Who would violate OFAC sanctions? Few intentionally. Perhaps a company already doing business with a foreign company before a sanction is put in place. Or just a company without an adequate program to review sanction lists regularly, whether against vendors or customers. (And maybe there are a very few too anxious to grow business in the wrong way.)
If only you had more resources? How about a household name? Microsoft. If even well-resourced Microsoft can fall afoul of OFAC, what are the chances for your organization?
The software giant just settled with the Department of Treasury’s Office of Foreign Assets Control (OFAC). Microsoft agreed to pay three million dollars after self-reporting violations between 2012 and 2019. The violations pre-date Russia’s recent invasion of Ukraine in 2022, when the U.S. put a host of new sanctions in place.
This settlement covered several violations. They included transactions with black-listed entities in Syria, Iran, Cuba and Russia. But the bulk of the violations involved Russian entities in Crimea. The fine could have been exponentially worse (see below) but for several mitigating factors to Microsoft’s credit, starting with self-discovery and reporting.
How did it happen? The charges are straightforward: “Between July 2012 and April 2019, the Microsoft Entities engaged in apparent violations of multiple OFAC sanctions programs when they sold software licenses, activated software licenses and provided related services from servers and systems located in the United States and Ireland to SDNs, blocked persons and other end users located in Cuba, Iran, Syria, Russia and the Crimea region of Ukraine.” That’s according to OFAC’s release.
Where Microsoft Slipped
In this case, the sanctioned entities were customers as opposed to suppliers. But a look at this provides critical takeaways.
Microsoft’s sales model for Russia was indirect. Under Microsoft’s volume licensing sales and incentive programs, the Microsoft Entities engaged with third-party distributors and sellers. Licensing Solution Partners (LSPs) developed sales leads and negotiated sales agreements with end customers. Microsoft’s offices in Ireland billed the LSPs for licenses, and the LSPs would bill the end customers.
According to the OFAC release, the LSPs did not provide, and Microsoft did not obtain complete or accurate information on end customers. And some Microsoft Russia employees deliberately circumvented screening controls to prevent Microsoft Ireland and other affiliates from knowing who the end customers were.
For all Microsoft’s resources, there were shortcomings in Microsoft’s systematic sanction screening program. For example, while Ireland did have information on some customers, its screening program did not aggregate information across Microsoft databases to identify SDNs or blocked persons.
The company also neglected to screen and evaluate existing customers timely following changes to OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”). Nor did the company have measures in place to avoid continued dealings with newly identified SDNs or blocked persons.
Mitigations – What Microsoft Did Well
“Microsoft has agreed to pay $2,980,265.86 to settle its potential civil liability relating to the exportation of services or software from the United States to comprehensively sanctioned jurisdictions and Specially Designated Nationals (“SDNs”) or blocked persons in violation of OFAC’s Cuba, Iran, Syria and Ukraine-/Russia-Related sanctions programs.”
If $3 million sounds like a lot, consider that the statutory maximum civil monetary penalty applicable in its case was $404.6 million! But Microsoft did a lot of things right. It voluntarily self-disclosed the apparent violations, and the violations constituted a non-egregious case. Consequently, under OFAC’s Economic Sanctions Enforcement Guidelines the base civil monetary penalty amount that could be applied in this case is $5,960,531.72, or one-half the transactional value for each of the apparent violations.
The settlement amount of $2.9 million reflects OFAC’s consideration of the General Factors under the Enforcement Guidelines. The mitigating factors included:
- Evidence demonstrated that persons in Microsoft’s U.S. offices or management were not aware of the possible violation activity at the time. The company discovered it in its own lookback, after which it conducted a comprehensive investigation of the causes and extent of conduct leading to the apparent violations.
- Microsoft voluntarily disclosed the apparent violations to OFAC and cooperated with OFAC’s investigation.
- Microsoft terminated the accounts of sanctioned entities and deactivated their licenses.
- Microsoft took several significant remedial actions to enhance its compliance program.
- And according to the OFAC release, the company “implemented an end-to-end screening system that gathers data when an outside party makes its first contact with the company; collects risk-based, compliance-oriented data to enable accurate and reliable restricted-party screening; and screens its data on a persistent, rather than a transactional, basis.”
- Firing or disciplining Microsoft Russia employees engaged in circumventing screening.
These mitigating factors comprise a positive and responsible approach, and consequently, Microsoft faced a much lower fine than was possible.
OFAC’s release includes this counsel: “Companies with … a global customer base should ensure that their sanctions compliance controls remain commensurate with that risk and leverage appropriate technological compliance solutions.”
It is vital to understand that sanction lists are dynamic, and organizations must have systems to account for that. As covered in OFAC: Are You Compliant or Just Think You Are?, there are three critical aspects to keeping clear of sanctioned entities. Initially, you much check all your existing relationships—customers and vendors—against sanction lists. Next, you must also review all new parties. Finally, but critically, you must also keep up with all newly identified sanctioned entities and ensure they do not include any of your existing partners.
The OFAC release reminds: “… because OFAC’s SDN List is dynamic, when changes to OFAC’s SDN List are implemented, companies should evaluate their pre-existing trade relationships to avoid dealings with prohibited parties.”
Sanction lists can and do change at any time. Therefore, the only way to ensure compliance is to have a program that checks your master databases against sanctions daily. That is why organizations increasingly engage a third-party vendor to handle daily OFAC sanction reviews.
This story is your periodic reminder that the sanctions apply to all U.S. “persons,” which includes all entities organized in the United States. To avoid OFAC sanctions violations, your organization must implement effective compliance programs that include screening your customers, partners and suppliers against OFAC lists, such as the Specially Designated Nationals (SDN) List and the Consolidated Sanctions List.
You also need to clearly understand the regulatory environment in the countries where you operate and ensure that you train your staff on compliance policies and procedures.
Furthermore, you should conduct due diligence on your business partners and third-party vendors to ensure they do not deal with sanctioned entities. You should also monitor transactions and financial activities to identify potential OFAC violations.
Compliance with OFAC sanctions is crucial. Violations of these sanctions can result in severe financial penalties, damage to reputation and legal consequences. Therefore, companies must implement effective compliance programs and stay updated with the regulatory environment to avoid violations and ensure compliance.
Microsoft’s experience serves as a reminder of the importance of effective compliance measures. By implementing strong compliance programs, companies can avoid costly penalties and damage to their reputations while maintaining their commitment to ethical business practices.
Learn how VendorInfo helps all kinds of organizations keep compliant with OFAC and other critical watch lists–contact us.