Microsoft has agreed to pay $3.3 million to settle potential civil liability relating to exporting services or software to comprehensively sanctioned jurisdictions and Specially Designated Nationals (SDNs) in violation of OFAC's Cuba, Iran, Syria, and Ukraine-/Russia-Related sanctions programs.
The majority of the apparent violations involved blocked Russian entities or individuals in the Crimea region of Ukraine, resulting from Microsoft Entities' failure to identify and prevent their products' usage by prohibited parties.
Between July 2012 and April 2019, Microsoft Entities were involved in 1,339 apparent violations of multiple OFAC sanctions programs. They sold and activated software licenses and provided related services worth $12,105,189.79 to Specially Designated Nationals (SDNs), blocked persons, and end users in Cuba, Iran, Syria, Russia, and the Crimea region of Ukraine. The apparent violations were committed through servers and systems located in the United States and Ireland.
The violations occurred when Microsoft Entities engaged with third-party distributors and resellers to sell Microsoft software products. In Russia, Microsoft Entities employed an indirect resale model through third-party Licensing Solution Partners (LSPs). Microsoft Russia collaborated with LSPs to develop sales leads and negotiate bulk sales agreements with end customers. Microsoft Ireland billed the LSPs annually for licenses supplied, and the LSPs separately billed and collected payment from end customers.
End customers downloaded or accessed the software, installed it on devices or networks, and activated it using a product key. The processes for software downloads, license activations, product key verifications, and subsequent usages relied on U.S.-based servers and systems managed by personnel in the United States or third countries. End customers blocked under the Ukraine sanctions program also benefited from services processed through Microsoft's U.S.-based servers and systems.
When Microsoft Entities supported sales or arranged services for prohibited parties through third-party distributors and resellers, they provided prohibited software and services to SDNs, blocked persons, and end customers in sanctioned jurisdictions. The software and related services were ineligible for any general licenses or other exemptions.
The causes of these apparent violations included the lack of complete or accurate information on the identities of end customers for Microsoft's products. In certain volume-licensing programs involving sales by intermediaries, Microsoft did not have complete or accurate information on the ultimate end customers. In some instances, Microsoft Russia employees even intentionally circumvented Microsoft's screening controls to hide the identity of the ultimate end customers.
During the time period of the apparent violations, there were shortcomings in Microsoft's restricted-party screening. For example, Microsoft's screening architecture did not aggregate information known to Microsoft, such as an address, name, and tax-identification number, across its databases to identify SDNs or blocked persons. Microsoft also failed to timely screen and evaluate pre-existing customers following changes to OFAC's Specially Designated Nationals and Blocked Persons List (SDN List) and implement timely corrective measures.
Microsoft's screening against restricted-party lists did not identify blocked parties that were not specifically listed on the SDN List but were owned 50 percent or more by SDNs, nor did it identify SDNs' Cyrillic or Chinese names. Many customers in Russia and China provided order and customer information in their native scripts. These failures, which also included missing common variations of restricted-party names, resulted in Microsoft engaging in ongoing business relationships with SDNs or blocked persons.
In total, the Microsoft Entities appear to have engaged in 54 apparent violations of the Cuban Assets Control Regulations, 30 apparent violations of the Iranian Transactions and Sanctions Regulations, 3 apparent violations of the Syrian Sanctions Regulations, and 1,252 apparent violations of the Ukraine-/Russia-Related Sanctions Regulations.
The settlement amount reflects OFAC's determination that the conduct was non-egregious and voluntarily self-disclosed, and that Microsoft took significant remedial measures upon discovering the apparent violations. This action was part of a joint administrative enforcement effort with the Bureau of Industry and Security (BIS), which settled with Microsoft for $624,013 for related violations of the Export Administration Regulations.
The statutory maximum civil monetary penalty for Microsoft's apparent violations of OFAC sanctions is $404,646,121.89. Microsoft voluntarily self-disclosed the apparent violations, which were deemed non-egregious, resulting in a base civil monetary penalty of $5,960,531.72. The settlement amount of $2,980,265.86 takes into account the General Factors under the Enforcement Guidelines. Aggravating factors include the reckless disregard for U.S. sanctions, harm to U.S. foreign policy objectives, and Microsoft's position as a leading technology company.
Mitigating factors include the absence of knowledge by U.S. offices or management, Microsoft's voluntary self-disclosure and cooperation, termination of SDNs or blocked persons' accounts, and significant remedial measures and enhancements to its sanctions compliance program.
Companies with sophisticated technology operations and a global customer base should ensure their sanctions compliance controls remain commensurate with the risks and leverage appropriate technological compliance solutions.
Holistic risk assessments, especially for companies operating in high-risk jurisdictions, are vital to avoid engaging in business dealings with prohibited parties. This action emphasizes the importance of ensuring employees adhere to the company's sanctions compliance program and highlights the persistent efforts of actors in the Russian Federation to evade U.S. sanctions.