SAP SE $8 million settlement
Those of us with children know that some kids choose to learn “the hard way” while others take “the easy way.” The same can be said for companies trying to comply with U.S. sanctions and export control regulations.
Last month, German software behemoth SAP SE (“SAP”) agreed to pay more than $8 million to settle “thousands of export violations spanning six years” with three different U.S. Government agencies.
Those agencies are the Commerce Department’s Bureau of Industry and Security (BIS), Treasury’s Office of Foreign Assets Control (OFAC) and the U.S. Department of Justice.
There are many interesting aspects one can glean from this case. (Take note Empowered Officials, legal counsel and compliance officers!) Here are some highlights:
- From 2010 to 2017, SAP released U.S.-origin software to users located in Iran more than 20,000 times.
- During roughly the same time period, SAP allowed more than 2,000 Iranian users to access its U.S.-based cloud services from Iran.
- Through various due diligence and audit activities, SAP became aware that some of its business units lacked adequate export compliance and sanctions compliance measures, yet they allowed these units to continue operating “as-is” and failed to make them adhere to SAP’s own (more stringent) program controls.
- SAP voluntarily disclosed the violations and has spent an estimated $27 million to improve its compliance program as a result.
Much has already been written about SAP and this situation. The case represents a first-of-its kind non-prosecution agreement under the Justice Department’s new policy on sanctions and export control violations. That said, here are two key learnings that have broad applications for many organizations in the United States and abroad.
Key Learning #1 – Software companies beware!
Let’s make an educated guess. Approximately how many companies do you think sell U.S.-origin software or SaaS today via direct download from their websites? Thousands? Tens of thousands? Keep in mind that a company does not have to be physically located in the United States to sell U.S.-origin items.
Now, how many downloads do these companies process per day/week/month/year? Millions? Tens of millions? More? Each one of these downloads represents a potential violation of U.S. sanctions and/or export control regulations. Each violation can carry a maximum penalty that is easily in the six figures.
So, do the math, and you quickly come to a number that is approaching “COVID-19 stimulus” levels.
Let’s continue with our guessing game.
- How many of these not-so-imaginary software companies have a comprehensive sanctions compliance program and export control compliance procedures in place?
- How much training do they provide to employees so they can recognize risks, flag potential violations and self-correct?
- Which companies include IT professionals as part of this training?
- How many use geolocation filters and IP address blocks to prevent unauthorized downloads?
- Who among these companies screens the various restricted parties lists and resolves false positives from true matches before accepting a new customer and selling to them?
- How often do they perform audits of their programs to identify gaps and improve?
- Now, I know what you’re thinking. “Everyone does all of these things, right?”
Hmmm. Let’s just say that…
If a company like SAP can make mistakes, then anyone who plays in the software space is at risk.
In fact, it’s entirely possible that this case will mark a turning point in U.S. enforcement efforts in the same way that the cases of Boeing and other large aerospace companies did for that industry over two decades ago.
The bottom line – software and SaaS companies can no longer “fly blind” and pretend they are immune from U.S. export control laws and regulations simply because they download from the cloud.
The argument that, “We don’t put anything in a box and ship it overseas” no longer works. (It hasn’t worked for some time, but cases like this will only serve to shine a brighter light on the problem.) Software companies must develop programs that are more than just words on paper.
They must implement appropriate controls, provide adequate training and resources, and then evaluate those approaches to ensure compliance. There is no other way forward.
Key Learning #2 – The truth shall set you free
As you read this case about SAP, it’s impossible to ignore the fact that the company voluntarily disclosed the violations to the U.S. Government, made honest efforts to work with the various agencies along the way, and sought to bolster their compliance program (to the tune of $27 million).
Without a doubt, these actions helped SAP arrive at a settlement that was tolerable versus one that could have been nothing short of “horrendous.” To put this another way, if you think an $8 million penalty is bad for SAP, consider that the software giant reported around $32 billion in revenue for 2020.
Also consider that the maximum penalties for the OFAC violations alone could have been $56 million!
The message from the government is clear:
- Be honest and forthcoming with your mistakes.
- Work to correct them.
- Be cooperative (not combative) with the enforcement agencies involved.
This goes a long way to achieving an outcome that is better in the long run. Time and again, we see the U.S. Government rewarding and even recognizing those companies who submit voluntary self-disclosures and then make honest efforts to improve their compliance.
Don’t believe me?
Here’s Assistant Attorney General John C. Demers from the Justice Department press release:
“SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated. We hope that other businesses, software or otherwise, we [sic] heed this lesson.”
Companies would do well to follow the example of SAP and not attempt to hide their mistakes in the hopes of not getting caught.
The “ABCs” of sanctions and trade compliance
In summary, SAP walked away from this situation with what amounts to a slap on the wrist.
How did they do it?
The trade compliance industry is awash in acronyms that can be difficult for outsiders to understand. But here’s one acronym that can help any organization follow in SAP’s footsteps. It’s as easy as easy as “ABC.”
A = Audit/Assessment
Evaluate your program. Don’t have one? Assess where you are and take an honest inventory of your risks. Get outside help if you need it. Otherwise, you simply “flying blind” and have no idea where your company is headed.
B = Be Honest
Submit voluntary self-disclosures. Admit to your mistakes and make genuine efforts to improve. Believe it or not, the government agencies responsible for sanctions/export compliance want to know where companies fall short. They want to see all companies improve. Cooperating with the government will get you further than fighting them.
C = Continually Improve
Even with the best of programs, improvement can be made. There is no such thing as “perfect” compliance. So, start where you are, then build up from there. You’ll be better off in the long run than those companies who did nothing and hoped they never got caught.
Need help? For more than 12 years, our firm has assisted organizations of all sizes with evaluating their trade compliance and making meaningful improvements. Schedule a no-charge consultation and let’s discuss how we can help you today.
Tom Reynolds is the President of Export Solutions, a consultancy firm which specializes in helping companies with import/export compliance.