Microsoft Pays OFAC and BIS Over $3.3 Million for Violations of Multiple Sanctions Programs (Part I of II)
OFAC announced only one settlement in the first three months of 2023. Given its ongoing role in the implementation and enforcement of Russia Sanctions, OFAC’s enforcement record so far is completely understandable. The situation changed, however, in the first week of April 2023 – OFAC announced two enforcement actions: a major action against Microsoft and another against Uphold HQ, Inc. (“Uphold”), a U.S. money service business.
Microsoft Corporation (“Microsoft”) is headquartered in Redmond, Washington. Microsoft agreed to pay $2,980,265.86 for illegal exports of services and software to sanctioned jurisdictions and Specially Designated Nationals (“SDNs”) in violation of OFAC’s Cuba, Iran, Syria, and Ukraine-/Russia-Related sanctions programs.
Most of the violations involved prohibited Russian entities or persons located in the Crimea region of Ukraine. Microsoft failed to identify and prevent the use of its products by prohibited parties. Microsoft voluntarily disclosed the conduct. OFAC also cited Microsoft’s “significant remedial measures.” OFAC and the Bureau of Industry and Security of the Department of Commerce conducted a joint investigation and coordinated resolution.
Between July 2012 and April 2019, Microsoft conducted 1,339 transactions in violation of multiple sanctions programs, in which it sold software licenses, activated software licenses, and/or provided related services from servers and systems located in the United States and Ireland to SDNs, blocked persons, and other end users located in Cuba, Iran, Syria, Russia, and the Crimea region of Ukraine. The total value of these sales and related services was $12,105,189.79.
Microsoft’s violations occurred in the context of its volume licensing sales and incentive programs, under which Microsoft engaged with third-party distributors and resellers to sell Microsoft software products.
In Russia, Microsoft employed an indirect resale model through third-party licensing partners (“LSPs”). Microsoft worked with the LSPs to develop sales leads and negotiate bulk sales agreements with end customers, while the LSP and the end customer would negotiate the final sales price and sign a commercial supply agreement. Microsoft’s Ireland subsidiary billed the LSPs annually for licenses it supplied, and the LSPs would separately bill and collect payment from the end customer.
An end customer would download or otherwise access a copy of the software, install the software and activate the product using a product key. The end customer could then access, activate, and manage its software (e.g., for renewals, updates, and enhancements). The process of facilitating Microsoft software downloads, license activations, product key verifications, and subsequent usages relied, at least in part, on U.S.-based servers and systems managed by personnel in the United States or third countries. Similarly, end customers that were blocked pursuant to the Ukraine sanctions program benefitted from certain services processed, at least in part, through Microsoft’s U.S.-based servers and systems.
When Microsoft supported these third-party sales to prohibited parties, Microsoft provided prohibited software and services to SDNs and end customers in sanctioned jurisdictions.
The violations occurred because Microsoft did not have complete or accurate information on the identities of the end customers for Microsoft’s products. For example, in certain volume-licensing programs involving sales by intermediaries, Microsoft was not provided, nor did it otherwise obtain, complete or accurate information on the ultimate end customers for its products from Microsoft’s distributors and resellers. At times, Microsoft Russia employees appear even to have intentionally circumvented Microsoft’s screening controls to prevent other Microsoft affiliates from knowing the identity of the ultimate end customers.
For example, following OFAC’s 2014 designation of Stroygazmontazh, a Russian company operating in the oil and gas industry, and Microsoft’s initial rejection of one of this entity’s subsidiaries as a potential customer upon screening, certain Microsoft Russia employees successfully used a pseudonym for that subsidiary to arrange orders on behalf of the SDN.
In addition, during the time period in which the apparent violations occurred, there were shortcomings in Microsoft’s restricted-party screening. In some instances, for example, when Microsoft Ireland was made aware of the end customer by the distributor or reseller, Microsoft’s restricted-party screening architecture did not aggregate information known to Microsoft, such as an address, name, and tax-identification number, across its databases to identify SDNs or blocked persons. In a number of cases Microsoft also failed to timely screen and evaluate pre-existing customers following changes to OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”) and implement timely corrective measures to avoid continued dealings with SDNs or blocked persons.
Further, Microsoft’s screening against restricted-party lists did not identify blocked parties that were not specifically listed on the SDN List but were owned 50 percent or more by SDNs, nor did it identify SDNs’ Cyrillic or Chinese names, even though many customers in Russia and China supplied order and customer information in their native scripts. These failures, which also included missing common variations of the restricted party names, resulted in Microsoft engaging in ongoing business relationships with SDNs or blocked persons.
In total, Microsoft committed 54 violations of the Cuban Sanctions Program, 30 violations of the Iran Sanctions Program, 3 violations of the Syrian Sanctions Program, and 1,252 violations of the Ukraine-Russia Sanctions Program.