In April 2023, the U.S. Department of the Treasury announced that Microsoft would pay more than $3.3 million in combined civil penalties to resolve export-control and sanctions matters involving software sales and related transactions routed through foreign subsidiaries.

Treasury said the OFAC component covered 1,339 apparent violations involving Ukraine/Russia, Cuba, Iran, and Syria, while BIS imposed a separate administrative penalty tied to Microsoft Russia. That case mattered beyond one company. It showed that software licensing, account provisioning, and subsidiary activity can produce the same enforcement exposure that firms once associated mainly with physical exports.

For software-as-a-service providers, the compliance question now begins far earlier in the customer relationship, often at the point of account creation. The legal logic is straightforward. U.S. sanctions rules can bar the provision of services to blocked persons and certain jurisdictions, and OFAC can apply civil liability without requiring proof that a company intended to violate the rules.

For cloud businesses that accept global sign-ups, an unscreened account, support interaction, or subscription renewal can create risk before any sales team reviews the customer manually.

Key Compliance Requirements for SaaS Providers

  • Cloud-based software access can trigger export-control and sanctions obligations
  • OFAC can impose civil liability even when a provider lacked intent
  • Microsoft’s 2023 settlement showed foreign-subsidiary activity can expose a U.S. parent
  • OFAC’s 2024 Russia software-services guidance and BIS’s 2025 affiliate rule expanded screening needs
  • SaaS teams increasingly need onboarding, escalation, and re-screening controls tied to sanctions data

How software access entered the sanctions perimeter

OFAC made the software point especially clear in guidance issued on June 12, 2024. In FAQ 1186, the agency said the Russia IT and Software Services Determination prohibits the exportation, reexportation, sale, or supply of certain IT support services and cloud-based services for covered software to a person located in the Russian Federation.

The same guidance states that cloud-based services include the supply of software and associated services via the internet or the cloud, including through Software-as-a-Service. The examples in that FAQ are operational rather than theoretical.

OFAC lists a cloud-based enterprise resource planning subscription sold to a Russian company, customer support provided by a U.S. employee of a third-country company to a Russian company using human resources software, and a software patch for computer-aided design tools as prohibited examples when they involve covered software and a person in Russia.

Those examples narrow the room for treating SaaS as separate from export-control and sanctions practice. A cloud subscription, a troubleshooting session, and a product update can all qualify as regulated conduct when the user, location, or end use falls inside a restricted category.

The result is that onboarding design, IP checks, and user screening have become part of legal compliance rather than product hygiene alone.

Recent enforcement widened the practical burden

In April 2023, Microsoft agreed to a $2.98 million OFAC civil penalty and a separate $624,013 BIS penalty, totaling roughly $3.3 million.

Treasury also quoted Assistant Secretary for Export Enforcement Matthew S. Axelrod saying, "U.S. companies will be held accountable for the activities of their foreign subsidiaries." That statement is important for SaaS companies that sell through resellers, overseas affiliates, or regional support hubs.

The compliance issue does not stop at the place where a subscription is provisioned or where a support ticket is answered. Parent companies can still face enforcement when internal controls do not prevent restricted transactions carried out through affiliated entities.

A December 2025 Descartes article describes a U.S. FinTech settlement tied to Iran-related customer support. The article says OFAC announced a $3.1 million settlement, with $2.47 million to be paid within 15 days and $630,000 suspended pending investment in a formal sanctions compliance program.

Corporate Compliance Insights reported that OFAC issued 14 public enforcement actions in 2025 and described a continued focus on gatekeepers and service providers. That does not by itself prove a SaaS-specific crackdown, but it does support the view that services activity and intermediary roles remain central to current sanctions enforcement.

Rule changes made screening more complex

The compliance burden also expanded because direct name screening is no longer enough in some cases. A BIS rule published in the Federal Register on September 30, 2025 under the title "Expansion of End-User Controls To Cover Affiliates of Certain Listed Entities" extended end-user controls to certain affiliates of listed entities. The document states that the rule became effective on September 29, 2025.

That change matters for software companies because screening against a visible party name may miss a restricted affiliate. If a provider sells to a business customer whose ownership links it to a controlled entity covered by the rule, a basic sign-up check may not surface the real compliance issue.

The operational implication is that screening can require ownership review for higher-risk accounts, not just exact or fuzzy matching against public names. Civil penalties for violations can be substantial under the applicable statutory frameworks.

What a screening program changes inside onboarding

For SaaS providers, the central design problem is not whether to screen but where to place the controls. If a company waits until payment review, contract signature, or enterprise procurement, a restricted user may already have received software access, support, or a trial environment.

The earlier the check runs, the lower the chance that the product itself creates the violation. A practical onboarding sequence usually starts with location and identity signals collected at account creation.

Name screening against OFAC and BIS lists, IP geolocation, domain review for business users, and country-based restrictions can be run before a full account is provisioned. When the user falls into a high-risk category, the system can pause activation pending review rather than allowing access first and investigating later.

Why support teams and product teams now share the risk

Sanctions exposure is not limited to initial software delivery. OFAC’s 2024 FAQ explicitly includes customer support and software patches among prohibited examples for covered software in Russia.

The reported FinTech case in the Descartes article likewise centers on customer-support activity rather than a conventional export shipment. That shifts part of the compliance burden into teams that many startups do not treat as export-control actors.

Product support, customer success, trust and safety, and growth operations may all handle interactions that amount to regulated services when the user is restricted. If those teams work from tools that do not display sanctions or jurisdiction flags, the company can continue serving a prohibited account long after the original signup.

For that reason, onboarding screening works best when it is connected to later controls. Existing users need periodic re-screening because sanctions lists and ownership structures change.

Support systems also need escalation paths so that a flagged account cannot continue receiving help, patches, credits, or manual account changes while the legal status remains unresolved. Recordkeeping follows from the same logic.

If a company blocks an account, clears a possible match, or offboards a customer after a sanctions update, those decisions should be logged in a form that compliance and legal teams can later review.
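The onboarding sequence described above (name screening, IP geolocation and country checks run at account creation, with activation paused for review) together with the later points about periodic re-screening, a support escalation gate, and logging each decision, carried through as one added Python example. This is illustration code written for this page, not code from the article or from any company it names. The list entries, the restricted-country set and the IP-prefix-to-country table are constructed placeholders standing in for licensed OFAC/BIS list data and a real geolocation feed, and the names `screen`, `rescreen`, `service_permitted` and `AuditLog` are this example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from difflib import SequenceMatcher
from typing import Optional

# Constructed placeholder names, NOT real OFAC/BIS list entries.
SANCTIONED_NAMES = {"Example Blocked Trading LLC", "Placeholder Holdings Corp"}
# Jurisdictions the article names for the Microsoft case; a policy input that
# compliance owns in a real system, not a hard-coded constant.
RESTRICTED_COUNTRIES = {"RU", "CU", "IR", "SY"}
# Constructed IP-prefix -> country table standing in for a geolocation feed.
IP_PREFIX_COUNTRY = {"203.0.113.": "RU", "198.51.100.": "DE", "192.0.2.": "US"}
MATCH_THRESHOLD = 0.85  # fuzzy-match cut-off; tune against review workload
SEVERITY = {"allow": 0, "review": 1, "block": 2}

@dataclass
class Signup:
    account_id: str
    name: str
    declared_country: str  # ISO 3166-1 alpha-2 from the sign-up form
    ip: str

@dataclass
class Decision:
    account_id: str
    outcome: str = "allow"  # allow -> provision; review -> pause; block -> refuse
    reasons: list = field(default_factory=list)

    def escalate(self, outcome: str, reason: str) -> None:
        # Record every reason, but only ever raise the outcome, never lower it.
        self.reasons.append(reason)
        if SEVERITY[outcome] > SEVERITY[self.outcome]:
            self.outcome = outcome

def geolocate(ip: str) -> Optional[str]:
    """Country for an IP from the constructed prefix table; None if unknown."""
    for prefix, country in IP_PREFIX_COUNTRY.items():
        if ip.startswith(prefix):
            return country
    return None

def name_match(name: str, listed: set) -> Optional[tuple]:
    """Best fuzzy match against listed names at or above MATCH_THRESHOLD."""
    best = None
    for entry in listed:
        score = SequenceMatcher(None, name.lower(), entry.lower()).ratio()
        if score >= MATCH_THRESHOLD and (best is None or score > best[1]):
            best = (entry, score)
    return best

def screen(signup: Signup, listed: set = SANCTIONED_NAMES) -> Decision:
    """Synchronous checks that run before any account is provisioned."""
    decision = Decision(signup.account_id)
    hit = name_match(signup.name, listed)
    if hit is not None:
        entry, score = hit
        if score == 1.0:
            decision.escalate("block", f"exact list match: {entry}")
        else:  # near miss: a human clears or confirms it before access
            decision.escalate("review", f"possible list match: {entry} ({score:.2f})")
    if signup.declared_country in RESTRICTED_COUNTRIES:
        decision.escalate("block", f"declared country restricted: {signup.declared_country}")
    ip_country = geolocate(signup.ip)
    if ip_country in RESTRICTED_COUNTRIES:
        decision.escalate("block", f"IP geolocates to restricted country: {ip_country}")
    elif ip_country is None:
        decision.escalate("review", "IP geolocation unavailable")
    elif ip_country != signup.declared_country:
        decision.escalate("review", f"declared {signup.declared_country} but IP in {ip_country}")
    return decision

def service_permitted(decision: Decision) -> bool:
    """Gate shared by provisioning, support, patches and credits: clean allow only."""
    return decision.outcome == "allow"

class AuditLog:
    """Append-only record of screening decisions for later compliance review."""
    def __init__(self) -> None:
        self.entries = []

    def record(self, decision: Decision, actor: str, note: str = "") -> dict:
        entry = {"at": datetime.now(timezone.utc).isoformat(),
                 "account_id": decision.account_id, "outcome": decision.outcome,
                 "reasons": list(decision.reasons), "actor": actor, "note": note}
        self.entries.append(entry)
        return entry

def rescreen(signups: list, listed: set, previous: dict, log: AuditLog) -> list:
    """Re-run screening after a list or ownership update; return changed outcomes."""
    changed = []
    for s in signups:
        d = screen(s, listed)
        if d.outcome != previous.get(s.account_id, "allow"):
            log.record(d, actor="rescreen-job", note="outcome changed after list update")
            changed.append(d)
    return changed
```

The design point is that `screen` is the only place a verdict is produced, `service_permitted` is the single gate that provisioning, support tooling and billing all consult, and every verdict (including those produced by `rescreen` when a list changes) passes through `AuditLog.record`. A fuzzy name hit or an unresolvable IP never provisions silently; it parks the account in review, which keeps support and patches off it until a person clears it.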

A product decision with legal and commercial consequences

The business consequence is that export-control screening has moved into product architecture. A company that wants instant self-serve sign-up for users around the world now has to decide which checks run synchronously, which users are blocked automatically, and which cases route to manual review.

Those choices affect conversion, support load, and legal exposure at the same time. The compliance cost is real, but enforcement risk now reaches routine cloud operations that many software firms once treated as low-risk.

Microsoft’s settlement showed the exposure tied to software transactions through foreign subsidiaries. OFAC’s 2024 Russia guidance showed that SaaS, patches, and support can all fall within prohibited software-services activity for covered use cases.

BIS’s 2025 affiliates rule increased the need to understand who a customer is connected to, not just what name appears on the signup form. That combination leaves SaaS companies with a narrower margin for informal processes.

Manual review after onboarding is often too late. A defensible system starts when the account is created, continues through support and billing workflows, and adjusts as sanctions lists and ownership data change.

For cloud providers, the unresolved question is no longer whether export-control and sanctions rules apply to software delivery in meaningful ways. The more immediate question is how much operational friction a company is willing to add before access is granted, and whether that friction is lower than the cost of discovering the problem after the service has already been delivered.
