OFAC and BIS regulations
SAP, a German multinational software corporation with a significant U.S. presence, recently settled allegations that it violated OFAC and BIS regulations concerning exports of software, upgrades, and patches from the United States to Iran and Iranian companies. The settlement amounts totaled in excess of $6.4 million.
In the following transcript George W. Thompson, International Trade Attorney discusses the nature of the violations and what companies engaged in cloud-based software-as-a-service exports should be aware of.
Good afternoon. This is George Thompson and today I’m going to discuss a recent enforcement case that the Bureau of Industry and Security Office of Foreign Assets Control and Justice Department settled with the software company SAP. The case involves a couple of significant compliance issues, encryption controls transactions with Iran, and the provision of cloud-based services. SAP is a German-based company but with significant U.S. presents. The compliance problems arose from its exports of software upgrades and patches from the United States to Iran and Iranian companies. This activity implicates both the Export Administration Regulations and the Iranian transactions and sanctions regulations, although, for different reasons, the biggest concerns arose due to SAPs unlicensed exports of controlled encryption software. According to that agency, the items were controlled for encryption and national security reasons. Items controlled for those reasons require an export license to Iran, which SAP did not get. OFAC prohibits exports of virtually all items and services to Iran. So providing controlled or uncontrolled software from the US to Iran is a violation of the OFAC sanctions. As described by OFAC the software was delivered from SAP servers in the United States and SAP’s US headquarters content delivery provider. The sales of cloud-based subscription services to the third country-based customers that then provided access to users located in Iran were conducted by two of SAP’s cloud business group subsidiaries in the United States. Some of the apparent violations arose from SAP’s allowing the use of cloud-based software in Iran by non-Iranian parties, presumably business visitors from third countries. Compounding the situation. Some SAP employees knew these activities were not permitted, but like them occur anyway. Internal audits that had uncovered gaps in the company’s compliance program also were ignored. SAP itself discovered in disclose them to OFAC and bis doing so mitigated the severity of the potential penalty, but nevertheless, SAP was required to pay $2,132,000 to settle the OFAC case, and $3,290,000. For this one, there are a couple of compliance lessons here. The first is that companies make software available on the internet. And that’s by far the most common method these days should be aware of the products control status and ensure that appropriate measures are in place to block access from restricted countries. In particular software with encryption functionality that remains covered by the Commerce Control List cannot be available to control destinations. Second, the provision of cloud services can be a problem. Although the use of software as a service is not an export under the EAR. It does constitute the provision of the service under the OFAC regulations here to appropriate blocking measures should be put in place. Third, Iran remains a highly restricted destination. Under both the EAR and the Iranian transactions and sanctions regulations. US companies have to ensure that their products and services are not exported, they’re directly or indirectly. One of the allegations against SAP was that a number of multinational customers headquartered outside of Iran engaged in the use of SAP products and services in that country without a license. SAP didn’t have the safeguards in place to prevent that from happening. The settlement summaries are available on the OFAC business and DOJ websites. They’re well worth reviewing to gain insight into common compliance issues in the electronic age.