U.S. prosecutors said Thursday that German software giant SAP will pay more than $8 million in penalties in acknowledging that it illegally exported its products to Iran.
The U.S. said the company could have faced stiffer penalties and prosecution had it not voluntarily disclosed the activities that violated American sanctions against Iran.
The company agreed to the penalties and changes to its business practices as part of an agreement with the U.S. departments of Justice, Commerce and Treasury.
SAP said it welcomed the resolution.
“We accept full responsibility for past conduct, and we have enhanced our internal controls to ensure compliance with applicable laws,” the company said.
SAP was not properly using its geolocation filters to identify and block thousands of Iranian downloads of software and software updates over many years, said Nathaniel Mendell, the acting U.S. attorney for Massachusetts, where the resolution was reached after a three-year investigation following SAP’s disclosure.
That allowed a number of Iranian-controlled front companies, some of them presumably connected to the government, to be able to use the software, including well-known SAP products that human resources departments use to manage employees’ hours, Mendell said.
“It wasn’t anything that would pose a more serious threat,” he said. “It was the more standard SAP suite.”
He said some SAP senior executives were aware their export controls were inadequate for years before they were fixed.
The resolution marks the first to follow a “voluntary self-disclosure” policy that has been on the books since 2016 and was amended in 2019 to encourage more participation.
It’s meant to show that there is a benefit to coming to U.S. authorities before getting caught, said U.S. Assistant Attorney General John Demers.
“This could have been far worse for SAP if we discovered this on our own,” he said.