Key Takeaways:
- BIS and OFAC collectively imposed over $3.3 million in civil penalties against Microsoft as part of settlement agreements stemming from violations of U.S. export controls and sanctions laws.
- The enforcement actions emphasize the importance of U.S. entities monitoring the activities of foreign subsidiaries to detect and prevent violations of U.S. sanctions and export controls, as well as having a robust, company-wide restricted party screening program.
- The severity of the BIS penalty in the face of a voluntary disclosure by Microsoft along with the tenor and content of the Axelrod Memorandum means companies appear to face a much more difficult risk calculus when deciding whether to make voluntary disclosures to BIS.
On
A. Microsoft's Settlement with OFAC
With respect to the sanctions violations, OFAC found that Microsoft, MS Rus and Microsoft Ireland (together, the "Microsoft Entities") engaged in 1,339 apparent violations of multiple OFAC sanctions programs between
OFAC highlighted two reasons why Microsoft Entities were vulnerable to violating OFAC sanctions programs:
First, Microsoft Entities operated through third-party distributors and resellers without having complete or accurate information on the identities of the end customers of Microsoft products. For instance, Microsoft Entities negotiated bulk sales agreements with, and billed, third-party distributors, who then negotiated the final sales price and directly billed end users. The Microsoft Entities did not obtain complete or accurate information on the ultimate end users. In some instances, employees apparently intentionally circumvented Microsoft's screening controls to prevent others from knowing the identity of the ultimate end users.
Second, restricted-party screening conducted by the Microsoft Entities was insufficient. Microsoft's screening architecture did not aggregate information known to Microsoft across its databases to help identify restricted parties. Microsoft also sometimes failed to rescreen pre-existing customers to keep up with changes to the Specially Designated Nationals and Blocked Persons List ("SDN" List). Microsoft's screening system also did not identify entities owned 50 percent or more by SDNs, nor did it search for SDNs using their names in Cyrillic or Chinese characters. As a result, Microsoft missed common variations of the restricted party names.
OFAC indicated that the settlement amount involved consideration of the "General Factors" under OFAC's Enforcement Guidelines. Aggravating factors highlighted by OFAC were:
- "A reckless disregard for U.S. sanctions by failing to identify that, over a seven-year period, more than $12,000,000 worth of software and services were exported from the U.S. through Microsoft systems and servers" and the violations "were not isolated or atypical in nature, and the Microsoft Entities had reason to know that such conduct was occurring;"
- U.S. foreign policy objectives were harmed by providing U.S. software and related services that benefitted sanctioned persons, including major Russian companies; and
- The fact that Microsoft is a major multi-national company.
Mitigating factors cited by OFAC include:
- No evidence that Microsoft management in the U.S. was aware of the violations during the period they were occurring;
- Microsoft identified the issues during an internal review and conducted an extensive internal investigation;
- Microsoft voluntarily disclosed the violations and cooperated with OFAC's investigation;
- Microsoft terminated the accounts of the sanctioned persons and updated internal procedures for disabling access to its products and/or services when a sanctioned party is identified; and
- Microsoft undertook significant corrective actions including:
  - Improving the governance structure of its sanctions compliance program and increasing its resources;
  - Implementing an "end-to-end" screening system that gathers data when an outside party makes its first contact with the company; collects risk-based, compliance-oriented data to improve restricted-party screening; and screens its data on a recurring basis rather than transactionally;
  - Improving the methods by which it researches screening hits, modifying its procedures to respond to matches, and expanding the scope and volume of data screened;
  - Providing detailed sanctions compliance training for certain employees and jurisdictions;
  - Adopting a new "Three Lines of Defense" model to govern its trade compliance program, where the first line of defense is Microsoft personnel responsible for sales transactions who are tasked with day-to-day responsibility for ensuring compliance. The second line of defense consists of oversight of the first line by Microsoft's legal compliance, high-risk, financial integrity, and tax and trade units, which respond to questions or escalated issues and conduct quarterly testing. The third line of defense consists of Microsoft's internal audit team, which performs regular independent audits and reports to Microsoft's leadership and board of directors; and
  - Terminating or otherwise disciplining Microsoft Russia employees involved in the activities that led to sanctions violations.
OFAC concluded by highlighting several lessons learned and actions that other companies should take to enhance their sanctions compliance programs.
OFAC began by noting that cloud computing and global demand for software applications have expanded the potential user base of technology, software, or services exported from the
OFAC also indicated that the enforcement action serves to highlight the importance of companies having visibility into ultimate end users when conducting business through foreign-based subsidiaries, distributors, and resellers, to avoid engaging in business dealings with prohibited parties. OFAC stressed the importance of recurring screening to identify changes to the SDN List.
In order to ensure company employees, including those located outside of the
B. Microsoft's Settlement with BIS
As to the settlement with BIS, Microsoft engaged in several violations of the Export Administration Regulations ("EAR") from
As part of an internal investigation, Microsoft discovered that MS Rus employees had express email communications, internally and/or with third-party distributors, about providing the listed entities with "access to Microsoft software." In particular, the employees contemplated selling license agreements to affiliates that are not on the Entity List, who could then provide them to
Microsoft voluntarily disclosed these violations. Although we do not know when the voluntary disclosure was submitted, it is worth noting that by the time of the settlement agreement, all of the violations would have been past the statute of limitations period.
Unlike OFAC, BIS did not highlight any lessons learned or compliance recommendations for companies, nor did the settlement agreement require Microsoft to take specific actions beyond paying a monetary penalty to BIS and complying with the OFAC settlement terms, which also only require payment of a monetary penalty. This likely implies that both BIS and OFAC thought the corrective actions taken by Microsoft were sufficient to address compliance risks going forward.
BIS Assistant Secretary for Export Enforcement,
C. The Axelrod Memorandum
In an extraordinary document unprecedented in tenor and scope, Assistant Secretary Axelrod issued a memo (the "Axelrod Memo") on
Axelrod stated that BIS is "not focused on increasing the number of minor or technical VSDs we receive" and indeed invited those who have multiple minor or technical violations to disclose to combine them into a single VSD. Rather, BIS would like to see an increase in the number of VSDs disclosing "significant possible violations" and it seeks to use a stick, not just a carrot (i.e., substantially reduced penalties), to incentivize such disclosures: "when someone affirmatively chooses not to file a VSD, however, we want them to know that they risk incurring concrete costs." Specifically, the Axelrod Memo notes that the settlement guidelines provide that
As if this aggressive new posture was not warning enough for exporters, the Axelrod Memo goes further by encouraging persons with knowledge that others have violated the export control laws to notify BIS of the violations of third parties in exchange for mitigation "if a future enforcement action, even for unrelated conduct, is ever brought against the disclosing party." In other words, exporters can earn mitigation credits for future use should the party ever get into trouble itself by informing on the violations of others (the Axelrod Memo even notes that informers can earn monetary awards from FinCEN if the violations disclosed also involve potential sanctions violations). It remains to be seen whether this policy change will have the intended effect of encouraging additional VSDs or create a climate of suspicion within supply chains that results in companies being much less willing to work collaboratively to address issues and instead concealing potential problems from business partners.
D. Impact on the VSD Calculus Going Forward
In the past, disclosing violations to BIS was routine and, almost always (absent the most serious cases that typically involved willful conduct), VSDs were met with a cautionary letter and no penalty. Exporters must now more carefully weigh the costs and benefits of submitting VSDs
First, an assessment has to be made as to whether the violation would be viewed as "significant" by BIS. This is a fact-specific inquiry and will likely need to be evaluated on a case-by-case basis absent further guidance from BIS. The current touchstone of "violations that reflect potential national security harm" is extremely broad and BIS' assessment may not match that of exporters.
Second, the costs of disclosing (including civil penalties) must be weighed against the benefits, including mitigation of civil penalties. As the Microsoft settlement illustrates, cases that may previously have been closed without further action may now be subject to fines running into the hundreds of thousands of dollars (even after credit is given for voluntarily disclosing the violations and cooperating with BIS' investigation). For its part, BIS would argue that Microsoft could have been assessed civil penalties running into the millions of dollars and the penalty imposed thus represents a steep discount only afforded due to Microsoft's VSD. Part of this calculus will likely include an assessment of the risks of detection, including whether third parties are aware of the violation. Depending on the nature of the relationship with the third party, the VSD process may be a race to file a VSD first or a more coordinated effort to bring the violation(s) to BIS' attention.
Finally, companies will now want to consider (or reconsider) a VSD policy. For example, some companies may now view BIS' voluntary disclosure program to essentially be a mandatory disclosure policy and require disclosure of all violations of the EAR. Some companies may also choose to add VSD expectations to contracts with suppliers, customers, or other third parties.
Now more than ever, companies faced with choosing whether to voluntarily disclose violations of the export control laws should carefully consider their options and engage counsel when in need of guidance. Attorneys from
E-mail: ACallanan@foleyhoag.com
URL: www.foleyhoag.com
© Mondaq Ltd, 2023 - http://www.mondaq.com