Communications Litigation Today was a Warren News publication.

Greater Attention Should Be Paid to Export Control Due Diligence, Law Firm Says

Following the Department of Justice's first resolution of action under a new export control tool, greater efforts should be made to conduct export-related due diligence and act on those recommendations, according to a May 6 analysis from Sidley Austin. Merely conducting audits of exports and sanctions is not good enough anymore, Sidley said. Implementing audit recommendations and putting in place a robust process to receive, investigate and elevate whistleblower complaints should be a priority following the DOJ's settlement with German software company SAP SE.

SAP agreed to pay more than $8 million in fines after it admitted to violating U.S. export controls and sanctions against Iran, the Justice, Treasury and Commerce departments revealed April 29 (see 2104290069). The company came to settlement agreements with all three agencies after it voluntarily disclosed the violations, which included illegal exports and reexports of U.S.-origin software, marking the first application of DOJ's Dec. 2019 Export Control and Sanctions Enforcement Policy. Despite having conducted multiple audits and having knowledge of its products going to U.S.-sanctioned sources, Treasury's Office of Foreign Assets Control considered the firm's behavior to be “reckless,” failing “to exercise a minimal degree of caution or care for U.S. economic sanctions.”

Responding to this first use of the new export and sanctions policy, Sidley detailed other steps companies should take to ensure full compliance with the regulation. Aside from taking audit recommendations, “companies should conduct and act on diligence findings, including by updating and integrating compliance processes where necessary to ensure compliance with export controls and sanctions laws,” the analysis said. As detailed in SAP's settlement agreement, the company will now have to implement greater diligence mechanisms such as the Corporate Compliance Program. The program requires SAP to implement an effective mechanism to respond to internal reporting of violations, highlighting the need for proper whistleblower processing systems.

The analysis concluded with a discussion of the U.S.'s sanctions and export controls jurisdiction relating to global information technology systems. Even though SAP is a German company, the federal government had jurisdiction over the company due to the use of U.S.-based assets. U.S. “touchpoints” should be better understood within each company to understand U.S. jurisdiction exposure, Sidley said.