CALL US TODAY
202.772.2039

Settlements for Exports of Controlled Encryption Software to Iran

Settlements of Exports of Controlled Encryption Software to Iran blog

SAP, a German multinational software corporation with a significant U.S. presence, recently settled allegations that it violated OFAC and BIS regulations concerning exports of software, upgrades and patches from the United States to Iran and Iranian companies. The settlement amounts totalled in excess of $6.4 million.

Watch the video as George W. Thompson, International Trade Attorney, discusses the nature of the violations and what companies engaged in cloud-based software-as-a-service exports should be aware of.

Transcript of Settlements for Exports of Controlled Encryption Software to Iran

Good afternoon, this is George Thompson, and today I’m going to discuss a recent enforcement case that the Bureau of Industry and Security, Office of Foreign Assets Control, and Justice Department settled with the software company SAP. The case involves a couple of significant compliance issues: encryption controls, transactions with Iran, and provision of cloud-based services.

SAP is a German-based company, but with a significant U.S. presence. The compliance problems arose from its exports of software, upgrades and patches from the United States to Iran and Iranian companies. This activity implicates both the Export Administration Regulations and the Iranian Transactions and Sanctions Regulations, although for different reasons.

The BIS concerns arose due to SAP’s unlicensed exports of controlled encryption software. According to that agency, “The items were controlled for encryption and national security reasons.” Items controlled for those reasons require an export license to Iran, which SAP did not get.

OFAC prohibits exports of virtually all items and services to Iran, so providing controlled or non-controlled software from the U.S. to Iran is a violation of the OFAC sanctions. As described by OFAC, “The software was delivered from SAP servers in the United States and SAP’s U.S.-headquartered content delivery provider. The sales of cloud-based subscription services to third country-based customers that then provided access to users located in Iran were conducted by two of SAP’s cloud business group subsidiaries in the United States.” Some of the apparent violations arose from SAP’s allowing the use of cloud-based software in Iran by non-Iranian parties, presumably business visitors from third countries.

Compounding the situation, some SAP employees knew these activities were not permitted, but let them occur anyway. Internal audits that had uncovered gaps in the company’s compliance program also were ignored. SAP itself discovered and disclosed them to OFAC and BIS. Doing so mitigated the severity of the potential penalty, but nevertheless SAP was required to pay $2,132,000 to settle the OFAC case and $3,290,000 for the BIS one.

There are a couple of compliance lessons here. The first is that companies making software available on the internet – and that’s by far the most common method these days – should be aware of their products’ control status and ensure that appropriate measures are in place to block access from restricted countries. In particular, software with encryption functionality that remains covered by the Commerce Control List cannot be available to controlled destinations.

Second, the provision of cloud services can be a problem. Although the use of software-as-a-service is not an export under the EAR, it does constitute provision of a service under the OFAC regulations. Here too, appropriate blocking measures should be put in place.

Third, Iran remains a highly-restricted destination under both the EAR and the Iranian Transactions and Sanctions Regulations. U.S. companies have to ensure that their products and services are not exported there, directly or indirectly. One of the allegations against SAP was that a number of its multinational customers, headquartered outside of Iran, engaged in the use of SAP products and services in that country without a license. SAP didn’t have the safeguards in place to prevent that from happening.

The settlement summaries are available on the OFAC, BIS and DOJ websites. They’re well worth reviewing to gain insight into common compliance issues in the electronic age.

Thompson & Associates, PLLC provides representation in all aspects of customs laws and regulations, specializing in export and import regulations and international business counseling.We can be reached at 202-772-2039 or online.

SHARE THIS ARTICLE
Facebook
Twitter
LinkedIn
WhatsApp
Email
Print
SUBSCRIBE TO OUR EMAIL NEWSLETTER

Get delivered once a week to your inbox, a hand-picked list of the latest news on international trade compliance issues as well as the latest articles from George W. Thompson.

MORE VIDEOS