SAP Non-Prosecution Agreement Signals a New Standard for Compliance

What Happened:

On April 29, 2021, the Department of Justice (“DOJ”) announced that it had entered into a non-prosecution agreement (“NPA”) with SAP SE, the German software company, wrapping up a three-year investigation that began with SAP’s voluntary disclosure of numerous Iran sanctions and export control violations to DOJ. As part of its global resolution of liability with DOJ, the Treasury Department’s Office of Foreign Assets Control (“OFAC”), and the Commerce Department’s Bureau of Industry and Security (“BIS”), SAP will pay more than $8 million in penalties, continue to strengthen its revamped sanctions and export control compliance program, and conduct and disclose the results of annual audits of that program to BIS. 

The Bottom Line:

This is the first case resolved under DOJ’s Export Control and Sanctions Enforcement Policy for Business Organizations, and it reflects DOJ’s new, more aggressive enforcement approach towards companies that violate US sanctions and export control laws.¹ The SAP case is a warning to all companies—particularly those who provide tech products and services—about the risks of under-resourcing sanctions and export control compliance and ignoring deficiencies once they are discovered. For companies with undisclosed sanctions and export control issues, it provides a playbook for how to avoid ending up on the wrong side of a criminal conviction. It is clear, however, that a favorable resolution will not come easily—or cheaply. The key takeaway from the SAP NPA is that DOJ has high expectations for compliance remediation and will require companies to make significant investments in compliance improvements to secure a deal under the new policy.  

The Full Story:

According to the DOJ press release announcing the NPA, SAP engaged in numerous violations of US export control and Iran sanctions laws between 2010 and 2017. The violations took one of two forms. First, SAP and its foreign partners released US-origin software (including patches and upgrades) to Iran-based users more than 20,000 times between 2010 and 2017. Second, SAP’s Cloud Business Group companies (“CBGs”) allowed approximately 2,360 Iran-based users to access US-based cloud services from within Iran.  

In both scenarios, SAP knew or had reason to know that its internal controls were insufficient to ensure compliance with US sanctions and export control laws. Senior SAP executives knew that neither SAP nor its US-based content delivery provider was using geolocation filters to prevent Iranian downloads, despite having the ability to do so. Even after identifying that risk, the company failed to take action to block downloads from Iran. Similarly, as SAP acquired new CBGs, it learned that their sanctions and export control compliance practices were inadequate. Despite its awareness of these deficiencies from both pre-acquisition and post-acquisition due diligence and audits, SAP declined to implement its compliance processes at these companies and instead left them to continue managing their own compliance. 

SAP voluntarily disclosed this conduct to DOJ’s National Security Division (“NSD”) and OFAC in September 2017 and to BIS in January 2018. Under the new DOJ policy, companies must voluntarily self-disclose potentially willful violations of US sanctions laws directly to DOJ’s NSD; disclosures to OFAC or BIS alone are insufficient. The policy provides that when a company voluntarily discloses export control or sanctions violations to DOJ’s NSD, fully cooperates with DOJ’s investigation, and timely and appropriately remediates its compliance issues, there is a presumption that the company will receive an NPA and will not pay a fine (unless there are aggravating factors). Although aggravating factors may result in a deferred prosecution agreement or guilty plea instead of an NPA, DOJ will recommend a 50% (or more) reduction in the potential penalty amount and will not require a compliance monitor.   

In its press release announcing the NPA, DOJ credited SAP for disclosing its violations, conducting an extensive internal investigation, and cooperating fully with DOJ’s investigation.  Over the course of three years, SAP produced thousands of translated documents, answered DOJ inquiries, and made foreign-based employees available for interviews. DOJ also highlighted SAP’s $27+ million investment in strengthening its sanctions and export control compliance program by, among other things, 1) implementing GeoIP blocking, 2) deactivating Iran-based users of its software, 3) implementing automated sanctioned party screening for its CBGs, 4) auditing and suspending SAP partners that sold to Iran-affiliated customers, 5) hiring experienced US-based export control staff, and 6) conducting more thorough pre-acquisition due diligence and mandating GeoIP blocking for newly acquired companies.  

As Assistant Attorney General John C. Demers of DOJ’s NSD commented in the press release, “SAP will suffer the penalties for its violations of Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated. We hope that other businesses, software or otherwise, w[ill] heed this lesson.” Indeed, the SAP settlement makes clear that there is much to be gained from voluntarily disclosing clear violations of sanctions and export control laws to DOJ, cooperating with its investigation, and remediating compliance failures promptly and robustly.  Not only is SAP avoiding prosecution for seven years’ worth of violations; it is paying a fraction of the maximum statutory penalty it faced and avoiding a long and costly monitorship. SAP’s decision to disclose, cooperate, and remediate significantly improved its ability to negotiate a favorable resolution with DOJ, OFAC, and BIS. 

All companies should heed this case as a harbinger of sanctions and export control enforcement actions to come and take steps now to strengthen compliance and mitigate risk. Generally, third party compliance remains a critical issue regardless of industry, and companies need to conduct due diligence at each point in their supply chains and distribution channels to identify and address gaps. Specifically, software companies are now on notice that DOJ expects them to leverage available technology, like using geolocation filters to screen for and block IP addresses linked to embargoed jurisdictions, to ensure compliance with US law. The key to success remains the adoption of a risk-based compliance program built on management commitment, accurate risk assessment, implementation of internal controls, testing and auditing, and employee training. In the SAP NPA, DOJ went beyond those core elements by imposing additional, detailed obligations on SAP around internal reporting, broad training on ethics and export control compliance, notifying third parties of their sanctions and export control compliance obligations, auditing newly acquired companies’ sanctions and export control compliance and reporting deficiencies to DOJ, implementing a written disciplinary policy for violations of sanctions and export control laws or SAP policies, and notifying DOJ of credible evidence of potential violations of sanctions and export control laws. The specifics of these additional requirements reflect DOJ’s expectations for what an effective sanctions and export control compliance program should include, and suggest that current best practices should be updated accordingly.       

Hunton Andrews Kurth LLP will continue to monitor closely the development of this and other US sanctions and export control matters. Please contact us if you have any questions or would like further information regarding sanctions risks and sanctions compliance programs.

¹ DOJ’s interest in pursuing sanctions and export control cases against companies and individuals appears more robust than ever. The SAP settlement is but one of a string of recent DOJ enforcement actions for sanctions and export control violations. On May 26, 2021, DOJ announced that an Italian company pled guilty for its role in a conspiracy to violate US sanctions and export control laws (available at https://www.justice.gov/usao-sdga/pr/italian-company-admits-guilt-scheme-evade-us-national-security-trade-sanctions). On May 7, 2021, a federal jury in San Antonio convicted a man for his role in a scheme to violate Iran sanctions (available at https://www.justice.gov/opa/pr/jury-convicts-iranian-national-illegally-exporting-military-sensitive-items). In March and April 2021, DOJ announced that two foreign nationals and a Russian company pled guilty to violating US sanctions and export control laws in two unrelated cases (available at https://www.justice.gov/usao-sdga/pr/russian-national-and-engineering-company-admit-guilt-scheme-evade-us-national-security and https://www.justice.gov/usao-ma/pr/chinese-national-pleads-guilty-illegal-exports-northwestern-polytechnical-university).