Microsoft will pay more than $3.3 million to settle charges from two federal agencies that its subsidiaries violated sanctions laws and export controls across their dealings in four sanctioned countries and Ukraine’s Crimea region, which is under Russian control.

The Treasury Department’s Office of Foreign Assets Control (OFAC) and Commerce Department’s Bureau of Industry and Security (BIS) combined to penalize Microsoft for 1,339 apparent sanctions violations and seven transactions with entities under export control restrictions. The apparent violations included sales to prohibited jurisdictions in Cuba, Iran, Syria, Russia, and the Crimea region of Ukraine, the agencies said Thursday in separate press releases.

Microsoft self-reported the apparent violations to both agencies, cooperated with the investigations, and remediated issues that predated Russia’s 2022 invasion of Ukraine and the sanctions that followed. OFAC judged the lapses to be non-egregious.

The details: From 2012-19, Microsoft sold more than $12.1 million worth of software licenses, activated software licenses, and/or provided related services from servers and systems located in the United States and Ireland to entities in the sanctioned jurisdictions, OFAC said.

Microsoft entities in Ireland and Russia used an indirect resale model through third-party vendors called licensing solution partners (LSPs) in Russia.

Microsoft Russia negotiated bulk sales agreements with end customers, but the LSPs would negotiate the final price and sign a commercial supply agreement, OFAC said. Microsoft Ireland would bill the LSPs annually for the sales licenses, and the LSPs would separately bill and collect payment from end users.

The end users would then access, activate, and manage Microsoft software through downloads, license activations, product key verifications, and subsequent usages that at least in part relied on access to U.S.-based servers and systems managed by U.S.-based employees, according to OFAC.

Microsoft erred by not obtaining complete and accurate information about the end users for its products, leading to usage in sanctioned jurisdictions, OFAC said.

The BIS said that from 2016-17, Microsoft engaged in seven transactions with entities its Russian-based employees knew or should have known were under export control restrictions.

Compliance considerations: While Microsoft’s subsidiaries showed a “reckless disregard” for U.S. sanctions by selling services to end users in sanctioned jurisdictions, the company’s U.S. operations were apparently unaware of the violations as they were occurring via Microsoft Russia, OFAC said.

Microsoft discovered the issue during a “self-initiated lookback, after which it conducted a comprehensive investigation to discover the causes and extent of the conduct leading to the apparent violations,” OFAC said. Its remediation efforts included a retrospective review of thousands of past transactions, “extensive” ownership research and data analysis, and a thorough internal investigation.

The company terminated the end user accounts at issue, deactivated the users’ license keys, and updated its “suspension and shutdown” procedures to disable access to its products and services when a sanctioned party is discovered, OFAC said. The Microsoft Russia employees involved in the apparent violations were terminated.

Microsoft also enhanced its trade compliance program, improved the governance of its sanctions compliance program, and added a layer of review for all Russia-related transactions before the company ceased doing business in the country in March 2022 following Russia’s invasion of Ukraine.

“Companies with sophisticated technology operations and a global customer base should ensure that their sanctions compliance controls remain commensurate with that risk and leverage appropriate technological compliance solutions,” OFAC said.

The regulator added that such firms should consider conducting a holistic risk assessment to identify where they might engage with entities in sanctioned jurisdictions. Such companies should also have sufficient visibility into the end users of their products when conducting sales through foreign-based subsidiaries, distributors, and resellers, the regulator said.

Company response: “Microsoft takes export control and sanctions compliance very seriously, which is why after learning of the screening failures and infractions of a few employees, we voluntarily disclosed them to the appropriate authorities,” a company spokesperson said in an emailed statement. “We cooperated fully with their investigation and are pleased with the settlement.”