SAP to pay $8m in non-prosecution agreement with US authorities over Iran sanction violations

SAP has agreed to pay penalties of $8m for providing Iranian users with access to software upgrades, patches and cloud services in breach of US sanctions laws.

The German software giant also spent $27m on cooperating with the US authorities and remediation actions. And it promised to pay back $5.14m in ill-gotten gains.

SAP first uncovered and reported the sanctions violations, and has been working with the Department of Justice and US Attorney's Office for the District of Massachusetts for three years to reach a non-prosecution agreement.

In a statement, assistant attorney general for the Justice Department's National Security Division John Demers said: "SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated. We hope that other businesses, software or otherwise, heed this lesson."

FBI Boston Division special agent Joseph Bonavolonta thanked SAP "for working hard to enhance their compliance program to prevent future violations."

• Xiaomi hit by US sanctions: Can't list on stock exchanges and investors can't invest
• Let the chips fall where they may: US Commerce dept whacks Middle Kingdom firm SMIC on naughty list
• New drinking game idea: Down a shot every time Huawei blames US sanctions for the current tech industry woes
• Iran to issue license for national bug bounty program to clean up its code base

SAP's violations of US sanctions on Iran, which have been in place in various forms since 1979, happened from January 2010 through to September 2017.

It broke the export rules in two ways, according to the US authorities.

Firstly, the German company and its overseas partners released US-origin software, including upgrades or software patches, more than 20,000 times to users located in Iran.

The statement from the Attorney General's Office said SAP senior executives were aware that neither the company nor its content delivery provider used geolocation filters to identify and block Iranian downloads, but the company did not remedy the issue.

"The vast majority of the Iranian downloads went to 14 companies, which SAP partners in Turkey, United Arab Emirates, Germany and Malaysia knew were Iranian-controlled front companies," the statement said. The remaining downloads went to several multinational companies with operations in Iran, which downloaded SAP's software, updates, or patches from locations in Iran.

The second way SAP violated the rules came from access to its cloud services from inside Iran. From approximately 2011 to 2017, through the acquisition of companies hosting its software in the cloud, SAP became aware that around 2,360 users were accessing US-based cloud services from Iran. Although these companies lacked adequate export control and sanction compliance processes, SAP decided to allow these companies to continue to operate as standalone entities after acquiring them and "failed to fully integrate them into SAP's more robust export controls and sanctions compliance program," according to the DoJ.

SAP said in a statement that it welcomed the conclusion of the investigations. "As noted in the settlement agreements, SAP conducted a thorough and extensive investigation into historical export controls and economic sanctions violations. We accept full responsibility for past conduct, and we have enhanced our internal controls to ensure compliance with applicable laws.

"SAP remains committed to maintaining a robust, world-class export controls and trade sanctions compliance program." ®