Software Company Self-Reports Illegal Exports

Written by

A software company based in Germany has self-disclosed violating United States sanction laws by exporting American products and services to Iran.

SAP SE, which is headquartered in Walldorf, admitted to carrying out thousands of export violations over a seven-year period. 

After self-reporting its transgressions, the company agreed to pay combined penalties of more than $8m as part of a global resolution reached with the United States Departments of Justice (DOJ), Commerce, and Treasury. 

SAP entered into a non-prosecution agreement with the three agencies that requires the company to disgorge $5.14m of ill-gotten gains. 

From around January 2010 through approximately September 2017, SAP and its overseas partners released US-origin software more than 20,000 times to users located in Iran. Software exported by SAP without a license included upgrades and patches. 

"Certain SAP senior executives were aware that neither the company nor its U.S.-based content delivery provider used geolocation filters to identify and block Iranian downloads, yet for years the company did not remedy the issue," stated the DOJ.

Most of the Iranian downloads went to 14 companies, which SAP's partners in Turkey, United Arab Emirates, Germany, and Malaysia knew to be under Iranian control. The remaining downloads were sold to several multinational companies then downloaded by their Iranian-based operations.

During the same period, SAP’s Cloud Business Group companies (CBGs) permitted approximately 2,360 Iranian users to access US-based cloud services from Iran.

The DOJ praised SAP for voluntarily confessing its violations, running an extensive internal investigation, and for cooperating with the US government over a three-year period. 

"During this time, SAP worked with prosecutors and investigators, producing thousands of translated documents, answering inquiries and making foreign-based employees available for interviews in a mutually agreed upon overseas location," stated the DOJ.

SAP also spent more than $27m on remediating its export compliance and sanctions program. Changes introduced by the company included the implementation of GeoIP blocking, the deactivation of thousands of Iran-based user accounts for cloud services, and the suspension of SAP partners who sold to customers affiliated with Iran. 

Assistant Attorney General John Demers said: “SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated."

What’s hot on Infosecurity Magazine?