Microsoft has agreed to pay more than $3 million in fines for selling software to sanctioned entities and individuals in Cuba, Iran, Syria and Russia from 2012 to 2019. The US Treasury Department says that “the majority of the apparent violations of Russian entities or persons based in the Crimea region of Ukraine” and that the company will pay approximately $2.98 million to the Treasury’s Office of Foreign Assets Control (or OFAC) and $347,631 to the Department of Commerce. It settled for $624,013 but will receive credit for its deal with the Treasury.)
According to an enforcement notice from OFAC, Microsoft, Microsoft Ireland and Microsoft Russia did not monitor who bought the company’s software and services through third-party partners. Basically, Microsoft was selling things to companies that it could be deal with it legally, but then those companies turned around and sold to companies that shouldn’t have gotten their hands on Microsoft products. “In certain volume licensing programs involving broker sales, Microsoft has not obtained or otherwise obtained complete or accurate information about the ultimate end customers for its products,” the statement said.
The Treasury Department says this is just one example of how Russia is trying to circumvent sanctions
Microsoft Russia employees may also have deliberately attempted to thwart the company’s due diligence efforts. The release details a Russian oil and gas infrastructure company that Microsoft screened and rejected before “certain Microsoft Russia employees successfully used a pseudonym for that subsidiary to fulfill orders on its behalf.” Those employees were fired, but OFAC says the fact “underscores the continued efforts of actors in the Russian Federation to circumvent US sanctions.”
The Treasury Department also says Microsoft had some other gaps in its compliance practices. There were apparently instances where it had information that should have alerted it to a sanctioned party using its products, but it failed to get hold of it for various reasons. Those included a failure to correctly aggregate its information and the fact that it was not scanning for all restricted parties – the lists did not include companies that had a majority stake in a sanctioned company, nor Cyrillic or Chinese names. , which the Treasury says is often what the customers gave when they signed up to buy the software.
The fines may seem like a small drop in the ocean for Microsoft, especially when the Treasury says the company took about $12 million from the sale. Despite the Treasury saying Microsoft showed “a reckless disregard for US sanctions,” it appears to be giving the company quite a bit of leeway for how it handled the situation. According to the announcement, it was Microsoft that discovered, investigated and then self-reported the violations to the government, and the company has made “significant” changes to expand its enforcement policies and actions.
