On
The SAP settlement is the most significant of a number of recent sanctions and export controls enforcement matters involving the provision of remote or cloud-based services to sanctioned or restricted parties. Where historically the financial sector has faced the most sanctions risk, and has spent decades building sophisticated compliance programs to avoid US sanctions violations, companies in the tech sector, from established behemoths such as Apple3 and Amazon,4 to startups, have faced sanctions enforcement for failing to avoid providing services to sanctioned parties. Given that it takes very little capital to begin remotely serving customers worldwide, and that many key resources for providing such services are based in the US or sourced from the US (including necessary software and technology and server capacity), the US government has begun to focus in the past 18 months on sanctions compliance in the tech industry. In fact, the global resolution marks the second US government enforcement action in recent months to highlight the importance of implementing access controls with respect to sanctioned countries. In
The SAP settlement also follows close on the heels of another recent OFAC action against SITA, a Swiss telecommunications company that, in 2020, settled apparent violations involving the provision of messaging services that were routed through hardware located in the US.6
The global resolution with SAP seems to represent a growing interest by export, trade, and sanctions regulators in asserting jurisdiction over the activities of tech companies, where the main jurisdictional hook is the presence of information on US servers.
For companies that provide global services, these cases generally point to a few key themes:
- Sanctions and export controls compliance procedures need to be implemented into all stages of a company's product lifecycle, from sales to customer support.
- Despite the cost and burden, the US government has repeatedly emphasized the need for a robust screening program, even where there are many users dispersed globally and the company does not have substantial information on its users.
- Where possible, companies should use geofencing and other technical controls to prevent services from being provided to sanctioned or embargoed countries or jurisdictions without authorization.
- Companies must take primary responsibility for trade compliance, including where they use third-party agents and distributors. Third parties have been a significant cause of sanctions exposure in recent cases, and this has not absolved first parties of liability.
The bottom line is that, just as the US government expects banks to monitor global money flows and to prevent prohibited transactions, the recent cases demonstrate that companies are similarly expected to monitor and ensure compliance throughout the global flow of data.
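Two of the controls named above, geo-location IP screening and automated sanctioned-party screening, are easy to describe and easy to get subtly wrong. The following is an added illustration, not SAP's code and not anything the settlement documents describe: a small access gate that resolves a client address to a country with longest-prefix matching, refuses embargoed jurisdictions, and screens the account name against a denied-party list. The GeoIP table uses RFC 5737/3849 documentation ranges and is constructed for the example; the embargoed set contains only "IR" because Iran is the only jurisdiction this article names; the denied-party entry is invented; and `client_ip` is a hypothetical helper showing why a forwarded-for header must only be honored behind a trusted proxy.

```python
"""Illustrative geo-IP and denied-party screening gate (added example, not SAP's code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed lookup table. Documentation ranges (RFC 5737 / RFC 3849) stand in for
# real allocations; a production gate would load a licensed GeoIP database instead.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "IR"),
    (ipaddress.ip_network("203.0.113.128/25"), "DE"),  # more specific prefix must win
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("2001:db8:1::/48"), "IR"),
]
# Longest prefix first so the first hit is the most specific match.
GEOIP_TABLE.sort(key=lambda entry: entry[0].prefixlen, reverse=True)

# Assumption: the article names only Iran. The authoritative list of embargoed
# jurisdictions comes from OFAC/counsel, not from a hard-coded constant.
EMBARGOED_COUNTRIES = {"IR"}

# Constructed denied-party entry; real programs screen against the SDN list or a vendor feed.
DENIED_PARTIES = {"Example Sanctioned Trading Co."}


def normalize_name(name: str) -> str:
    """Casefold, drop punctuation and collapse whitespace so trivial variants still match."""
    return " ".join(re.sub(r"[^\w\s]", " ", name).casefold().split())


_DENIED_NORMALIZED = {normalize_name(n) for n in DENIED_PARTIES}


def lookup_country(ip: str) -> Optional[str]:
    """Return the ISO country code for an address, or None when unresolvable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed address: treat as unresolved, the gate fails closed below
    for net, country in GEOIP_TABLE:
        if addr in net:  # membership across IP versions is simply False
            return country
    return None


def client_ip(peer_addr: str, forwarded_for: Optional[str], trusted_proxies: set) -> str:
    """Pick the address to geolocate.

    X-Forwarded-For is client-supplied text. It is only honored when the direct
    peer is one of our own proxies; otherwise a caller could spoof a permitted
    country and walk straight through the geofence.
    """
    if forwarded_for and peer_addr in trusted_proxies:
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        # Walk from the right past hops our proxies appended, to the last untrusted one.
        for hop in reversed(hops):
            if hop not in trusted_proxies:
                return hop
    return peer_addr


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    country: Optional[str]


def screen_request(ip: str, account_name: str) -> Decision:
    """Geofence first, then denied-party screening; unresolved geolocation fails closed."""
    country = lookup_country(ip)
    if country is None:
        return Decision(False, "geolocation_unresolved", None)  # send to manual review
    if country in EMBARGOED_COUNTRIES:
        return Decision(False, f"embargoed_jurisdiction:{country}", country)
    if normalize_name(account_name) in _DENIED_NORMALIZED:
        return Decision(False, "denied_party_match", country)
    return Decision(True, "ok", country)


if __name__ == "__main__":
    ip = client_ip("10.0.0.1", "203.0.113.5, 10.0.0.1", {"10.0.0.1"})
    print(screen_request(ip, "Acme GmbH"))
```

The choice to fail closed on an unresolvable address is deliberate: routing those sessions to review is the cheaper error when the alternative is the kind of reckless-disregard finding described later in this article. Note that a real screening program also needs fuzzy name matching and periodic re-screening of existing users, neither of which this sketch attempts.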
What Were SAP's Violations?
SAP is a developer of enterprise software that is used by businesses to manage their operations and customer relations. Headquartered in
Release-of-Software Violations
From 2010 to 2017,
Even though the sale of the software was led by
Additionally, SAP failed to conduct sufficient due diligence on SAP Partners—some
Cloud-Access Violations
Two of SAP's US subsidiaries that deal in cloud networking also provided cloud-based subscription services to customers who, in turn, provided access to users located in
How Did the US Government Arrive at
SAP's Non-Prosecution Agreement with
The actual civil penalty to which SAP agreed represents a steep departure from the statutory maximum penalty, which OFAC determined to be
OFAC found that the following aggravating factors militated against leniency with respect to SAP's civil monetary penalty:
- Reckless disregard and failure to exercise a minimal degree of caution or care for US economic sanctions: OFAC determined that, despite having conducted multiple internal audits over a period of at least eight years highlighting sanctions risks, as well as having received warnings from its compliance personnel indicating compliance program deficiencies, SAP failed to act on that information. Further, the settlement stated that SAP ignored warning signs, such as whistleblower claims.
- Recklessness: In OFAC's view, SAP was reckless for not having a compliance program commensurate with its size. SAP's failure to implement controls (such as geo-location IP address screening) in a timely fashion, conduct adequate due diligence on its third-party partners, and implement adequate controls or compliance measures on SAP Partners and its subsidiaries contributed to OFAC's conclusion.
- Direct knowledge or reason to know of the violations: OFAC determined that certain SAP managers and personnel knew that SAP software was being purchased by companies that enabled the products' use in Iran. Further, certain SAP Partners publicized their Iranian ties.
- Harm to US sanctions program and foreign policy objectives: The settlement agreement concluded that SAP's actions provided economic benefit to Iran by having provided software for a total value of $3.9 million.
- Sophistication: In OFAC's view, SAP is a sophisticated company with significant international business.
Mitigating Factors
Each agency noted that SAP voluntarily disclosed its violations, in addition to the fact that it cooperated with investigators at
OFAC highlighted three main mitigating factors that warranted the significant departure from the statutory maximum penalty. First, SAP had no prior sanctions history in the five years preceding the earliest date of the activities that gave rise to the apparent violations. Second, OFAC found that SAP substantially cooperated with the investigation, including by enabling investigators to interview SAP employees overseas. Third, OFAC stated that SAP took "significant remedial actions," which included:
- Developing an enhanced compliance program, with geo-location IP screening;
- Terminating all SAP Partners who sold software or services to Iran; all users associated with companies that provided software or services to Iran; and all five SAP employees who were found to have knowingly engaged in sales to Iran, or who failed to comply with SAP's policies prohibiting such sales;
- Hiring six new employees responsible for export and sanctions compliance; and
- Blocking all downloads from Iran.
In addition to some of the factors noted by OFAC,
- Deactivating thousands of SAP cloud-based services based in Iran;
- Transitioning to automated sanctioned-party screening of its cloud business groups;
- Auditing and terminating SAP Partners engaged in sales to Iranian companies;
- Implementing enhanced export employee training across the company, as well as a risk-based export control framework for SAP Partners that requires a stringent review of proposed sales by a third-party auditor; and
- Conducting more robust due diligence at the acquisition stage by requiring new acquisitions to adopt GeoIP blocking and requiring involvement of the Export Control Team before acquisition.
These remedial measures cost SAP a reported
Conclusion
The SAP action highlights the great importance of risk-based sanctions compliance programs for global companies providing software products online, including cloud-based services. This includes due diligence for all third-party vendors or distributors and for those who deliver services to customers who might then provide those services to employees or other users in sanctioned companies.
Footnotes
1. See, e.g., Press Release,
2. Id.; see also Enforcement Release, OFAC Settles with
3. See, e.g., Enforcement Release,
4. See, e.g., Enforcement Release, OFAC Settles with
5. Arnold & Porter, Bits Too Far: Digital Wallet Company Settles OFAC Sanctions Violations, Enforcement Edge(
6. OFAC, Enforcement Information for
Arnold & Porter
© Mondaq Ltd, 2021 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source