But before we look at the Microsoft case, it's essential to remember this: Sanctioning bodies with the ability to impose multi-million dollar regulatory fines are ratcheting up the pressure on businesses and organizations to get sanctions compliance under control.
And it doesn't matter if your company is big or small, regulated or non-regulated. If you break sanctions laws, then you run the risk of being on the receiving end of severe punitive action and reputational damage.
Microsoft's 2023 Sanctions Penalty: Here's What Happened
On April 6, 2023, the US Treasury announced that Microsoft will pay a combined penalty of $3.3 million to resolve alleged and apparent violations of US export controls and sanctions. The US Department of Commerce's Bureau of Industry and Security (BIS) and the Department of the Treasury's Office of Foreign Assets Control (OFAC) issued the joint fine.
So what did Microsoft allegedly do?
According to a spokesperson from the Redmond-based technology giant, this happened: "Microsoft takes export control and sanctions compliance very seriously, which is why after learning of the screening failures and infractions of a few employees, we voluntarily disclosed them to the appropriate authorities."
The statement highlights three compliance issues and processes:
- Screening failures
- Employee infractions
- Reporting sanctions violations
We'll be addressing them in the learning points below. But first, here is additional background information, according to a US Treasury press release, the majority of the alleged violations involved blacklisted Russian entities in Crimea but also blacklisted entities in Cuba, Iran, and Syria. The US Treasury also stated that most violations occurred between 2012 and 2019 in Crimea (Russia annexed Crimea in 2014, resulting in sanctions).
Regarding Microsoft's alleged sanctions violations, OFAC said: "Microsoft Russia employees appear even to have intentionally circumvented Microsoft's screening controls to prevent other Microsoft affiliates from knowing the identity of the ultimate end customers."
This statement reveals another significant facet of compliance that we will address: Know Your Customer (KYC) processes and the relationship with sanctions compliance.
5 Key Learning Points from the Microsoft Sanctions Penalties
Like all business processes, continuous improvement is critical to getting sanctions compliance right. As we now understand the Microsoft case better, let's examine the key learning points. We will cover the following:
- Lesson 1: Promptly Respond to Potential Sanctions Violations
- Lesson 2: Implement Effective Sanctions Screening Processes
- Lesson 3: Foster a Compliance Culture
- Lesson 4: Ensure Effective Communication Across the Organization
- Lesson 5: Have Robust KYC Processes in Place
Lesson 1: Promptly Respond to Potential Sanctions Violations
Although Microsoft received a combined $3.3 million penalty, it could have been worse. Sanctions issuers are known to be more lenient with companies and organizations that apply prompt voluntary self-disclosure.
As Microsoft said in its public statement regarding the case, as soon as it learned of the screening failures, it performed voluntary disclosure. The US Treasury press release also states that Microsoft's report was "non-egregious and voluntarily self-disclosed."
It's also vital that compliance teams carefully document compliance efforts to prove what they are reporting is accurate. Because sanctioning bodies investigate the paper trail when deciding punitive measures against companies and organizations with sanctions breaches.
Lesson 2: Implement Effective Sanctions Screening Processes
Microsoft's statement mentioned screening failures. We don't know the specifics of this case, but in general, we do know this: Any screening, including sanctions screening, is only as effective as the processes and people that support it.
For example, a company may use the most expensive, extensive, enterprise-ready sanctions screening product on the market - but it will only prevent breaches if a resilient sanctions screening process is in place. Poorly trained personnel and rogue employees threaten the success of all screening programs.
All companies and organizations need to implement robust and effective sanctions screening processes that are transparent and accountable.
Lesson 3: Foster a Compliance Culture
No one is suggesting that Microsoft doesn't have a culture of complying with sanctions laws. The reality is that it's a vast global organization with hundreds of thousands of employees. But sometimes, core values slip through the net - especially because employees are humans.
And people are prone to mistakes and may make poor judgment calls (as well as conduct illicit behavior for personal financial gain).
To reduce the likelihood of employees making errors or acting illegally, it's fundamental that compliance and internal communications teams collaboratively build in-house programs that foster a culture of compliance.
Ways to achieve this may include:
- Leadership setting the compliance culture (top-down approach)
- Incentivizing ethical behavior
- Embracing compliance technology
- Training & testing sanctions screening processes
Lesson 4: Ensure Effective Communication Across the Organization
We alluded to internal communication processes in lesson three. Compliance and internal communications teams should also work together to create a culture of sanctions compliance by ensuring that essential sanctions compliance messages are communicated effectively across the business.
For massive multinational organizations like Microsoft, delivering consistent key messages in multiple languages to thousands of employees can be difficult. It also requires significant investment to get it right.
But now for some good news for many of you reading.
SMEs and startups have an advantage: Ensuring effective communication across the business is far more manageable. For example, to inform employees of the importance of sanctions compliance, you can do the following:
- Integrate sanctions compliance into an internal communications plan
- Develop sanctions compliance key messages
- Produce engaging content to deliver the key messages
- Identify communication channels (internal newsletters etc.)
Lesson 5: Have Robust KYC Processes in Place
As mentioned earlier, OFAC said Microsoft employees in Russia appeared to intentionally circumvent screening controls to prevent affiliates from knowing the identity of the ultimate end customers.
This statement from OFAC emphasizes the importance of strong Know Your Customer (KYC) and Know Your Customer's Customer (KYCC) processes that support sanctions compliance.
Weak compliance programs that allow employees to circumvent protocols, such as criminal watchlists and sanctions screening, may result in severe legal and reputational risks for the organization, potential financial losses, and damage to customer trust.
Microsoft wasn't the first famous company to receive a multi-million dollar penalty for alleged sanctions violations in 2023. A week before, the US Federal Reserve and the US Treasury Department fined Wells Fargo a whopping $97.8 million for sanctions breaches.
And there are going to be many more penalties this year. As sanctions.io reported, there is increasing scrutiny on sanctions evasion. The stakes are high for both regulated and non-regulated industries. And it's essential companies and organizations do everything they can to stay sanctions compliant.
Here are some more tips:
- Stay up-to-date on changing regulations
- Implement effective internal controls
- Conduct periodic risk assessments
- Document compliance efforts
For ways to detect and prevent sanctions violations within your organization, contact sanctions.io for an obligation-free discussion. You can read sanctions.io's Ultimate Sanctions Screening Guide to learn more about sanctions screening.