Microsoft has agreed to pay over $3 million in fines for selling software to sanctioned entities and individuals in Cuba, Iran, Syria, and Russia from 2012 to 2019. The US Department of the Treasury says that “the majority of the apparent violations involved blocked Russian entities or persons located in the Crimea region of Ukraine” and that the company will be paying around $2.98 million to the Treasury’s Office of Foreign Assets Control (or OFAC) and $347,631 to the Department of Commerce. (It settled for $624,013 but will receive a credit for its agreement with the Treasury.)

According to an enforcement notice from OFAC, Microsoft, Microsoft Ireland, and Microsoft Russia failed to oversee who was buying the company’s software and services through third-party partners. Basically, Microsoft sold things to companies that it could legally deal with, but then those companies turned around and sold them to companies that shouldn’t have been able to get a hold of Microsoft products. “In certain volume-licensing programs involving sales by intermediaries, Microsoft was not provided, nor did it otherwise obtain, complete or accurate information on the ultimate end customers for its products,” says the notice.

Microsoft Russia employees may have also intentionally tried to defeat the company’s due diligence efforts. The release includes details about a Russian oil and gas infrastructure company that Microsoft screened and rejected before “certain Microsoft Russia employees successfully used a pseudonym for that subsidiary to arrange orders on behalf” of the company. Those employees were fired, but OFAC says the fact “underscores the persistent efforts of actors in the Russian Federation to evade U.S. sanctions.”

The Treasury also says that Microsoft had some other gaps in its compliance procedures. There were apparently instances when it had information that should have alerted it to the fact that a sanctioned party was using its products, but it didn’t catch it for a variety of reasons. Those include a failure to properly aggregate its information and the fact that it wasn’t scanning for all of the restricted parties — its lists didn’t include companies that were majority-owned by a sanctioned company, nor did it include Cyrillic or Chinese names, which are often what the customers gave when they were applying to purchase the software, according to the Treasury.

The fines may seem like a small drop in the bucket for Microsoft, especially when the Treasury says the company netted around $12 million from the sales. However, despite the Treasury saying that Microsoft “demonstrated a reckless disregard for U.S. sanctions,” it seems to be cutting the company a fair amount of slack because of how it handled the situation. According to the announcement, it was Microsoft that discovered the violations, investigated them, and then self-reported them to the government, and the company has made “significant” changes to bulk up its enforcement policies and measures.

“Microsoft takes export control and sanctions compliance very seriously, which is why after learning of the screening failures and infractions of a few employees, we voluntarily disclosed them to the appropriate authorities,” said David Cuddy, a spokesperson for the company. “We cooperated fully with their investigation and are pleased with the settlement.”

Microsoft’s changes to its policies may be important in the future. All of this happened before Russia’s most recent invasion of Ukraine (it invaded and annexed Crimea in 2014), but since early 2022, the number of sanctions against the county has ballooned, and many of them deal with selling technology. Microsoft isn’t the only one facing consequences for selling restricted tech to Russia; earlier this week, the Department of Justice charged an Estonian national for allegedly selling US electronics and hacking tools to the Russian military.

Update April 7th, 8:49PM ET: Added statement from Microsoft about the settlement.