On April 29, 2021, the SAP SE, a global software company based in Germany, reached a global resolution with the US Departments of Justice, Commerce and Treasury after SAP voluntarily disclosed to all three agencies that it violated the Export Administration Regulations and Iranian Transactions and Sanctions Regulations (ITSR). Under the settlement, SAP agreed to pay over $8 million in combined penalties and disgorge $5.14 million in unlawful gains. The DOJ reports that this is the agency’s first resolution entered pursuant to export control and sanctions enforcement policies related to business organizations. The DOJ extended the Non-Prosecution Agreement to SAP because of the company’s voluntary disclosure of violations, its extensive cooperation with investigators and significant remediation efforts that totaled more than $27 million.
Between 2010 and 2017, SAP and its overseas partners engaged in 190 apparent violations of the ITSR for exporting US-origin software and related services to Iran. According to the DOJ, SAP allowed users in Iran to download its software and software-related upgrades and patches more than 20,000 times, due to the company’s failure to use geolocation filters to identify and block these downloads – a fact that SAP senior executives were allegedly aware of but failed to remedy for many years. In addition, between 2011 and 2017, SAP allegedly allowed approximately 2,360 users in Iran to access US-based cloud services, after SAP acquired various Cloud Business Group companies (CBGs) with inadequate export controls and sanctions compliance programs. Even though SAP knew that their compliance policies inadequate, SAP allowed the CBGs to operate as usual rather than require them to adopt SAP’s more stringent policies, thereby enabling the unlawful cloud access.
SAP also entered concurrent agreements with the Department of Commerce’s Bureau of Industry and Security (BIS) and the Department of Treasury’s Office of Foreign Assets Control (OFAC). OFAC specifically disclosed that its portion of the settlement with SAP was approximately $2 million in civil penalties, based on OFAC’s determination that SAP’s 190 apparent violations were non-egregious and voluntarily self-disclosed.
Several government officials, including Assistant Attorney General John Demers with the DOJ’s National Security Division, stated that this resolution should send a strong message to US companies that while export controls and sanctions violations are severe and should be taken seriously, there is a clear benefit to companies that voluntarily disclose such violations and cooperate with authorities to resolve them.