Microsoft was fined $3 million for providing software to Cuba, Iran, Syria, and Russia from 2012 to 2019. The U.S. Department of Treasury said that “the majority of the alleged breaches concerned prohibited Russian businesses or people situated in the Crimea area of Ukraine” and that the corporation would pay $2.98 million to OFAC and $347,631 to Commerce. (It settled for $624,013 but will be credited for its Treasury agreement.)
Microsoft, Microsoft Ireland, and Microsoft Russia failed to monitor third-party partners’ software and service purchases, according to OFAC’s enforcement notice. Microsoft marketed to legitimate firms, while those companies sold to illegal companies. “In certain volume-licensing schemes involving sales by intermediaries, Microsoft was not supplied, nor did it otherwise get, complete or accurate information on the eventual end consumers for its products,” the notification said.
Microsoft Russia staff may have purposely thwarted due diligence. For example, Microsoft rejected a Russian oil and gas infrastructure firm before “some Microsoft Moscow employees successfully employed a pseudonym for that subsidiary to make orders on behalf” of the company. “Underscoring the continuous attempts of actors in the Russian Federation to avoid U.S. sanctions,” OFAC said those workers were dismissed.
The Treasury also claims Microsoft has additional compliance breaches. For example, it possessed information that should have alerted it to a sanctioned party utilizing its products, but for various reasons, it didn’t. In addition, the Treasury said it failed to aggregate its data properly and didn’t scan for all forbidden parties, including firms majority-owned by a sanctioned corporation and Cyrillic or Chinese names, which clients typically offered when requesting to buy the software.
When the Treasury says Microsoft made $12 million from the transactions, the penalty may appear little. Microsoft “demonstrated a reckless disregard for U.S. sanctions,” but the Treasury appears to be forgiving the corporation due to its handling of the problem. Microsoft found, investigated, and self-reported the offenses to the authorities, and the firm has made “substantial” improvements to its enforcement policies and practices.
The final portion matters most. Russia invaded and occupied Crimea in 2014, but since early 2022, the number of sanctions on the country has increased, and many involve selling technology. Last week, the Department of Justice indicted an Estonian national for allegedly providing American technology and hacking equipment to the Russian military.
