German software company SAP SE on Thursday agreed to pay more than $8 million in combined penalties issued by three U.S. agencies after admitting to numerous violations of sanctions against Iran, which occurred when Iran-based users paid to download SAP software, upgrades, and patches.

SAP agreed to disgorge $5.14 million paid by Iranian users for its software over a seven-year period as part of a non-prosecution agreement reached with the Department of Justice (DOJ). The company will also pay $3.3 million in penalties to settle export control law violations with the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) and $2.1 million as part of a settlement with U.S. Treasury’s Office of Foreign Assets Control (OFAC).

Portions of the penalties are offset by each other, resulting in the approximately $8 million total.

For three years, BIS will require that SAP conduct internal audits of its compliance with U.S. export control laws and regulations and produce those audit reports to the agency.

SAP self-disclosed the violations and offered extensive aid to the DOJ investigation over the course of three years, “producing thousands of translated documents, answering inquiries and making foreign-based employees available for interviews in a mutually agreed upon overseas location,” the DOJ said.

“Today’s first-ever resolution pursuant to the Department’s Export Control and Sanctions Enforcement Policy for Business Organizations sends a strong message that businesses must abide by export control and sanctions laws, but that when they violate those laws, there is a clear benefit to coming to the Department before they get caught,” said Assistant Attorney General John Demers for the Justice Department’s National Security Division in a press release.

“SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated. We hope that other businesses, software or otherwise, we [sic] heed this lesson.”

The details: From 2010 to 2017, SAP and its overseas partners allowed more than 20,000 downloads of its U.S.-based software, upgrades, and patches by users in Iran. The company did not use geolocation filters to block Iranian downloads, despite senior SAP executives knowing about the issue. The DOJ said the majority of the downloads went to 14 companies, which SAP’s overseas partners in several countries knew were Iranian-controlled front companies.

SAP also acquired several cloud-based businesses from 2011 to 2017, and these companies permitted more than 2,000 Iranian users to access U.S.-based cloud services. SAP knew these acquired companies lacked adequate export control and sanctions compliance processes but did not integrate them into its more robust compliance program, the DOJ said.

The BIS said SAP exported software, upgrades, and patches to users in several sanctioned countries, including Iran, from 2009 to 2019 without the required export licenses.

OFAC said SAP violated U.S. sanctions against Iran by authorizing 13 sales of software licenses, 169 sales of related upgrades and patches, and eight sales of cloud subscription services from 2013 to 2018. The total value of the transactions was approximately $3.7 million.

Compliance takeaways: Beyond self-reporting the violations and cooperating with the investigations, SAP took significant steps to improve its compliance programs in an effort that took four years and cost $27 million, the DOJ said.

The company fired five employees who knowingly engaged in sales of SAP products to Iran, OFAC said. The DOJ said SAP hired 15 new U.S.-based staff responsible for export control and sanctions compliance.

SAP implemented a GeoIP blocking system, deactivated thousands of individual users of its cloud-based services in Iran, transitioned to automated sanctioned party screening of its cloud-based businesses, and audited and suspended partners that sold to Iran-affiliated customers, the DOJ said.

When SAP acquires other companies, it will now conduct robust due diligence that includes input from its export control team before completing the acquisition. All new acquisitions will be required to adopt GeoIP blocking.

SAP responds: In a statement, SAP said it welcomed the settlements with the three agencies.

“SAP conducted a thorough and extensive investigation into historical export controls and economic sanctions violations. We accept full responsibility for past conduct and we have enhanced our internal controls to ensure compliance with applicable laws,” the company said. “Our significant remediation efforts, combined with our full and proactive cooperation with U.S. authorities, have led to a mutually agreeable resolution of the Iran investigation without the imposition of an external monitor.”