by Brent Carlson and Michael Huneke

New export controls rules recently issued by the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) have set the corporate compliance world abuzz, as export controls continue to increase everywhere amid accelerating economic and geopolitical competition. Multinational companies are placed in an increasingly precarious position, caught between superpowers in a “disordered,” multipolar world. The consequences of failing to navigate successfully through myriad export controls regimes are only going to grow more severe, with the U.S. government signaling that a wave of increasing enforcement activity is on the way.

In this installment of our Fresh Looks series, we examine the evolution of export controls penalties, from where they are today to where they are heading tomorrow. The U.S. Department of Justice (“DOJ”) has called export controls and economic sanctions the “new FCPA” and included both among America’s national security enforcement priorities. This provides an important—and unambiguous—signal of the directional trends underway for export controls enforcement.

Enacted in 1977, the Foreign Corrupt Practices Act (“FCPA”) was (at least in hindsight) an area of modest enforcement until the early 2000s, when what was once an arguably underenforced law became one of the main drivers for white collar enforcement over the past two decades, with monetary penalties reaching into the billions of dollars. By contrast, penalties for export controls violations have lagged far behind—until now. We expect that will soon change, driven by new geopolitical realities, charged domestic political environments, and stated enforcement priorities (with commensurate increases in resources and prioritization).

Enforcement before April 2023: Comparison of Top Ten Penalties for Export Controls Compared with Those for the FCPA

Costs drive compliance. When costs increase to the point of a material impact on financial reporting, boards of directors and management teams take notice and take action to avoid costly liability. Looking at FCPA enforcement over the past two decades, it is no surprise that many multinationals today devote considerable time and effort to identifying, analyzing, and mitigating corruption risks.

For export controls, however, penalties have remained low in comparison with FCPA matters; thus, one would expect that a commensurately lower level of time and effort for export controls has ensued as well. This is consistent with what we have observed anecdotally, in that export controls teams tend to appear overstretched and underfunded.

Viewed historically, it is not surprising that certain multinationals would not consider export controls evasion to present as significant a compliance or enforcement risk as corruption. Apart from a few isolated cases involving the oil and gas sector for transactions in the Middle East, as well penalties imposed on the PRC telecom company ZTE for selling to Iran, this misperception has some basis in historical data, as the penalties for export controls violations appear quite low when compared to FCPA penalties. The chart below compares the top ten export controls penalties with those of the FCPA (prior to April 19, 2023).[1]

This side-by-side chart displays the vast gap between the two. At the top end, the highest FCPA penalty to date towers at three times the size of the highest export controls penalty. (Note however, that the ZTE case stands out as an anomaly from other export controls cases. This case also came prior to the PRC’s Anti-Foreign Sanctions Law promulgated in 2021.) Export controls penalties drop quickly, and the differences stand out even more starkly as one proceeds down the top ten. At the number ten spot the FCPA penalty comes in at a completely different scale: 406 times (not percent) greater than the export controls one.

Further, as seen in the chart above, penalties for export controls violations for companies in the tech sector—which sits at the core of the new geopolitical rivalries of the 21^st century—have been extremely low in comparison. On the export controls side, this represents peanuts.

A Sea Change with Seagate

Tectonic changes are underway though. As export controls and economic sanctions constitute the “new FCPA,” the penalty gap will close quickly. On April 19, 2023, the U.S. government announced a $300 million settlement with Seagate Technology due to alleged export controls violations for sales to China.[2] Although this puts the Seagate settlement at the new number two spot, the corresponding amount on the FCPA side still stands nearly nine times greater. Nevertheless, the Seagate penalty represents a new paradigm. As the “new FCPA” follows the old, expect penalty amounts to rise. The same trend is also already emerging regarding economic sanctions; on April 25, 2023, six days after the Seagate export controls settlement was announced, the DOJ and the Office of Foreign Assets Control announced $1.1 billion in penalties against British American Tobacco for alleged sanctions violations.

Additional Cost Considerations

In addition to the direct costs of penalties, the indirect costs for related investigations and remediation may be substantial, especially when incurred in a reactive mode (such as in response to a whistleblower or government inquiry). These costs can exceed the actual civil and criminal monetary penalties. For example, for its FCPA matter Siemens reportedly spent approximately $1 billion on investigative costs,[3] and for its export controls case SAP incurred $27 million in remediation costs.[4] Both proved significantly higher than the monetary penalties applied (as shown above).

Finally, with increased enforcement and penalties, corporate directors and management teams should anticipate that shareholder class actions will follow, bringing additional costs. The plaintiffs’ bar announced investigations of Seagate within days following its $300 million settlement announcement.[5]

We also expect the DOJ to increasingly impose independent corporate monitors in export controls and economic sanctions cases, which will be the subject of our next Fresh Looks post.

And Then There’s Prison Time

In addition to increasing monetary penalties, the DOJ’s stated policy is to increase prosecutions of individuals and require certifications from CEOs and chief compliance officers prior to companies’ release from settlements.[6] The Export Controls Reform Act of 2018 carries criminal penalties of up to $1 million and up to twenty years imprisonment per violation.

This all comes on top of increasing direct monetary penalties on par with the FCPA experience, as well as costs from investigations, remediation, and shareholder litigation.

The Stakes Are Even Higher in a Multipolar World

In June 2021, the Biden administration designated FCPA enforcement as a national security priority[7]; similarly export controls are front-and-center in today’s geopolitical rivalries. BIS responses to public commentary acutely recognize the national security risks posed by dual-use technologies. China’s military modernization and military-civil fusion strategies pose export controls diversion risks and broader national security concerns for the U.S. and its allies.

These powerful geopolitical and national security tailwinds raise the stakes for export controls and sanctions enforcement above and beyond FCPA concerns.

Finally, increases in resources and new leadership positions signal an uptick in enforcement actions on the way. Earlier this year, the DOJ’s National Security Division (“NSD”) formed its new Disruptive Technology Task Force with BIS and announced twenty-five new, dedicated prosecutors.[8] In September the NSD appointed the first-ever chief counsel and deputy chief counsel for Corporate Enforcement.[9] All of this signals an increase in inter-agency cooperation and a focus on corporate criminal prosecutions.

Getting and Staying Ahead of the Wave

Pay attention to the strong signals coming out of Washington. If experience over the past twenty years of FCPA enforcement is any guide, increased levels of enforcement—including industry sweeps—should be expected. Here are some practical steps to get ahead of the new wave of export controls enforcement:

1) Apply fresh perspectives to export controls

The entire export controls world is going through a tectonic shift. Past assumptions carried over into current practices may well walk many people over a liability cliff. Apply fresh perspectives to your company’s operations and compliance program’s policies and procedures. Our recent articles can help in this regard.[10], [11]

2) Update your risk assessments

Risk assessments need to keep up with the changing times. The days of running simple screens against sanctioned party lists (including the BIS Entity List) are over—the DOJ has repeatedly stated this in so many words. A new approach is needed. We have addressed this in another article you may find helpful.[12]

3) Prepare for the coming wave of investigations

The DOJ has signaled that increased enforcement is coming. For many professionals in the export controls world accustomed to dealing only with BIS regulators, this wave of investigations will provide new challenges and new experiences. We have provided some tips in a previous article in our Fresh Looks series.[13]

Conclusion

The breathless pace of change in the export controls and sanctions world over the past couple of years represents only the beginning; enforcement is typically at the tail end of policy and regulatory changes, and much more enforcement is likely to come. The time is now to take action to get ahead of the new enforcement wave, before it engulfs you, your company, and shareholder value.

Footnotes

[1] For export control penalties, we have referred to the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”), Don’t Let This Happen To You!: Actual Investigations of Export Control and Antiboycott Violations (October 2022) https://www.bis.doc.gov/index.php/component/docman/?task=doc_download&gid=1005; plus two U.S. Department of Justice press releases, Three Subsidiaries of Weatherford International Limited Agree to Plead Guilty to FCPA and Export Control Violations (November 26, 2013); and Fokker Services B.V. Agrees To Forfeit $10.5 Million For Illegal Transactions With Iranian, Sudanese, And Burmese Entities-Company Will Pay Additional $10.5 Million In Parallel Civil Settlement-(June 5, 2014).

For “FCPA” penalties, recognizing that there is some debate regarding what offenses count as FCPA offenses (e.g., anti-bribery violations, or also books and records and internal accounting controls violations) and how to count them (e.g., in the context of resolutions by corporate groups), we have referred to the Stanford Law School Foreign Corrupt Practices Act Clearinghouse, “Largest U.S. Monetary Sanctions By Entity Group” (2023). https://fcpa.stanford.edu/statistics-top-ten.html.

[2] See BIS, “BIS imposes $300 million penalty against Seagate Technology LLC related to shipments to Huawei,” press release (April 19, 2023). https://www.bis.doc.gov/index.php/documents/about-bis/newsroom/press-releases/3264-2023-04-19-bis-press-release-seagate-settlement/file.

[3] Nathan Vardi, “Feds Charge Former Siemens Executives With Bribery,” Forbes (December 13, 2011). https://www.forbes.com/sites/nathanvardi/2011/12/13/feds-charge-former-siemens-executives-with-bribery/?sh=19b40bad14d5.

[4] See DOJ, “SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and Enters into Non-Prosecution Agreement with DOJ,” press release (April 29, 2021). https://www.justice.gov/opa/pr/sap-admits-thousands-illegal-exports-its-software-products-iran-and-enters-non-prosecution#:~:text=All%20News-,SAP%20Admits%20to%20Thousands%20of%20Illegal%20Exports%20of%20its%20Software,Non%2DProsecution%20Agreement%20with%20DOJ&text=here.,.justice.gov%2Fnsd.

[5] GlobeNewswire, “Seagate Technology Holdings Investigated by Block & Leviton For Potential Securities Law Violations; Investors Who Have Lost Money Are Encouraged to Contact the Firm” (April 21, 2023), https://www.globenewswire.com/en/news-release/2023/04/21/2651987/23044/en/Seagate-Technology-Holdings-Investigated-by-Block-Leviton-For-Potential-Securities-Law-Violations-Investors-Who-Have-Lost-Money-Are-Encouraged-to-Contact-the-Firm.html; and Business Wire, “Glancy Prongay & Murray LLP, a Leading Securities Fraud Law Firm, Announces Investigation of Seagate Technology Holdings plc (STX) on Behalf of Investors” (April 26, 2023), https://www.businesswire.com/news/home/20230426006056/en/Glancy-Prongay-Murray-LLP-a-Leading-Securities-Fraud-Law-Firm-Announces-Investigation-of-Seagate-Technology-Holdings-plc-STX-on-Behalf-of-Investors.

[6] See, e.g., DOJ, “Deputy Attorney General Lisa O. Monaco Delivers Remarks on Corporate Criminal Enforcement” (September 15, 2022), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-remarks-corporate-criminal-enforcement.

[7] The White House, Memorandum on Establishing the Fight Against Corruption as a Core United States National Security Interest (June 3, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/06/03/memorandum-on-establishing-the-fight-against-corruption-as-a-core-united-states-national-security-interest/.

[8] DOJ, “Justice and Commerce Departments Announce Creation of Disruptive Technology Strike Force,” press release (February 16, 2023), https://www.justice.gov/opa/pr/justice-and-commerce-departments-announce-creation-disruptive-technology-strike-force.

[9] DOJ, “Justice Department’s National Security Division Announces Key Corporate Enforcement Appointments,” press release (September 11, 2023), https://www.justice.gov/opa/pr/justice-departments-national-security-division-announces-key-corporate-enforcement.

[10] Brent Carlson, “When Loopholes Create Liability Pitfalls: A Fresh Look at Export Controls,” NYU Compliance & Enforcement Blog (August 25, 2023), https://wp.nyu.edu/compliance_enforcement/2023/08/25/29814/.

[11] Michael Huneke & Jan Dunin-Wasowicz, “Converging Practices for Bribery, Export Controls and Sanctions Anti-Evasion Regimes,” Westlaw Today, Part 1 (June 22, 2023) and Part 2 (July 6, 2023).

[12] Brent Carlson & Michael Huneke, “Know Your Customer, but also Yourself: A Fresh Look at Sanctions & Export Controls Risk Assessments in the Era of the ‘New FCPA,’” NYU Compliance & Enforcement Blog (September 28, 2023), https://wp.nyu.edu/compliance_enforcement/2023/09/28/know-your-customer-but-also-yourself-a-fresh-look-at-sanctions-export-controls-risk-assessments-in-the-era-of-the-new-fcpa/.

[13] Brent Carlson & Michael Huneke, “Slow is Smooth, Smooth is Fast: A Fresh Look at Planning and Executing Internal Investigations into Allegations of Sanctions or Export Controls Evasion,” NYU Compliance & Enforcement Blog (October 30,2023), https://wp.nyu.edu/compliance_enforcement/2023/10/30/slow-is-smooth-smooth-is-fast-a-fresh-look-at-planning-and-executing-internal-investigations-into-allegations-of-sanctions-or-export-controls-evasion/.

Brent Carlson is a Director at the Berkeley Research Group, LLC. Michael Huneke is a Partner in the Anti-Corruption & Internal Investigations and Sanctions, Export Controls, and Anti-Money Laundering practice groups at Hughes Hubbard & Reed LLP.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright or this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).