Microsoft’s OFAC Settlement Underscores Important Remedial Measures (Part II of II)
Microsoft’s remedial steps provide important best practices for companies facing similar risk factors in the global economy, especially for global software companies that rely on Internet-based operations.
According to OFAC, Microsoft demonstrated a reckless disregard for U.S. sanctions by failing to identify that over a seven-year period, more than $12,000,000 worth of software and services were exported from the United States through Microsoft systems and servers to SDNs, blocked persons, and to multiple sanctioned jurisdictions. The violations “were not isolated or atypical in nature,” and Microsoft “had reason to know that such conduct was occurring.”
OFAC concluded that there was no evidence that persons in Microsoft’s U.S. offices or management were aware of the violations, which were discovered as a result of a self-initiated look-back, after which Microsoft conducted a comprehensive root-cause investigation. Specifically, Microsoft conducted a retrospective review of thousands of past transactions, engaged in extensive ownership research and data analysis, engaged a team of more than 20 Russian-speaking attorneys to analyze relevant correspondence, and conducted numerous interviews.
Microsoft terminated the accounts of the SDNs or blocked persons at issue, and deactivated the license keys so that the prohibited parties cannot activate Microsoft’s software programs. Further, Microsoft updated its “suspension and shutdown” procedures to disable access to its products and services when a sanctioned party is discovered.
Upon discovering the violations, Microsoft undertook significant remedial measures and enhanced its sanctions compliance program through investment and structural changes, including:
- Enhancing Microsoft’s trade compliance program.
- Improving the governance structure of Microsoft’s sanctions compliance program.
- Requiring that Russian service contracts be cleared by Microsoft’s High Risk Deal Desk, a function that provides additional compliance oversight. Microsoft also reduced the number of resellers in Russia and enhanced its vetting process.
- Implementing an “end-to-end” screening system that gathers data when an outside party makes its first contact with the company; collects risk-based, compliance-oriented data to enable accurate and reliable restricted-party screening; and screens its data on a recurring basis.
- Improving the methods by which it resolves potential red flags by conducting additional independent research. For example, Microsoft deployed a multi-disciplinary internal investigative team to review and research potential restricted-party hits. Collectively, the investigative team members are fluent or proficient in 16 foreign languages including Russian, Chinese, Farsi, and Arabic. The team conducts research of organizational documents, physical and email addresses, and various other open-source materials to identify SDNs or blocked persons, and has shared its findings with a provider of commercial restricted-party screening lists.
- Deploying detailed sanctions compliance training for certain employees and jurisdictions.
- Adopting a new “Three Lines of Defense” model to govern its trade compliance program, which emphasizes management oversight and compliance monitoring.
  - Under the first line of defense, Microsoft personnel responsible for sales transactions are tasked with day-to-day responsibility for ensuring compliance, with support from Microsoft’s trade and legal functions.
  - The second line of defense consists of oversight of the first line by Microsoft’s legal compliance, high-risk, financial integrity, and tax and trade units, which respond to questions or escalated issues as they arise and conduct quarterly testing. These compliance personnel are independent of the sales and marketing functions whose compliance they oversee, and report directly to Microsoft’s senior management.
  - The third line of defense consists of Microsoft’s internal audit team, which performs regular independent audits and reports to Microsoft’s leadership and board of directors.
- Terminating or otherwise disciplining the Microsoft Russia employees engaged in the activity described above.
OFAC explained that the Microsoft settlement reflects the fact that “the increased use of internet-based computing and global demand for software applications has expanded the potential user base of technology, software, or services exported from the United States. Companies with sophisticated technology operations and a global customer base should ensure that their sanctions compliance controls remain commensurate with that risk and leverage appropriate technological compliance solutions. Such companies should also consider conducting a holistic risk assessment to identify and remediate instances where the company may, directly or indirectly, engage with OFAC-prohibited persons, parties, countries, or regions. Such an assessment is particularly important for companies operating in or exposed to high-risk jurisdictions.”
OFAC further stated the action “highlights the importance of companies conducting business through foreign-based subsidiaries, distributors, and resellers having sufficient visibility into end users with which they may have an ongoing relationship, including through the provision of services after an initial sale, to avoid engaging in business dealings with prohibited parties. Relatedly, because OFAC’s SDN List is dynamic, when changes to OFAC’s SDN List are implemented, companies should evaluate their pre-existing trade relationships to avoid dealings with prohibited parties.”
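The “end-to-end” screening system described above, and OFAC’s point that pre-existing relationships must be re-evaluated whenever the SDN List changes, can be illustrated with a small recurring-screening routine. The following is an added example, not Microsoft’s code or an OFAC tool: the list entries, their identifiers, the program tag and the customer records are constructed for illustration and are not real SDN List data, and the name-normalization rule is a deliberate simplification of what commercial restricted-party screening providers do.

```python
"""Recurring restricted-party screening against a dynamic denied-party list.

Added example (not Microsoft's or OFAC's code). All names, identifiers and
list entries below are constructed for illustration, not real SDN List data.
"""
import re
from dataclasses import dataclass, field

# Corporate-form suffixes that should not by themselves make or break a match.
_SUFFIXES = {"LLC", "LTD", "LIMITED", "INC", "CORP", "OOO", "AO", "JSC", "GMBH", "SA"}


def normalize_name(name: str) -> str:
    """Canonicalize a party name: uppercase, replace punctuation with spaces,
    drop legal-form suffixes and collapse whitespace. If the name consists of
    nothing but suffixes, keep it as-is rather than returning an empty key."""
    tokens = re.sub(r"[^A-Z0-9 ]+", " ", name.upper()).split()
    core = [t for t in tokens if t not in _SUFFIXES]
    return " ".join(core or tokens)


@dataclass(frozen=True)
class ListEntry:
    uid: str       # list-provider identifier (constructed, e.g. "X-100")
    name: str
    program: str   # sanctions program tag (constructed, e.g. "DEMO-PROGRAM")


@dataclass
class Relationship:
    customer_id: str
    legal_name: str
    country: str
    active: bool = True
    hits: list = field(default_factory=list)   # list uids that matched


def screen(relationships, entries):
    """Screen every active relationship against a list snapshot.
    Returns {customer_id: [uid, ...]} for the relationships that hit."""
    index = {}
    for e in entries:
        index.setdefault(normalize_name(e.name), []).append(e.uid)
    hits = {}
    for r in relationships:
        if not r.active:
            continue
        matched = index.get(normalize_name(r.legal_name), [])
        if matched:
            hits[r.customer_id] = sorted(matched)
    return hits


def rescreen_on_update(relationships, old_entries, new_entries):
    """Re-evaluate pre-existing relationships when the list changes: screen
    the book only against entries added since the previous snapshot, so the
    result is exactly the set of relationships this update made prohibited."""
    old_uids = {e.uid for e in old_entries}
    added = [e for e in new_entries if e.uid not in old_uids]
    return screen(relationships, added)


def suspend(relationships, hits):
    """'Suspension and shutdown': deactivate each relationship that hit and
    record the matching list identifiers for the escalation team.
    Returns the sorted customer ids that were suspended."""
    by_id = {r.customer_id: r for r in relationships}
    for cid, uids in hits.items():
        by_id[cid].active = False
        by_id[cid].hits.extend(uids)
    return sorted(hits)


# Constructed sample data: a book of existing customers and two list snapshots.
CUSTOMERS = [
    Relationship("C-001", "Example Trading, LLC", "RU"),
    Relationship("C-002", "Northwind Analytics Ltd", "DE"),
    Relationship("C-003", "Contoso Shipping OOO", "RU"),
]
LIST_V1 = [ListEntry("X-100", "EXAMPLE TRADING LLC", "DEMO-PROGRAM")]
LIST_V2 = LIST_V1 + [ListEntry("X-200", "CONTOSO SHIPPING", "DEMO-PROGRAM")]

if __name__ == "__main__":
    print("initial screen:", screen(CUSTOMERS, LIST_V1))
    new_hits = rescreen_on_update(CUSTOMERS, LIST_V1, LIST_V2)
    print("newly prohibited after list update:", new_hits)
    print("suspended:", suspend(CUSTOMERS, new_hits))
```

The point of `rescreen_on_update` is that the first-contact screen is not enough: a customer who was clean when onboarded (C-003 under LIST_V1) becomes a hit the moment a later list revision adds them, and only a recurring screen of the existing book catches it. Exact match on a normalized name, as here, is the floor, not the ceiling; production screening also uses fuzzy matching, aliases, addresses and ownership research to resolve hits, which is the manual follow-up the investigative team described above performs.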
In light of Microsoft’s extensive foreign operations, OFAC noted that the settlement further emphasizes the importance of ensuring a company’s employees, including employees located in foreign jurisdictions, adhere to the company’s sanctions compliance program. By engaging in periodic auditing, a company may promptly identify instances where employees have attempted to circumvent internal policies and procedures. Testing and auditing, whether conducted on a specific element of a compliance program or at the enterprise-wide level, are important tools to ensure the program is working as designed and that weaknesses are promptly remediated.
Finally, OFAC observed that the settlement reflects “the persistent efforts of actors in the Russian Federation to evade U.S. sanctions. Sanctioned Russian enterprises may use a variety of means, including obscuring the identity of actual end users, to circumvent U.S. restrictions. All persons continuing to engage in business with Russia should be aware of such evasion techniques and associated red flags, such as those described in the Treasury–Commerce–Justice March 2023 Alert, ‘Cracking Down on Third-Party Intermediaries Used to Evade Russia-Related Sanctions and Export Controls,’ and FinCEN’s March 2022 Alert, ‘FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts.’”