Skip to main content
Top Button
Groundbreaking DOJ Non-Prosecution Agreement Over Global Software Company’s Iran Sanctions & Export Groundbreaking DOJ Non-Prosecution Agreement Over Global Software Company’s Iran Sanctions & Export

Groundbreaking DOJ Non-Prosecution Agreement Over Global Software Company’s Iran Sanctions & Export Controls Violations

Resolving violations of U.S. sanctions and export controls programs continues to become a more complex matter for companies, and a recent groundbreaking non-prosecution agreement (NPA) between the Department of Justice (DOJ) and SAP SE, a global software company based in Germany, is worth digging into as it contains many important lessons for compliance and for dealing with voluntary disclosures.
  • Not surprisingly, the core issues involved in the investigated conduct focus on software services, which as we recently noted in the context of military export controls under the ITAR, are often challenging to scope and often overlooked in export-focused industries that view exports as tied to “things.”
  • SAP reportedly exported software from the U.S. to companies in third-party countries with knowledge or reason to know that the software was intended specifically for Iran and sold cloud-based U.S. software subscription services to customers that made the services available to their employees in Iran. SAP used third-party countries as “pass-through entities” to provide the company’s software to users in Iran. The delivery of software from U.S.-based servers and use of cloud-based subscriptions managed by the company’s U.S. subsidiaries triggered U.S. export controls and sanctions restrictions even though SAP is headquartered in Germany.
  • SAP’s internal investigation unearthed numerous shortcomings in its compliance program, including failures to screen customers through the website, even after internal audits recommended implementing relatively simple blocking tools. SAP also failed to review the business activities of its pass-through entity customers to determine whether they were selling the company’s software to Iranian companies—when in fact many were publicly advertising such activities.
Don’t Do This at Home: How to Avoid NPAs in the First Place

The SAP NPA is the first reported example since the DOJ rolled out a revised policy on voluntary self-disclosures for criminal violations of export controls and sanctions administered by the Department of Treasury’s Office of Foreign Assets Control (OFAC). Following the well-trodden path of many NPA and Deferred Prosecution Agreements (DPA) involving violations of the Foreign Corrupt Practice Act, the new approach encourages companies to self-disclose by reducing penalties and limiting them to the amounts gained from the illegal conduct.

The SAP NPA lays out in detail the extraordinary steps that the company undertook. These steps serve as a reminder—and encouragement—for others similarly situated to consider focusing their attention, and spending their time and resources, on preventing illegal conduct rather than cleaning up after the fact. According to the NPA, SAP:
  • Conducted a thorough internal investigation, with regular factual updates to U.S. authorities;
  • Made foreign-based employees available for interviews in an overseas location;
  • Produced documents, including translations, at the U.S. government’s request;
  • Provided legal counsel to employees to facilitate their cooperation;
  • “Collected, analyzed, and organized voluminous evidence” shared with the government; and
  • Investigated and disclosed conduct “outside the scope” of the initial disclosures.
Most tellingly, SAP then spent $27 million to remediate and implement significant changes to compliance and sanctions programs, which included:
  • Transitioning to a global automated sanctions screening program;
  • Company-wide training;
  • Terminating employees who were aware of the sales to Iran; and
  • Hiring approximately 15 additional professionals devoted to export control and sanctions compliance.
Concurrently with the NPA, SAP entered into administrative agreements with OFAC and the Department of Commerce’s Bureau of Industry and Security (BIS).

In light of SAP’s cooperation and other factors, SAP was able to escape without having a monitor imposed over its business—a significant development as monitorships are extraordinarily complex and expensive undertakings for the company. SAP, however, did have to agree to continuing obligations to disclose future wrongdoing to DOJ that will require the company to be very diligent and thorough about investigating any allegations of misconduct—failure to do so would put senior managers in jeopardy given the requirement that they certify the company’s compliance with the requirements of the NPA. During the term of the NPA, SAP has effectively committed to report any evidence or credible allegation of a violation of U.S. federal law to the government.

As evident in this recent settlement, companies dealing with data, software, and cloud services should pay attention to export controls and sanctions restrictions because digital trade can cross borders easily and with little notice. Companies should consider the following steps:
  • Instituting geolocation IP address screening for software delivered from the U.S.;
  • Blocking downloads of software, support, and maintenance from Iran and other embargoed countries;
  • Screening all third parties and customers and doing spot checks on distributors or channels of sales to ensure compliance with U.S. laws;
  • Developing and implementing effective compliance programs that flag issues that require closer scrutiny; and
  • Conducting adequate review of supply chain partners to limit resale to companies in Iran or other embargoed countries.
Connect with Ice Miller for More Details

If you have questions concerning the sanctions and export controls compliance, Ice Miller has extensive experience assisting companies to comply with laws governing the export of goods, technology, software, and services, and helping companies navigate DOJ, OFAC, and BIS inquiries. Our team includes Guillermo Christensen, Office Managing Partner, Washington DC, and a former CIA officer with national security experience in the intelligence community and internationally with the U.S. Department of State; Timothy Belevetz, Co-Chair of Ice Miller’s White Collar Defense & Investigations Group and a former federal prosecutor and U.S. Securities and Exchange Commission attorney; and Christian Robertson, a former U.S. Air Force intelligence officer who regularly advises clients on export controls and international supply chain matters.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

View Full Site View Mobile Optimized