US Export Control violations: German SAP settles with OFAC for $2 million

US Export Controls and Sanctions apply even outside the US. A German software now agreed to pay up - big time!

OFAC, the Office of Foreign Asset Controls of the U.S. has announced a $2,132,174 settlement with SAP SE (“SAP”).

SAP, a software company located in Walldorf, Germany has agreed to settle its potential civil liability for 190 apparent violations of the Iranian Transactions and Sanctions Regulations, 31 C.F.R. part 560.

Violations over 5 years

Specifically, between approximately 2013 and 2018, SAP engaged in the export, re-export, sale, or supply of technology or services from the United States to companies in third countries with knowledge or reason to know the software or services were intended specifically for Iran and sold cloud-based software subscription services accessed remotely through SAP’s cloud businesses in the United States to customers that made the services available to their employees in Iran.

OFAC determined that SAP voluntarily self-disclosed the apparent violations

What happened?

From approximately June 1, 2013 to January 1, 2018, SAP authorized 13 sales of SAP software licenses, 169 sales of related maintenance services and updates, and eight sales of cloud-based subscription services.

The sales of SAP software licenses and related maintenances services and updates (collectively “SAP software”) were sold by third-party resellers (“SAP Partners”) in

• Turkey,

• the United Arab Emirates (UAE),

• Germany, and

• Malaysia.

SAP Partners in these countries sold these licenses and services to companies in third countries, including companies controlled by Iranian companies, that provided the SAP software to users in Iran.

The software was delivered from SAP servers in the United States and SAP’s U.S.-headquartered content delivery provider.

The sales of cloud-based subscription services to third country-based customers that then provided access to users located in Iran were conducted by two of SAP’s cloud business group subsidiaries in the United States, with SAP’s knowledge or reason to know the services would be provided specifically to Iran.

Violations of US Iran Sanctions

In doing so, SAP appears to have violated § 560.204 of the Iranian Transactions and Sanctions Regulations, 31 C.F.R. part 560 (ITSR), prohibiting the export, re-export, sale, or supply, directly or indirectly from the United States, or by a United States person, wherever located, of any goods, technology, or services to companies and individuals in Iran, including the export, re-export, sale, or supply to a third country undertaken with knowledge or reason to know the goods, technology, or services are intended specifically for Iran (the “Apparent Violations”). The total value of the

transactions constituting the Apparent Violations is $3,693,898.

Lack of good compliance: They KNEW!

The Apparent Violations connected with the sales of SAP software by SAP Partners to pass-through entities were caused in part by shortcomings in SAP’s compliance processes. For example, internal audits conducted in 2006, 2007, 2010, and 2014 found that SAP did not screen customers’ Internet Protocol (IP) addresses, resulting in SAP’s inability to identify the country in which SAP software was downloaded.

This deficiency, the audits found, put SAP at risk of breaching U.S. economic sanctions and export controls. The 2006 audit recommended that SAP implement tools verify the location of users making download requests of SAP software. In 2010, the findings of the internal audits, including the failure to implement IP blocking, were brought to the attention of SAP’s Executive Board.

Head in the sand

In 2014, the audit specifically recommended the implementation of geolocation IP address screening as a corrective measure. Though SAP knew of this compliance vulnerability since 2006, and despite being aware that its U.S.-based content delivery provider had the ability to conduct geolocation IP address screening years earlier, SAP failed to implement the recommended geolocation IP address screening until 2015.

Data showed the download came from Iran

IP address data reviewed during the course of SAP’s internal investigation confirmed that SAP software was being downloaded by users in Iran. The Apparent Violations related to the sale of SAP software to pass-through entities were also enabled by SAP personnel. Internal communications show that SAP product line and overseas subsidiary managers oversaw the sale of SAP software and services from the United States or U.S. persons to pass-through entities knowing they would provide the software and services to Iranian

companies.

Travel to Iran

In one instance, SAP personnel travelled to Iran to secure SAP software sales.

Failure to implement sufficient due diligence

Additionally, SAP failed to conduct sufficient due diligence on SAP Partners, which could have revealed SAP Partners’ connections to Iranian companies. For instance, SAP Partner websites publicized their business ties with Iranian companies.

Whistleblower allegations ignored

SAP also failed to adequately investigate whistleblower allegations it received between approximately July 2011 to March 2016 that claimed SAP software had been sold to Iranian front companies registered in UAE, Turkey, and Malaysia claims that SAP subsequently substantiated.

What can businesses do to protect themselves from compliance problems?

On May 2, 2019, OFAC published A Framework for OFAC Compliance Commitments in order to provide organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States or U.S. persons, or that source goods or services from the United States, with OFAC’s perspective on the essential components of a sanctions compliance program.

Download