“Sanctions are the new FCPA.” So declared the Deputy Attorney General Lisa A. Monaco last year and on a number of occasions since then. But many lawyers were left to ponder exactly what that means. It has been clear for years that doing business with Specially Designated Nationals (or SDNs) was fraught with peril—the rules even preclude U.S. legal representation absent a license, which the Treasury Department has not been quick to grant. In the last year, however, the government’s reinvigorated sanctions enforcement program has relied increasingly on the Export Control Reform Act and associated Export Administration Regulations. As a result, a regulatory regime that was once primarily the bailiwick of international trade dealmakers has vaulted to the forefront of the white-collar and government litigation world. And based on the growing allocation of resources, the institution of interagency and international task forces, and a recent spate of enforcement actions, all indications are that companies engaged in international commerce will continue to face scrutiny—and will need to remain vigilant—for the foreseeable future.
What are the Export Control Reform Act and the Export Administration Regulations? The United States export control regime dates as far back as World War II, when Congress passed the Export Control Act of 1940 in anticipation of the United States’ entrance in the War. A series of subsequent legislation—the Export Control Act of 1949, the Export Administration Act of 1979, and others—augmented the original legislation and gave rise to the Export Administration Regulations, 15 C.F.R. §§ 730-774, or the EAR. Mostly recently, Congress passed the Export Control Reform Act of 2018, which provided permanent statutory authority for the EAR.
The EAR govern the export of “dual-use goods”—primarily commercial goods that may have a military use or application. The Commerce Department’s Bureau of Industry and Security is responsible for administering and enforcing the EAR. The EAR thus are distinct from the International Traffic in Arms Regulations (also known as ITAR), which relate to articles, services, and related technical data that are inherently military in nature and are administered by the State Department. The EAR are also distinct from economic and trade sanctions administered by the Treasury Department’s Office of Foreign Asset Control (often referred to as OFAC).
Violations of the EAR can result in administrative fines, denial of export privileges, and even imprisonment. Monetary penalties imposed by the Commerce Department can reach $353,534 or twice the value of the transaction. See 50 U.S.C. § 4819(c)(1); 88 Fed. Reg. 3. As discussed further below, the Commerce Department recently fined one offender $300 million as part of a negotiated resolution. Willful violations of the EAR can result in a criminal fine of $1 million per violation, asset forfeiture, and up to 20 years’ imprisonment. 50 U.S.C. § 4819(b), (d).
What kinds of activities and products are subject to these rules? The EAR are an extraordinarily complex set of rules, a complete explanation of which is beyond the scope of this article. Generally speaking though, the EAR regulate “exports” and “reexports” of certain commodities, software, and technology. An “export” includes not only a physical shipment or transmission of an item out of the United States, but also the disclosure or other transfer of technology, source code, or related information to a foreign person within the United States (a so-called “deemed export”). A “reexport” is the shipment from one foreign country to another foreign country, and a “deemed reexport” a disclosure within a foreign country to a person from another foreign country. 15 C.F.R. §§ 734.13-14.
The EAR apply not only to all items that are located or originated in the United States, but also to a number of foreign-made and -produced items. For example, foreign-made commodities, software, and technology that contain more than a defined amount of U.S.-origin products can be regulated by the EAR. 15 C.F.R. § 734.3. For example, a foreign-made computer could be subject to the EAR if it incorporates U.S.-origin circuit board technology that itself is subject to the EAR. The EAR thus, by their terms, apply extraterritorially: non-U.S. persons acting abroad can be subject to liability so long as their conduct violates the regulations.
The EAR are organized primarily based on certain kinds of items and certain destinations of export, and the Commerce Department’s Bureau of Industry and Security (or BIS) maintains two corresponding lists: the Commerce Control List and the Commerce Country Chart. The Control List categorizes items in nine broad categories (for example, “Electronics,” “Computers,” “Navigation and Avionics”), each of which consists of five groups (“Equipment, Assemblies and Components;” “Test, Inspection and Production Equipment;” “Materials;” “Software;” and “Technology). The Control List also incorporates the reason for the control (for example, “Encryption Items,” “Surreptitious Listening,” “Missile Technology”) and ultimately provides an alphanumeric code for each kind of commodity, software, or technology subject to the EAR. The Commerce Country Chart then explains, for every country, whether a license is required to export specific kinds of items to that country.
The EAR also contain certain “general prohibitions” that apply beyond the Control List and Country Chart. For example, General Prohibition Five prohibits exports and reexports to certain end-users and end-uses (for example, military end uses in Burma, Cambodia, China, Russia, and Venezuela; and a long list of designated persons). General Prohibition Six requires a license for any export or reexport to embargoed countries such as Cuba, Iraq, Iran, North Korea, Russia, Belarus, and Syria. There are ten General Prohibitions in all. 15 C.F.R. Part 736.
What new tools does the government have to increase enforcement of these rules? Through a combination of expanded resources, interagency and international partnerships, and new and updated enforcement policies, the Biden Administration has ramped up export control enforcement and created a number of new risks for manufacturers, shippers, and other participants in the economy for high-tech goods and services.
Expanded resources. Galvanized by the war in Ukraine, ongoing tensions with China, and other geopolitical threats, the Justice Department announced that it would add 25 additional prosecutors to the National Security Division, which prosecutes criminal export control violations. The Department also signaled that a key focus would be on corporate enforcement, including by appointing a Chief Counsel for Corporate Enforcement on September 11, 2023. On the civil side, the Commerce Department’s budget for export control enforcement has increased, as well. For fiscal year 2023, Congress increased funding for the Commerce Department’s BIS by more than 25%.
Interagency and international partnerships. BIS has also been at the center of a number of interagency and international partnerships. Chief among these has been the Disruptive Technology Strike Force. Announced in February 2023, this initiative brings together agents from BIS, prosecutors from the DOJ National Security Division, agents from the FBI and Homeland Security, and prosecutors and investigators from 14 United States Attorney’s Offices around the country. The Strike Force is co-chaired by the Assistant Secretary for Export Enforcement, Matt Axelrod, and the Assistant Attorney General for National Security, Matt Olsen. Within just three months, the Strike Force announced five coordinated enforcement actions across the country that included multiples arrests, indictments, and temporary denial orders. The cases related to conduct such as supplying parts and components to Russian commercial airline companies, misappropriating code from U.S. technology companies and providing it to Chinese competitors, and providing sensitive technology to Russian military and intelligence services.
Task Force KleptoCapture, announced shortly after fighting began in Ukraine, brings together resources from the Commerce, State, and Treasury Departments, as well as the FBI, U.S. Marshals Service, U.S. Secret Service, Homeland Security Investigations, IRS Criminal Investigation, the U.S. Postal Inspection Service, and others to enforce the sweeping sanctions, export restrictions, and economic countermeasures that the United States and other countries imposed in response to the Russian attack in Ukraine.
In July 2023, BIS and OFAC signed a formal agreement memorializing the two agencies’ cooperation. The agreement is designed to ensure that BIS and OFAC enforcement teams work together even more closely and seek to enter into joint resolutions with sanctions and export control violators.
Similar efforts can be seen on an international level. In June 2023, the “Five Eyes” alliance members—Australia, Canada, New Zealand, the United Kingdom, and the United States—agreed to formal coordination on export control enforcement. The agreement provides for enhanced information-sharing related to control violators, evasion and similar problematic practices, and other trends and data collected by each country’s enforcement apparatus. BIS also announced that it expected to conduct joint investigations and coordinated enforcement actions with other Five Eyes members. Commerce Department officials are working toward similar agreements among G7 members, as well.
New and updated enforcement policies. Three key policy changes within the Commerce Department have contributed to increased enforcement activity. Most controversially, BIS adopted a policy that penalizes a company’s failure to self-report potential violations. Many companies are familiar with Justice Department and other regulatory policies that encourage leniency where a company voluntarily self-discloses violations of law. But in what has come to be called the “Axelrod Memo”—named for Assistant Secretary of Export Enforcement Matt Axelrod, who implemented the policy—BIS took that a step further by announcing that not only would voluntary self-disclosure would continue to be a mitigating factor, but a company’s failure to self-disclose would be an aggravating factor justifying a harsher penalty. This increases the stakes for companies that have discovered potential violations and are considering how to proceed. And that is especially true because the Axelrod Memo provides additional benefits to companies that report competitors’ and other companies’ violations. Specifically, companies who report violations by others will be deemed to have provided “extraordinary cooperation”—and further leniency—if they later find themselves in BIS’s crosshairs. So a company that discovers potential violations not only faces additional penalties if it chooses not to self-disclose, but its competitors and others in the market may actively be volunteering evidence to BIS.
Two other changes have enabled BIS to increase pressure on companies. First, BIS now publicly announces charges at the beginning of a case rather than waiting until it has reached a resolution with the violator to issue a charging letter. As a result, companies will face greater pressure to reach quicker resolutions with BIS so that they can lift the cloud of uncertainty created by a public accusation. Second, BIS policy no longer permits companies to enter into no-admit-no-deny settlements. Unlike many civil regulatory agencies like the SEC, FTC, and others, BIS now requires companies to admit to the conduct as part of a negotiated resolution.
How is the government using these new tools? Export control enforcement has been extremely active in the last year. In addition to the Disruptive Technology Strike Force arrests mentioned above, the Justice Department has made a number of arrests and obtained a number of convictions in cases involving export control violations. For example, on August 31, 2023, law enforcement agents in Cyprus—acting at the request of the United States—arrested a dual Russian-German citizen on allegations of obtaining U.S.-sourced microelectronics for a company that supplies electronics components for use by the Russian military. United States v. Petrov, No. 23 Mag. 6023 (S.D.N.Y.). In another case, a California-based electronics distribution company and its president and owner pleaded guilty where they had concealed information from BIS agents and Customs officers as part of a scheme to export chemicals used in semiconductor manufacturing to a company in China. United States v. Jiang, No. 20 Cr. 43 (D.R.I.).
BIS, for its part, has entered into some key resolutions too, including one that involved a $300 million penalty. In that case, California-based data storage company Seagate Technology and its Singapore affiliate shipped millions of hard drives to Huawei, the Chinese manufacturing company that has been a target of U.S. sanctions and export controls. In re Seagate Technology LLC, Bureau of Industry Security (Apr. 19, 2023). In another case, BIS reached a settlement with a 3D printing company based in South Carolina for exporting certain technology to Germany and certain aerospace technology and metal alloy powder to China. In re 3D Systems Corp., Bureau of Industry and Security (Feb. 27, 2023).
What can companies do to mitigate the risk of export control violations and enforcement actions? Export regulations and the broader sanctions regime are constantly evolving, and companies dealing in sensitive technologies and other potential dual-use goods must create a strong record of vigilant efforts to comply. The key mitigation strategy for companies that find they have violated export control laws is similar to any criminal violation: timely and voluntary self-disclosure, full cooperation with government investigations, and full and effective remediation. Under policy that the DOJ National Security Division implemented in March 2023, companies that take these three steps will—absent aggravating circumstances—presumptively receive a non-prosecution agreement and no fine. As a result, companies thus should consider taking the following prophylactic steps:
Conduct a risk assessment. Consider things like the location of your operations, the industry sector, the competitiveness of the market, potential clients and business partners, and transactions with foreign governments. Assess the policies, procedures, and controls currently in place and whether they are suited to the current risks the company faces. Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk, such as sales of nuclear technology or exports to hot-button jurisdictions such as Russia? Make sure the company has a process for tracking and integrating lessons learned from both the company’s own prior issues and from similarly situated companies. And make sure to document the methodology you use to conduct these analyses and to identify and address the particular risks the company faces.
Review and refresh policies and procedures. Timely and voluntary self-disclosure often is not possible without sensible, effective policies and procedures that will detect export control violations or at a minimum alert company management to potential issues. Based on the risk assessment, consider whether the company’s process for designing and implementing new policies and procedures, and updating existing policies and procedures, is effective. Ensure the right company personnel have been involved in the design of policies and procedures and the right business units been consulted prior to rolling them out. Consider whether the company has been effective in communicating its policies and procedures to employees. And make sure to document the efforts the company has taken to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces.
Ensure training and compliance systems are suited to the company. Make sure employees receive training on the key risks relevant to their roles, that the training is interactive and effective, and that there are adequate mechanisms to ensure employees internalize the information covered in training. Collect and preserve attendance sheets, post-training quizzes, employee acknowledgements, and other evidence of the company’s training efforts.
Document the commitment of middle and senior management to compliance. Identify and document concrete actions management has taken to demonstrate the importance of the company’s compliance and remediation efforts.
Ensure adequate resources are available to compliance efforts. Company personnel responsible for ensuring compliance should have seniority and independence, experience and ability, funding and resources, access within the company, and autonomy to ensure they effectively can police the company’s adherence to export control laws.
Implement measures to ensure preservation of documents and other evidence. Not only does an effective compliance program need such preservation to detect potential issues, but full cooperation with government investigations requires timely and voluntary preservation, collection, authentication, and disclosure of relevant documents and information.
And if a potential issue does arise, immediately engage experienced counsel to assess the company’s exposure and develop a response strategy.
Author:
Daniel Koffmann
danielkoffmann@quinnemanuel.com
+1 212-849-7617