SAP has reached an agreement with US investigators to close a case relating to the violation of economic sanctions and the illegal export of software to Iran. The software provider has admitted to violating existing sanctions and an embargo imposed on the country by the United States.
According to the US Department of Justice (DOJ), SAP violated US sanctions rules on Iran “thousands” of times over a six-year period. Last week, the DoJ claimed that the investigation into the practices of SAP – a case that also involves the Treasury Department, the Office of Foreign Assets Control (OFAC), the Department of Commerce and the Bureau of Industry and Security ( BIS) – revealed two “main” ways in which economic sanctions were violated.
From 2010 to 2017, SAP and its foreign partners exported US-sourced software – including upgrades and security patches – to users in Iran more than 20,000 times. The majority of “exports” went to a total of 14 “Iran-controlled shell companies” located in countries like Turkey and Germany, while others were directly downloaded from Iranian IPs.
$ 8 million to settle the dispute
During the same period, SAP’s Cloud Business Group (CBG) units enabled more than 2,300 users in Iran to access US-based cloud services.
“From 2011, SAP realized, through specific audits, that these companies did not have adequate export control and sanction compliance processes,” says the DoJ. “Yet SAP made the decision to allow these companies to continue operating as stand-alone entities after acquiring them and failed to fully integrate them into SAP’s more robust program for export controls and compliance with sanctions. “
SAP, as U.S. investigators noted, admitted the charges, leading to a settlement worth $ 8 million to avoid action and legal action. Under the terms of the deal, SAP will have to remit $ 5.14 million in “ill-gotten gains” to the United States.
IP blocking by geolocation
The software giant has also spent more than $ 27 million on corrective and compliance measures, including expanding geo-location IP blocking, removing user accounts that would violate sanctions, and hiring dedicated staff. export control.
“SAP will face sanctions for its sanctions violations against Iran, but these would have been much worse if the company had not disclosed, cooperated and taken corrective action,” commented Deputy Attorney General John Demers. “We hope that other companies, software and others, will heed this lesson. “
In a statement, SAP explains that the company “strives for the highest standards of corporate integrity.”
“SAP has conducted a thorough and extensive investigation into historic export controls and violations of economic sanctions,” the company said. “We accept full responsibility for our past conduct, and we have improved our internal controls to ensure compliance with applicable laws. Our significant remedial efforts, combined with our full and proactive cooperation with the US authorities, led to a mutually acceptable resolution of the Iran investigation without the imposition of an external monitor. “