On April 6, 2023, Microsoft Corporation and its subsidiaries, Microsoft Ireland Operations Ltd. and Microsoft Rus LLC, reached a $2,980,265.86 settlement with the Office of Foreign Assets Control (OFAC) over potential civil liability relating to apparent violations of multiple OFAC sanctions programs. The majority of these violations involved blocked Russian entities or persons in Crimea and were a result of Microsoft’s failure to identify and prevent the use of their products by prohibited parties.
Between July 2012 and April 2019, Microsoft entities sold software licenses, activated licenses, or provided related services to Specially Designated Nationals (SDNs), blocked persons, and other end users in Cuba, Iran, Syria, Russia, and Crimea. The total value of these transactions amounted to $12,105,189.79. Microsoft’s apparent violations were caused by incomplete or inaccurate information about end customers, shortcomings in restricted-party screening, and failure to identify blocked parties not specifically listed on the SDN List. In some instances, Microsoft Russia employees intentionally circumvented screening controls to conceal the identity of ultimate end customers.
The maximum civil penalty for Microsoft’s apparent violations was $404,646,121.89. However, the company voluntarily self-disclosed the apparent violations, which OFAC deemed non-egregious, resulting in a reduced base civil penalty of $5,960,531.72 and a final settlement amount of $2,980,265.86.
Upon discovering the violations, Microsoft implemented extensive remedial actions and enhanced its sanctions compliance program. These improvements included updating its trade compliance program, improving the governance structure, implementing an end-to-end screening system, improving methods for researching potential sanctions matches, deploying detailed sanctions compliance training, adopting a “Three Lines of Defense” model, and terminating or disciplining Microsoft Russia employees involved in the apparent violations.
This case underscores the importance of companies maintaining robust sanctions compliance controls, especially those with sophisticated technology operations and global customer bases. A holistic risk assessment can help identify and remediate instances of engagement with OFAC-prohibited entities, while periodic auditing can ensure employee adherence to the company’s sanctions compliance program.
The settlement also highlights the need for companies to be aware of evasion techniques used by sanctioned actors, particularly those from the Russian Federation. OFAC’s Compliance Framework provides essential components of a sanctions compliance program and guidance on how OFAC may incorporate these components into its evaluation of apparent violations and resolution of investigations.