Key Takeaways:

  • BIS and OFAC collectively imposed over $3.3 million in civil penalties against Microsoft as part of settlement agreements stemming from violations of U.S. export controls and sanctions laws.
  • The enforcement actions emphasize the importance of U.S. entities monitoring the activities of foreign subsidiaries to detect and prevent violations of U.S. sanctions and export controls, as well as having a robust, company-wide restricted party screening program.
  • The severity of the BIS penalty in the face of a voluntary disclosure by Microsoft along with the tenor and content of the Axelrod Memorandum means companies appear to face a much more difficult risk calculus when deciding whether to make voluntary disclosures to BIS.

On April 6, 2023, Microsoft Corporation ("Microsoft") agreed to pay $3.3 million to the Department of Commerce's Bureau of Industry and Security ("BIS") and the Department of the Treasury's Office of Foreign Assets Control ("OFAC"), based on its violations of U.S. sanctions and export control laws. The OFAC penalty amounted to $2,980,265.86, while the BIS fine was set at a maximum of $624,013, but BIS agreed to give Microsoft a $276,382 credit if it meets the OFAC settlement requirements. The settlement agreements and underlying violations, which Microsoft voluntarily self-disclosed and which occurred prior to the imposition of sanctions and export controls following Russia's further invasion of Ukraine in February 2022, are explored below. The announcement of the settlement agreement was followed less than two weeks later by a memorandum from Matthew Axelrod, Assistant Secretary for Export Enforcement at the United States Department of Commerce, clarifying BIS' policy related to voluntary self-disclosures ("VSDs") and disclosures concerning others.

A. Microsoft's Settlement with OFAC

With respect to the sanctions violations, OFAC found that Microsoft, MS Rus and Microsoft Ireland (together, the "Microsoft Entities") engaged in 1,339 apparent violations of multiple OFAC sanctions programs between July 2012 and April 2019 by selling software licenses, activating software licenses and/or providing related services from servers and systems located in the U.S. and Ireland to SDNs, blocked persons, and other unauthorized end users located in Cuba, Iran, Syria, Russia and the Crimea region of Ukraine. The total value of these sales and related services was about $12.1 million. The Microsoft Entities appeared to have engaged in 54 apparent violations of § 515.201(b)(2) of the Cuban Assets Control Regulations, 30 apparent violations of § 560.204 and § 560.206(a)(2) of the Iranian Transactions and Sanctions Regulations, 3 apparent violations of § 542.207 of the Syrian Sanctions Regulations, and 1,252 apparent violations of § 589.207 of the Ukraine-/Russia-Related Sanctions Regulations. Despite the number of violations and sanctions programs involved, OFAC agreed to a significantly reduced penalty (the statutory maximum civil monetary penalty was over $400 million) based on a determination that the conduct of the Microsoft Entities was "non-egregious," voluntarily disclosed, and followed by significant remedial measures upon discovery of the violations.

OFAC highlighted two reasons why the Microsoft Entities were vulnerable to violating OFAC sanctions programs:

First, the Microsoft Entities operated through third-party distributors and resellers without having complete or accurate information on the identities of the end customers of Microsoft products. For instance, the Microsoft Entities negotiated bulk sales agreements with, and billed, third-party distributors, who then negotiated the final sales price and directly billed end users. The Microsoft Entities did not obtain complete or accurate information on the ultimate end users. In some instances, employees apparently intentionally circumvented Microsoft's screening controls to prevent others from knowing the identity of the ultimate end users.

Second, restricted-party screening conducted by the Microsoft Entities was insufficient. Microsoft's screening architecture did not aggregate information known to Microsoft across its databases to help identify restricted parties. Microsoft also sometimes failed to rescreen pre-existing customers to keep up with changes to the Specially Designated Nationals and Blocked Persons List (the "SDN List"). Microsoft's screening system also did not identify entities owned 50 percent or more by SDNs, nor did it search for SDNs using their names in Cyrillic or Chinese characters. As a result, Microsoft missed common variations of the restricted party names.

OFAC indicated that the settlement amount involved consideration of the "General Factors" under OFAC's Enforcement Guidelines. Aggravating factors highlighted by OFAC were:

  1. "A reckless disregard for U.S. sanctions by failing to identify that, over a seven-year period, more than $12,000,000 worth of software and services were exported from the U.S. through Microsoft systems and servers" and the violations "were not isolated or atypical in nature, and the Microsoft Entities had reason to know that such conduct was occurring;"
  2. U.S. foreign policy objectives were harmed by providing U.S. software and related services that benefitted sanctioned persons, including major Russian companies; and
  3. The fact that Microsoft is a major multi-national company.

Mitigating factors cited by OFAC include:

  1. No evidence that Microsoft management in the U.S. was aware of the violations during the period they were occurring;
  2. Microsoft identified the issues during an internal review and conducted an extensive internal investigation;
  3. Microsoft voluntarily disclosed the violations and cooperated with OFAC's investigation;
  4. Microsoft terminated the accounts of the sanctioned persons and updated internal procedures for disabling access to its products and/or services when a sanctioned party is identified; and
  5. Microsoft undertook significant corrective actions including:
    1. Improving the governance structure of its sanctions compliance program and increasing its resources;
    2. Implementing an "end-to-end" screening system that gathers data when an outside party makes its first contact with the company; collects risk-based, compliance-oriented data to improve restricted-party screening; and screens its data on a recurring basis rather than transactionally;
    3. Improving the methods by which it researches screening hits, modifying its procedures to respond to matches, and expanding the scope and volume of data screened;
    4. Providing detailed sanctions compliance training for certain employees and jurisdictions;
    5. Adopting a new "Three Lines of Defense" model to govern its trade compliance program, where the first line of defense is Microsoft personnel responsible for sales transactions who are tasked with day-to-day responsibility for ensuring compliance. The second line of defense consists of oversight of the first line by Microsoft's legal compliance, high-risk, financial integrity, and tax and trade units, which respond to questions or escalated issues and conduct quarterly testing. The third line of defense consists of Microsoft's internal audit team, which performs regular independent audits and reports to Microsoft's leadership and board of directors; and
    6. Terminating or otherwise disciplining Microsoft Russia employees involved in the activities that led to sanctions violations.

OFAC concluded by highlighting several lessons learned and actions that other companies should take to enhance their sanctions compliance programs.

OFAC began by noting that cloud computing and global demand for software applications have expanded the potential user base of technology, software, or services exported from the U.S. (implying that companies may not be fully appreciating the resulting U.S. nexus this creates from a U.S. sanctions enforcement perspective). OFAC warned that companies with sophisticated technology operations and a global customer base should ensure that their sanctions compliance controls match the risks posed by such complex operations, including the use of technology compliance solutions sophisticated enough to manage the compliance risks. OFAC also recommended that such companies, especially ones with touch points in high-risk jurisdictions, conduct a holistic risk assessment and remediate any issues identified.

OFAC also indicated that the enforcement action serves to highlight the importance of companies having visibility into ultimate end users when conducting business through foreign-based subsidiaries, distributors, and resellers, to avoid engaging in business dealings with prohibited parties. OFAC stressed the importance of recurring screening to identify changes to the SDN List.
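The screening gaps OFAC described in Section A (no aggregation across internal databases, no rescreening of existing customers when the list changes, no 50 percent ownership rule, no matching of Cyrillic spellings) and the recurring-screening point above map onto concrete control logic. The following is an added example written for this article, not code from Microsoft, OFAC, or any screening vendor: a toy restricted-party screener that closes each of those gaps. The blocked-list entries, customer records, tax identifiers, ownership percentages and the `BLK-*` identifiers are all constructed sample data, and the Cyrillic transliteration table is a deliberately minimal stand-in for the full transliteration and fuzzy-matching a production screener would use.

```python
"""Added example (not from the article or Microsoft): a toy restricted-party
screener that (1) aggregates customer data from more than one internal system,
(2) normalizes names so Cyrillic spellings match Latin transliterations,
(3) applies the 50 percent ownership rule, and (4) rescreens the whole customer
base when the list changes. All data below is constructed, not real list content."""
import re
import unicodedata
from collections import defaultdict

# Constructed blocked-persons list, keyed by list version. Names are fictional.
BLOCKED_LIST = {
    "v1": {"BLK-1": ["Example Shipbuilding JSC", "АО Пример Судостроение"]},
    "v2": {"BLK-1": ["Example Shipbuilding JSC", "АО Пример Судостроение"],
           "BLK-2": ["Fictional Expert Institute", "Вымышленный Экспертный Институт"]},
}

# Constructed direct-ownership table: listed owner -> {owned entity: fraction}.
# Under the 50 percent rule an unlisted entity owned 50% or more in aggregate
# by listed persons is treated as blocked even though it is not itself listed.
OWNERSHIP = {
    "BLK-1": {"Example Marine Holdings": 0.30},
    "BLK-2": {"Example Marine Holdings": 0.25},
}

# Constructed records from two internal systems. Neither system alone shows
# that "EMH" (billing) and "Example Marine Holdings" (CRM) are the same party;
# the shared tax id is what lets the screener aggregate them.
CRM = [{"id": "C-100", "name": "Example Marine Holdings", "tax_id": "TX-9"},
       {"id": "C-200", "name": "OOO Пример Судостроение", "tax_id": "TX-5"},
       {"id": "C-300", "name": "Harmless Bakery Ltd", "tax_id": "TX-1"}]
BILLING = [{"account": "B-7", "name": "EMH", "tax_id": "TX-9"},
           {"account": "B-8", "name": "Harmless Bakery", "tax_id": "TX-1"}]

# Minimal Cyrillic-to-Latin table (just enough for the sample names).
_CYR = dict(zip("абвгдеёжзийклмнопрстуфхцчшщъыьэюя",
                ["a", "b", "v", "g", "d", "e", "e", "zh", "z", "i", "j", "k",
                 "l", "m", "n", "o", "p", "r", "s", "t", "u", "f", "h", "c",
                 "ch", "sh", "sch", "", "y", "", "e", "yu", "ya"]))
_NOISE = {"jsc", "ao", "ooo", "llc", "ltd"}  # legal-form tokens to ignore


def normalize(name: str) -> str:
    """Casefold, transliterate Cyrillic, drop punctuation and legal-form tokens,
    so 'АО Пример Судостроение' and 'OOO Пример Судостроение' compare equal."""
    s = unicodedata.normalize("NFKC", name).casefold()
    s = "".join(_CYR.get(ch, ch) for ch in s)
    tokens = [t for t in re.split(r"[^a-z0-9]+", s) if t and t not in _NOISE]
    return " ".join(tokens)


def aggregate_customers() -> dict:
    """Merge CRM and billing records by tax id so every name a party has used
    anywhere in the company is screened together."""
    parties = defaultdict(set)
    for r in CRM:
        parties[r["tax_id"]].add(r["name"])
    for r in BILLING:
        parties[r["tax_id"]].add(r["name"])
    return dict(parties)


def blocked_by_ownership(version: str) -> set:
    """Normalized names of unlisted entities owned >= 50% in aggregate by listed persons."""
    stake = defaultdict(float)
    for owner, holdings in OWNERSHIP.items():
        if owner in BLOCKED_LIST[version]:
            for owned, frac in holdings.items():
                stake[owned] += frac
    return {normalize(n) for n, f in stake.items() if f >= 0.5}


def screen(version: str) -> dict:
    """Screen every aggregated party against one list version; returns {tax_id: reason}."""
    listed = {normalize(alias): entry
              for entry, aliases in BLOCKED_LIST[version].items() for alias in aliases}
    owned = blocked_by_ownership(version)
    hits = {}
    for tax_id, names in aggregate_customers().items():
        for name in names:
            n = normalize(name)
            if n in listed:
                hits[tax_id] = f"listed as {listed[n]}"
            elif n in owned:
                hits[tax_id] = "50% rule: majority owned by listed persons"
    return hits


def rescreen(old_version: str, new_version: str) -> dict:
    """Recurring screening: rerun the whole customer base after a list update and
    report only parties that were clear before but hit now."""
    before, after = screen(old_version), screen(new_version)
    return {t: r for t, r in after.items() if t not in before}


if __name__ == "__main__":
    print("v1 hits:", screen("v1"))
    print("new hits after v2 update:", rescreen("v1", "v2"))
```

The interesting case is `TX-9`: it is clear under list version `v1`, but once `BLK-2` is added in `v2` the two listed owners together hold 55 percent of Example Marine Holdings, so only a full rescreen of pre-existing customers, not transaction-time screening of new orders, surfaces it. Without the tax-id aggregation, a billing-only screener would see just "EMH" and miss it even then.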

In order to ensure company employees, including those located outside of the U.S., are following a company's sanctions compliance program, OFAC emphasized the need to engage in periodic auditing. Finally, OFAC said the action highlights ongoing efforts by individuals in Russia to evade U.S. sanctions, including by obscuring the identity of the actual end user.

B. Microsoft's Settlement with BIS

As to the settlement with BIS, Microsoft engaged in several violations of the Export Administration Regulations ("EAR") from December 2016 to December 2017, through its subsidiary Microsoft Rus LLC ("MS Rus"). Specifically, on seven occasions during this period, employees of MS Rus caused another Microsoft subsidiary to sell software subject to the EAR to two Russian companies, FAU Glavgosekspertiza Rossii ("FAU GR") and United Shipbuilding Corporation Joint Stock Company ("USC"), both included on BIS's Entity List, without the necessary export authorization. Both FAU GR and USC had already been sanctioned years prior to Russia's further invasion of Ukraine in February 2022. The settlement agreement curiously characterized the classification of the software as "classified under Export Control Classification Number 5D992.c, which is controlled for anti-terrorism reasons, and designated as EAR99." It is, of course, impossible for software to be classified as both 5D992.c and EAR99 (perhaps multiple software products were involved, some classified as 5D992.c and others as EAR99), but, either way, the software was subject to among the least restrictive export controls under the EAR.

As part of an internal investigation, Microsoft discovered that MS Rus employees had express email communications, internally and/or with third-party distributors, about providing the listed entities with "access to Microsoft software." In particular, the employees contemplated selling license agreements to affiliates that are not on the Entity List, who could then provide them to USC and FAU GR. As to USC, to conceal the access to, and use of, this "software by prohibited parties, . . . an increased number of licenses were added under the affiliates' enterprise agreements." For FAU GR, "licenses were ordered through one of Microsoft's Open sales programs in the names of parties not on the Entity List."

Microsoft voluntarily disclosed these violations. Although we do not know when the voluntary disclosure was submitted, it is worth noting that by the time of the settlement agreement, all of the violations would have been past the statute of limitations period.

Unlike OFAC, BIS did not highlight any lessons learned or compliance recommendations for companies, nor did the settlement agreement require Microsoft to take specific actions beyond paying a monetary penalty to BIS and complying with the OFAC settlement terms, which also only require payment of a monetary penalty. This likely implies that both BIS and OFAC thought the corrective actions taken by Microsoft were sufficient to address compliance risks going forward.

BIS Assistant Secretary for Export Enforcement, Matthew Axelrod, made clear that "U.S. companies will be held accountable for the activities of their foreign subsidiaries." Though the conduct of the MS Rus employees appears to have been intentional, there was no claim that Microsoft employees outside of Russia were aware of the conduct or approved of it.

C. The Axelrod Memorandum

In an extraordinary document unprecedented in tenor and scope, Assistant Secretary Axelrod issued a memo (the "Axelrod Memo") on April 18, 2023, "Clarifying Our Policy Regarding Voluntary Self-Disclosures and Disclosures Concerning Others" that made clear that not only does BIS expect parties to disclose "significant" possible violations of the EAR, but that those who fail to do so will have the lack of a voluntary disclosure counted as an aggravating factor should BIS otherwise find out about the violation.

Axelrod stated that BIS is "not focused on increasing the number of minor or technical VSDs we receive" and indeed invited those who have multiple minor or technical violations to disclose to combine them into a single VSD. Rather, BIS would like to see an increase in the number of VSDs disclosing "significant possible violations," and it seeks to use a stick, not just a carrot (i.e., substantially reduced penalties), to incentivize such disclosures: "when someone affirmatively chooses not to file a VSD, however, we want them to know that they risk incurring concrete costs." Specifically, the Axelrod Memo notes that the settlement guidelines provide that BIS' Office of Export Enforcement will consider "'whether the Respondent has taken steps to address compliance concerns raised by the violation, to include the submission of a VSD and steps to prevent reoccurrence of the violation that are reasonably calculated to be effective.' Because this factor is a 'General Factor,' it is designed to be 'either mitigating or aggravating.' In the past, we have consistently applied it as a mitigating factor when a VSD has been filed after a potential violation was uncovered. Going forward, we will also consistently apply this factor as an aggravating factor when a significant possible violation has been uncovered by a party's export compliance program, but no VSD has been submitted."

As if this aggressive new posture were not warning enough for exporters, the Axelrod Memo goes further by encouraging persons with knowledge that others have violated the export control laws to notify BIS of the violations of third parties in exchange for mitigation "if a future enforcement action, even for unrelated conduct, is ever brought against the disclosing party." In other words, exporters can earn mitigation credits for future use, should the party ever get into trouble itself, by informing on the violations of others (the Axelrod Memo even notes that informers can earn monetary awards from FinCEN if the violations disclosed also involve potential sanctions violations). It remains to be seen whether this policy change will have the intended effect of encouraging additional VSDs or will instead create a climate of suspicion within supply chains that results in companies being much less willing to work collaboratively to address issues and instead concealing potential problems from business partners.

D. Impact on the VSD Calculus Going Forward

In the past, disclosing violations to BIS was routine and, almost always (absent the most serious cases, which typically involved willful conduct), VSDs were met with a cautionary letter and no penalty. Exporters must now more carefully weigh the costs and benefits of submitting VSDs.

First, an assessment has to be made as to whether the violation would be viewed as "significant" by BIS. This is a fact-specific inquiry and will likely need to be evaluated on a case-by-case basis absent further guidance from BIS. The current touchstone of "violations that reflect potential national security harm" is extremely broad, and BIS' assessment may not match that of exporters.

Second, the costs of disclosing (including civil penalties) must be weighed against the benefits, including mitigation of civil penalties. As the Microsoft settlement illustrates, cases that may previously have been closed without further action may now be subject to fines running into the hundreds of thousands of dollars (even after credit is given for voluntarily disclosing the violations and cooperating with BIS' investigation). For its part, BIS would argue that Microsoft could have been assessed civil penalties running into the millions of dollars and the penalty imposed thus represents a steep discount only afforded due to Microsoft's VSD. Part of this calculus will likely include an assessment of the risks of detection, including whether third parties are aware of the violation. Depending on the nature of the relationship with the third party, the VSD process may be a race to file a VSD first or a more coordinated effort to bring the violation(s) to BIS' attention.

Finally, companies will now want to consider (or reconsider) a VSD policy. For example, some companies may now view BIS' voluntary disclosure program to essentially be a mandatory disclosure policy and require disclosure of all violations of the EAR. Some companies may also choose to add VSD expectations to contracts with suppliers, customers, or other third parties.

Now more than ever, companies faced with choosing whether to voluntarily disclose violations of the export control laws should carefully consider their options and engage counsel when in need of guidance. Attorneys from Foley Hoag's International Trade & National Security team have been involved in hundreds of investigations related to export controls and sanctions laws, and are able to provide comprehensive, practical support to exporters who find themselves in violation of those laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.