The New Era of Export Enforcement

by Matthew S. Axelrod


In 2008, when Siemens AG and three subsidiaries pleaded guilty to Foreign Corrupt Practices Act (FCPA) violations and agreed to pay $450 million in combined criminal fines, the resolution put the world on notice.[1]  Violating the FCPA – including through corrupt payments, falsified records, and weak internal controls – would result in significant penalties.  Paying bribes to foreign officials now carried enterprise risk.  While that seems obvious today – after a number of subsequent multi-billion-dollar FCPA settlements – it wasn’t always the case.  Through the work of a small but dedicated group of prosecutors at the U.S. Department of Justice, the FCPA developed from an esoteric and underappreciated area of the law into one of the top risk and compliance areas for large companies.  Export enforcement is now travelling a similar path.

In the past, companies may have viewed compliance with export controls as a technical necessity, something that required the attention not of the C-Suite or General Counsel, but of only a compliance officer or two well-versed in federal export regulations.  Since the Office of Export Enforcement was first created over forty years ago, the world has shifted and we’ve gone from the Cold War and the Sony Walkman to renewed great power competition and artificial intelligence.  And that shift has significantly amplified the national security risk posed by nation-state adversaries who seek to obtain sensitive U.S. technologies – such as quantum computing, advanced semiconductors, and hypersonics – to modernize their militaries, commit human rights abuses, and advance their weapons-of-mass-destruction programs.  That heightened national security risk for our country is now increasingly paired with heightened reputational and enforcement risk for companies.     

Export controls have always been used as a national security and foreign policy tool, dating back to the American Revolution, when restrictions were placed on the export of “any merchandize or commodity whatsoever to Great Britain, Ireland, or the West Indies, except rice to Europe.”[2]  And they have played a role, in one fashion or another, in almost every major conflict since.  Yet the core mission of the enforcement team I lead at the Commerce Department’s Bureau of Industry and Security (BIS) – keeping our country’s most sensitive items out of the world’s most dangerous hands – has never been a more important national security imperative than right now.  As National Security Advisor Jake Sullivan highlighted last year, a fundamental connection exists between our country’s scientific and technological advantages, on the one hand, and our national security on the other.[3]  We must ensure that advanced American technologies do not reach those who would use such technologies to modernize their military capabilities or commit human rights abuses.  And by “we,” I mean both government and industry alike.  Failure to prevent our adversaries from obtaining advanced U.S. technologies brings not only a grave threat to our collective national security but also significant reputational and enforcement risk for companies.  To protect against these risks, an export compliance program must now form a cornerstone of any effective corporate compliance structure.

Enhanced Export Enforcement Policies

Given the increased national security importance of export controls, we launched new policies last year to strengthen the power of our administrative enforcement tools.[4]  In June 2022, I issued a policy memorandum instituting four policy changes:

  • Imposing significantly higher penalties when cases are deemed “egregious” and ensuring that the existing penalty factors are applied more uniformly;
  • Using non-monetary resolutions for less serious violations;
  • Eliminating “no admit, no deny” settlements; and
  • Dual-track processing of voluntary self-disclosures (VSDs), to ensure that the minor or technical disclosures are fast-tracked to a resolution within 60 days, while more serious disclosures are assigned to an agent and an attorney in Commerce’s Office of Chief Counsel for Industry and Security.

In addition, we published a regulatory change making charging letters public when initially filed rather than when a matter is ultimately resolved.[5]  Making enforcement actions public at the outset gives industry insight into the consequences that can result from alleged misconduct in much closer to real time.  As a result, companies are incentivized to invest in compliance.  

In April of this year, I issued a memorandum clarifying our policy on voluntary self-disclosures and disclosures concerning others.[6]  The policy aims to shift the risk calculus on disclosures in two ways: first, a deliberate non-disclosure of a significant possible violation of the Export Administration Regulations (EAR) will now be considered an aggravating factor under our penalty guidelines.[7]  That is, if someone affirmatively chooses not to file a VSD after uncovering a significant possible violation, they run a substantial risk of a sharply increased penalty if BIS uncovers the conduct.  The second part of the policy, in turn, concerns disclosures about the conduct of others.  If an entity becomes aware that another party is potentially violating the EAR, tells us, and that tip then leads to an enforcement action, we will consider that successful tip a mitigating factor under the penalty guidelines if the disclosing entity faces an enforcement action (even if unrelated) in the future.  We don’t want companies who are complying to suffer in silence if their competitors are gaining an unfair advantage by continuing to sell in violation of our rules.  But we can’t act on information we don’t have.  Companies should reach out to us, or use the confidential reporting form, if they suspect that a competitor is potentially violating the EAR.    

Increased Corporate Enforcement Actions for Export Violations

Just as DOJ’s resolution with Siemens in 2008 marked a ramp-up in corporate enforcement of the FCPA, so too have recent actions by BIS and our partners marked the beginning of a new era of corporate enforcement of export violations.

In April, we announced the largest standalone administrative penalty in BIS history.[8]  The penalty – $300 million – was imposed against Seagate Technology LLC and Seagate Singapore International Headquarters Pte. Ltd. to resolve alleged violations of U.S. export controls for selling hard disk drives (HDDs) to Huawei Technologies Co. Ltd.  Huawei was placed on our Entity List in May 2019 for posing a risk to U.S. national security and foreign policy interests and subjected to expansive controls on foreign-produced items for its continued malign activities in August 2020.  A month later, in September 2020, the two other companies capable of making HDDs promptly—and publicly—indicated that they had ceased sales to Huawei.  Despite this, Seagate announced it would continue to do business with Huawei. Subsequently, Seagate entered into a three-year Strategic Cooperation Agreement with Huawei, naming Seagate as “Huawei’s strategic supplier” and granting the company “priority basis over other Huawei suppliers.”  Of the three competitors, only Seagate refused to stop sales and transactions involving Huawei.  This resulted in Seagate becoming the monopoly supplier of HDDs to Huawei, giving the company an unfair competitive advantage. 

To address this behavior, BIS imposed a $300 million monetary penalty, more than twice the net profits Seagate made through its conduct.  The resolution demonstrates to companies globally that we will aggressively enforce the foreign-direct product rule and penalize companies that seek to gain market share and profits at the expense of those that implement effective export compliance programs.[9]

In addition to the enforcement actions we bring ourselves, we also work closely with partners like the Office of Foreign Assets Control (OFAC) to impose coordinated administrative penalties.  Together, we recently announced a $3.3 million combined export controls and sanctions enforcement action against Microsoft Corporation following the company’s voluntary self-disclosure to both BIS and OFAC.   As part of our settlement, Microsoft admitted that Microsoft Russia sold software licensing agreements to Russian companies on the Entity List, including a company responsible for developing and building warships for the Russian Navy.  

And, of course, our most powerful enforcement tools remain our criminal ones.  In February, the Commerce Department and the Department of Justice (DOJ) launched the Disruptive Technology Strike Force, an interagency partnership that aims to protect critical technological assets from being acquired or used by nation-state adversaries.  The Strike Force brings together experts from BIS, FBI, Homeland Security Investigations at the Department of Homeland Security, and U.S. Attorneys’ Offices in 14 locations across the country, with additional support from an analytical cell in Washington, DC.  Shortly after the creation of the Strike Force, DOJ announced that it will hire an additional 25 prosecutors to investigate and prosecute export controls and sanctions violations, as well as related crimes.  The creation of the Strike Force and the priority and attention it is bringing to export enforcement cases, as well as the increase in DOJ prosecutors, portend increased corporate enforcement actions for export violations.

The enhanced focus is already yielding results.  In May, DOJ and BIS announced the first five enforcement actions brought by the Strike Force.[10]  The cases, which spanned the country, involve everything from alleged procurement networks created to help the Russian military and intelligence services obtain sensitive U.S. technology, to defendants allegedly stealing source code from U.S. tech companies in order to market it to Chinese competitors.  One case, out of the Southern District of New York, alleges that a Chinese procurement network worked to provide Iran with materials used in weapons of mass destruction and ballistic missiles. 

The results speak for themselves.  But they’re just the beginning.  On both administrative and criminal actions, you can expect to see more frequent and more significant penalties against companies who violate our export rules.

The Need for Strengthened Corporate Compliance

When Siemens pleaded guilty and agreed to pay $450 million in combined criminal fines to resolve FCPA violations, practitioners everywhere took notice.  Companies could no longer consider the potential penalties that might result from FCPA violations as just the “cost of doing business.”  The same is true today for export violations.  Our recent enforcement actions send a clear signal: companies need to evaluate their compliance programs to ensure they are robust and effective, lest they face multimillion-dollar penalties for violating our rules.

The Seagate and Microsoft resolutions demonstrate the importance of a strong compliance program, especially one that results in voluntary disclosures.  Microsoft, for example, voluntarily disclosed its alleged violations, cooperated with the joint investigation, and took remedial measures after discovering the conduct at issue, which resulted in a significant reduction in penalty.  Seagate, on the other hand, did not submit a voluntary disclosure to BIS and paid a $300 million penalty. 

A strong export compliance program is a critical component of an effective corporate compliance structure.  Having such a program in place protects both the company, by mitigating risk, and our collective national security, by keeping sensitive American technology out of the wrong hands.  Our website contains detailed Export Compliance Guidelines to help companies create and maintain a robust export compliance program.  Our Export Administration colleagues at BIS even have a program where you can request to have a Senior Export Compliance Specialist review your company’s export compliance program and evaluate how it measures up under our guidelines.[11]

In addition, as compliance questions arise, I encourage you to reach out to your local Office of Export Enforcement field office.  We would much rather work with companies to prevent violations on the front end than enforce violations on the back end, after the technology has been shared with our adversaries and the national security harm has already occurred.  It’s one of the reasons we publish Don’t Let This Happen to You, a compendium of actual investigations that resulted in enforcement actions – to help companies understand what type of conduct violates our rules and what the consequences are for those violations.  You can also sign up to receive e-mail alerts whenever we post an enforcement action to our enforcement website.  All of us at BIS are committed to helping industry understand both the importance of our export controls and the mechanics of how to comply with them.

Conclusion

It used to be that the consequences of corporate crime typically manifested in the form of defrauded shareholders, lost pensions, or other financial loss.  The stakes now also include serious national security concerns.  When companies violate our export laws, they risk helping foreign adversaries advance their aim of shifting the balance of power in the world.  We must work together, in partnership, to ensure that companies have strong and effective export compliance programs.  Without such high-performing programs, companies are running not only a significant reputational and enforcement risk for themselves, but also a significant risk to our collective national security. 

After the Siemens resolution in 2008, companies and their counsel quickly came to recognize the need for strong FCPA compliance programs due to the substantial potential monetary risk for failing to obey the law.  When it comes to export controls, that Siemens moment is now.  The new era of export enforcement has begun.  Companies should invest in their compliance programs accordingly.

Footnotes

[1] Siemens AG and Three Subsidiaries Plead Guilty to Foreign Corrupt Practices Act Violations and Agree to Pay $450 Million in Combined Criminal Fines (Dec. 15, 2008), available at https://www.justice.gov/archive/opa/pr/2008/December/08-crm-1105.html.

[2] Articles of Association (Oct. 20, 1774), available at U.S. National Archives (https://catalog.archives.gov/id/6277397).

[3] Remarks by National Security Advisor Jake Sullivan at the Special Competitive Studies Project Global Emerging Technologies Summit (Sep. 16, 2022), available at https://www.whitehouse.gov/briefing-room/speeches-remarks/2022/09/16/remarks-by-national-security-advisor-jake-sullivan-at-the-special-competitive-studies-project-global-emerging-technologies-summit/.

[4] Further Strengthening Our Administrative Enforcement Program (Jun. 30, 2022), available at https://www.bis.doc.gov/index.php/documents/enforcement/3062-administrative-enforcement-memo/file.

[5] Commerce Revises Russia and Belarus Export Controls, Enhances Transparency of Future Enforcement Proceedings (Jun. 2, 2022), available at https://www.bis.doc.gov/index.php/documents/about-bis/newsroom/press-releases/3005-2022-06-02-bis-press-release-russia-revisions-and-clarifications-rule/file.

[6] Clarifying Our Policy Regarding Voluntary Self-Disclosures and Disclosures Concerning Others (April 18, 2023), available at https://www.bis.doc.gov/index.php/documents/enforcement/3262-vsd-policy-memo-04-18-2023/file.

[7] See Section III.E to Supplement No. 1 to Part 766 of the EAR.

[8] BIS Imposes $300 Million Penalty Against Seagate Technology LLC Related to Shipments to Huawei (April 19, 2023), available at https://www.bis.doc.gov/index.php/documents/about-bis/newsroom/press-releases/3264-2023-04-19-bis-press-release-seagate-settlement/file.

[9] More information on the foreign-direct product rule can be found here.

[10] Justice Department Announces Five Cases as Part of Recently Launched Disruptive Technology Strike Force (May 16, 2023), available at https://www.justice.gov/opa/pr/justice-department-announces-five-cases-part-recently-launched-disruptive-technology-strike.

[11] This is a free program, but companies are generally limited to just one submission.  You can submit your request for an ECP review here: https://www.bis.doc.gov/index.php/all-articles/24-compliance-a-training/export-management-a-compliance/628-submit-your-emcp.

Matthew S. Axelrod is the Assistant Secretary of Commerce for Export Enforcement at the U.S. Department of Commerce’s Bureau of Industry and Security.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).