According to the Treasury, the company was not thorough in verifying the destination of its software, but eventually discovered and resolved the problem.
Microsoft has been fined over $3 million for violating US sanctions by selling software to individuals and entities in Cuba, Iran, Syria, and Russia between 2012 and 2019. The US Department of the Treasury found that Microsoft sold its products to companies that it could legally deal with, but these intermediaries then resold the products to companies that were under sanction.
The Treasury found that the majority of the apparent violations involved blocked Russian entities or persons located in the Crimea region of Ukraine, with Microsoft netting around $12 million from these sales. Microsoft has agreed to pay around $2.98 million to the Treasury’s Office of Foreign Assets Control (OFAC) and $347,631 to the Department of Commerce. While the company settled for $624,013, it will receive a credit for its agreement with the Treasury.
According to an enforcement notice from OFAC, Microsoft, Microsoft Ireland, and Microsoft Russia failed to oversee who was buying the company's software and services through third-party partners. The company did not obtain complete information on the end-users of its products, and in certain volume-licensing programs involving sales by intermediaries, Microsoft was not provided, nor did it otherwise obtain, complete or accurate information on the ultimate end customers for its products.
The enforcement notice also found that Microsoft had some other gaps in its compliance procedures. There were instances when it had information that should have alerted it to the fact that a sanctioned party was using its products, but it did not catch it for a variety of reasons. For example, its lists did not include companies that were majority-owned by a sanctioned company, nor did it include Cyrillic or Chinese names, which are often what customers gave when applying to purchase the software, according to the Treasury.
Microsoft Russia employees may have also intentionally tried to defeat the company’s due diligence efforts. The release includes details about a Russian oil and gas infrastructure company that Microsoft screened and rejected before certain Microsoft Russia employees successfully used a pseudonym for that subsidiary to arrange orders on behalf of the company. Those employees were fired, but OFAC says the fact “underscores the persistent efforts of actors in the Russian Federation to evade U.S. sanctions.”
Despite the Treasury saying that Microsoft "demonstrated a reckless disregard for US sanctions," it appears to be lenient on the company due to how it handled the situation. Microsoft discovered the violations, investigated them, and self-reported them to the government. Additionally, the company has made significant changes to bulk up its enforcement policies and measures.
All of this happened before Russia’s most recent invasion of Ukraine, but since early 2022, the number of sanctions against the country has increased, and many of them deal with selling technology. Microsoft is not the only one facing consequences for selling restricted tech to Russia; earlier this week, the Department of Justice charged an Estonian national for allegedly selling US electronics and hacking tools to the Russian military.