Microsoft recently paid over $3 million for multiple sanctions violations involving illegal services and software exports to sanctioned jurisdictions. The violations span seven years and involved prohibited Russian entities or persons in the Crimea region of Ukraine. However, what makes this case particularly intriguing is the remedial actions taken by Microsoft, which offer best practices and insights into what can be done when resources are available. In this week’s Corruption, Crime, and Compliance episode, Michael Volkov delves See more +

Microsoft recently paid over $3 million for multiple sanctions violations involving illegal services and software exports to sanctioned jurisdictions. The violations span seven years and involved prohibited Russian entities or persons in the Crimea region of Ukraine. However, what makes this case particularly intriguing is the remedial actions taken by Microsoft, which offer best practices and insights into what can be done when resources are available. In this week’s Corruption, Crime, and Compliance episode, Michael Volkov delves into the Microsoft OFAC enforcement action.

He discusses these ideas:

1. Microsoft committed 1339 transactions violating multiple sanctions programs over seven years, totaling over $12 million worth of sales and services.

2. Violations included selling software licenses and providing related services from servers and systems in the US and Ireland to SDNs, blocked persons, and other end users in Cuba, Iran, Syria, Russia, and the Crimea region of Ukraine.

3. The violations were due to Microsoft’s failure to obtain complete or accurate information on the identities of end customers and shortcomings in its restricted party screening. At times, Microsoft Russia employees intentionally circumvented Microsoft screening controls to prevent other Microsoft affiliates from knowing the identity of the ultimate end customers.

4. Microsoft’s significant remedial measures included enhancing its trade compliance program, improving its governance structure and screening resources, adopting a new three-lines of defense model, and conducting a holistic risk assessment to identify and remediate instances of prohibited engagements.

5. Microsoft deployed a multidisciplinary internal investigation team proficient in 16 foreign languages, modified its procedures to respond to matches, and expanded the scope and volume of data screened.

6. “Companies with sophisticated technology operations and a global customer base should ensure that their sanctions compliance controls remain commensurate with risk.”

7. Companies should consider conducting a holistic risk assessment to identify and remediate prohibited engagements and ensure employees adhere to the sanctions compliance program.

8. OFAC emphasized that companies conducting business through foreign-based subsidiaries, distributors, and resellers should have sufficient visibility into their end-users, including providing services after an initial sale. See less -