SAP cloud based services based in Iran; (3) transitioning to automated sanctioned party screening; (4) auditing and suspending SAP partners that sold to Iran-affiliated customers; and (5) conducting more robust due diligence at the acquisition stage by requiring new acquisitions to adopt GeoIP blocking and requiring involvement of the Export Control Team before acquisition.  

The BIS settlement agreement requires SAP to conduct annual internal audits of its export control and sanctions compliance program over a three-year period and produce the audit reports to BIS.

SAP’s conduct involved a large number of violations and occurred over a seven-year period, from 2010 to 2017, when it initially disclosed the violations to the government.  SAP and its overseas business partners released its US-origin software, including upgrades, and/or software patches more than 20,000 times to users located in Iran.  In addition, from approximately 2011 to 2017, SAP’s Cloud Business Group (“CBG”) permitted approximately 2,360 Iranian users to access U.S.-based cloud services from Iran.  SAP acquired a number of CBGs during this time period and became aware through pre-acquisition due diligence and post-acquisition audits, that these companies lacked adequate export control and sanctions compliance processes.

SAP also implemented enhanced export control and sanctions compliance remediation, and agreed to continue these improvements.