top of page

Microsoft will pay $3.3 million to address sanctions and export control offences

Microsoft will pay more than $3.3 million to settle claims from two federal agencies that its subsidiaries violated sanctions laws and export restrictions in their activities with four sanctioned nations and the Crimean region of Ukraine, which is under Russian authority.

Microsoft was sanctioned by the Treasury Department's Office of Foreign Assets Control (OFAC) and the Commerce Department's Bureau of Industry and Security (BIS) for 1,339 apparent sanctions violations and seven transactions with companies subject to export control restrictions. The apparent infractions included sales to forbidden jurisdictions in Cuba, Iran, Syria, Russia, and Ukraine's Crimea peninsula, the authorities stated in separate press releases on Thursday.

Microsoft self-reported the apparent infractions to both agencies, participated with the investigations, and resolved issues that existed before to Russia's invasion of Ukraine in 2022 and the sanctions that followed. The lapses were deemed non-egregious by OFAC.

The specifics: According to OFAC, Microsoft sold more than $12.1 million in software licenses, activated software licenses, and/or offered related services to companies in sanctioned nations using servers and systems based in the United States and Ireland between 2012 and 2019.

Microsoft firms in Ireland and Russia used an indirect reselling model via third-party sellers known in Russia as licencing solution partners (LSPs).

OFAC stated that while Microsoft Russia negotiated bulk sales agreements with end customers, the LSPs would negotiate the final pricing and execute a commercial supply agreement. Microsoft Ireland would bill the LSPs for the sales licences on an annual basis, and the LSPs would bill and collect payment from end users separately.

According to OFAC, end users would then access, activate, and administer Microsoft software via downloads, licence activations, product key verifications, and subsequent usages that relied, at least in part, on access to US-based servers and systems operated by US-based employees.

Microsoft erred by failing to get complete and accurate information about its end customers, resulting in usage in sanctioned territories, according to OFAC.

According to the BIS, Microsoft engaged in seven transactions with businesses that its Russian-based employees knew or should have known were subject to export control prohibitions between 2016 and 2017.

Compliance considerations: While Microsoft's subsidiaries demonstrated a "reckless disregard" for US sanctions by selling services to end users in sanctioned territories, the company's US operations were apparently oblivious of the violations because they occurred through Microsoft Russia, according to OFAC.

According to OFAC, Microsoft uncovered the problem through a "self-initiated lookback, after which it conducted a comprehensive investigation to discover the causes and extent of the conduct leading to the apparent violations." Its remediation measures included a review of hundreds of previous transactions, "extensive" ownership research and data analysis, and an intensive internal probe.

According to OFAC, the corporation terminated the affected end user accounts, cancelled the users' licence keys, and changed its "suspension and shutdown" procedures to prevent access to its products and services when a sanctioned party is detected. Microsoft Russia employees who were involved in the apparent infractions were fired.

Microsoft also upgraded the governance of its sanctions compliance programme and introduced an additional layer of assessment for all Russia-related transactions before ceasing operations in the nation in March 2022, following its invasion of Ukraine.

“Companies with sophisticated technology operations and a global customer base should ensure that their sanctions compliance controls remain commensurate with that risk and leverage appropriate technological compliance solutions,” OFAC said.

According to the regulator, such enterprises should consider completing a comprehensive risk assessment to determine where they might engage with entities in sanctioned jurisdictions. The regulator also stated that such companies should have adequate visibility into the end consumers of their products when making sales through foreign-based subsidiaries, distributors, and resellers.

Company response: “Microsoft takes export control and sanctions compliance very seriously, which is why after learning of the screening failures and infractions of a few employees, we voluntarily disclosed them to the appropriate authorities,” a company spokesperson said in an emailed statement. “We cooperated fully with their investigation and are pleased with the settlement.”



bottom of page