According to BIS, Microsoft voluntarily self-disclosed the alleged violations to both BIS and OFAC, cooperated with the joint investigation conducted by BIS’s Office of Export Enforcement and OFAC, and took remedial measures after discovering the conduct at issue, which predated the export controls and sanctions imposed in connection with the current Russian war in Ukraine.
Under BIS’s order, Microsoft will pay an administrative penalty of $624,013. In addition to the BIS penalty, Microsoft entered into a corresponding settlement with OFAC, in which it agreed to an additional $3 million civil penalty to resolve 1,339 apparent violations of OFAC sanctions regulations involving Ukraine/Russia, Cuba, Iran, and Syria.
In light of the related OFAC action, BIS gave Microsoft a $276,382 credit, “contingent upon Microsoft fulfilling its requirements under the OFAC settlement agreement,” resulting in a combined overall penalty of $3.3 million, BIS stated.
BIS Case Background
According to BIS, on seven occasions between Dec. 28, 2016, and Dec. 22, 2017, “employees of Microsoft Russia caused another Microsoft subsidiary to enter into or sell software licensing agreements that would allow the transfer or access to software subject to the EAR by FAU ‘Glavgosekspertiza Rossii’ and United Shipbuilding Corporation, both of which were on BIS’s Entity List.”
FAU Glavgosekspertiza Rossii is a Russian federal institution involved with construction projects, including the Kerch Bridge, which was built to connect Crimea to Russia after its 2014 invasion. United Shipbuilding Corporation is responsible for developing and building the Russian Navy’s warships.
“In the case of FAU Glavgosekspertiza Rossii, certain Russia-based employees of Microsoft Russia ordered software licenses through one of Microsoft’s open sales programs in the names of parties not on the entity list,” BIS stated. “In the case of United Shipbuilding, an increased number of software licenses were added under non-listed affiliates’ enterprise agreements.”
Compliance Lessons
OFAC credited Microsoft for its remedial measures and enhancements made to its sanctions and trade compliance program, which compliance officers should take note of as they seek to enhance their own compliance practices in this area.
For example, prior to suspending new sales in Russia in March 2022, Microsoft “require[d] that Russian service contracts be cleared by Microsoft’s ‘High-Risk Deal Desk,’” a function that provides additional compliance oversight and “required pre-contract review of various risk factors, including a detailed review of the ultimate end customer, assessment of the deal structure to identify the beneficiary of Microsoft’s services, and an internal analysis of any existing trade or sanctions restrictions,” according to OFAC’s enforcement release.
Other remedial actions undertaken by Microsoft included:
- Implementing an “end-to-end” screening system that gathers data when an outside party makes its first contact with the company; collects risk-based, compliance-oriented data to enable accurate and reliable restricted-party screening; and screens its data on a persistent, rather than on a transactional, basis;
- Improving the methods by which it researches potential sanctions matches, modifying the procedures to respond to matches, and expanding the scope and volume of data screened;
- Deploying detailed sanctions compliance training for certain employees and jurisdictions, designed to account for specific vulnerabilities identified throughout this disclosure process;
- Adopting a new “Three Lines of Defense” model to govern its trade compliance program, which emphasizes management oversight and compliance monitoring. Further details on the responsibilities of each of these lines of defense are described in the OFAC enforcement release; and
- Terminating or otherwise disciplining the Microsoft Russia employees engaged in the activity described above.
“Companies with sophisticated technology operations and a global customer base should ensure that their sanctions compliance controls remain commensurate with that risk and leverage appropriate technological compliance solutions,” OFAC stated. “Such companies should also consider conducting a holistic risk assessment to identify and remediate instances where the company may, directly or indirectly, engage with OFAC-prohibited persons, parties, countries, or regions.”
“Such an assessment is particularly important for companies operating in or exposed to high-risk jurisdictions,” OFAC added. “This action also highlights the importance of companies conducting business through foreign-based subsidiaries, distributors, and resellers having sufficient visibility into end users with which they may have an ongoing relationship, including through the provision of services after an initial sale, to avoid engaging in business dealings with prohibited parties.”
OFAC further recommended that, upon changes to OFAC’s SDN List, companies “evaluate their pre-existing trade relationships to avoid dealings with prohibited parties,” ensure that employees located in foreign jurisdictions “adhere to the company’s sanctions compliance program,” and support this with periodic auditing.
Lastly, OFAC stressed the variety of means that sanctioned Russian enterprises use to circumvent U.S. restrictions. Companies that engage in business with Russia “should be aware of such evasion techniques and associated red flags, such as those described in the March 2023 Alert, ‘Cracking Down on Third-Party Intermediaries Used to Evade Russia-Related Sanctions and Export Controls’ and FinCEN’s March 2022 Alert, ‘FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts.’”
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.