On April 29, 2021, the U.S. Department of Justice's National Security Division and the U.S. Attorney's Office for the District of Massachusetts (collectively, "DOJ") announced that DOJ entered into a precedent-setting non-prosecution agreement with German software company SAP SE ("SAP") for more than $8 million, after it became the first company to voluntarily disclose U.S. export and sanctions violations pursuant to DOJ's new export control and sanctions voluntary self-disclosure ("VSD") policy.  Although SAP was required to disgorge $5.14 million of ill-gotten gains, DOJ did not prosecute SAP nor seek any additional penalty amount.  The resolution - which carefully tracks the National Security Division's 2019 VSD policy (on which we have written before) - provides a roadmap for how companies can obtain full voluntary self-disclosure credit, and a case study of when DOJ will eschew criminal prosecution and fines.    

Concurrently with the DOJ Non-Prosecution Agreement ("DOJ Agreement"), SAP also entered into settlements with the Department of Commerce's Bureau of Industry and Security ("BIS") and the Department of the Treasury's Office of Foreign Assets Control ("OFAC").  As part of those settlements, SAP agreed to pay OFAC $2.13 million and BIS $3.19 million, although the OFAC payment was deemed satisfied by the payments to DOJ and BIS.

As part of the resolution, SAP acknowledged violations of the Export Administration Regulations ("EAR") and the Iranian Transactions and Sanctions Regulations ("ITSR") stemming from the fact that its software cloud servers and online portal were accessible to and in fact accessed by users in Iran.  Specifically, SAP allowed its software, including upgrades and software patches, to be sold by third-party resellers and thereafter downloaded by users in Iran more than 20,000 times, and permitted more than 2,000 Iranian users to access SAP cloud services from Iran.  DOJ focused on the fact that neither the company nor its U.S.-based content delivery provider used geolocation filters to identify and block Iranian downloads or access.  

In addition to paying combined penalties of more than $8 million dollars and admitting responsibility for the illegal exports as part of its resolution with the U.S. government, SAP agreed to continue cooperating with DOJ and other U.S. agencies, revamp its existing internal controls and compliancy policies and procedures, and conduct internal audits of its compliance with U.S. export control laws and regulations and produce audit reports to BIS and DOJ for a period of three years.

The DOJ's Voluntary Self-Disclosure Policy

In a previous client alert, we examined the National Security Division's ("NSD") revised policy to encourage voluntary self-disclosures of criminal violations of export control and sanctions laws.  The new guidance issued in December 2019 provided greater clarity regarding the incentives for companies that self-report, including a presumption that such companies will receive a non-prosecution agreement and limits on any monetary payment to an amount equal to the gains from the illegal conduct, absent aggravating factors.

The policy reflects NSD's emphasis on private-sector cooperation as part of its overall strategy to enforce export control and sanctions laws.  The SAP resolution confirms this emphasis on cooperation and provides businesses with key insight into the factors NSD values in reaching favorable resolutions under the new VSD policy.

Key Factors under DOJ's Voluntary Self-Disclosure Policy

Although SAP's conduct constituted "serious violations of U.S. law involving the release of U.S. origin technology and software through cloud servers and online portals," the DOJ Agreement recognized the importance of SAP's voluntary self-disclosure as well as its extensive internal investigation and cooperation over a three-year period.

More specifically, DOJ identified the following facts and circumstances that lead to a favorable agreement:

  • SAP's timely and voluntary disclosure;
  • SAP's initial and continued cooperation with DOJ, BIS, and OFAC;
  • SAP's thorough internal investigation and proactive identification of issues and facts;
  • SAP's timely remediation and implementation of, and $27 million investment in, significant changes to its export control and sanctions compliance program;
  • The national security ramifications of SAP's actions were tempered by its voluntary self-disclosure, remediation, and cooperation; and
  • SAP had no history of similar misconduct.

Importantly, because of SAP's significant remediation efforts and the current state of its export control and sanctions compliance program, DOJ determined that a monitor is not necessary.

Conclusion

SAP's non-prosecution agreement reflects NSD's efforts to incentivize companies to promptly disclose potential criminal violations of export control and sanctions laws. As companies contemplate whether and when to make a voluntary disclosure to DOJ, they will need to consider the incentives offered by the policy alongside other factors, including the nature of the violation, the evidence of willfulness, the likelihood that DOJ will independently identify the violation, and which agencies to share information with and in what order.  Given the favorable outcome here, we expect a slight uptick in voluntary self-disclosures.

Raymond Rif, a Legislative and Policy Specialist in the Morrison & Foerster LLP National Security practice, contributed to this alert.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved