Sanctions-as-a-Service: US Regulators Escalate Sanctions Enforcement Priorities Into the Cloud with SAP Settlement
On April 29, 2021, the Departments of Justice, Commerce and Treasury announced a global resolution with SAP SE (SAP), a multinational software company based in Germany, arising from the company's disclosure that it had provided software to users in Iran in violation of export and sanctions regulations.[1] Specifically, SAP entered into a Non-Prosecution Agreement with the Department of Justice (DOJ), and separately entered into administrative agreements with the Bureau of Industry and Security (BIS) and the Office of Foreign Assets Control (OFAC), after it made voluntary disclosures to all three agencies acknowledging years of violations of the Export Administration Regulations (EAR) and the Iranian Transactions and Sanctions Regulations (ITSR).[2] SAP's voluntary disclosures led to remediation that cost the company more than $27 million in enhancements to its export and sanctions compliance programs; the company has also agreed to pay over $8 million in penalties across the three resolutions.
The SAP settlement is the most significant of a number of recent sanctions and export controls enforcement matters involving the provision of remote or cloud-based services to sanctioned or restricted parties. Historically the financial sector has faced the most sanctions risk, and banks have spent decades building sophisticated compliance programs to avoid US sanctions violations. More recently, companies in the tech sector, from established behemoths such as Apple[3] and Amazon[4] to startups, have faced sanctions enforcement for providing services to sanctioned parties. Because it takes very little capital to begin serving customers worldwide over the internet, and because many of the key resources for providing such services are located in or sourced from the US (including the necessary software, technology and server capacity), the US government has focused over the past 18 months on sanctions compliance in the tech industry. The global resolution is in fact the second US government enforcement action in recent months to highlight the importance of implementing access controls with respect to sanctioned countries. In December 2020, OFAC announced a settlement agreement with BitGo, Inc. (BitGo) as a result of BitGo's failure to filter out users with IP addresses in sanctioned countries and territories.[5]
The SAP settlement also follows close on the heels of another recent OFAC action against SITA, a Swiss telecommunications company that, in 2020, settled apparent violations involving the provision of messaging services that were routed through hardware located in the US.[6]
The global resolution with SAP reflects a growing willingness among export, trade and sanctions regulators to assert jurisdiction over the activities of tech companies, where the main jurisdictional hook is the presence of information on US servers.
For companies that provide global services, these cases generally point to a few key themes:
- Sanctions and export controls compliance procedures need to be implemented into all stages of a company’s product lifecycle, from sales to customer support.
- Despite the cost and burden, the US government has repeatedly emphasized the need for a robust screening program, even where there are many users dispersed globally and the company does not have substantial information on its users.
- Where possible, companies should use geofencing and other technical controls to prevent services from being provided to sanctioned or embargoed countries or jurisdictions without authorization.
- Companies must take primary responsibility for trade compliance, including where they use third-party agents and distributors. Third parties have been a significant source of sanctions exposure in recent cases, and their involvement has not absolved the first party of liability.
The bottom line is that, just as the US government expects banks to monitor global money flows and to prevent prohibited transactions, the recent cases demonstrate that companies are similarly expected to monitor and ensure compliance throughout the global flow of data.
What Were SAP’s Violations?
SAP is a developer of enterprise software that businesses use to manage their operations and customer relations. Headquartered in Germany, SAP distributes software licenses, maintenance and update services, and cloud-based subscription services in over 180 countries. According to the settlement materials, SAP sells its software and services both directly to customers and through third-party resellers (SAP Partners). The conduct that led to SAP's apparent EAR and ITSR violations (and to the three agency resolutions) arose from two groups of activities. First, SAP and SAP Partners allowed users in Iran to access software by downloading it directly from SAP servers in the United States or through SAP's US-headquartered content delivery provider. Second, SAP provided cloud-based software subscription services that Iranian users accessed remotely through SAP's cloud businesses in the United States.
From 2010 to 2017, SAP Partners in Turkey, the United Arab Emirates (UAE), Germany and Malaysia sold software licenses and other services to certain overseas companies, including some that were controlled by Iranian companies. Ultimately, SAP released US-origin software, including patches and upgrades, more than 20,000 times to end users located in Iran. SAP never received a license to export this software to Iran. The majority of the Iranian downloads went to fourteen Iranian-controlled front companies, with the remainder going to multinational companies with operations in Iran. Those multinationals provided SAP software to their Iranian employees, leading to downloads of software, updates or patches from locations in Iran.
Even though SAP Partners led the sales, SAP itself was aware of the weaknesses in its export and sanctions compliance program. After a 2006 internal audit, SAP's senior executives knew that neither the company nor its US-based content delivery provider used geo-location filters to identify or block downloads from Iranian IP addresses; the company did not remedy this until 2015. Internal communications also indicated that SAP managers oversaw sales of SAP software and services from the United States, or by US persons, to pass-through entities, knowing that those entities would provide the software and services to Iranian companies. SAP personnel even traveled to Iran to secure SAP software sales.
Additionally, SAP failed to conduct sufficient due diligence on SAP Partners; some SAP Partners publicized their business ties with Iranian companies on their own websites. SAP also did not adequately investigate whistleblower allegations it received between approximately July 2011 and March 2016 claiming that SAP software had been sold to Iranian front companies registered in the UAE, Turkey and Malaysia.
Two of SAP's US subsidiaries that deal in cloud networking also provided cloud-based subscription services to customers who, in turn, provided access to users located in Iran. SAP acquired cloud business subsidiaries in 2011 and, through pre-acquisition due diligence as well as post-acquisition export control-specific audits, learned that these companies lacked adequate export control and sanctions compliance processes. Instead of improving those processes or fully integrating the subsidiaries into SAP's existing compliance measures, SAP allowed them to function as standalone entities, despite the fact that their compliance programs were under-resourced and under-staffed. SAP did not appropriately address the compliance deficiencies within its cloud business subsidiaries until September 2017.
How Did the US Government Arrive at $8 Million?
SAP's Non-Prosecution Agreement with DOJ includes a provision that SAP will disgorge $5.14 million of its Iran-related profits. Concurrently, SAP entered into separate agreements to pay $2.13 million to OFAC and $3.29 million to BIS. The OFAC amount was credited against the larger BIS payment, so the combined total across the three resolutions is just over $8 million.
The civil penalty to which SAP agreed represents a steep departure from the statutory maximum penalty, which OFAC calculated at $56,025,470. OFAC arrived at the substantially lower actual penalty by following its Economic Sanctions Enforcement Guidelines and weighing the aggravating factors of SAP's conduct against certain mitigating factors.
OFAC found that the following aggravating factors militated against leniency with respect to SAP’s civil monetary penalty:
- Reckless disregard and failure to exercise a minimal degree of caution or care for US economic sanctions: OFAC determined that, despite multiple internal audits over a period of at least eight years highlighting sanctions risks, and despite warnings from its own compliance personnel about compliance program deficiencies, SAP failed to act on that information. The settlement further stated that SAP ignored warning signs such as whistleblower claims.
- Recklessness: In OFAC's view, SAP was reckless in not having a compliance program commensurate with its size. SAP's failure to implement controls such as geo-location IP address screening in a timely fashion, to conduct adequate due diligence on its third-party partners, and to impose adequate controls or compliance measures on SAP Partners and its own subsidiaries contributed to OFAC's conclusion.
- Direct knowledge or reason to know of the violations: OFAC determined that certain SAP managers and personnel knew that SAP software was being purchased by companies that enabled the products’ use in Iran. Further, certain SAP Partners publicized their Iranian ties.
- Harm to US sanctions program and foreign policy objectives: The settlement agreement concluded that SAP's actions conferred an economic benefit on Iran by providing software with a total value of $3.9 million.
- Sophistication: In OFAC’s view, SAP is a sophisticated company with significant international business.
Each agency noted that SAP voluntarily disclosed its violations, in addition to the fact that it cooperated with investigators at DOJ, OFAC, and BIS. Indeed, DOJ gave SAP full credit for its voluntary self-disclosure, as well as for its cooperation.
OFAC highlighted three main mitigating factors that warranted the significant departure from the statutory maximum penalty. First, SAP had no prior sanctions history in the five years preceding the earliest date of the activities that gave rise to the apparent violations. Second, OFAC found that SAP substantially cooperated with the investigation, including by enabling investigators to interview SAP employees overseas. Third, OFAC stated that SAP took “significant remedial actions,” which included:
- Developing an enhanced compliance program, with geo-location IP screening;
- Terminating all SAP Partners who sold software or services to Iran; all users associated with companies that provided software or services to Iran; and all five SAP employees who were found to have knowingly engaged in sales to Iran, or who failed to comply with SAP’s policies prohibiting such sales;
- Hiring six new employees responsible for export and sanctions compliance; and
- Blocking all downloads from Iran.
In addition to some of the factors noted by OFAC, DOJ highlighted further remedial steps that it credited in its own agreement with SAP, including:
- Deactivating thousands of users of SAP's cloud-based services located in Iran;
- Transitioning to automated sanctioned party screening of its cloud business groups;
- Auditing and terminating SAP Partners engaged in sales to Iranian companies;
- Implementing enhanced export employee training across the company, as well as a risk-based export control framework for SAP Partners that requires a stringent review of proposed sales by a third-party auditor; and
- Conducting more robust due diligence at the acquisition stage by requiring new acquisitions to adopt GeoIP blocking and requiring involvement of the Export Control Team before acquisition.
These remedial measures cost SAP a reported $27 million. Further, as part of BIS's enforcement action, SAP has agreed to complete three audits of its export compliance program over a three-year period.
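The two technical controls that run through this matter, geo-location IP screening at the download and cloud endpoints (the "geofencing" theme above, and the remediation SAP was credited for) and automated screening of the account holder against a denied-party list (the cloud business remediation), look roughly like the following. This is an added illustration written for this page, not SAP's code or anything published by DOJ, OFAC or BIS. The IP-to-country table uses RFC 5737 and RFC 3849 documentation prefixes mapped to country codes purely for the example (a real deployment queries a licensed GeoIP database), the denied-party names are fictitious, and the `EMBARGOED` set is configuration rather than a complete list of OFAC programs; Iran ("IR") is the jurisdiction at issue on this page. Two caveats the settlements make relevant are built in: the `X-Forwarded-For` header is honored only when the direct peer is one of the company's own proxies, because otherwise the client can simply claim a friendly address, and an address the database cannot place fails closed rather than open.

```python
"""Geofence plus denied-party screen for a software download or cloud login.

Added example for this page; not SAP's code. Tables are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Jurisdictions to geofence. "IR" is the case discussed on the page; this set is
# policy configuration, not an exhaustive list of comprehensively sanctioned programs.
EMBARGOED = {"IR"}

# Constructed IP-to-country table (documentation prefixes; not real allocations).
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("2001:db8:1::/48"), "IR"),
    (ipaddress.ip_network("2001:db8:2::/48"), "US"),
]

# Constructed denied-party list for the account-level screen (fictitious names).
DENIED_PARTIES = ["Fictitious Front Trading LLC", "Example Pass-Through GmbH"]


def lookup_country(ip: IPAddr) -> Optional[str]:
    """Longest-prefix match against GEOIP_TABLE; None when the address is unmapped."""
    best = None
    for net, cc in GEOIP_TABLE:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> IPAddr:
    """Resolve the real client address.

    X-Forwarded-For is attacker-controlled unless the direct peer is one of our own
    proxies, so it is honored only then, and read right-to-left past further trusted
    hops. A malformed header or an all-trusted chain falls back to the direct peer."""
    proxies = [ipaddress.ip_network(p) for p in trusted_proxies]
    peer = ipaddress.ip_address(remote_addr)

    def trusted(addr: IPAddr) -> bool:
        return any(addr.version == n.version and addr in n for n in proxies)

    if not xff or not trusted(peer):
        return peer
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if not trusted(addr):
            return addr
    return peer


@dataclass
class Decision:
    allowed: bool
    reason: str
    country: Optional[str] = None


def geofence(remote_addr: str, xff: Optional[str] = None,
             trusted_proxies: Iterable[str] = (), fail_closed: bool = True) -> Decision:
    """Deny when the client geolocates to an embargoed jurisdiction.

    An unmapped address (private range, a VPN exit the database has no record for)
    is denied by default and should be routed to manual review, not waved through."""
    ip = client_ip(remote_addr, xff, trusted_proxies)
    country = lookup_country(ip)
    if country is None:
        return Decision(not fail_closed, "no geolocation for %s" % ip)
    if country in EMBARGOED:
        return Decision(False, "client in embargoed jurisdiction", country)
    return Decision(True, "ok", country)


def _normalize(name: str) -> str:
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", name.casefold()).split())


def screen_party(name: str) -> Optional[str]:
    """Return the denied-party entry the name matches, or None.

    Matches on the normalized string and on all-tokens-present, so punctuation and
    case changes such as 'the FICTITIOUS front-trading llc' still hit."""
    tokens = set(_normalize(name).split())
    for entry in DENIED_PARTIES:
        e = _normalize(entry)
        if _normalize(name) == e or set(e.split()) <= tokens:
            return entry
    return None


def authorize_download(remote_addr: str, account_name: str, xff: Optional[str] = None,
                       trusted_proxies: Iterable[str] = ()) -> Decision:
    """Both controls in sequence: geofence the connection, then screen the account."""
    decision = geofence(remote_addr, xff, trusted_proxies)
    if not decision.allowed:
        return decision
    hit = screen_party(account_name)
    if hit:
        return Decision(False, "account matches denied party: %s" % hit, decision.country)
    return decision
```

The geofence alone would not have caught the pass-through sales described above, where the downloading address was in the UAE or Turkey and only the end customer was Iranian; that is why the account-level screen, and the partner due diligence the agencies credited, sit alongside it rather than replacing it.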
The SAP action highlights the importance of risk-based sanctions compliance programs for global companies providing software products online, including cloud-based services. This includes due diligence on all third-party vendors and distributors, and on customers who might in turn provide those services to employees or other users in sanctioned countries.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
[1] See, e.g., Press Release, U.S. Dep't of Justice, SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and Enters into Non-Prosecution Agreement with DOJ (Apr. 29, 2021).
[2] Id.; see also Enforcement Release, OFAC Settles with SAP SE for Its Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions Regulations (Apr. 29, 2021); Press Release, SAP Resolves Allegations of Export Control Law Violations with $3.29 Million Administrative Settlement (Apr. 29, 2021).
[3] See, e.g., Enforcement Release, Apple, Inc. Settles Potential Civil Liability for Apparent Violations of the Foreign Narcotics Kingpin Sanctions Regulations (Nov. 25, 2019).
[4] See, e.g., Enforcement Release, OFAC Settles with Amazon.com, Inc. with Respect to Potential Civil Liability for Apparent Violations of Multiple Sanctions Programs (July 8, 2020).
[5] Arnold & Porter, Bits Too Far: Digital Wallet Company Settles OFAC Sanctions Violations, Enforcement Edge (Jan. 15, 2021).
[6] OFAC, Enforcement Information for February 26, 2020 (Feb. 26, 2020).