The Headline from the SAP Settlement: It’s a New Dawn for Export and Sanctions Compliance (Part IV of IV)
The Department of Justice’s National Security Division, like its counterpart, the Criminal Division, has made a splash in the enforcement and compliance arena. DOJ has elevated the importance and standing of export and sanctions enforcement to make one message clear – DOJ will hold companies accountable for criminal violations of U.S. export and sanctions laws. And it will do so with the carrot and stick approach – so long as companies voluntarily disclose, cooperate and remediate, DOJ will give the company a carrot – a DPA, NPA and a reduced penalty.
We are witnessing an important transformation in the enforcement landscape – prior to the SAP case, OFAC and BIS drove the enforcement train with civil enforcement and settlements. DOJ concentrated on individual criminal schemes often focusing on Iran, China and North Korea, for national security reasons.
The SAP settlement cements, and marks the beginning of, enforcement coordination between DOJ and the administrative agencies, OFAC and BIS, akin to that between the SEC and DOJ in the FCPA area. You can add to the mix the State Department’s ITAR program administered by the DDTC, which has coordinated on important national security cases involving military items.
DOJ will make its mark and will do so quickly. The SAP settlement is a commitment to the carrot but with some real and significant costs. DOJ’s broad outline of compliance program requirements moves well beyond those required by OFAC in its May 2019 Guidance. Indeed, the new compliance requirements will quickly gain weight and influence as best practice expectations relating to internal reporting systems, timely review of complaints, training, third-party notifications, and audits. Some companies may already have met these new and specific requirements. Most have not, and it will be incumbent on companies to address these issues as soon as possible.
DOJ’s arrival on the scene coincides with the new DOJ mantra of aggressive enforcement. It is hard to know whether this new approach reflects a push from the Attorney General’s or Deputy Attorney General’s Office, but suffice it to say, this is a harbinger of other initiatives likely to follow in other areas, including FCPA, antitrust, money laundering and financial crimes.
Looking closer at the SAP settlement, it is evident that many of the same suspects or compliance deficiencies occurred. The specific issues have broad application to cloud-based software services and delivery technology. To name a few:
IP Blocking: Global cloud-based companies have to ensure that they have the ability to block IP addresses linked to prohibited countries, such as Cuba, Iran, Syria, North Korea, and the region of Crimea. As technology companies, cloud-based companies cannot claim ignorance or lack of will. They have to implement robust systems and they have to do it now.
Third-Party and End User Risks: What a surprise!! Yes, third-party agents, resellers, distributors, and subs of each of these functions have to be managed. A lack of due diligence on the front end is a recipe for disaster. More importantly, global companies have to understand the entire distribution chain – from the company to the end user – to know where each participant is located, where the services are used, and the payment system employed.
SAP’s compliance efforts on this subject were obviously deficient. SAP conducted minimal, if any, due diligence of various resellers that turned out to be Iran front companies, controlled by Iran nationals who, in turn, provided SAP’s services to Iran customers. SAP’s compliance program ignored these risks and no attempt was made to tailor its controls to identify and fix these potential violations.
Acquisition of Cloud-Based Companies: SAP failed to conduct robust due diligence of acquired companies and did not conduct appropriate post-acquisition audits. Like the FCPA arena, global companies have to conduct pre-acquisition due diligence and post-acquisition audits to identify deficiencies in the target company’s export control and sanctions compliance program, as well as any potential violations of these laws and regulations.
Response to Compliance and Audit Findings: Like almost every major DOJ enforcement action against a global company, the SAP case presents yet another instance in which internal audit or compliance functions identify compliance program deficiencies and are ultimately ignored by senior management. Again, DOJ should ask the rhetorical question – why have an internal audit or compliance function if they will be ignored when they detect violations of law?