Member Search

OFAC and BIS Announce Microsoft Settlement of Sanctions and Export Control Violations

Published: 03 May 2023

By  Derrick  Kyle,  Senior  Associate

Veronica Ochoa,  Paralegal

On  April  6,  2023,  the  Department  of  Treasury  Office of  Foreign  Assets Control  (“OFAC”)  and  the  Department of  Commerce  Bureau of  Industry  and  Security  (“BIS”) announced  a  settlement  with  Microsoft  Corporation (“Microsoft”)  and  issued a  combined  $3.3  million  in  civil  penalties to  settle  potential violations  of  sanctions and  export  control laws  pertaining  to  Russia  and  other  sanctioned jurisdictions.  According  to  the  enforcement release,  Microsoft  filed  a  voluntary self-disclosure  to  both  OFAC  and  BIS  and  took  remedial measures  after  discovering the  alleged  violations.

The  Alleged  Violations

From  2012  to  2019,  Microsoft Corporation  and  its  subsidiaries,  Microsoft Ireland  Operations  Ltd.  and  Microsoft Rus  LLC  (collectively “Microsoft  Entities”),  engaged in  apparent  violations of  OFAC  sanctions programs  by  selling software  licenses  and  providing  related services  to  end  users  that  included  persons listed  on  OFAC’s Specially  Designated  Nationals List  (“SDN  List”) and  blocked  persons located  in  Cuba,  Iran,  Syria, Russia  and  the  Crimea  region of  Ukraine.  These  violations  involved Microsoft’s  volume  licensing sales  and  incentive programs  whereby  the  Microsoft  Entities utilized  third-party  distributors and  resellers  to  sell  Microsoft software  products.  The  Microsoft  Entities relied  on  an  indirect  resale model  in  Russia through  third-party  licensing solution  partners  (“LSPs”). Using  this  sales  model,  Microsoft Rus  worked  with  LSPs  to  develop  sales  leads  and  negotiate  bulk  sales  agreements with  end  customers. Thereafter,  the  LSPs  would  negotiate final  sales  and  sign  supply agreements  with  the  end  customers. While  Microsoft  Ireland Operations  billed  the  LSPs  annually for  licenses  it  supplied,  the  LSPs  would  separately  bill  and  collect payment  from  the  end  customer. Under  the  sales  model,  an  end  customer would  download  and  install  the  Microsoft  software and  activate  the  product  key.  The  end  customer  would  then  have  access  to  activate  and  manage  the  Microsoft  software that  relied,  at  least  in  part,  on  U.S.  based  servers  and  U.S.  personnel managed  systems.

Therefore,  when  the  Microsoft  Entities engaged  in  these  third-party  sales, Microsoft  provided  prohibited software  and  services to  SDNs  and  end  customers in  sanctioned  jurisdictions.  The  software  and  related  services sold  to  end  customers  were  not  eligible for  any  general licenses  or  other  exemptions.  According to  OFAC,  end  users  blocked pursuant  to  the  Ukraine  sanctions program  particularly  benefitted from  Microsoft  services through  its  U.S.-based servers  and  systems.

Why  Did  These  Violations  Occur?

According  to  OFAC,  the  apparent violations  were  caused by  the  lack  of  complete or  accurate  information on  the  identities of  the  end  customers  who  bought  Microsoft products  from  LSPs.  OFAC  also  noted  additional weaknesses  in  Microsoft’s restricted-party  screening  regime. Microsoft  failed  to  timely  screen and  reevaluate  existing customers  against  the  continually updated OFAC  SDN  List.  Microsoft  additionally failed  to  implement appropriate  corrective  measures to  avoid  continued dealings  with  SDNs  or  blocked persons.  Furthermore,  Microsoft’s screening  did  not  identify  blocked parties  not  specifically listed  on  the  SDN  List  but  owned  50%  or  more  by  SDNs.

The  Remedial  Actions

In  calculating  Microsoft’s final  civil  monetary penalty  amount,  OFAC  considered  as  mitigating  factors Microsoft’s  voluntary  self-disclosure,  cooperation with  OFAC  and  BIS  investigations  and  “significant  remedial measures”  once  the  violations  were  discovered.  BIS  credited  Microsoft with  $276,382[1]  to  fulfil its  commitments  under  the  OFAC  settlement  agreement.

Upon  learning  of  its  apparent violations,  Microsoft  took  remedial  measures to  enhance  its  sanctions  compliance programs  while  also  making  structural changes.  Microsoft’s  remedial measures  included  the  following:

·        Enhancing its  trade  compliance program.

·        Increasing its  resources  by  rectifying  its  screening  technology and  methodology.

·        Requiring Russian  service  contracts to  be  cleared by  Microsoft’s  High  Risk  Deal  Desk,  a  new  function that  provides  additional compliance  screening.

·        Implementing an  “end-to-end”  screening system  that  gathers data  when  an  outside  party  makes  its  first  contact with  the  company and  screens  its  data  on  a  recurring basis.

·        Implementing an  internal  team  to  assist its  contractors  and  employees  in  reviewing  and  researching  potential restricted  parties.

·        Expanding its  detailed  sanctions compliance  training  for  certain  employees and  jurisdictions.

·        Adopting a  new  “Three Lines  of  Defense” model  to  supervise its  trade  compliance program,  which  emphasizes management  oversight  and  compliance  monitoring.

·        Terminating or  disciplining  the  Microsoft  Russia employees  engaged  in  the  apparent violations.

Lessons  Learned:  Compliance Considerations

This  settlement  echoes U.S.  regulatory  agencies’ continued  pursuit  of  companies  and  individuals  who  violate  sanctions and  export  controls. Companies  should  revisit and  update  their  compliance  programs to  minimize  the  risk  of  violating  these  regulations.  Businesses that  do  not  have  a  compliance  program should  prioritize  the  development  and  implementation  of  one.  Exporters of  U.S.  technology, software,  or  services should  consider  performing an  internal  audit  to  assess, identify,  and  remediate any  risks.  If  the  internal audit  uncovers  possible violations,  the  voluntarily disclosure  of  suspected violations  will  be  considered  a  mitigating  factor  by  OFAC  or  BIS.

In  addition,  companies should  monitor  changes to  the  SDN  List  by  proactively  screening and  reviewing  their  end  customers. BIS  and  OFAC  have  made  it  clear  that  they  will  hold  U.S.  companies accountable  for  the  activities  of  their  foreign subsidiaries,  distributors,  and  resellers.  It  is  a  company’s  responsibility,  no  matter  how  big  or  small,  to  ensure  its  foreign  affiliates and  sales  teams  adhere  to  all  sanctions and  export  control regulations  under  U.S.  law.  Companies should  also  be  vigilant  against Russian  efforts  to  evade  U.S.  sanctions,  including attempts  to  obscure actual  end  users  to  bypass U.S.  restrictions.



For  additional guidance  on  voluntary self-disclosures,  due  diligence screening,  international  company investigations,  or  any  other  trade  topic,  feel  free  to  contact  us  at


[1] Microsoft  to  Pay  over  $3.3M  in  Total  Combined Civil  Penalties  to  BIS  and  OFAC  to  Resolve  Alleged and  Apparent  Violations of  U.S.  Export Controls  and  Sanctions; Bureau  of  Industry and  Security    (Apr. 6,  2023),  available at

Olga Torres
Torres Trade Law, PLLC
Washington DC, USA
Practice Area:
International Trade & National Security
Phone Number:
Olga Torres is the Founder and Managing Member of Torres Trade Law and its affiliate advisory firm Torres Trade Advisory, LLC. A dynamic and experienced attorney, she regularly guides clients – businesses in the hi-tech, defense contracting, telecommunications, aerospace, semiconductor, and satellite industries as well as highly regulated technology start-ups, blue-chip investment funds, and private equity groups – through a broad range of complex strategic and regulatory trade controls and national security matters, including developing effective strategies and conducting negotiations with U.S. regulatory agencies and, when needed, other regulators around the world. Ms. Torres works with clients to identify and respond to a variety of supply-chain risks and issues related to due diligence, foreign investment, sustainability and ESG, export control, and national security. She has particular strengths helping them create operational efficiencies, develop strategy, and keep their companies compliant and prosperous. Clients with operations around the globe turn to Ms. Torres for assistance in ascertaining legal risks and improving legal compliance, and to manage complex investigative and administrative enforcement cases involving U.S. federal agencies. They also seek out her experience and guidance to obtain clearance of transactions that are subject to review by the Committee on Foreign Investment in the United States (CFIUS), and to identify and negotiate measures to mitigate Foreign Ownership, Control, or Influence (FOCI). In addition to her representation of private and public companies based throughout the world, Ms. Torres also advises the U.S. Department of State on defense trade matters as part of her appointment, by the Assistant Secretary of State for Political-Military Affairs, to the Defense Trade Advisory Group (DTAG). Ms. Torres regularly counsels clients on compliance with the Foreign Corrupt Practices Act (FCPA) and other anti-bribery laws, and has broad experience developing compliance programs, providing training, and conducting sensitive internal FCPA compliance investigations in English and Spanish for companies large and small. Ms. Torres is a widely recognized attorney, public speaker, writer, and subject-matter expert on strategic trade risks. She brings a diverse perspective to both domestic and international companies in sensitive and hi-tech industries on highly regulated, technical, and complex areas of the law. She regularly represents companies before, and coordinates on behalf of her clients with, multiple federal agencies, including U.S. Department of Defense, U.S. Department of State, U.S. Department of Treasury, U.S. Department of Commerce, U.S. Customs and Border Protection, U.S. Department of Energy, and the Defense Counterintelligence and Security Agency, to name a few. Ms. Torres frequently lectures on export controls and international trade for organizations, universities, and government agencies in different countries, including in the United Kingdom, the Netherlands, Mexico, Thailand, France, Canada, and the United States. She is the author of several chapters on international trade in the WorldECR's Export Compliance Manager's Handbook, the Society of International Affairs Export Voluntary Disclosure Handbook, and other global publications. Throughout her career, Ms. Torres has been selected for recognition in multiple attorney ranking guides and publications including in Chambers and Partners USA (2018, 2019, and 2021), Who’s Who Legal (2017-2021), and SuperLawyers Rising Stars (2015-2018). Prior to founding Torres Trade Law, she was an attorney in the International & Cross Border Transactions group at an Am 100 Law Firm in Washington, D.C. In her spare time, Ms. Torres likes to travel, work out, attend the opera, eat spicy Indian, Thai, and Mexican food, and spend quality time with her family and sons.

Member Introduction

The Lawyer Network in numbers


Members Firms




Practice Areas


Member Firms
Total Staff