Microsoft agreed to pay more than $3 million in fines for selling software to sanctioned entities and individuals in Cuba, Iran, Syria, and Russia between 2012 and 2019. The US Treasury Department says that “most of the apparent violations involved blocked entities or persons located in the Crimean region of Ukraine” and that the company will pay about $2.98 million to the Treasury’s Office of Foreign Assets Control (or OFAC) and $347,631 to the Department of Commerce. (It was settled for $624,013 but you will receive a credit for your agreement with the Treasury.)
According an OFAC enforcement notice, Microsoft, Microsoft Ireland, and Microsoft Russia could not monitor who purchased the company’s software and services through third-party partners. Basically, Microsoft sold things to companies that could deal legally, but then those companies turned around and sold them to companies that shouldn’t have been able to get Microsoft products. “In certain Volume Licensing programs involving sales by intermediaries, Microsoft did not receive, or otherwise obtain, complete or accurate information about the ultimate end customers of its products,” the notice says.
Treasury says this is just one example of Russia trying to circumvent sanctions.
Microsoft Russia employees may have also intentionally attempted to thwart the company’s due diligence efforts. The statement includes details about a Russian oil and gas infrastructure company that Microsoft evaluated and rejected before “certain Microsoft Russia employees successfully used a pseudonym for that subsidiary to arrange orders on behalf” of the company. Those employees were fired, but OFAC says the act “underscores persistent efforts by actors in the Russian Federation to evade US sanctions.”
Treasury also says that Microsoft had other loopholes in its compliance procedures. Apparently, there were cases where you had information that should have alerted you to the fact that a sanctioned party was using your products, but you missed it for a variety of reasons. These included the failure to properly aggregate its information and the fact that it was not looking for all restricted parties: its lists did not include companies majority owned by a sanctioned company, nor did it include Cyrillic or Chinese names. , which are often what customers gave up when they applied to buy the software, according to the Treasury.
The fines may seem like a small drop in the bucket for Microsoft, especially when the Treasury says the company made about $12 million from the sales. Yet despite Treasury saying that Microsoft “demonstrated reckless disregard for US sanctions,” it appears to be giving the company quite a bit of leeway because of the way it handled the situation. According to the announcement, it was Microsoft who discovered the breaches, investigated them and then self-reported them to the government, and the company made “significant” changes to strengthen its policies and compliance measures.
