SAP SE, a global software company headquartered in Waldorf, Germany, has agreed to pay combined penalties of more than $8 million as part of a global resolution with the U.S. Departments of Justice, Commerce, and the Treasury. SAP acknowledged violations of the Export Administration Regulations and the Iranian Transactions and Sanctions Regulations.
Between 2010 and 2017, SAP and its overseas partners released its U.S-origin software more than 20,000 times to users located in Iran. SAP senior management was aware that neither the Company nor its U.S.-based Content Delivery Provider used geolocation filters to identify and block Iranian downloads, yet for years the Company did nothing to remedy the issue. The vast majority of the Iranian downloads went to 14 companies, which SAP Partners in Turkey, United Arab Emirates, Germany, and Malaysia knew were Iranian-controlled front companies.
During the same period of time, SAP’s Cloud Business Group companies (CBGs) permitted approximately 2,360 Iranian users to access U.S.-based cloud services from Iran. Beginning in 2011, SAP acquired various CBGs and became aware, through pre-acquisition due diligence as well as post-acquisition export control-specific audits, that these companies lacked adequate export control and sanctions compliance processes. Yet, SAP made the decision to allow these companies to continue to operate as standalone entities after acquiring them and failed to fully integrate them into SAP’s more robust export controls and sanctions compliance program.
The Non-Prosecution Agreement is based upon SAP’s voluntary self-disclosure as well as extensive internal investigation and cooperation over a three-year period. SAP also implemented significant changes to its export compliance and sanctions program, spending more than $27 million on such changes, including, among other things detailed in the NPA: (1) implementing GeoIP blocking; (2) deactivating thousands of individuals users of SAP cloud based services based in Iran; (3) transitioning to automated sanctioned party screening of its CBGs; (4) auditing and suspending SAP partners that sold to Iran-affiliated customers; and (5) conducting more robust due diligence at the acquisition stage by requiring new acquisitions to adopt GeoIP blocking and requiring involvement of the Export Control Team before acquisition.
Concurrently with this agreement, SAP is entering into a BIS settlement agreement which requires SAP to conduct internal audits of its compliance with U.S. export control laws and regulations, and produce audit reports to BIS for a period of three years.