Software Company Settles With BIS, DOJ, OFAC for Iran Export Control, Sanctions Violations
A German software company agreed to pay more than $8 million in fines after it admitted to violating U.S. export controls and sanctions against Iran, the Justice, Treasury and Commerce departments announced April 29. The company, SAP SE, came to settlement agreements with all three agencies after it voluntarily disclosed the violations, which included illegal exports and reexports of U.S.-origin software.
Between 2010 and 2017, SAP and its partners in Turkey, the United Arab Emirates, Germany and Malaysia released U.S.-origin software, upgrades and software patches more than 20,000 times to Iranian users, the Justice Department said. SAP senior officials knew that it didn’t use geolocation filters to “identify and block Iranian downloads, yet for years the company did not remedy the issue,” the agency said. The software was downloaded by Iranian-controlled front companies or multinational companies operating in Iran.
The Justice Department also said SAP’s Cloud Business Group companies (CBGs) allowed more than 2,300 Iranian users to access U.S.-based cloud services from Iran, and SAP officials knew the CBGs “lacked adequate export control and sanctions compliance processes.” But SAP allowed the companies “to continue to operate as standalone entities” and “failed to fully integrate them into SAP’s more robust export controls and sanctions compliance program.”
Commerce’s Bureau of Industry and Security said SAP conducted several internal audits of its export control compliance programs from 2006 to 2014, and each revealed that the company “risked breaching applicable U.S. export controls and sanctions.” Even so, SAP didn’t fix some of the compliance gaps revealed in the audits, BIS said, and failed to “implement geo-location IP address blocking for its on-premise download delivery portal” until July 2015. BIS also said the company received several whistleblower complaints about sales to affiliates of Iranian companies but didn’t “adequately” investigate them.
Treasury’s Office of Foreign Assets Control said SAP “failed to conduct sufficient due diligence” on its partners, which could have revealed their ties to Iranian companies. In addition, the company’s export compliance team was “not resourced or empowered to manage” compliance processes. SAP showed “reckless disregard” for U.S. sanctions, ignored “warning signs,” “acted recklessly by having a compliance program that was not commensurate to SAP’s size and sophistication” and had “reason to know” its software was being used by Iranian end-users, OFAC said.
But OFAC also pointed to several mitigating factors, including SAP’s lack of a prior sanctions history, its cooperation with OFAC’s investigation and its remedial measures, including the termination of all users connected to Iranian companies. SAP also voluntarily disclosed the violations.
SAP agreed to pay $3.29 million to Commerce and $5.14 million to the Justice Department. The more than $2 million fine levied by OFAC will be waived after the payments to the Commerce and Justice departments. The company will also have to complete three internal export control audits and submit the results of those audits to BIS. The Justice Department said SAP has already spent more than $27 million to improve its export control and sanctions compliance programs.