On April 29, 2021, the Office of Foreign Assets Control ("OFAC") of the U.S. Department of Treasury and the Bureau of Industry and Security ("BIS") of the U.S. Department of Commerce announced settlements with German software company SAP SE ("SAP") to resolve violations of the Iranian Transactions and Sanctions Regulations ("ITSR") and the Export Administration Regulations ("EAR") stemming from SAP's exportation of software and software services, through third-party resellers, to end-users in Iran. Additionally, the National Security Division of the U.S. Department of Justice ("DOJ") and the U.S. Attorney's Office for the District of Massachusetts collectively entered into a Non-Prosecution Agreement ("NPA") with SAP regarding the same violations.

The combined settlements and NPA highlight the continued focus by the U.S. Government on companies using all information available to them, especially geolocation and IP screening, to ensure end-users are not restricted parties or located in embargoed countries.  They also underscore that companies that fail to follow up on indications of potential non-compliance or implement measures to remediate identified compliance gaps do so at their peril.  Conversely, this case is also indicative of the value placed by the U.S. Government, and particularly the DOJ, on voluntarily disclosing export violations in accordance with the DOJ policy issued in December 2019, which assigned a presumption in favor of an NPA and a reduction in penalties if companies voluntarily disclose violations of export controls and sanctions programs.

Specifically, the settlements cite SAP's failure to implement geolocation screening and IP blocking measures, despite such measures having been recommended as corrective actions during compliance audits conducted years earlier. For companies that engage in international transactions, this repeated reference to location screening serves as a reminder that OFAC considers screening of identifiable geographic information as critical for compliance. In previous enforcement actions against BitPay, Inc. and BitGo, Inc., OFAC cited the companies' failures to implement geolocation screening and IP blocking technology that would have prevented persons in embargoed countries and other blocked persons from transacting in digital currency on their platforms. The SAP settlement agreements again underscore the importance of implementing technology that identifies and blocks IP addresses associated with sanctioned destinations.

The settlements also reflect the expectation that companies will conduct appropriate due diligence on their business partners to ensure that they are aware of and undertake sufficient measures to ensure compliance with U.S. export controls and economic sanctions. Such diligence should include a review of the business partner's websites for any red flags that those partners might engage in dealings with sanctioned persons, entities, or destinations or that any goods or services might be provided to sanctioned persons or destinations. Companies should also ensure that they inform those business partners of their obligations to comply with U.S. export control and sanctions laws. Where red flags come to light (whether through diligence or through other means such as a compliance hotline), companies must not ignore them; instead, they must proactively address those red flags. The attention to diligence applies not only to business partners but also to newly-acquired businesses. If acquired businesses do not have adequate export control and sanctions programs in place, it is important to implement such a framework within the company to prevent violations of export controls and sanctions programs.

To resolve the allegations, SAP agreed to pay civil fines of $2,132,174 to OFAC and $3,290,000 to BIS (credited against OFAC's penalty), as well as a monetary penalty of $5,140,000 to DOJ as part of the NPA.  SAP also spent more than $27 million to overhaul its export controls and sanctions compliance programs, including measures such as:

  • Terminating relationships with all SAP Partners that provided software licenses and related software services to Iranian end-users;
  • Implementing an export controls process in which a third party auditor must review proposed sales by SAP Partners;
  • Auditing newly-acquired companies for export control and sanctions compliance, including implementing a sufficient export control program in all newly-acquired companies where inadequate controls were in place;
  • Using IP blocking technology to block downloads of software, support, and maintenance from Iran and other embargoed countries;
  • Expanding the use of geolocation IP screening as part of its compliance program;
  • Conducting additional audits of its export controls and sanctions compliance program;
  • Implementing and maintaining a confidential and anonymous "hotline" for employees to report export controls and sanctions violations; and
  • Hiring additional employees in charge of export control and sanctions compliance.

The penalties assessed against SAP by all three government agencies make clear the need for compliance protocols that prevent exports, reexports, and transfers of goods and services to end-users in Iran, other embargoed countries, and to blocked persons and entities. Such protocols should be reviewed and updated as new technology or identifiable information, such as IP blocking technology and geolocation data, becomes available.
