Microsoft recently paid over $3 million for multiple sanctions violations involving illegal exports of services and software to sanctioned jurisdictions. The violations spanned seven years and involved prohibited Russian entities or persons located in the Crimea region of Ukraine. However, what makes this case particularly intriguing is the remedial actions taken by Microsoft, which offer best practices and insights into what can be done when resources are available. In this week's episode of Corruption, Crime, and Compliance, Michael Volkov takes a deep dive into the Microsoft OFAC enforcement action.

He discusses these ideas:

• Microsoft committed 1339 transactions in violation of multiple sanctions programs over seven years, totaling over $12 million worth of sales and services.
• Violations included the sale of software licenses and the provision of related services from servers and systems located in the US and Ireland to SDNs, blocked persons, and other end users located in Cuba, Iran, Syria, Russia, and the Crimea region of Ukraine.
• The violations were due to Microsoft's failure to obtain complete or accurate information on the identities of end customers and shortcomings in its restricted party screening. At times, Microsoft Russia employees intentionally circumvented Microsoft screening controls to prevent other Microsoft affiliates from knowing the identity of the ultimate end customers.
• Microsoft's significant remedial measures included enhancing its trade compliance program, improving its governance structure and screening resources, adopting a new three lines of defense model, and conducting a holistic risk assessment to identify and remediate instances of prohibited engagements.
• Microsoft deployed a multidisciplinary internal investigation team proficient in 16 foreign languages, modified its procedures to respond to matches, and expanded the scope and volume of data screened.
• “Companies with sophisticated technology operations and a global customer base should ensure that their sanctions compliance controls remain commensurate with risk.” 
• Companies should consider conducting a holistic risk assessment to identify and remediate prohibited engagements and ensure that employees adhere to the sanctions compliance program.
• OFAC emphasized that companies conducting business through foreign-based subsidiaries, distributors, and resellers should have sufficient visibility into their end-users, including through the provision of services after an initial sale.

KEY QUOTES:

"Now, when Microsoft supported these third-party sales to prohibited parties, they provided prohibited software and services to SDNs and end customers in sanctioned jurisdictions, and the violations occurred. The root cause really was because Microsoft did not have complete or accurate information on the identities of the end customers for Microsoft's products." - Michael Volkov

"Companies with sophisticated technology operations and a global customer base should ensure that their sanctions compliance controls remain commensurate with that risk and leverage in appropriate technological compliance solutions." - Michael Volkov

"Testing or auditing, whether conducted on a specific element of a compliance program or enterprise-wide level, are important tools to ensure that the program is working as designed and weaknesses are promptly remediated." - Michael Volkov

Resources:

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group