Over $8 Million in Fines - SAP Case Highlights Sanctions Risks and Compliance Expectations for Cloud Providers and Software Companies

Last week, three U.S. agencies – the Office of Foreign Assets Control (“OFAC”), the U.S. Department of Commerce (“Commerce”), and the U.S. Department of Justice (“DOJ”) – announced the global resolution of apparent U.S. sanctions violations by SAP SE (“SAP”), a German software company.

The settlement agreements with OFAC and Commerce, and the non-prosecution agreement with DOJ, highlight sanctions risks specific to the cloud and software industry and provide insight on the U.S. government’s compliance program expectations for companies that sell software and services online.

What happened

According to the agency notices, between 2010 and 2018, SAP supplied software and cloud-based services from the United States to third parties with reason to know that the offerings would be provided to users or customers in Iran. The violations transpired in two ways:

  • Sales of software through “pass through” entities – SAP sold software licenses and maintenance services to SAP resellers located in Turkey, the UAE, Germany, and Malaysia, which in turn, sold the licenses and services to third parties for end use in Iran. Iranian end-users then downloaded SAP software, updates, or patches from the company’s servers in the United States. The agencies noted that SAP failed to prevent downloads of its software from IP addresses associated with Iran, even though internal audits recommended the adoption of IP address geolocation screening. SAP also failed to conduct sufficient due diligence on its resellers, many of which publicized ties with Iranian companies on their websites.
  • Cloud services – SAP’s Cloud Business Group subsidiaries allowed 2,360 users in Iran to access U.S.-based cloud services. SAP became aware, through due diligence and audits, that its subsidiaries lacked adequate compliance controls over its cloud offerings, but did not take appropriate or timely remedial action.
SAP voluntarily disclosed the issues to the three agencies, cooperated with investigators, and made significant changes to its export controls and sanctions compliance program by (1) implementing an IP-based geoblock, (2) deactivating user accounts of cloud-based services in Iran, (3) auditing and suspending resellers that sold to Iranian entities, and (4) involving the export compliance team in any new acquisitions, among other improvements.

Compliance expectations & lessons learned

The SAP case is the latest sanctions enforcement action dealing with the provision of goods or services over the internet. As with prior announcements, we can glean a few lessons for the technology industry and for companies that conduct business online:

  • Geo-blocking (again): The SAP case is the latest reminder that the U.S. government expects technology companies to adopt effective geo-blocking from IP addresses associated with sanctioned jurisdictions. In its case summary, OFAC called out the particular need for an effective blocking solution when providing services indirectly through third parties.
  • U.S.-based servers are subject to U.S. rules: U.S. sanctions and export control laws have broad extraterritorial reach. This case highlights the fact that the provision of services and the download of software from U.S. servers are considered “exports” and may require approval from OFAC and/or Commerce. Non-U.S. companies should take note and consider their use of U.S. servers when assessing business opportunities that implicate destinations subject to U.S. sanctions. U.S.-based platforms should also consider whether customers’ use of their services in sanctioned jurisdictions could create liability for the U.S. company providing the service.
  • Due diligence on intermediaries: The SAP case exemplifies how intermediary parties can create liability for a company under U.S. sanctions and export control rules. Appropriate due diligence, controls, and monitoring of distributers and resellers is a must in any industry, particularly when a U.S. company does not have full insight into the identity of the end users of its goods or services.
  • Intercompany business is not risk-free: SAP allowed its subsidiaries to operate independently, although SAP knew, based on pre- and post-acquisition due diligence and notification by SAP’s U.S. compliance team, that those subsidiaries had insufficient sanctions compliance programs. Companies need to ensure that non-U.S. affiliates dealing in U.S. origin services or software maintain appropriate controls, especially after acquiring new entities.
  • Resourcing export and sanctions compliance teams: SAP relied on its U.S.-based compliance team to oversee the compliance of all of its Cloud Business Group subsidiaries. However, the team received inadequate resources, lacked authority to manage the processes, and encountered resistance from the subsidiaries. In its notice, OFAC emphasized that compliance teams must be resourced and empowered to implement compliance controls, when risks are identified.
  • Training is key: According to OFAC, SAP employees outside of the United States oversaw the sale of U.S.-based offerings to Iran, and even traveled to Iran on a sales trip. Multinational companies with a U.S. presence should train all relevant employees on U.S. sanctions red flags so that these types of issues are spotted and appropriately reported.
  • Don’t ignore audit findings: SAP auditors highlighted the company’s lack of IP address geoblocking as a sanctions compliance risk as early as 2006, but the company did not implement effective controls until 2015. By failing to act in response to the audit findings, OFAC indicated that SAP “demonstrated reckless disregard and failed to exercise a minimal degree of caution or care” for U.S. economic sanctions and cited this failure as an aggravating factor in the case.
Over $8 million in fines and $27 million in remediation

All told, SAP paid $8.3 million in penalties and fines to resolve these cases, including a $3.2 million fine to Commerce and the disgorgement of $5.1 million in ill-gotten proceeds to DOJ. OFAC suspended its separate penalty of $2.1 million.

Of course, those figures do not reflect the full cost of investigating and remediating the issues at hand. According to DOJ, SAP spent over $27 million on remediation, which was noted as an important mitigating factor in the case. SAP also agreed to three years of third-party compliance audits following the agreements with the U.S. government.