OFAC and BIS Announce Microsoft Settlement of Sanctions and Export Control Violations

By: Derrick Kyle, Senior Associate, Veronica Ochoa, Paralegal
Date: 04/25/2023

On April 6, 2023, the Department of Treasury Office of Foreign Assets Control (“OFAC”) and the Department of Commerce Bureau of Industry and Security (“BIS”) announced a settlement with Microsoft Corporation (“Microsoft”) and issued a combined $3.3 million in civil penalties to settle potential violations of sanctions and export control laws pertaining to Russia and other sanctioned jurisdictions. According to the enforcement release, Microsoft filed a voluntary self-disclosure to both OFAC and BIS and took remedial measures after discovering the alleged violations.

The Alleged Violations

From 2012 to 2019, Microsoft Corporation and its subsidiaries, Microsoft Ireland Operations Ltd. and Microsoft Rus LLC (collectively “Microsoft Entities”), engaged in apparent violations of OFAC sanctions programs by selling software licenses and providing related services to end users that included persons listed on OFAC’s Specially Designated Nationals List (“SDN List”) and blocked persons located in Cuba, Iran, Syria, Russia, and the Crimea region of Ukraine. These violations involved Microsoft’s volume licensing sales and incentive programs whereby the Microsoft Entities utilized third-party distributors and resellers to sell Microsoft software products. The Microsoft Entities relied on an indirect resale model in Russia through third-party licensing solution partners (“LSPs”). Using this sales model, Microsoft Rus worked with LSPs to develop sales leads and negotiate bulk sales agreements with end customers. Thereafter, the LSPs would negotiate final sales and sign supply agreements with the end customers. While Microsoft Ireland Operations billed the LSPs annually for licenses it supplied, the LSPs would separately bill and collect payment from the end customer. Under the sales model, an end customer would download and install the Microsoft software and activate the product key. The end customer would then have access to activate and manage the Microsoft software that relied, at least in part, on U.S.-based servers and systems managed by U.S. personnel.

Therefore, when the Microsoft Entities engaged in these third-party sales, Microsoft provided prohibited software and services to SDNs and end customers in sanctioned jurisdictions. The software and related services sold to end customers were not eligible for any general licenses or other exemptions. According to OFAC, end users blocked pursuant to the Ukraine sanctions program particularly benefitted from Microsoft services through its U.S.-based servers and systems.

Why Did These Violations Occur?

According to OFAC, the apparent violations were caused by the lack of complete or accurate information on the identities of the end customers who bought Microsoft products from LSPs. OFAC also noted additional weaknesses in Microsoft’s restricted-party screening regime. Microsoft failed to timely screen and reevaluate existing customers against the continually updated OFAC SDN List. Microsoft additionally failed to implement appropriate corrective measures to avoid continued dealings with SDNs or blocked persons. Furthermore, Microsoft’s screening did not identify blocked parties not specifically listed on the SDN List but owned 50% or more by SDNs.

The Remedial Actions

In calculating Microsoft’s final civil monetary penalty amount, OFAC considered as mitigating factors Microsoft’s voluntary self-disclosure, cooperation with OFAC and BIS investigations, and “significant remedial measures” once the violations were discovered. BIS credited Microsoft with $276,382[1] to fulfil its commitments under the OFAC settlement agreement.

Upon learning of its apparent violations, Microsoft took remedial measures to enhance its sanctions compliance programs while also making structural changes. Microsoft’s remedial measures included the following:

  • Enhancing its trade compliance program.

  • Increasing its resources by rectifying its screening technology and methodology.

  • Requiring Russian service contracts to be cleared by Microsoft’s High Risk Deal Desk, a new function that provides additional compliance screening.

  • Implementing an “end-to-end” screening system that gathers data when an outside party makes its first contact with the company and screens its data on a recurring basis.

  • Implementing an internal team to assist its contractors and employees in reviewing and researching potential restricted parties.

  • Expanding its detailed sanctions compliance training for certain employees and jurisdictions.

  • Adopting a new “Three Lines of Defense” model to supervise its trade compliance program, which emphasizes management oversight and compliance monitoring.

  • Terminating or disciplining the Microsoft Russia employees engaged in the apparent violations.

Lessons Learned: Compliance Considerations

This settlement echoes U.S. regulatory agencies’ continued pursuit of companies and individuals who violate sanctions and export controls. Companies should revisit and update their compliance programs to minimize the risk of violating these regulations. Businesses that do not have a compliance program should prioritize the development and implementation of one. Exporters of U.S. technology, software, or services should consider performing an internal audit to assess, identify, and remediate any risks. If the internal audit uncovers possible violations, the voluntary disclosure of suspected violations will be considered a mitigating factor by OFAC or BIS.

In addition, companies should monitor changes to the SDN List by proactively screening and reviewing their end customers. BIS and OFAC have made it clear that they will hold U.S. companies accountable for the activities of their foreign subsidiaries, distributors, and resellers. It is a company’s responsibility, no matter how big or small, to ensure its foreign affiliates and sales teams adhere to all sanctions and export control regulations under U.S. law. Companies should also be vigilant against Russian efforts to evade U.S. sanctions, including attempts to obscure actual end users to bypass U.S. restrictions.



For additional guidance on voluntary self-disclosures, due diligence screening, international company investigations, or any other trade topic, feel free to contact us at

[1] Microsoft to Pay over $3.3M in Total Combined Civil Penalties to BIS and OFAC to Resolve Alleged and Apparent Violations of U.S. Export Controls and Sanctions; Bureau of Industry and Security (Apr. 6, 2023), available at

