Last week, three
The settlement agreements with OFAC and Commerce, and the non-prosecution agreement with DOJ, highlight sanctions risks specific to the cloud and software industry and provide insight on the
What happened
According to the agency notices, between 2010 and 2018, SAP supplied software and cloud-based services from
- Sales of software through “pass through” entities - SAP sold software licenses and maintenance services to SAP resellers located in Turkey, the UAE, Germany, and Malaysia, which in turn sold the licenses and services to third parties for end use in Iran. Iranian end-users then downloaded SAP software, updates, or patches from the company's servers in the United States. The agencies noted that SAP failed to prevent downloads of its software from IP addresses associated with Iran, even though internal audits recommended the adoption of IP address geolocation screening. SAP also failed to conduct sufficient due diligence on its resellers, many of which publicized ties with Iranian companies on their websites.
- Cloud services - SAP's Cloud Business Group subsidiaries allowed 2,360 users in Iran to access U.S.-based cloud services. SAP became aware, through due diligence and audits, that its subsidiaries lacked adequate compliance controls over its cloud offerings, but did not take appropriate or timely remedial action.
SAP voluntarily disclosed the issues to the three agencies, cooperated with investigators, and made significant changes to its export controls and sanctions compliance program by (1) implementing an IP-based geoblock, (2) deactivating user accounts of cloud-based services in
Compliance expectations & lessons learned
The SAP case is the latest sanctions enforcement action dealing with the provision of goods or services over the internet. As with prior announcements, we can glean a few lessons for the technology industry and for companies that conduct business online:
- Geo-blocking (again): The SAP case is the latest reminder that the U.S. government expects technology companies to adopt effective geo-blocking of IP addresses associated with sanctioned jurisdictions. In its case summary, OFAC called out the particular need for an effective blocking solution when providing services indirectly through third parties.
- U.S.-based servers are subject to U.S. rules: U.S. sanctions and export control laws have broad extraterritorial reach. This case highlights the fact that the provision of services and the download of software from U.S. servers are considered “exports” and may require approval from OFAC and/or Commerce. Non-U.S. companies should take note and consider their use of U.S. servers when assessing business opportunities that implicate destinations subject to U.S. sanctions. U.S.-based platforms should also consider whether customers' use of their services in sanctioned jurisdictions could create liability for the U.S. company providing the service.
- Due diligence on intermediaries: The SAP case exemplifies how intermediary parties can create liability for a company under U.S. sanctions and export control rules. Appropriate due diligence, controls, and monitoring of distributors and resellers is a must in any industry, particularly when a U.S. company does not have full insight into the identity of the end users of its goods or services.
- Intercompany business is not risk-free: SAP allowed its subsidiaries to operate independently, although SAP knew, based on pre- and post-acquisition due diligence and notification by SAP's U.S. compliance team, that those subsidiaries had insufficient sanctions compliance programs. Companies need to ensure that non-U.S. affiliates dealing in U.S.-origin services or software maintain appropriate controls, especially after acquiring new entities.
- Resourcing export and sanctions compliance teams: SAP relied on its U.S.-based compliance team to oversee the compliance of all of its Cloud Business Group subsidiaries. However, the team received inadequate resources, lacked authority to manage the processes, and encountered resistance from the subsidiaries. In its notice, OFAC emphasized that compliance teams must be resourced and empowered to implement compliance controls when risks are identified.
- Training is key: According to OFAC, SAP employees outside the United States oversaw the sale of U.S.-based offerings to Iran, and even traveled to Iran on a sales trip. Multinational companies with a U.S. presence should train all relevant employees on U.S. sanctions red flags so that these types of issues are spotted and appropriately reported.
- Don't ignore audit findings: SAP auditors highlighted the company's lack of IP address geoblocking as a sanctions compliance risk as early as 2006, but the company did not implement effective controls until 2015. OFAC indicated that, by failing to act on the audit findings, SAP “demonstrated reckless disregard and failed to exercise a minimal degree of caution or care” for U.S. economic sanctions, and cited this failure as an aggravating factor in the case.
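The geo-blocking lesson above names the control but not its engineering pitfalls. The following is an added illustration, not code from the article, from SAP, or from any agency notice: a download gate that resolves the requesting address to a country and refuses software and patch downloads from blocked jurisdictions. The geolocation table, the blocked-country list, and the trusted-proxy range are all constructed assumptions (the prefixes are RFC 5737 / RFC 3849 documentation ranges, not real allocations; a production system would use a licensed geolocation feed and a compliance-owned jurisdiction list). The part practitioners most often get wrong is the "indirectly through third parties" path: a request that arrives through a reverse proxy or CDN carries the real client address only in X-Forwarded-For, which any client can also forge, so the header is honored only when the TCP peer is one of our own proxies.

```python
import ipaddress

# Constructed lookup table standing in for a commercial IP geolocation feed.
# These prefixes are documentation ranges, not real assignments (assumption).
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/25"), "TR"),
    (ipaddress.ip_network("203.0.113.128/25"), "US"),
    (ipaddress.ip_network("2001:db8::/32"), "IR"),
]

# Assumption: the jurisdiction list is owned and reviewed by the sanctions
# compliance team; it is data the engineering team consumes, not code.
BLOCKED_COUNTRIES = {"IR", "KP", "SY", "CU"}

# Assumption: our own reverse proxies / CDN edge. X-Forwarded-For is trusted
# only when the TCP peer is one of these, because any client can set the header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def country_for(addr):
    """Longest-prefix match of an address object against the geolocation table."""
    best = None
    for net, cc in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def client_ip(peer_ip, xff_header=None):
    """Work out the address that actually originated the request.

    Direct connection: the TCP peer is the client; the header is ignored.
    Via our proxy: walk X-Forwarded-For right to left, skipping our own hops;
    the first foreign hop is the client. Anything missing or malformed returns
    None so the caller fails closed instead of guessing.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted_proxy(peer):
        return peer
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not is_trusted_proxy(addr):
            return addr
    return None


def download_decision(peer_ip, xff_header=None, fail_closed=True):
    """Gate a software/patch download. Returns (verdict, country, reason)."""
    addr = client_ip(peer_ip, xff_header)
    if addr is None:
        return ("deny", None, "client-address-unresolvable")
    cc = country_for(addr)
    if cc is None:
        # Unknown geolocation: deny by default, allow only if policy says so.
        return ("deny" if fail_closed else "allow", None, "geolocation-unknown")
    if cc in BLOCKED_COUNTRIES:
        return ("deny", cc, "blocked-jurisdiction")
    return ("allow", cc, "ok")


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("192.0.2.10", None),                     # direct from a blocked prefix
        ("203.0.113.200", "192.0.2.10"),          # direct from US; forged header ignored
        ("10.1.2.3", "192.0.2.10, 10.0.0.5"),     # via our proxy; real client is IR
        ("10.1.2.3", "198.51.100.7, 10.0.0.5"),   # via our proxy; real client is DE
        ("10.1.2.3", ""),                         # proxy omitted the header
        ("10.1.2.3", "203.0.113.9, not-an-ip"),   # malformed header
        ("2001:db8::1", None),                    # IPv6 client from a blocked prefix
    ]
    for peer, xff in samples:
        verdict, cc, reason = download_decision(peer, xff)
        print(f"{peer:<16} xff={xff!r:<28} -> {verdict:<5} {cc or '--'} ({reason})")
```

Two design choices are deliberate. First, the gate fails closed: an unresolvable client address or an address the geolocation feed does not know is denied, because an "allow" that cannot be explained is exactly the kind of gap an audit will flag. Second, the header walk skips only our own proxy addresses and stops at the first foreign hop, so a client that prepends a friendly-looking address to X-Forwarded-For cannot launder its origin. Account deactivation for cloud tenants, the other control SAP adopted, is a separate identity-side check that this download gate does not replace.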
Over
All told, SAP paid
Of course, those figures do not reflect the full cost of investigating and remediating the issues at hand. According to DOJ, SAP spent over
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
E-mail: crubsamen@kelleydrye.com
URL: www.kelleydrye.com
© Mondaq Ltd, 2021 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source