by Brent Carlson and Michael Huneke

We have written recently about liability pitfalls caused by misperceived “loopholes” in sanctions and export controls regimes.[1] We have also written about the meaning and practical implications of the U.S. government’s emphasis on sanctions enforcement as the “new FCPA,” discussing how to identify and respond to circumstances posing a high probability of sanctions or export controls evasion.[2]

Having identified these new priority issues, what is the first step towards a solution? Risk assessments are the starting point.[3] Assess your own risk, but do so in an updated—and more effective—manner that reflects the evolving economic sanctions and export controls enforcement environment. Here are some suggestions to help with the assessment.

Start at the End(-User)

An assessment of both economic sanctions and export controls risk should begin with the identification of end-users and their jurisdictions. While this seems immediately intuitive for economic sanctions—and regulators have clearly indicated its importance in their guidance on conducting risk assessments[4]—this approach also is a more effective way to capture the sprawling nature of potential export controls risk.[5] As explained previously,[6] export controls regimes are broader than the mechanical classification of goods or services being provided—not all lists are exhaustive, and the regimes’ anti-evasion frameworks deliberately extend the controls more broadly. Parsing the minutiae of products’ classification numbers is complicated work—it still has to be done, but should be prioritized according to the customers and jurisdictions posing the greatest risks; classification should not be the cart leading the horse.

Starting with the end-users and jurisdictions also helps to assess more quickly the reliability of the information you have been provided. If customers look more like distributors or freight forwarders in a jurisdiction with a high risk of diversion or transshipment risk, this increases the risk that the ultimate end-users and jurisdictions are being obscured.

Risk—Like the World—Is Dynamic, Not Static. Assess It as Such

The facts relevant to economic sanctions and export control risks are not static. This is particularly so given the high sophistication of many countries and actors targeted by sanctions, some of which were well-prepared for the recent application of new, or extension of existing, sanctions. If a customer in a high-risk jurisdiction changed its ownership since your last KYC check, you should ask why and critically evaluate the response. How and why ownership or location, or even company structure (such as in the Inspur example discussed previously[7]), changed over time is a critical factor to assessing risk.

It is important to take a holistic view of all relevant facts and circumstances, including timing. For example, a static KYC check that finds no sanctioned owners of a proposed customer or counterparty will not be sufficient if it fails to recognize that before Russia’s February 24, 2022 further invasion of Ukraine, the ownership included Russian persons who were later sanctioned. Knowing that the ownership previously included now-sanctioned individuals allows you to identify any risks prior to the transfer of ownership and assess whether the transfer mitigated or resolved those risks. Furthermore, in evaluating risk dynamically, it would be prudent to adopt a presumption that sanctioned persons do not (or perhaps cannot) abandon their interests in assets that are of strategic importance. It is unlikely that the announcement of economic sanctions caused specially designated nationals to concede defeat and abandon such strategic assets.

Risk Is Not One-Dimensional: Include Yourself in Assessing Risk

Economic sanctions and export control risks live in economic relationships between two or more parties. The risks posed by these relationships are to be viewed from your unique perspective. The risks a customer poses to you are neither generic nor ubiquitous. To know your customer, you must also know yourself.

To illustrate this, consider several aspects of a typical due diligence process:  You perform due diligence and ask questions. You receive specific information from the purported customer about your relationship with them and what they want from you. They have given you information that they might or might not have given other sellers, or that may or may not be relevant to other sellers’ relationships with the same customer. Maybe you received different information (even if by mistake). Misinformation might even have been deliberately seeded into corporate records. What might appear to be a static situation to another seller might appear dynamic to you as a result.

In evaluating the risk posed to you by a customer, the importance of your unique perspective vis-à-vis the customer poses a major gap in off-the-shelf screening solutions. Although still a necessary first step (particularly when faced with thousands of counterparties), rote KYC screening software does not factor in unique information about you, even though what we might call “know you, the seller” (“KYS”) information. For relationships with a higher risk of diversion or evasion due to the end-user or jurisdiction, yours is the critical perspective from which you need to assess customer risk. Make sure you assess potential customer risk with this “know yourself” KYS perspective in mind.

The Battlefield Effect: Don’t Become a Casualty of Ever-Evolving Evasion Risks

The largest land war in Europe since World War II is underway. The battlefield is littered with evidence of sanctions and export controls evasion. This dramatically increases the consequences for companies whose products are found in recovered Russian weaponry, including drones and guided missiles that not only kill Ukrainian solders but also civilians. Two recent real-world examples demonstrate these risks.

On August 26, 2023, at the request of the United States, Cypriot authorities arrested Arthur Petrov, a dual German-Russian citizen. He is charged in the U.S. with falsely representing to unnamed U.S. exporters that dual-use microelectronics were for commercial end-use by purported customers in Cyprus, Latvia, and Tajikistan, when in fact these customers were freight forwarders supplying Russia’s Electrocom VPK (“VPK” means “Military Industrial Complex”). The microelectronics are of a type found in recovered Russian drones and guided missiles. Petrov and his network were also the subject of a Temporary Denial Order (“TDO”) by the Department of Commerce.

The U.S. exporters requested and received information about Petrov’s purported customers. There is no allegation that they knew that Electrocom VPK was the actual end-user. But several aspects of the alleged facts would today counsel greater scrutiny under the current messaging by U.S. authorities:  Petrov’s Cypriot company was incorporated in Cyprus in November 2021, only three months before Russia’s further invasion of Ukraine. And why would customers in such diverse locations as Latvia and Tajikistan need to source microelectronics through Cyprus?

In December 2022, Reuters reported a similar situation.[8] U.S. companies had shipped “sophisticated amplifiers” and $274,000 in circuit boards to IK Tech, a company in southeast Florida owned by a dual U.S.-Russian citizen who was arrested and pleaded guilty. Both components are of the type later found in Russian drones.

For its part, the amplifiers’ manufacturer told Reuters that the “declared destination” of the parts was a distributor in Florida and the products were “exported and used without our knowledge.” Although as of the date of this article, based on open-source information, there have been no allegations of wrongdoing by the manufacturers, this example carries some important points to keep in mind as enforcement evolves. The lesson for assessing economic sanctions and export controls risk is that even for sales within the U.S., the risks can be very high if the end-user and -use are not known and the sale is to a self-declared distributor (i.e., someone who is by definition not the actual end-user) who holds Russian citizenship or similar connections with Russia’s allies.

To evaluate and mitigate the risk that your products are recovered from Russian weapons on the battlefield, manufacturers of dual-use items should consult the U.S. government’s public “List of Common High-Priority Items,” which “highlight[s] for industry that these items pose a heightened risk of being diverted illegally to Russia because of their importance to Russia’s war efforts.”[9] This highlights the need to stay abreast of authorities’ guidance, enforcement activity, and public statements. All signs point to increased enforcement activity ahead, directed at all participants in the supply chain—not just individuals or small distributors but also high-profile corporate targets.

Corporate Directors’ Role:  Are We Prepared?

Failing to identify, correctly assess, and mitigate the highest economic sanctions and export controls risks facing a company not only carries the risk of steep fines and penalties. Such actions—or more precisely, inaction—also carries the risk of shareholder litigation and, potentially, litigation by those harmed or the families of those killed in Ukraine by weapons used by Russia that are built with U.S. components. This is not the time or place for “clever” or “technical” workarounds to sanctions or export controls compliance as these actually may open the door to disastrous liability, including potential criminal liability for willful evasion. Believing that such “loopholes” or workarounds exist is also a failure to recognize the longstanding anti-evasion provisions in these regulatory regimes, present before the recent guidance and statements emphasizing their importance, and a failure to appreciate U.S. authorities’ oft-repeated emphasis of the importance of economic sanctions and export controls to national security.

Corporate boards and audit committees should accordingly ensure that company management and compliance professionals are identifying and weighing economic sanctions and export controls risks in a manner that reflects the current geopolitical context. Directors and audit committees should ensure that the methodology for assessing such risk is not simply a mechanical (“check-the-box”), static, and/or one-dimensional KYC exercise. This is particularly so as sanctioned parties or industries continue to expand and where export controls take on sanctions’ clothing (e.g., presumptions of denial, or temporary denial orders). Instead, your company’s KYC work needs to be complemented with your own “KYS” self-assessment and your risks viewed in the context of your business relationships. As noted above, risk assessments should be dynamic, multidimensional, and continuously refreshed. Certain assumptions and practices—that, as practical matter, might have been commonly assumed to be sufficient—have become not only obsolete but are increasingly landmines that could trigger significant liability.

U.S. authorities’ public statements about sanctions and export controls, coupled with increases in enforcement resources and a sustained U.S. policy of deploying these tools aggressively for national security and foreign policy objectives, are all warnings that companies need to be applying today a risk-based methodology to economic sanctions and export controls compliance. You first need to properly identify and assess evasion risks to do so. The failure to do so, particularly in the face of information that authorities’ have highlighted as evidence of a higher risk of evasion, could expose companies to severe consequences; deliberately avoiding, rather than directly confronting, such risks further carries the risk of being perceived as acting with willful blindness to these risks.

Accordingly, now is the time to stress-test your organization’s capabilities to assess—and mitigate—sanctions and export controls evasion risks in this era of the “new FCPA,” before U.S. or other regulatory authorities—and potentially even the plaintiffs’ bar—come knocking.

Footnotes

[1] Brent Carlson, When Loopholes Create Liability Pitfalls:  A Fresh Look at Export Controls, NYU Compliance & Enforcement Blog (Aug. 25, 2023), https://wp.nyu.edu/compliance_enforcement/2023/08/25/29814/ (“Carlson, Liability Pitfalls”).

[2] Michael Huneke & Jan Dunin-Wasowicz, Converging Practices for Bribery, Export Controls and Sanctions Anti-Evasion Regimes, Westlaw Today, Part 1 (June 22, 2023) & Part 2 (July 6, 2023).

[3] See U.S. Department of Justice, Evaluation of Corporate Compliance Programs (Updated March 2023) (https://www.justice.gov/criminal-fraud/page/file/937501/download)

[4] See Department of the Treasury, A Framework for OFAC Compliance Commitments (https://ofac.treasury.gov/media/16331/download?inline).

[5] Department of Commerce, Bureau of Industry and Security, Export Compliance Guidelines:  The Elements of an Effective Export Compliance Program (https://www.bis.doc.gov/index.php/documents/pdfs/1641-ecp/file).

[6] Carlson, Liability Pitfalls.

[7] Id.

[8] Reuters, The global supply trail that leads to Russia’s killer drones (Dec. 15, 2022), https://www.reuters.com/world/europe/global-supply-trail-that-leads-russias-killer-drones-2022-12-15/.

[9] Department of Commerce, Bureau of Industry and Security, Russia Export Controls – List of Common High-Priority Items (July 10, 2023) (https://www.bis.doc.gov/index.php/all-articles/13-policy-guidance/country-guidance/2172-russia-export-controls-list-of-common-high-priority-items).

Brent Carlson is a Director at the Berkeley Research Group, LLC. Michael Huneke is a partner in the Anti-Corruption & Internal Investigations and Sanctions, Export Controls, and Anti-Money Laundering practice groups at Hughes Hubbard & Reed LLP. 

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright or this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).