Nixon Peabody LLP

    Alert / Export Controls & Economic Sanctions

    Microsoft settles OFAC and BIS sanctions violations for $3.3M

    April 13, 2023

    By Christopher Grigg and Alexandra Lopez-Casero

    Alleged export control and sanctions violations relating to software exports to sanctioned jurisdictions could have cost Microsoft over $400M—here’s how your company can reduce risk.

    What’s the impact?

    • All exporters, including technology companies, must be vigilant about screening end users and weeding out blocked persons and entities.
    • Exporters should gather all customer and business partner identifiers to spot red flags and screen the fullest range of available data.
    • Foreign-based subsidiaries, partners, and sales teams can generate risk if not properly integrated into meaningful sanctions and export compliance programs.
    • Like sanctions and export control laws, effective compliance programs are not static; companies should regularly audit their practices to identify opportunities for improvement.

    On April 6, the Department of the Treasury published an Enforcement Release detailing Microsoft Corporation’s settlement with the Treasury’s Office of Foreign Assets Control (“OFAC”) for $2,980,265.86, relating to alleged violations of OFAC’s Cuba, Iran, Syria, and Ukraine-/Russia-related sanctions programs. This settlement was part of a coordinated enforcement action with the Department of Commerce’s Bureau of Industry and Security (“BIS”) and resulted in a combined $3.3 million in civil penalties against Microsoft for alleged and apparent violations of U.S. export controls and sanctions laws.

    According to the Enforcement Release, Microsoft engaged in over 1,000 alleged violations of OFAC sanctions programs by selling software licenses and providing related services to end users that included persons listed on OFAC’s Specially Designated Nationals and Blocked Persons List (the “SDN List”) and blocked persons located in Cuba, Iran, Syria, Russia, and the Crimea region of Ukraine. Microsoft voluntarily self-disclosed the alleged violations to both BIS and OFAC, cooperated with the joint investigation conducted by BIS’s Office of Export Enforcement and OFAC, and took remedial measures after discovering the conduct at issue, which predated the export controls and sanctions imposed in connection with the current Russian war in Ukraine.

    How did the violations happen?

    Sanctions and export controls are complex, and compliance can be extremely challenging, especially for companies active in international supply and distribution markets. The Enforcement Release highlights that even the largest companies with robust compliance programs can err, especially if they do not actively monitor their foreign affiliates’ activities. Here, the violations appear to have occurred in the context of Microsoft’s volume licensing sales and incentive programs through which two Microsoft subsidiaries in Ireland and Russia utilized third-party distributors and resellers to sell Microsoft software products and also relied on an indirect resale model through third-party licensing solution partners.

    This sales model apparently allowed end users to access a copy of the software, install the software on their devices, and activate and manage the software using a product key, relying at least in part on U.S.-based servers.

    According to OFAC, this also meant that end customers that were blocked via the Ukraine sanctions program benefitted from certain services processed, at least in part, through these U.S.-based servers. By operating through these third-party distributors and/or supporting sales or services benefiting the prohibited parties, Microsoft was inadvertently providing prohibited software and services to SDNs, blocked persons, and/or end users in sanctioned jurisdictions. The software and services in question were not eligible for any general licenses or other exemptions. The Enforcement Release not only details the sales and service models that apparently enabled the violations to occur but also details alleged screening gaps, including failure to screen existing customers after changes were made to OFAC’s SDN List and failure to identify Russia- and China-based parties and entities.

    OFAC’s enforcement notice observed that the cause of the apparent violations “included the lack of complete or accurate information on the identities of the end customers for Microsoft’s products.” OFAC also noted additional shortcomings in restricted-party screening. For example, OFAC indicated that, in some instances, when Microsoft Ireland was made aware of the end customer by the distributor or reseller, “Microsoft’s restricted-party screening architecture did not aggregate information known to Microsoft, such as an address, name, and tax-identification number, across its databases to identify SDNs or blocked persons.”

    OFAC’s reference to tax ID numbers is noteworthy because, thus far, OFAC has not stressed that tax ID numbers should also be screened. Many, if not most, commercially available screening tools do not offer the option to screen parties through their tax ID. On the other hand, experienced exporters know that OFAC’s online sanctions list search tool, which is available for so-called “manual” searches, offers a generic identification number search field. The key takeaway here is not to abandon commercial screening software but rather that companies should gather all customer and other party identifiers so that they can spot red flags and screen the fullest range of available data.

    In a number of cases, Microsoft apparently also failed to timely screen and evaluate pre-existing customers following changes to the SDN List and to implement timely corrective measures to avoid continued dealings with SDNs or blocked persons. Further, according to OFAC, “Microsoft’s screening against restricted-party lists did not identify blocked parties not specifically listed on the SDN List, but owned 50 percent or more by SDNs, or SDNs’ Cyrillic or Chinese names, even though many customers in Russia and China supplied order and customer information in their native scripts. These failures, which also included missing common variations of the restricted party names, resulted in Microsoft engaging in ongoing business relationships with SDNs or blocked persons.” It would have been helpful if OFAC had clarified whether the parties with sanctioned ownership above 50% were in or outside Russia. Further, just as with tax ID screening, many screening tools do not offer screening in Cyrillic or Chinese. Moreover, this is not a realistic screening option for companies that screen transactions through compliance staff located outside China (and certainly outside Russia), who in most cases do not have the language skills and technical tools to (correctly) input names in Chinese or Cyrillic.

    The OFAC settlement

    Microsoft agreed to pay $2,980,265.86 to settle its potential civil liability stemming from the exportation of its software and services in apparent violation of the Cuban Assets Control Regulations, the Iranian Transactions and Sanctions Regulations, the Syrian Sanctions Regulations, and the Ukraine-/Russia-Related Sanctions Regulations.

    While the statutory max could have resulted in $404,646,121.89 in civil monetary penalties, the final amount reflects OFAC’s conclusion that (a) the conduct was non-egregious, (b) Microsoft voluntarily self-disclosed, and (c) Microsoft took “significant remedial measures” upon discovery of the violations. These factors are typical of the considerations that the three primary federal sanctions and export enforcement agencies—OFAC, BIS, and the U.S. Department of Justice—weigh when evaluating corporate wrongdoing.

    The BIS settlement

    According to BIS, on seven occasions prior to the Ukraine war, employees of Microsoft Russia caused another Microsoft subsidiary to enter into or sell software licensing agreements that would allow the transfer or access to software subject to the Export Administration Regulations by FAU ‘Glavgosekspertiza Rossii’ and United Shipbuilding Corporation Joint Stock Company (“United Shipbuilding Corporation”), both of which were on BIS’s Entity List. The alleged time frame was between December 28, 2016, and December 22, 2017. FAU ‘Glavgosekspertiza Rossii’ is a Russian federal institution involved with construction projects, including the Kerch Bridge, which was built to connect Crimea to Russia after its 2014 invasion. United Shipbuilding Corporation is responsible for developing and building the Russian Navy’s warships. In the case of FAU ‘Glavgosekspertiza Rossii,’ BIS alleged that certain Russia-based employees of Microsoft Russia ordered software licenses through one of Microsoft’s open sales programs in the names of parties not on the Entity List; in the case of United Shipbuilding, an increased number of software licenses were added under non-listed affiliates’ enterprise agreements.

    Lessons learned

    This settlement reflects U.S. government agencies’ stringent commitment to preventing foreign adversaries and bad actors from obtaining and benefitting from U.S. technologies and demonstrates that even inadvertent engagement with blocked persons and entities will not be tolerated.

    Businesses in advanced technology fields should take heed and learn lessons from this recent action. Here are some key steps your company can take to protect its assets, products, and reputation:

    Improve your screening processes

    According to OFAC, Microsoft’s restricted-party screening underperformed in many instances by failing to identify:

    • SDNs or blocked persons
    • Blocked parties not explicitly named on the SDN List but owned 50 percent or more by SDNs
    • SDNs’ Cyrillic or Chinese names

    OFAC concluded that “a world-leading technology company operating globally with substantial experience and expertise in software and related services sales and transactions” should not have tolerated these screening malfunctions. Microsoft’s leading status in the tech space was deemed to be an aggravating factor.

    This Enforcement Release reiterates OFAC’s view from other cases where large, globally operating companies are held to a higher standard than others. This case also highlights the common sanctions risks of offering software and related services through IT platforms. Engage talent to review and assess potential blind spots in your screening processes.

    Stay on top of SDN and Entity List changes

    OFAC found a number of cases in which Microsoft failed to timely screen and evaluate existing customers following changes to the SDN List and also failed to implement timely corrective measures to prevent further dealings with SDNs or blocked persons.

    The SDN List and BIS’s Entity List and Unverified List are not stagnant documents, and companies must stay on top of changes to these lists to minimize their exposure. Proactive screening, review, and preventive actions can minimize the risk that your company will inadvertently engage with blocked parties.

    Keep your customers close

    OFAC acknowledges that even vigilant companies can fall prey to evasion tactics by bad actors. The Enforcement Release reiterated that:

    Sanctioned Russian enterprises may use a variety of means, including obscuring the identity of actual end users, to circumvent U.S. restrictions. All persons continuing to engage in business with Russia should be aware of such evasion techniques and associated red flags, such as those described in the Treasury–Commerce–Justice March 2023 Alert, “Cracking Down on Third-Party Intermediaries Used to Evade Russia-Related Sanctions and Export Controls” and FinCEN’s March 2022 Alert, “FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts.”

    In announcing the settlement, both BIS and OFAC made clear that they would seek to hold U.S. companies accountable for the activities of their foreign subsidiaries, distributors, and resellers. No matter how large or small your company is, foreign-based subsidiaries, distributors, and sales representatives can generate risk if not properly integrated into your company’s compliance program. It is your responsibility to ensure your foreign affiliates and sales teams focus on screening, licensing, record-keeping, and the other hallmarks of effective sanctions and export compliance practices under U.S. law. According to the BIS Order and the OFAC notice resolving their respective enforcement actions, employees of Microsoft’s foreign subsidiary discussed and devised techniques to circumvent screening controls through sales to affiliates of the listed entities. Companies should consider regularly auditing foreign-based sales activities and related communications and act swiftly to address any deficiencies or non-compliant behavior.

    Compliance and cooperation are sound strategies

    Microsoft’s liability was reduced substantially from the statutory maximum due, in part, to Microsoft’s voluntary self-disclosure and subsequent cooperation with the Treasury entities.

    While self-reporting violations and cooperating with the government can reduce your risk of severe penalties, determining whether and when to voluntarily disclose suspected violations can be one of the most difficult and complex decisions a company can face. Companies weighing whether to self-disclose should work closely with experienced counsel to avoid the many pitfalls that can arise.

    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    © 2025 Nixon Peabody. All rights reserved