Why Should IT Companies take Sanctions Compliance Very Seriously? The Case of Microsoft

The US Treasury Department and Microsoft reached a settlement over the tech firm’s apparent violations of sanctions and export controls, which it voluntarily disclosed. Microsoft has agreed to pay almost $3 million in fines for selling software to sanctioned entities and individuals in Cuba, Iran, Syria, and Russia (and also the Crimea region) from 2012 to 2019. This settlement and its details are important for the whole internet-based computing sector because the global demand for software applications has expanded the potential user base of technology, software, or services exported from the United States.

According to the Treasury Department, the causes of the sanctions violations included a lack of complete or accurate information on the identities of the end customers for Microsoft products, as well as shortcomings in Microsoft’s restricted-party screening. These occurred because of Microsoft’s failure to identify and prevent the use of its products by prohibited parties. The majority of the apparent violations involved blocked Russian entities or persons located in the Crimea region of Ukraine. The base civil monetary penalty amount applicable in this settlement is $5,960,531.72, equalling one-half of the transactional value for each of the Apparent Violations.

However, there were a considerable number of mitigating factors that reduced the settlement amount:

  • Microsoft voluntarily self-disclosed the Apparent Violations to OFAC and cooperated with OFAC’s investigation.
  • Management was not aware of the violations. The Apparent Violations came to light in the course of a self-initiated lookback. Among other efforts, Microsoft conducted a retrospective review of thousands of past transactions, engaged in extensive ownership research and data analysis, engaged a team of more than 20 Russian-speaking attorneys to analyze relevant correspondence, and conducted numerous interviews.
  • Microsoft terminated the accounts of the SDNs or blocked persons at issue, and deactivated the license keys so that the prohibited parties cannot activate Microsoft’s software programs. Microsoft updated its “suspension and shutdown” procedures to disable access to its products and services when a sanctioned party is discovered.
  • Upon discovering the Apparent Violations, Microsoft undertook significant remedial measures and enhanced its sanctions compliance program through substantial investment and structural changes, including:
      • Enhancing Microsoft’s trade compliance program.
      • Improving the governance structure of Microsoft’s sanctions compliance program and increasing its resources.
      • Prior to its suspension of new sales in Russia in March 2022, requiring that Russian service contracts be cleared by Microsoft’s High Risk Deal Desk. The process further required pre-contract review of various risk factors, including a detailed review of the ultimate end customer, assessment of the deal structure to identify the beneficiary of Microsoft’s services, and an internal analysis of any existing trade or sanctions restrictions.
      • Implementing an “end-to-end” screening system that gathers data when an outside party makes its first contact with the company; collects risk-based, compliance-oriented data to enable accurate and reliable restricted-party screening; and screens its data on a persistent, rather than a transactional, basis.
      • Improving the methods by which it researches potential sanctions matches, modifying the procedures to respond to matches, and expanding the scope and volume of data screened.
      • Deploying detailed sanctions compliance training.
      • Adopting a new “Three Lines of Defense” model to govern its trade compliance program, which emphasizes management oversight and compliance monitoring.
      • Terminating or otherwise disciplining the Microsoft Russia employees engaged in the activity described above.

ECOVIS ProventusLaw draws attention to the fact that all companies with sophisticated technology operations and a global customer base should ensure that their sanctions compliance controls remain commensurate with that risk and leverage appropriate technological compliance solutions.

What global IT service providers could learn from this case:

1. Conduct a holistic risk assessment to identify and remediate potential infringements;

2. Assess the foreign-based subsidiaries, distributors, resellers and their sanctions compliance frameworks;

3. Evaluate pre-existing trade relationships to avoid dealings with prohibited parties, taking into account that the sanctions list is dynamic.

4. Ensure that a company’s employees, including employees located in foreign jurisdictions, adhere to the company’s sanctions compliance program.

5. Engage in periodic international sanctions audits/testing of the compliance program at the enterprise-wide level, which can help identify instances where employees have attempted to circumvent internal policies and procedures.

6. Be aware of sanctions evaders from Russia – this example shows the persistent efforts of actors in the Russian Federation to evade international sanctions. Sanctioned Russian enterprises may use a variety of means, including obscuring the identity of actual end users, to circumvent restrictions. All persons continuing to engage in business with Russia should be aware of such evasion techniques and associated red flags.

Prepared by Inga Karulaitytė, partner of ECOVIS ProventusLaw, based on download (treasury.gov).

 

 
