United States: Lessons From The SAP SE Settlement On The Benefits Of Self-Reporting Corporate Export Control And Sanctions Violations

I. A First: The Department of Justice Enters into a Non-Prosecution Agreement with SAP SE Under its Revised Voluntary Self-Disclosure Policy

On April 29, 2021, the Boston US Attorney's Office announced that SAP SE, a multinational software company headquartered in Walldorf, Germany, entered into the first non-prosecution agreement under the Department of Justice's (DOJ) revised Voluntary Self-Disclosure Policy, announced on December 13, 2019. As part of the global settlement, SAP agreed to pay combined penalties of more than $8 million to the Departments of Justice, Commerce, and the Treasury. SAP also agreed to disgorge $5.14 million in profits and admitted to illegally exporting thousands of software products to companies in Iran and Iranian-controlled front companies based in Turkey, the United Arab Emirates, Germany, and Malaysia. Additionally, certain SAP executives admitted they knew that neither SAP nor its US-based content delivery provider used geolocation filters to block Iranian downloads yet failed to remedy the issue.

In addition to the non-prosecution agreement, SAP entered into Administrative Agreements with the Department of Commerce, Bureau of Industry and Security (BIS), and the Department of the Treasury, Office of Foreign Assets Control (OFAC). Among other things, these agreements require SAP to conduct internal audits of its compliance with US export control laws and regulations and produce audit reports to BIS for a period of three years.

II. The DOJ's Export Control and Sanctions Enforcement Policy Provides Voluntary Self-Disclosure Guidance for Businesses

Under the revised voluntary self-disclosure program, the DOJ "encourages companies to voluntarily self-disclose all potentially willful ¹ violations of the statutes implementing the US government's primary export control and sanctions regimes-the Arms Export Control Act (AECA), 22 U.S.C. § 2778, the Export Control Reform Act (ECRA), 50 U.S.C. § 4801 et seq., and the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. § 1705-directly" to the National Security Division of the DOJ. As the revised policy clarifies, disclosures to other agencies, including OFAC and BIS alone, will not serve in lieu of a disclosure to DOJ. Under this policy, absent aggravating factors, there is a presumption that companies that voluntarily disclose a willful violation, fully cooperate with DOJ, and appropriately remediate the issue, will receive a non-prosecution agreement and will not be assessed a fine. If, as in the SAP case, aggravating circumstances do warrant an enforcement action, disclosure will allow for a 50 percent reduction in the potential penalty, and DOJ will not impose a monitor.

SAP was able to negotiate a non-prosecution agreement with the DOJ because it voluntarily disclosed the violations, fully cooperated with DOJ, and timely and appropriately remediated the circumstances that led to the violation through the following actions:

• Voluntary self-disclosure
• Extensive internal investigation and cooperation over a three-year period
• Producing thousands of translated documents and answering DOJ inquiries
• Making foreign-based employees available for interviews
• Timely remediating and implementing significant changes to its export compliance and sanctions programs (at a cost of more than $27 million)

In sum, because SAP cooperated extensively with the DOJ, BIS, and OFAC, and greatly enhanced its compliance programs, it was able to secure a non-prosecution agreement.

III. Compliance Best Practices Mitigate Risk

The SAP SE case illustrates how voluntary disclosure and cooperation with the government may result in a constructive resolution for an apparent US sanctions and export controls violation. As emphasized in the NPA and in the OFAC and BIS Administrative Agreements, this enforcement action highlights "the importance of implementing a risk-based sanctions compliance program commensurate with [a company's] size and sophistication and appropriate to their marketing and operational structures," including the following best practices:

• Employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program predicated on: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
• Implement IP address identification and blocking, especially if your company makes sales through third parties.
• Conduct pre- and post- acquisition due diligence to ensure newly acquired subsidiaries have sufficient compliance programs.
• Resource and empower sanctions compliance staff to undertake thorough examinations of risks and to implement appropriate controls.

Since those who violate US export and sanctions laws may be subject to criminal and/or civil penalties, a robust compliance program is a worthwhile investment.

Footnote

1. A violation is "willful" if done with the knowledge that it is illegal. DOJ, Export Control and Sanctions Enforcement Policy for Business Organizations, at 1 (Dec. 13, 2019), download (justice.gov) (citing Bryan v. United States, 524 U.S. 184 (1998)).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.