SAP’s Comprehensive Export Control and Sanctions Settlement – A New Compliance Frontier for Cloud-Based Services (Part III of IV)
The Justice Department’s National Security Division used the SAP comprehensive settlement of export control and sanctions violations to send a message – a loud and clear one.
As the first real flexing of its Business Organizations Corporate Enforcement policy, the Justice Department underscored that companies that voluntarily disclose illegal conduct, fully cooperate, and implement timely and robust remediation will earn a non-prosecution agreement or deferred prosecution agreement and a significant reduction in corporate fines.
SAP’s illegal conduct was broad, systemic and covered a long period – at least seven years. SAP knew that the illegal conduct was occurring through direct sales and indirect third-party reseller sales. Indeed, SAP ignored or delayed several audit findings and recommendations to institute compliance measures, improve its compliance programs, and increase resources and compliance technologies needed to support an effective program. Notwithstanding all of these problems, DOJ cited SAP’s voluntary disclosure in 2017, its full cooperation, and its remediation and compliance improvements.
SAP now stands as a poster child for other companies facing internal discoveries of export control and sanctions compliance deficiencies.
SAP’s fate is a warning sign to cloud-based services and raises the importance of export control and sanctions compliance for these types of business operations. Global companies that provide software products online, including through cloud-based services, direct downloads or other means, face enormous risks unless robust controls are implemented. Screening processes should focus on IP address identification and blocking capabilities, especially where the company has only an indirect connection (through a third party) with the end user. Due diligence of each party in the chain is critical.
SAP spent a total of $27 million to enhance its export controls and sanctions compliance program. SAP’s remedial actions, in response to its years of misconduct, included: (1) terminating all users associated with the third-country entities that provided software and services to Iran, and Iranian cloud services; (2) terminating third-party resellers engaged in sales to Iranian companies; (3) blocking all downloads of software, support, and maintenance from Iran and other embargoed countries; (4) implementing a risk-based export control framework for resellers that requires a stringent review of proposed sales by a third-party auditor; (5) developing and implementing an improved compliance program, including geolocation IP screening; (6) hiring more than six new employees responsible for export control and trade sanctions compliance; and (7) terminating five employees found to have knowingly engaged in the sale of SAP products to Iran or failed to adhere to SAP internal policy prohibiting sales to embargoed countries.
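As an added illustration of the geolocation IP screening and embargoed-country download blocking described in the two paragraphs above (this is example code written for this page, not SAP’s or DOJ’s), the following gate denies a download request unless the source address resolves to a non-embargoed country, fails closed on unknown or unparseable addresses, and records every decision for later audit. The geolocation table and the embargoed-country set are constructed placeholders; a real deployment would use a maintained geolocation database and the current OFAC program list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Constructed geolocation table (network -> country) built from documentation
# prefixes, not real allocations; production code queries a maintained geolocation
# database. Overlapping entries show that the most specific prefix wins.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.128/25"), "CU"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("2001:db8:1::/48"), "IR"),
]
# Constructed deny list: Iran is named on the page; the rest stand in for "other
# embargoed countries" and must track the current OFAC sanctions programs.
EMBARGOED = {"IR", "CU", "KP", "SY"}

@dataclass(frozen=True)
class Decision:
    ip: str
    country: Optional[str]
    allowed: bool
    reason: str

def lookup_country(ip_text: str) -> Optional[str]:
    """Longest-prefix match against GEO_TABLE; None when the address is unmapped."""
    addr = ipaddress.ip_address(ip_text)
    best = None
    for net, cc in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None

def screen_download(ip_text: str, audit_log: List[Decision]) -> Decision:
    """Fail-closed gate: allow only an address mapped to a non-embargoed country;
    unparseable or unmapped (e.g. private) addresses are denied and every decision is logged."""
    try:
        ipaddress.ip_address(ip_text)
    except ValueError:
        decision = Decision(ip_text, None, False, "unparseable address")
    else:
        cc = lookup_country(ip_text)
        if cc is None:
            decision = Decision(ip_text, None, False, "unknown geolocation, fail closed")
        elif cc in EMBARGOED:
            decision = Decision(ip_text, cc, False, f"embargoed jurisdiction {cc}")
        else:
            decision = Decision(ip_text, cc, True, "permitted")
    audit_log.append(decision)
    return decision
```

The audit_log list is what a testing-and-auditing function (element 4 of the OFAC framework discussed below) would sample to verify that the screening actually denies embargoed and unresolvable sources.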
DOJ’s compliance fine print is located in Attachment B to the non-prosecution agreement. SAP is directed to maintain a “rigorous” export control and sanctions compliance program. At a minimum, DOJ requires SAP to maintain the five required elements set forth in OFAC’s Sanctions Compliance Program Framework: (1) Senior Management Commitment; (2) a Risk Assessment; (3) Internal Controls; (4) Testing and Auditing; and (5) Training.
But DOJ extends compliance requirements beyond those in the OFAC Guidance to include a broad range of additional requirements. These are described below and are important statements of expectations:
Internal Reporting and Timely Review Requirements: SAP is mandated to maintain a confidential and anonymous hotline reporting system, including telephone numbers and email addresses, that directors, officers, employees, agents, and business partners are informed of and can use to report violations of export and sanctions laws, SAP’s policies and procedures, and its ethics policy. All messages received on this internal reporting system shall be reviewed by SAP’s head of export control compliance or group compliance officer within five (5) days of receipt. SAP shall publicize this confidential and anonymous reporting system and underscore its commitment to non-retaliation against any reporter.
Broad Training Requirements: SAP shall conduct annual ethics and export control and sanctions training for directors, officers, and its employees. The training program shall cover, at a minimum: (1) all relevant U.S. export and sanctions laws; (2) SAP’s code of business conduct; (3) SAP’s export compliance policies, controls, and procedures, including record-keeping requirements, and the requirements to respond to, notify of, and resolve any violation of these requirements; and (4) a commitment by SAP’s senior executive board to communicate, in writing or by video, its endorsement of the training program. SAP is mandated to begin this training program within 90 days of execution of the NPA.
Third-Party Business Partner Notification: SAP is required to notify its third-party business partners, including agents, consultants, representatives, distributors, and partners, of their obligation to report any violations of export and sanctions laws, SAP’s code of conduct or relevant export and sanctions compliance policies. SAP is required to begin this process within 180 days after execution of the NPA.
Audits: SAP is required to conduct audits of newly-acquired companies to determine whether the company has sufficient export and sanctions compliance controls. If SAP identifies any violations, SAP is required to notify and report to DOJ no later than 5 days after completion of the audit. If the newly-acquired company has an insufficient export and sanctions compliance program in place, SAP has 90 days from the completion of the audit to implement a sufficient compliance program. If additional time is needed to complete the remediation project, SAP may seek an extension from DOJ.
Discipline: DOJ required SAP to implement a written disciplinary policy setting forth a system applicable to all directors, officers, employees, and business partners in response to a violation of export or sanctions laws, SAP’s code of conduct, and SAP’s export control compliance policies and procedures.
Notification and Reporting of Violations to DOJ: SAP is required to notify DOJ of any credible evidence of any potential criminal violation of U.S. export control or sanctions laws. DOJ may require SAP to produce non-privileged documents relating to such a possible criminal violation. In addition, SAP may have to provide DOJ with an investigative plan and any resulting remedial measures.