Microsoft Fined $3.3M on Sanctions

Microsoft has agreed to pay more than $3.3 million to settle civil charges that its Russia subsidiary violated U.S. sanctions law in the 2010s by covering up sales of Microsoft products to people in Cuba, Iran, and elsewhere. 

The settlement was announced on Thursday by the Office of Foreign Assets Control (OFAC) and the Bureau of Industry and Security (BIS), the top U.S. agencies for enforcing export control sanctions. Compliance officers have a few interesting points to ponder here about how to structure your sanctions compliance program, so let’s take a look.

We’ll start with OFAC. As described in its settlement order, Microsoft violated U.S. sanctions more than 1,300 times from 2012 into 2019. The violations mostly arose out of Microsoft Russia, thanks to a complicated sales process that also involved Microsoft Ireland offices. 

Basically, Microsoft Russia worked with licensed resellers to develop sales leads and negotiate bulk sales agreements with end customers; the reseller and the end customer would negotiate the final sales price and sign a commercial supply agreement. Microsoft Ireland would bill the resellers annually for licenses it supplied, and the resellers would separately bill and collect payment from end customers. Once all that was done, the end-users would sometimes access software and support directly from Microsoft’s U.S. data centers.

You can guess what happened next: the local resellers were selling to end-use customers in Iran, Syria, and Cuba, as well as to Russian businesses sanctioned by the United States in 2014 when Russia invaded Crimea. At times, Microsoft Russia employees apparently even circumvented Microsoft’s screening controls, such as by using pseudonyms for prohibited customers after Microsoft flagged the original name. 

The settlement with BIS focused on seven specific transactions in the mid-2010s, where Microsoft Russia employees employed various types of chicanery to sell software licenses to two Russian shipping companies sanctioned after the Crimea invasion. 

What Went Wrong

OFAC details lapses in Microsoft’s sanctions compliance program that are painful to read in hindsight. For example:

  • Documentation. Microsoft didn’t collect complete or accurate information on the identities of the end-use customers. Sometimes the resellers didn’t provide that information, and sometimes Microsoft didn’t follow up or seek to obtain that information via other means. 
  • Screening. In some instances when the resellers in Russia did provide information to administrators back in Microsoft Ireland, Microsoft’s screening software didn’t pull together various pieces of information (address, name, tax ID number, and so forth) that Microsoft already had in other databases to screen the customer against sanctions lists.
  • More screening. Microsoft’s screening procedures also didn’t identify parties who weren’t specifically named on sanctions lists, but were owned by various parties that used Cyrillic or Chinese script for their names — another red flag for screening Russian and Chinese nationals.

So Microsoft had employees in Russia apparently working to thwart its sanctions compliance, which is bad; but the company also had flawed documentation and screening procedures. That’s worse, because it’s a systemic failure that can produce violations even without rogue employees acting deliberately.

The good news is that all this came to light after Microsoft decided to undertake an audit of its compliance program in 2019, which led to a “comprehensive investigation” to discover the cause and extent of the trouble. That investigation included a retrospective review of thousands of past transactions, extensive ownership research and data analysis, and the hiring of many Russian-speaking lawyers to analyze correspondence and conduct interviews.

After all that, Microsoft voluntarily self-disclosed its misconduct and worked closely with OFAC to remediate its issues. 

Speaking of Remediation…

Those remediation efforts were extensive. Foremost, Microsoft implemented a Three Lines of Defense model for sanctions screening. 

In the first line, Microsoft sales executives have day-to-day responsibility for compliance, with support from Microsoft’s trade and legal functions. In the second line, Microsoft’s legal, compliance, tax, and other oversight teams respond to issues raised by the first line, and they also conduct quarterly testing. Those second-line teams then report directly to Microsoft’s senior management, rather than to any sales or marketing leaders. The third line is Microsoft’s internal audit team, which performs regular audits and reports to Microsoft’s leadership and board of directors.

Another important step: Microsoft implemented an “end to end” screening process that gathered data whenever an outside party made contact with Microsoft. The company would collect “risk-based, compliance-oriented data” (What types of data, exactly? The order doesn’t specify) for better restricted-party screening; and that screening happened on a persistent, rather than transactional, basis. 
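The screening lapses in the “What Went Wrong” bullets and the “end to end,” persistent screening described just above both come down to the same engineering point: match on every identifier you already hold, not just the one name a reseller typed in, and re-run the match whenever the list or the record changes. The following Python routine is an added illustration of that design; it is not Microsoft’s code and nothing in it comes from the OFAC or BIS orders. The list entries, customer records, ownership stakes, and the fuzzy-match and ownership thresholds are all constructed placeholders (the 50% aggregate threshold reflects OFAC’s 50 Percent Rule, but the figures here are made up). It consolidates name, tax ID and ownership fragments from separate systems before screening, normalizes Latin and Cyrillic spellings so a customer cannot slip through on script alone, and flags parties not named on the list but owned in aggregate by listed persons. Because the tax ID is screened alongside the name, a record that is merely renamed in one system still hits.

```python
import difflib
import re
import unicodedata

# Constructed placeholder entries standing in for a restricted-party list (not real list data).
SANCTIONS = [
    {"entry": "LIST-ENTRY-A",
     "names": ["Example Shipping OOO", "ООО Экзампл Шиппинг"],  # Latin and Cyrillic spellings
     "tax_ids": ["7701000001"]},
    {"entry": "LIST-ENTRY-B", "names": ["Sample Holdings Ltd"], "tax_ids": []},
]

# Constructed internal systems, each holding only a fragment of the customer record.
CRM = {"cust-42": {"name": "Example Shiping"},           # misspelled, Latin script only
       "cust-77": {"name": "Northwind Freight LLC"},
       "cust-99": {"name": "Contoso Bakery"}}
BILLING = {"cust-42": {"legal_name": "ЭКЗАМПЛ ШИППИНГ ООО"},  # Cyrillic legal name lives here only
           "cust-77": {"legal_name": "Northwind Freight LLC"},
           "cust-99": {"legal_name": "Contoso Bakery GmbH"}}
TAX = {"cust-42": {"tax_id": "7701000001"},
       "cust-77": {"tax_id": "7702000002"}}
# Constructed ownership records: (owner name, fraction of equity held).
OWNERSHIP = {"cust-77": [("Sample Holdings Ltd", 0.30), ("Example Shipping OOO", 0.25)]}

FUZZY_THRESHOLD = 0.85       # illustrative cut-off; tune against your own false-positive budget
OWNERSHIP_THRESHOLD = 0.50   # OFAC's 50 Percent Rule: aggregate ownership by blocked persons


def normalize(name):
    """Script- and order-insensitive form: NFKD, drop accents, casefold, strip punctuation, sort tokens."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).casefold()
    s = re.sub(r"[^\w\s]", " ", s)
    return " ".join(sorted(s.split()))


def consolidate(cust_id):
    """Gather every identifier held for one customer across all systems into a single record."""
    names = {CRM.get(cust_id, {}).get("name"), BILLING.get(cust_id, {}).get("legal_name")}
    return {"id": cust_id,
            "names": {n for n in names if n},
            "tax_ids": {TAX[cust_id]["tax_id"]} if cust_id in TAX else set(),
            "owners": OWNERSHIP.get(cust_id, [])}


def match_name(name):
    """Return (entry, reason) for an exact normalized match first, then a fuzzy one; None if neither."""
    norm = normalize(name)
    candidates = [(e["entry"], normalize(listed)) for e in SANCTIONS for listed in e["names"]]
    for entry, listed_norm in candidates:
        if norm == listed_norm:
            return entry, "exact name"
    for entry, listed_norm in candidates:
        if difflib.SequenceMatcher(None, norm, listed_norm).ratio() >= FUZZY_THRESHOLD:
            return entry, "fuzzy name"
    return None


def screen(party):
    """Screen one consolidated record; returns a sorted list of (entry, reason) hits."""
    hits = []
    # Hard identifiers first: renaming a record in one system does not change its tax ID.
    for entry in SANCTIONS:
        for tid in party["tax_ids"] & set(entry["tax_ids"]):
            hits.append((entry["entry"], f"tax_id {tid}"))
    # Every name variant we hold, in any script.
    for name in party["names"]:
        m = match_name(name)
        if m:
            hits.append((m[0], f"{m[1]}: {name!r}"))
    # Ownership: sum the stakes held by listed persons and apply the aggregate threshold.
    listed_stakes = [(match_name(owner), frac) for owner, frac in party["owners"]]
    listed_stakes = [(m, f) for m, f in listed_stakes if m]
    total = sum(f for _, f in listed_stakes)
    if total >= OWNERSHIP_THRESHOLD:
        for (entry, _), frac in listed_stakes:
            hits.append((entry, f"owned {frac:.0%} by listed party; aggregate {total:.0%}"))
    return sorted(set(hits))


def rescreen_all(cust_ids):
    """Persistent screening: run over every live customer whenever the list or a record changes."""
    return {c: screen(consolidate(c)) for c in cust_ids}


if __name__ == "__main__":
    for cust, hits in rescreen_all(CRM).items():
        print(cust, hits or "clear")
```

Run as a script it prints one line per customer; `rescreen_all` is the piece to schedule on every list update and every record change rather than only at order time, which is the difference between persistent and transactional screening. Fuzzy matching on the sorted-token form is deliberately loose; in practice the threshold is a tuning decision made against the volume of false positives your second-line reviewers can clear.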

Microsoft also rolled out extensive compliance training for employees, fired some offenders in the Russia subsidiary, and implemented various other reforms as well.

Perhaps most interesting, however, was this item: Microsoft’s compliance program at the time was developed based on a risk assessment undertaken before OFAC published its new guidance for sanctions compliance programs in 2019.

That guidance should be tacked to the wall of every sanctions compliance officer. It’s extensive and detailed, and we’ve seen numerous previous OFAC enforcement actions that reflect the priorities expressed in the document. 

One major theme of that guidance is that sanctions compliance should be centralized, with dedicated and competent sanctions compliance officers running the show. Another theme is the importance of calibrating your sanctions screening software correctly. Both issues seemed to be problems for Microsoft in the past, which it corrected once the Russia sales came to light.

Unfortunately, Russia then invaded Ukraine in 2022 and now Microsoft has ceased business in the country entirely. At least the lessons here still apply.
