
Cloud services providers and sanctions.

Nigel Morris-Cotterill

German software company SAP SE has done a deal with the USA's OFAC to avoid court proceedings relating to transactions with Iran. But that's not the important part of this story: what matters is that services were provided "in the cloud" and OFAC claims jurisdiction over it.

"OFAC has announced a $2,132,174 settlement with SAP SE (“SAP”). SAP, a software company located in Walldorf, Germany has agreed to settle its potential civil liability for 190 apparent violations of the Iranian Transactions and Sanctions Regulations, 31 C.F.R. part 560. Specifically, between approximately 2013 and 2018, SAP engaged in the export, re-export, sale, or supply of technology or services from the United States to companies in third countries with knowledge or reason to know the software or services were intended specifically for Iran, and sold cloud-based software subscription services accessed remotely through SAP’s cloud businesses in the United States to customers that made the services available to their employees in Iran. "

So says OFAC in its brief announcement of this case. In its more detailed note, it says:

"From approximately June 1, 2013 to January 1, 2018, SAP authorized 13 sales of SAP software licenses, 169 sales of related maintenance services and updates, and eight sales of cloud-based subscription services. The sales of SAP software licenses and related maintenance services and updates (collectively “SAP software”) were sold by third-party resellers (“SAP Partners”) in Turkey, the United Arab Emirates (UAE), Germany, and Malaysia. SAP Partners in these countries sold these licenses and services to companies in third countries, including companies controlled by Iranian companies, that provided the SAP software to users in Iran. SAP referred to these third-country companies as “pass-through entities.” The software was delivered from SAP servers in the United States and SAP’s U.S.-headquartered content delivery provider. The sales of cloud-based subscription services to third country-based customers that then provided access to users located in Iran were conducted by two of SAP’s cloud business group subsidiaries in the United States, with SAP’s knowledge or reason to know the services would be provided specifically to Iran. In doing so, SAP appears to have violated § 560.204 of the Iranian Transactions and Sanctions Regulations, 31 C.F.R. part 560 (ITSR), prohibiting the export, re-export, sale, or supply, directly or indirectly from the United States, or by a United States person, wherever located, of any goods, technology, or services to companies and individuals in Iran, including the export, re-export, sale, or supply to a third country undertaken with knowledge or reason to know the goods, technology, or services are intended specifically for Iran (the “Apparent Violations”). The total value of the transactions constituting the Apparent Violations is $3,693,898.

Sales to “Pass-Through” Entities

The Apparent Violations connected with the sales of SAP software by SAP Partners to pass-through entities were caused in part by shortcomings in SAP’s compliance processes. For example, internal audits conducted in 2006, 2007, 2010, and 2014 found that SAP did not screen customers’ Internet Protocol (IP) addresses, resulting in SAP’s inability to identify the country in which SAP software was downloaded. This deficiency, the audits found, put SAP at risk of breaching U.S. economic sanctions and export controls. The 2006 audit recommended that SAP implement tools to verify the location of users making download requests of SAP software. In 2010, the findings of the internal audits, including the failure to implement IP blocking, were brought to the attention of SAP’s Executive Board. In 2014, the audit specifically recommended the implementation of geolocation IP address screening as a corrective measure. Though SAP knew of this compliance vulnerability since 2006, and despite being aware that its U.S.-based content delivery provider had the ability to conduct geolocation IP address screening years earlier, SAP failed to implement the recommended geolocation IP address screening until 2015. IP address data reviewed during the course of SAP’s internal investigation confirmed that SAP software was being downloaded by users in Iran. The Apparent Violations related to the sale of SAP software to pass-through entities were also enabled by SAP personnel. Internal communications show that SAP product line and overseas subsidiary managers oversaw the sale of SAP software and services from the United States or U.S. persons to pass-through entities knowing they would provide the software and services to Iranian companies. In one instance, SAP personnel traveled to Iran to secure SAP software sales.

Additionally, SAP failed to conduct sufficient due diligence on SAP Partners, which could have revealed SAP Partners’ connections to Iranian companies. For instance, SAP Partner websites publicized their business ties with Iranian companies. SAP also failed to adequately investigate whistleblower allegations it received between approximately July 2011 to March 2016 that claimed SAP software had been sold to Iranian front companies registered in UAE, Turkey, and Malaysia, claims that SAP subsequently substantiated.

Cloud-Based Software Sales

Additional Apparent Violations occurred when SAP’s cloud business group (CBG) subsidiaries in the United States sold cloud-based software subscription services to customers that enabled access to employees or customers in Iran. These exports occurred partly as a result of a failure to timely integrate the CBG subsidiaries into SAP’s broader compliance structure. In 2011, SAP had begun acquiring several U.S.-based CBGs that operated internationally. Pre- and post-acquisition due diligence on the CBGs found that they generally lacked comprehensive export controls and sanctions compliance programs, and in some instances had no sanctions compliance measures at all. Despite these findings, SAP permitted the CBGs to continue operations as standalone entities without fully integrating them into SAP’s existing compliance measures. SAP instead relied on its small U.S.-based Export Compliance Team to coordinate and enforce compliance processes for the CBGs. The U.S.-based Export Compliance Team was not resourced or empowered to manage these processes appropriately. These processes, moreover, were not consistent across all the CBGs due to technological challenges and encountered resistance from some CBGs that did not view sanctions compliance as necessary. The Export Compliance Team reported these challenges to SAP’s Germany-based compliance team, but received limited support. SAP compliance deficiencies within the CBGs were not appropriately addressed until September 2017."

(more on the page following)

This case raises some serious questions. First, not all countries impose identical sanctions on Iran. The USA goes beyond those required by the United Nations, for example. Where it can find jurisdiction, OFAC takes action against companies that source items in the USA and ship them via staging posts in countries that have no similar export ban.

But this is different: there was no physical item to be shipped and re-shipped. Here there is a service. That service was, in this case, supported not out of Germany but out of the USA. That gives OFAC jurisdiction. Moreover, SAP software operates in "the cloud", which means that it sits on several servers around the world and is accessed in the most efficient way. SAP USA knew, or had reason to know, that its end users were in Iran. This is not rocket science: IP logs provide traces. Arguably, all Iranian IPs should be flagged or even blocked in cases where OFAC might have jurisdiction.
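The control OFAC's note says SAP's own audits recommended in 2006 and 2014, and the one the paragraph above calls "not rocket science", is geolocation screening of download and access logs. The following is an added illustration of that control, not SAP's, its content delivery provider's or OFAC's tooling. The log format, the IP-range-to-country table and the sample lines are all constructed for the example (the ranges are the RFC 5737/3849 documentation blocks and their country labels are invented); a real deployment would back `COUNTRY_RANGES` with a maintained GeoIP database. The point a compliance engineer cares about is the failure mode: a request whose origin cannot be determined is routed to review rather than silently allowed, because the gap OFAC describes was precisely that SAP could not tell which country a download went to.

```python
"""Geolocation screening of download logs against a sanctioned-country list.

Added example. Log format, IP ranges, country labels and sample lines are
constructed for illustration; none of it is SAP's or OFAC's tooling.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed table: documentation ranges with invented country assignments.
COUNTRY_RANGES = [
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "IR"),
    (ipaddress.ip_network("203.0.113.0/24"), "AE"),
    (ipaddress.ip_network("2001:db8::/32"), "IR"),
]

# Countries whose end users must not be served from the U.S.-based delivery path.
BLOCKED_COUNTRIES = frozenset({"IR"})

# Constructed log line: "<timestamp> <client-ip> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class Decision:
    line: str
    ip: Optional[str]       # None when the line could not be parsed
    country: Optional[str]  # None when the address is not in the table
    action: str             # "allow", "block" or "review"


def country_for(ip_text: str) -> Optional[str]:
    """Return the country code for an address, or None if unknown/invalid."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, cc in COUNTRY_RANGES:
        if addr in net:  # mixed v4/v6 comparisons simply return False
            return cc
    return None


def screen_line(line: str) -> Decision:
    """Decide allow/block/review for one log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        # Unparseable input is never silently allowed.
        return Decision(line, None, None, "review")
    ip = m.group("ip")
    cc = country_for(ip)
    if cc is None:
        # Unknown origin: fail closed to manual review, the opposite of the
        # 2006-2015 situation in which origin was simply not determined.
        return Decision(line, ip, None, "review")
    action = "block" if cc in BLOCKED_COUNTRIES else "allow"
    return Decision(line, ip, cc, action)


def screen_log(lines) -> List[Decision]:
    """Screen every non-empty line of a log."""
    return [screen_line(l) for l in lines if l.strip()]


def summary(decisions: List[Decision]) -> dict:
    """Count decisions by action, for an audit report."""
    counts = {"allow": 0, "block": 0, "review": 0}
    for d in decisions:
        counts[d.action] += 1
    return counts


# Constructed sample log: one request each from DE, IR (v4), AE, IR (v6),
# an address outside the table, and a corrupt line.
SAMPLE_LOG = """\
2017-03-04T10:22:13Z 192.0.2.17 GET /downloads/erp-update-7.zip 200
2017-03-04T10:22:50Z 198.51.100.9 GET /downloads/erp-update-7.zip 200
2017-03-04T10:23:02Z 203.0.113.45 GET /downloads/license.bin 200
2017-03-04T10:23:40Z 2001:db8::1 GET /downloads/erp-update-7.zip 200
2017-03-04T10:24:11Z 10.0.0.5 GET /downloads/erp-update-7.zip 200
this line is corrupt
"""

if __name__ == "__main__":
    decisions = screen_log(SAMPLE_LOG.splitlines())
    for d in decisions:
        print(f"{d.action:6} {d.country or '??':2} {d.ip or '-':15} {d.line}")
    print(summary(decisions))
```

Geolocation by IP is a signal, not proof of where the user sits; OFAC's note is explicit that SAP also had customer identity, partner websites and whistleblower reports pointing the same way, so the screening belongs alongside customer due diligence, not in place of it. The "review" bucket is what makes the control auditable: it produces a list that someone is accountable for clearing.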

SAP has a large footprint in the USA. There is no doubt that OFAC would be able to establish jurisdiction.

On the next page there is further information on the case from OFAC. We have not sorted out the spelling, grammar or peculiar words ("exportation" instead of "export", for example).

It is useful because it shows how risk and compliance were disassociated from the sales and technical people in the company, and how a failure to adequately train staff in sanctions, etc. can have serious consequences.