Microsoft coughs up some change after allegedly selling software to no-no companies

Microsoft will pay more than $3.3 million to settle allegations it busted US sanctions by selling software and services to blacklisted companies and individuals in Russia, Iran, and other countries.

(That figure is about 25 minutes of quarterly profit for Microsoft; it banked $17.4 billion in net income in just the final three months of 2022.)

The settlement, announced by the US Treasury Department and negotiated with Microsoft, covers 1,339 instances between 2012 and 2019 in which Redmond and two subsidiaries, Microsoft Ireland and Microsoft Russia, apparently sold products and services to blocked parties not only in Russia and Iran but also Cuba and Syria, in violation of US export controls.

The bulk of the 1,252 claimed sanction-busting sales involved deals with Russians and Russian companies in Crimea, a portion of Ukraine that Russia illegally annexed in 2014. With war in Ukraine continuing to rage almost 14 months after Russia's full-on invasion, Ukrainian officials are demanding Russia return Crimea.

There were 54 instances cited of sales to Cuba, followed by 30 attributed to Iran and three to the Syrian government.

Redmond will pay the US Treasury Department more than $2.9 million and the Commerce Department $347,631 following a joint investigation. In all, more than $12 million in software and services were sold to more than 100 of these blacklisted entities, it was claimed. Microsoft admits no guilt in the settlement.

'Reckless disregard'

Treasury officials in their ironically named enforcement notice [PDF] this week pointed to a "reckless disregard for US sanctions" by the Microsoft's subsidiaries. They also noted that Microsoft managers in America were not aware of the violations, and when discovering them during a "self-initiated look back," investigated the sales and then disclosed them to Treasury's Office of Foreign Assets Control (OFAC).

Redmond also terminated accounts linked to the blocked entities, and improved its sanctions compliance program, according to a company spokesperson.

"Microsoft takes export control and sanctions compliance very seriously, which is why after learning of the screening failures and infractions of a few employees, we voluntarily disclosed them to the appropriate authorities," the spokesperson said in a statement to The Register.

"We cooperated fully with their investigation and are pleased with the settlement."

• Trade ministers flag researchers as possible vector of tech sanction-busting
• US chip sanctions may push Brazil, others right into China's arms
• US bans good for Chinese chipmakers, and bad for us, says Taiwanese rival
• No 'decoupling' here: Apple, Samsung, and Qualcomm sing China's praises

In the enforcement statement, OFAC outlined a case that illustrated how complex the business operations of a sprawling multinational company like Microsoft can be. It involved Redmond's volume licensing sales and incentive program through which Microsoft's overseas subsidiaries sold software products via third-party distributors and resellers.

In Russia, the indirect resale model ran through third-party licensing solution partners (LSPs), which Microsoft Russia would work with to develop sales leads and negotiate bulk sales agreements with buyers. The LSP and the buyer would negotiate the final sales price and sign the agreement.

Microsoft Ireland would bill the LSPs annually for licenses supplied, with the LSPs billing end customers. Sometimes those end customers included the blacklisted organizations and individuals.

Identity problems

Problems arose because of incomplete or inaccurate information about the identities of the customers, according to OFAC. Resellers didn't always provide the full information and Microsoft Russia employees at times "intentionally circumvented Microsoft's screening controls to prevent other Microsoft affiliates from knowing the identity of the ultimate end customers," the agency said.

In one case, after OFAC in 2014 designated Russian oil-and-gas biz Stroygazmontazh as off limits, Microsoft initially rejected a sale after screening it. After that, some Microsoft Russia employees gave the subsidiary a pseudonym so it could buy Microsoft software.

The agency also said there were holes in Microsoft's screening of restricted parties and added that the Azure giant didn't always evaluate existing customers to see if they'd been put on OFAC's blocked list.

OFAC Director Andrea Gacki said in a statement that the Microsoft case "further underscores the risks technology companies may face when engaging through foreign subsidiaries, distributors, and resellers and the importance of maintaining effective controls."

OFAC also pointed to the rise of cloud computing as a factor in international business, saying that the "increased use of internet-based computing and global demand for software applications has expanded the potential user base of technology, software, or services exported from the United States." ®