by Brent Carlson and Michael Huneke

U.S. economic sanctions and export controls serve a wide range of national security interests. When hostile actors rely on U.S.-designed or -manufactured components in weapons used in fatal attacks on U.S. and coalition military personnel and civilian populations, there is an acute need to quickly identify the illicit trade flows and stop those components from reaching the battlefield.

In the public sector, U.S. military and government agencies are making significant efforts, often at great risk. On January 11, 2024, U.S. Navy SEALs interdicted a vessel in the Arabian Sea containing Iranian-made ballistic and cruise missile components, with the loss of two SEALs at sea.[1] On February 27, 2024, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) sanctioned mid-voyage a vessel en route to China, its owner, and its operator for providing material support to Iran’s drone (“UAV”) program.[2] These are just two out of numerous examples of such efforts.

In the private sector, U.S. companies have an important role to play. In prior posts, we have provided practical tips for risk assessments[3] and internal investigations.[4] With reports of ongoing investigations, both government and industry will likely be negotiating resolutions to these investigations that will include post-resolution oversight of a company’s sanctions and export controls compliance program.

In this post, we propose how government and industry can best structure such post-resolution oversight to target the greatest risks of diverting U.S. components to the battlefield. Doing so requires taking a fresh look at traditional post-resolution oversight both in sanctions and export controls enforcement and in U.S. Foreign Corrupt Practices Act (“FCPA”) enforcement.

Traditional Post-Resolution Oversight

Corporate monitorships imposed by the U.S. Department of Justice (“DOJ”) are contemplated under the National Security Division’s (“NSD”) Voluntary Disclosure Policy.[5] With the DOJ having declared sanctions to be the “new FCPA,” the experience of monitorships imposed to resolve FCPA-related corporate investigations provides a useful reference point; yet post-resolution oversight is not new in the context of sanctions and export controls enforcement. That oversight has come in various forms, from OFAC-appointed[6] independent compliance monitors, to U.S. Department of State, Directorate of Defense Trade Controls (“DDTC”)-appointed Independent Special Compliance Officers (“ISCOs”),[7] to U.S. Department of Commerce Bureau of Industry & Security (“BIS”)-required “unaffiliated third-party consultants,”[8] to self-reporting obligations.

Such resolutions have frequently included three-year reviews of item classifications, license applications, and internal recordkeeping systems. These areas are an important baseline for sanctions and export controls compliance—particularly for companies that lacked such controls beforehand.

The Problem

Traditional post-resolution oversight will, however, both miss the mark and be too late. Russian and Iranian circumvention networks are highly sophisticated and aware of how Know-Your-Customer (“KYC”) screening tools work—and those tools’ limitations. That traditional oversight would not target the actual root causes of today’s evasion schemes: no one is alleging that U.S. companies are exporting semiconductors or other components to the battlefield with actual knowledge of their intended lethal use, that they are ignoring adverse KYC screening results, that they are knowingly using false information in license applications, nor that they are suffering from widespread, good-faith item misclassifications.

Government and industry need to find a solution soon. Based on public disclosures by one U.S. company, for example, we should anticipate government charges and resulting settlements with companies arising from circumvention of the sanctions or export controls on semiconductors, as least regarding sales of semiconductors ostensibly to Chinese customers.[9] These disclosures indicate not only enforcement activity by DOJ and BIS, but also by the U.S. Securities & Exchange Commission (“SEC”), which also has a longstanding practice of imposing post-resolution oversight.

The Proposal

We offer some suggestions below to consider in negotiating post-resolution oversight with a scope, timing, and focus to best overcome the limitations of traditional oversight.

Focus on Critical Battlefield Components

Resolutions of sanctions and export controls evasion related to “critical components”[10] should include targeted, prioritized assessments of such “battlefield risk,” focused on the many U.S. agency guidance documents available.[11]

Reward (or Even Require) Battlefield Risk Assessments Launched Pre-Resolution

Such battlefield risk assessments could even be launched during an ongoing investigation prior to reaching the final resolutions. In other contexts, several companies have leveraged pre-settlement remedial actions and compliance program enhancements successfully to reduce post-settlement obligations or to demonstrate that a resolution (rather than prosecution) would be appropriate. A March 7, 2024, update to the NSD’s VSD Policy further incentivizes pre-resolution compliance enhancements through a presumption against imposing an external monitorship for a company that “at the time of resolution, demonstrates it has implemented and tested an effective compliance program.”[12]

Shortened Timeframes (Three-Month and Six-Month Milestones)

Whether it’s Ukraine’s defenders today—or the U.S. military somewhere tomorrow—warfighters do not have unlimited ammunition or manpower to wait three years for the typical oversight efforts to be effective.

Key battlefield risks areas could be targeted with two months of fact-finding and one month for the implementation of immediate remedial actions. A follow-up review could be undertaken six months after implementation, with release from the external post-resolution oversight obligation after 12 months if the course of remedial actions were satisfactorily completed. Other, less lethal aspects of post-resolution remediation could run on a longer timeframe.

Direct Heightened Effort Towards the Greatest Risks

Identifying and remedying evasion “red flags” should be the priority for post-resolution oversight. In a prior post,[13] we identified the key drivers of evasion risk as (i) end-user names and locations, (ii) appreciating how and why relationships change over time is important to identifying dynamic evasion risks, and (iii) accepting that the “battlefield effect” lays bare successful evasion schemes that otherwise would rest undisclosed in warehouses in St. Petersburg, Isfahan, or Pyongyang.

Challenge Common (Mis-)Perceptions of What Is Possible

It has been suggested that recovered U.S. components are common, consumer electronics and that tracing such components is impossible. Even U.S. agencies have assumed the “ubiquitous nature” of many items used, for example, in Iran’s UAV program and reported an “observed prevalence” of “methods used to obscure the sources of components found in Iranian UAVs, such as lasering off of serial numbers and other identifying information.”[14]

Available information now casts serious doubt on these assumptions.

On February 27, 2024, the Permanent Subcommittee on Investigations (“PSI”) of the U.S. Senate’s Committee on Homeland Security & Government Affairs heard testimony on these topics. James Byrne, a Director at the U.K.’s Royal United Services Institute (“RUSI”), testified that recovered components include “very specialized pieces of equipment, particularly focused on the facilitation of artificial intelligence computations as a counter to prevalent electronic warfare.”[15] Damien Spleeters of Conflict Armament Research (“CAR”) testified that such assumptions “couldn’t be further from the truth.”[16] Regarding a North Korean missile recently recovered in Ukraine, “CAR documented more than 290 components . . . . Seventy-five per cent of [which] are linked to companies incorporated in the United States.”[17] CAR further reported that “Half the components documented bore identifiable date codes, and more than 75 per cent of those codes indicated production between 2021 and 2023.”[18]

Maintain Oversight Independence

Post-resolution oversight needs to be free of any actual or perceived conflicts of interest. Given the widely reported lobbying by U.S. firms on behalf of Chinese companies linked to China’s military, there could be a perceived conflict if those same firms monitored U.S. companies’ export control compliance.[19] This perception would be difficult to overcome; the U.S., for example, does not accept forced labor audits performed in China because of reported instances of intimidation and interference.[20]

Practical Steps for Companies, In-House Legal and Compliance Teams, and Boards of Directors

1) Adopting a Business-as-Usual Approach is Dangerous

What might not have put your company on awareness of a high probability of evasion in 2021 might do so today. The dramatic, exponential increase in sales of semiconductors to Kazakhstan, according to U.S. companies’ own data that they have provided to the U.S. Senate, could be seen by regulators as an example of this. Boards should routinely ask management, and management should routinely ask legal and compliance personnel, What do we know today? What do we think is really happening?

2) Perception is Reality—Or At Least, Misperceptions Impose Real Costs

Boards and management need to request and receive advice about how their current positions are perceived by both investors and regulators. Those perceptions will impact share value, whether an agency (or multiple agencies) launch investigations, and the obligations imposed in a negotiated resolution of such investigations. Acknowledge head-on the impact of U.S. sanctions and export controls—they are meant to have impacts—and tackle the need to do a battlefield risk assessment to identify and resolve the root causes of evasion that allows bad actors to cause lethal harm.

3) Don’t Lose Sight of the Forest for the Trees

Government and industry should work together, both outside of investigations and within, to avoid getting lost in unimportant details. The overall objective should be to identify and stop the bad actors who are fueling Russia’s war machine and Iran’s proxies and allowing both to kill and harm U.S. and friendly military personnel and civilians. This will be difficult, but as Mr. Byrne testified to the U.S. Senate on February 27, 2024, “We should do our utmost best to prevent our technology being used in weapons that are designed to kill us and our friends.”[21]

Footnotes

[1] Sam Lagrone, Two Missing Navy SEALs Helped Interdict Ship Transporting Weapons to Houthis, USNI News (Jan. 16, 2024).

[2] U.S. Department of the Treasury, Treasury Targets Vessel Shipping Iranian Commodities Valued at over $100 Million for Iran’s Ministry of Defense (Feb. 27, 2024).

[3] Brent Carlson & Michael Huneke, Know Your Customer, But Also Yourself: A Fresh Look at Sanctions & Export Controls Risk Assessments in the Era of the “New FCPA”, NYU Program on Corporate Compliance & Enforcement (“PCCE”) Blog (Sept. 28, 2024).

[4] Brent Carlson & Michael Huneke, Slow is Smooth, Smooth is Fast: A Fresh Look at Planning and Executing Internal Investigations into Allegations of Sanctions or Export Controls Evasion, NYU PCCE Blog (Oct. 30, 2024).

[5] DOJ, NSD Enforcement Policy for Business Organizations (Mar. 7, 2024) (“NSD VSD Policy”).

[6] See, e.g., OFAC, Settlement Agreement with Binance Holdings, Ltd. (Nov. 21, 2023).

[7] See, e.g., DDTC, Consent Agreement, In the Matter of The Boeing Company (Feb. 29, 2024).

[8] See, e.g., BIS, Settlement Agreement, In the Matter of Seagate Technology LLC (Apr. 18, 2024).

[9] Applied Materials, Inc. Form 10-Q, at 27, 48 (Feb. 27, 2024).

[10] We borrow the term “critical components” from the Kyiv School of Economics (“KSE”) Institute’s report, Challenges of Export Controls Enforcement: How Russia Continues to Import Components for Its Military Production, at 8 (Jan. 11, 2024).

[11] Brent Carlson & Michael Huneke, How Not to Stand Out Like a Sore Thumb (Part 2): A Fresh Look at the “High Probability” Definition of Knowledge Applied to Export Controls and Sanctions Enforcement, NYU PCCE Blog (Feb. 21, 2024)

[12] NSD VSD Policy at 3.

[13] Brent Carlson & Michael Huneke, Know Your Customer, But Also Yourself: A Fresh Look at Sanctions & Export Controls Risk Assessments in the Era of the “New FCPA”, NYU PCCE Blog (Sept. 28, 2023).

[14] BIS, DOJ, DDTC, and OFAC, Guidance to Industry on Iran’s UAV-Related Activities (unclassified), at 3 (June 9, 2023).

[15] PSI, “The U.S. Technology Fueling Russia’s War in Ukraine:  How and Why,” Hearing Video at 00:58:56 (Feb. 27, 2024).

[16] Damien Spleeters, Deputy Director of Operations, CAR, Written Testimony (Feb. 27, 2024).

[17] Conflict Armament Research, North Korean Missile Relies on Recent Electronic Components (Feb. 2024).

[18] Id.

[19] See Caitlin Oprysko, “The China Lobbying Terminations Continue,” Politico (Feb. 23, 2024); Daniel Lippman & Caitlin Oprysko, “Lawmakers Weigh Blacklist for Firms Lobbying for Chinese Military-Linked Companies,” Politico (Feb. 14, 2024).

[20] Departments of State, the Treasury, Commerce, and Homeland Security, Xinjiang Supply Chain Business Advisory (July 1, 2020), at 9.

[21] PSI, “The U.S. Technology Fueling Russia’s War in Ukraine:  How and Why,” Hearing Video at 00:37:35 (Feb. 27, 2024).

Brent Carlson is a Director at the Berkeley Research Group, LLC. Michael Huneke is a Partner in the Anti-Corruption & Internal Investigations and Sanctions, Export Controls, and Anti-Money Laundering practice groups at Hughes Hubbard & Reed LLP. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).