Effective PR

Cloud services providers and sanctions.

Nigel Morris-Cotterill

German software company SAP SE has done a deal with the USA's OFAC to avoid court proceedings relating to transactions with Iran. But that's not the important part of this story: what matters is that services were provided "in the cloud" and OFAC claims jurisdiction over it.

From the OFAC enforcement release:

Aggravating factors:

(1) SAP demonstrated reckless disregard and failed to exercise a minimal degree of caution or care for U.S. economic sanctions by failing to act upon the findings of multiple internal audits conducted over a period of at least eight years highlighting sanctions risks, as well as warnings from its compliance personnel indicating compliance program deficiencies that could lead to violations of U.S. economic sanctions regulations. SAP also ignored other warning signs, including whistleblower claims alleging sales of SAP software from the United States to Iran. It further permitted its U.S.-based CBGs to operate as standalone entities despite pre- and post-acquisition due diligence and reports from its U.S.-based Export Compliance Team notifying SAP headquarters of significant compliance deficiencies;

(2) SAP also acted recklessly by having a compliance program that was not commensurate to SAP’s size and sophistication and that did not: 1) implement adequate controls in a timely manner (e.g., instituting geo-location IP address screening for SAP software delivered from the United States); 2) conduct an adequate degree of due diligence on SAP Partners; and 3) implement robust controls or compliance requirements for SAP Partner sales and SAP CBGs;

(3) SAP had direct knowledge or reason to know that SAP software and cloud services were being sold or used by entities and end-users in Iran and were supported from the United States. In some cases, SAP managers and other personnel had direct knowledge and facilitated the purchases of SAP software by third-country entities that enabled the use of SAP products in Iran. SAP had reason to know, from IP address data, that SAP software, updates, and services were being downloaded from the United States by end-users located in Iran. In addition, information posted on SAP Partners’ websites publicized business ties with Iranian companies;

(4) SAP’s exportation from the United States of business enterprise software and services to Iran caused harm to U.S. sanctions program objectives and undermined U.S. policy objectives by providing economic benefit to Iran, including the provision of leading business enterprise software in the amount of $3.9 million to be used by Iranian businesses; and

(5) SAP is a sophisticated software company with significant international operations and has numerous foreign subsidiaries.

Mitigating factors:

(1) SAP has no prior OFAC sanctions history, including no penalty notice or Finding of Violation in the five years preceding the earliest date of the transactions giving rise to the Apparent Violations;

(2) SAP substantially cooperated with OFAC’s investigation, including arranging interviews with SAP employees;

(3) SAP took significant remedial actions, including:
• Terminating all users associated with the third-country entities that provided software and services to Iran, and Iranian cloud services;
• Terminating SAP Partners engaged in sales to Iranian companies;
• Blocking all downloads of software, support, and maintenance from Iran and other embargoed countries;
• Implementing a risk-based export control framework for SAP Partners that requires a stringent review of proposed sales by a third-party auditor;
• Developing and implementing an improved compliance program, including geolocation IP screening;
• Hiring more than six new employees responsible for export control and trade sanctions compliance; and
• Terminating five employees found to have knowingly engaged in the sale of SAP products to Iran or failed to adhere to SAP internal policy prohibiting sales to embargoed countries.

Compliance Considerations

This enforcement action highlights for global companies providing software products online, including through cloud-based services, direct downloads, or other such means, the importance of implementing a risk-based sanctions compliance program commensurate with their size and sophistication and appropriate to their marketing and operational structures. Screening processes for such programs will generally include IP address identification and blocking capabilities and are especially important for companies that use sales models where engagement with the end-user is indirect. Such companies include those using third-party vendors or distributors for product delivery, or who deliver services to customers who might provide them to employees or other users. As in other industries, due diligence for software distributors, resellers, and agents is essential. This enforcement action also emphasizes the importance of conducting sufficient pre- and post-acquisition due diligence to identify and promptly remediate compliance deficiencies in newly acquired subsidiaries. Compliance efforts in such circumstances should be sufficiently resourced and empowered to undertake thorough examinations of risks and to implement appropriate controls, including, if needed, any stopgap measures. OFAC sanctions compliance programs should further maintain the support and commitment of senior-level managers to be effective. In circumstances where senior-level managers are made aware of potentially violative conduct or compliance deficiencies, it is incumbent on them to take expeditious action to seek and abide by appropriate guidance.
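As an added illustration of the geolocation IP screening control that the OFAC release names, and not code from SAP or from the enforcement release, the following Python gate screens every hop of a download or login request (the client address plus any X-Forwarded-For chain) against a CIDR-to-country table, fails closed on addresses it cannot resolve, and counts repeat denials per account so that the kind of IP data the release says SAP "had reason to know" from actually reaches compliance review. The address table, the embargoed-country set and the account names are constructed for this example; a real deployment would query a maintained GeoIP database and take its country list from the current OFAC programs.

```python
"""Geolocation IP screening for software downloads and cloud logins.

Added example, not SAP's system or OFAC's text. The lookup table and the
embargoed-country set below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed table built on RFC 5737 documentation ranges; the country labels
# are assigned for this example only and do not reflect real allocations.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Placeholder set; the authoritative list comes from current OFAC sanctions programs.
EMBARGOED_COUNTRIES = {"IR"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    countries: list = field(default_factory=list)  # countries seen along the hop chain


def lookup_country(ip_text):
    """Return the country code for an address, or None if invalid or not in the table."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for network, country in GEOIP_TABLE:
        if ip in network:
            return country
    return None


def screen_request(client_ip, forwarded_for=None):
    """Decide whether a download or login request may proceed.

    Every hop in the X-Forwarded-For chain is screened, not only the connecting
    address, so a request relayed through an intermediary in a permitted country
    is still blocked if an earlier hop sits in an embargoed one. Addresses that
    cannot be parsed or geolocated fail closed and are held for manual review.
    """
    hops = [client_ip]
    if forwarded_for:
        hops += [h.strip() for h in forwarded_for.split(",") if h.strip()]
    seen = []
    for hop in hops:
        country = lookup_country(hop)
        if country is None:
            return Decision(False, f"unresolved address {hop}: held for review", seen)
        seen.append(country)
        if country in EMBARGOED_COUNTRIES:
            return Decision(False, f"hop {hop} geolocates to embargoed country {country}", seen)
    return Decision(True, "all hops in permitted countries", seen)


def flag_accounts(requests, threshold=2):
    """Count embargoed-country denials per account and return those at or above
    the threshold, so compliance reviews accounts that repeatedly fetch software
    or updates from embargoed locations rather than seeing isolated blocks."""
    counts = {}
    for account, ip, xff in requests:
        decision = screen_request(ip, xff)
        if not decision.allowed and any(c in EMBARGOED_COUNTRIES for c in decision.countries):
            counts[account] = counts.get(account, 0) + 1
    return {account: n for account, n in counts.items() if n >= threshold}


# Constructed request log: (account, connecting IP, X-Forwarded-For header or None).
SAMPLE_REQUESTS = [
    ("acct-100", "192.0.2.10", None),             # US: allowed
    ("acct-200", "198.51.100.7", "203.0.113.9"),  # relayed via DE, originated in IR: blocked
    ("acct-200", "203.0.113.22", None),           # IR direct: blocked
    ("acct-300", "10.0.0.5", None),               # not in table: held for review
    ("acct-400", "not-an-ip", None),              # unparseable: held for review
]

if __name__ == "__main__":
    for account, ip, xff in SAMPLE_REQUESTS:
        print(account, screen_request(ip, xff))
    print("accounts for compliance review:", flag_accounts(SAMPLE_REQUESTS))
```

The screening is deliberately fail-closed: an address the table cannot place is treated as a block pending review rather than an allow, because an unknown location is exactly the gap an indirect sales channel exploits. Screening the whole forwarded chain, not just the last proxy, is what stops a third-country intermediary from laundering the origin of a download.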