Microsoft to Pay $3.3 Million to Settle Export Controls, Sanctions Violations
Microsoft will pay more than $3.3 million combined to settle alleged export control and sanctions violations largely related to its foreign subsidiaries, the Bureau of Industry and Security and the Office of Foreign Assets Control said in a pair of news releases April 6.
Many of the alleged sanctions violations, and all of the alleged export controls violations, resulted from the activities of Microsoft’s Russian subsidiary. Microsoft voluntarily self-disclosed the alleged violations to both BIS and OFAC, cooperated with the joint investigation by the two agencies and “took remedial measures after discovering the conduct at issue, which predated the export controls and sanctions imposed in connection with the current Russian war in Ukraine,” the BIS news release said.
“U.S. companies will be held accountable for the activities of their foreign subsidiaries,” BIS Assistant Secretary for Export Enforcement Matthew Axelrod said. “As this coordinated resolution demonstrates, BIS and OFAC will work together to ensure that U.S. export control and sanctions laws are enforced effectively, wherever in the world the underlying conduct occurs,” he said.
"Microsoft takes export control and sanctions compliance very seriously, which is why after learning of the screening failures and infractions of a few employees, we voluntarily disclosed them to the appropriate authorities," a Microsoft spokesperson said in an emailed statement. "We cooperated fully with their investigation and are pleased with the settlement."
The alleged export controls violations related to the sale of software license agreements to companies on the BIS Entity List, BIS said. Between December 2016 and December 2017, Microsoft Rus “caused another Microsoft subsidiary” to enter into license agreements for software subject to the Export Administration Regulations with the listed Russian companies FAU ‘Glavgosekspertiza Rossii’ and United Shipbuilding Corporation.
In the case of FAU ‘Glavgosekspertiza Rossii,’ a Russian government institution involved in construction projects, including in Crimea, Microsoft Rus employees “ordered software licenses through one of Microsoft’s Open sales programs in the names of parties not on the Entity List,” BIS said. “In the case of United Shipbuilding, an increased number of software licenses were added under non-listed affiliates’ enterprise agreements.”
The sanctions violations “occurred in the context of Microsoft’s volume licensing sales and incentive programs, under which the Microsoft Entities engaged with third-party distributors and resellers to sell Microsoft software products,” OFAC said.
Between July 2012 and April 2019, Microsoft companies “engaged in 1,339 apparent violations of multiple OFAC sanctions programs when they sold software licenses, activated software licenses, and/or provided related services from servers and systems located in the United States and Ireland to SDNs, blocked persons, and other end users located in Cuba, Iran, Syria, Russia, and the Crimea region of Ukraine. The total value of these sales and related services was $12,105,189.79,” OFAC said.
The causes of the sanctions violations included “a lack of complete or accurate information on the identities of the end customers for Microsoft’s products,” OFAC said. “For example, in certain volume-licensing programs involving sales by intermediaries, Microsoft was not provided, nor did it otherwise obtain, complete or accurate information on the ultimate end customers for its products from Microsoft’s distributors and resellers.”
Microsoft Rus employees “appear even to have intentionally circumvented Microsoft’s screening controls to prevent other Microsoft affiliates from knowing the identity of the ultimate end customers,” OFAC said. “For example, following OFAC’s 2014 designation of Stroygazmontazh, a Russian company operating in the oil and gas industry, and Microsoft’s initial rejection of one of this entity’s subsidiaries as a potential customer upon screening, certain Microsoft Russia employees successfully used a pseudonym for that subsidiary to arrange orders on behalf of the SDN.”
The total $3.3 million penalty includes a $624,013 BIS penalty for the export control violations, as well as a $2,980,265.86 OFAC penalty for the sanctions violations. BIS gave Microsoft a $276,382 credit as long as the company fulfills the terms of the OFAC settlement.
Aggravating factors identified by OFAC include a “reckless disregard” for U.S. sanctions by failing to identify such a high number of violations, as well as conduct that harmed U.S. foreign policy objectives and the “substantial experience and expertise” Microsoft has in software sales and transactions.
Mitigating factors included that personnel in Microsoft’s U.S. offices were not aware of the violations at the time they occurred; the violations were discovered as a result of a “retrospective review of thousands of past transactions” that included a team of more than 20 Russian-speaking attorneys, OFAC said. Microsoft also voluntarily self-disclosed the violations, terminated the accounts and undertook “significant remedial measures and enhanced its sanctions compliance program,” including by way of additional resources.
The action “highlights the importance of companies conducting business through foreign-based subsidiaries, distributors, and resellers having sufficient visibility into end users with which they may have an ongoing relationship, including through the provision of services after an initial sale, to avoid engaging in business dealings with prohibited parties,” OFAC said. It also “emphasizes the importance of ensuring a company’s employees, including employees located in foreign jurisdictions, adhere to the company’s sanctions compliance program.”
It also “underscores the persistent efforts of actors in the Russian Federation to evade U.S. sanctions. Sanctioned Russian enterprises may use a variety of means, including obscuring the identity of actual end users, to circumvent U.S. restrictions,” OFAC said.