SAP has agreed to pay $ 8m fines for giving Iranian users access to software upgrades, patches and cloud services that violate U.S. sanctions laws.
The German software giant also spent $ 27m on cooperation with U.S. authorities and remedial actions. And it promised to pay $ 5.14m in unearned gains.
SAP first discovered and reported penal violations, and worked with the U.S. Department of Justice and the U.S. Attorney’s Office for the District of Massachusetts for three years to reach a non-prosecution agreement.
In a statement, assistant attorney general for the National Security Division of the Department of Justice John Demers said: “SAP will suffer penalties for its violations of sanctions on Iran, but it will be worse if they do not disclose, collaborate, and recover. We hope that with other businesses, software or otherwise, follow this lesson. “
FBI Boston Division special agent Joseph Bonavolonta thanked SAP “for working hard to improve their compliance program to prevent future violations.”
The SAP violations of US sanctions on Iran, which took place in various forms since 1979, occurred from January 2010 to September 2017.
It broke export policies in two ways, according to U.S. authorities.
First, the German company and its overseas partners released software originating in the US, along with upgrades or software patches, more than 20,000 times to users located in Iran.
A statement from the Attorney’s Office said SAP senior executives were unaware that the company or the content delivery provider were not using geolocation filters to identify and block Iranian downloads, but were not the company resolved the issue.
“Most of Iran’s downloads went to 14 companies, of which SAP partners in Turkey, the United Arab Emirates, Germany and Malaysia are known to be front-line companies controlled by Iran,” the statement said . The remaining downloads went to several multinational companies with operations in Iran, which downloaded SAP software, updates, or patches from locations in Iran.
The second way SAP violated the rules came from accessing cloud services from within Iran. From approximately 2011 to 2017, by acquiring companies that host its software in the cloud, SAP found that nearly 2,360 users accessed U.S.-based cloud services from Iran . Although these companies lack adequate export control and compliance with penalty compliance processes, SAP decided to allow these companies to continue to operate as standalone entities after they are acquired and ” failed to fully integrate them into tighter export controls and sanctions compliance programs, ”according to the DoJ.
The SAP said in a statement that it accepted the conclusion of the investigations. “As noted in the settlement agreements, SAP has conducted a thorough and extensive investigation into historical export controls and violations of economic sanctions. We accept full responsibility for past violations. behavior, and we have enhanced our internal controls to ensure compliance with applicable laws.
“SAP remains committed to maintaining a robust, worldwide export control and trade sanctions compliance program.” ®