German software firm SAP SE shows the benefits of self-disclosure with reduced penalties for US control breaches

German software company SAP SE has become the first company to benefit from a US Justice Department programme that encourages companies to self-report criminal export violations in exchange for leniency.

The firm disclosed that it violated export and sanctions laws related to Iran.

It agreed to help US agencies conduct further investigations, the US Justice Department announced.

Resolution

Europe’s biggest software maker agreed to pay combined penalties of more than $8 million as part of a resolution with the U.S. Departments of Justice, Commerce and Treasury.

The company had voluntarily admitted that it illegally exported thousands of software products to companies in Iran and front companies outside of Iran in violation of US sanctions.

Breach

SAP and its overseas partners released its US-origin software – including upgrades and/or software patches – more than 20,000 times to users located in Iran.

SAP senior management was aware that neither the company nor its US-based content delivery provider used geolocation filters to identify and block Iranian downloads, yet for years the company did nothing to remedy the issue.

Lack of compliance processes

SAP also acquired various cloud business group companies and became aware – through pre-acquisition due diligence and post-acquisition export control-specific audits – that these companies lacked adequate export control and sanctions compliance processes.

However, SAP allowed these companies to continue to operate as standalone entities after acquiring them and failed to fully integrate them into SAP’s more robust export controls and sanctions compliance program.

Reduced penalties

John Demers, Head of the Justice Department’s national-security division, said that both criminal and civil penalties could have been substantially higher if the firm had not self-reported.

The non-prosecution agreement was based upon SAP’s voluntary self-disclosure as well as its extensive internal investigation and cooperation over a three-year period.

During this time, SAP worked with prosecutors and investigators, producing thousands of translated documents, answering inquiries and making foreign-based employees available for interviews.

Full responsibilities

In a statement, SAP said it accepted “full responsibility for past conduct” and had enhanced its internal controls.

Since uncovering the conduct in 2017, the company has spent more than $27 million on compliance changes, including implementing new filters, deactivating thousands of users in Iran, and auditing and suspending partners who sold to Iran-affiliated customers, according to the agreement.

Knowledge is king

Roger Arthey, chair of the IOE&IT’s Export Control Profession, said: “This fine demonstrates to companies, and export control staff in particular, the need to know where your exports are going (even if they are electronic). It also shows the importance of comprehensive due diligence during acquisition, and correcting any shortcomings identified before violations occur.”

“The good news is that penalties can be mitigated by self-disclosure prior to discovery and by cooperating with the authorities,” he added.