A Whole New National Security Ballgame: Key Practical Takeaways for Export Control Compliance from the 2024 BIS Update Conference

by Brent Carlson and Michael Huneke

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

On March 27–29, 2024, the U.S. Department of Commerce’s Bureau of Industry & Security (“BIS”) hosted an Update Conference on Export Controls & Policy. The event was a major outreach effort by the U.S. government. Nearly 100 BIS and other U.S. agency officials engaged with 1,200 attendees over three days.

As was appropriate for an event coinciding with Opening Day of the U.S. Major League Baseball season, BIS officials emphasized that they—and those they regulate—are playing a whole new national security ballgame. This theme ran through every topic. It also drives the key practical takeaways that we highlight below for in-house compliance professionals assessing evasion and diversion risks and responding to reports of the same—particularly reports that some U.S. companies recently received directly from the U.S. government.

More Than Twenty U.S. Companies Have Recently Received “Red Flag” Letters Listing More than 600 Foreign Parties in Third Countries that Have Continued to Sell Dual-Use Items to Russia—Arguably Putting Those Companies on Notice of a High Probability of Evasion or Diversion

Assistant Secretary for Export Enforcement Matthew S. Axelrod described the efforts by BIS to help non-governmental organizations (“NGOs”), trade associations, and semiconductor companies to identify Russian front companies in third countries.[1]

In 2023, BIS “initiated an effort to identify customers of U.S. companies and distributors within supply chains that were continuing to ship high-priority items to Russia.” BIS “then sent the U.S. companies ‘red flag’ letters identifying specific customers of theirs who had been identified in customs data as continuing to export to Russia.” BIS “encouraged the companies receiving those letters both to use heightened due diligence for their identified customers and to further augment their export screening efforts by purchasing commercially available datasets of Russian imports and screening against them as well.”

Additional steps were very recently taken. “In the last several weeks,” he announced, “we’ve sent letters to more than 20 American companies, each containing a list of more than 600 foreign parties identified in the datasets.” These parties “have continued to sell dual-use items to Russia.” BIS has “requested that the American companies voluntarily stop shipping to these parties due to the high risk of transshipment to Russia.” BIS even provided attendees with a sample of the letter sent (dated February 7, 2024) and an excerpt of the list provided:

Slide from BIS presentation entitled "Red Flags Letters and Lists."

Slide 28 from “Enforcement,” presented by Deniz Muslu, Acting Director, Office of Enforcement Analysis (Mar. 28, 2024)

Call-Out of the Letter from Slide 28 Above

The sample letter includes an alert “that one or more of your foreign customers may have exported items subject to the EAR to Russia” in violation of applicable sanctions, warns that “When you have knowledge that items you ship through third countries are in fact destined for Russia” a license is required (emphasis in original), and states that “In light of these circumstances, we are emphasizing information to help you avoid becoming involved in illegal diversion to Russia.”

Yet, according to an official from the BIS Office of Enforcement Analysis, some companies’ initial responses reflected legacy export controls thinking by asking whether a license was now required to export to the identified third-country parties. The official—with some incredulity—observed that the companies should be considering the broader impact of having been told, by the U.S. government, that such third parties were transshipping components to Russia.

The broader impact relates to companies’ knowledge. Are companies now aware of actual evasion or diversion for shipments involving the listed third-country parties? Alternatively, are they regardless now aware—absent risk-based due diligence showing the contrary—of the equally problematic “high probability” of evasion or diversion, which allows the government to prosecute without proving actual knowledge?[2] And how should they evaluate the risks when they are presented with substitute parties for the same trade flows?

The Assistant Secretary noted publicly the “high risk of transshipment to Russia” posed by such third-country parties. Companies choosing to continue transactions involving these parties—directly or indirectly—should now anticipate that BIS (and the U.S. Department of Justice’s National Security Division (“NSD”)) would likely consider them to be aware of a high probability of evasion or diversion, unless they can demonstrate the contrary through credible, risk-based due diligence.

Battlefield Recoveries and Trade Data Remain Top Areas of Focus

U.S. officials remain deeply concerned about Russia’s continued ability to obtain items for military use and are focused on evidence recovered from the battlefield.

U.S. officials highlighted the significance of recent hypersonic missile attacks by Russia against civilian targets in Ukraine. They noted that several hypersonic missiles have been recovered and that they contain significant amounts of U.S.-designed or -manufactured components—just as do the Iranian-manufactured unmanned aerial vehicles (“UAVs”) and North Korean-manufactured ballistic missiles that have already been the subject of media and NGO reports.

Regarding trade data, the BIS Office of Technology Evaluation shared with attendees the chart below, showing a significant spike in Russia’s import of certain Common High Priority List (“CHPL”) goods from China and Hong Kong in December 2023. U.S. officials flagged the spike as a major problem that they are focused on addressing.

Image of trade data showing spike in Russia's import of Common High Priority List goods from China and Hong Kong.

Slide 18 from “Following the Data,” Presented by Kevin Coyne, Director of the Office of Technology Evaluation (Mar. 28, 2024)

The December 2023 spike is exceeded only by a spike in December 2021, a few months before Russia’s further invasion of Ukraine on February 24, 2022.

Companies should accordingly remain vigilant regarding CHPL exports to China and Hong Kong.

BIS Emphasized that Front-End Investments in Compliance Efforts are Better than Back-End Fines through Enforcement Actions—and that Companies Should Expect Current Enforcement Trends to Continue

Assistant Secretary Axelrod highlighted that “front-end compliance and back-end enforcement are linked.” He cautioned that companies that “choose not to invest in compliance” will “significantly increase [their] risk that an item will be unlawfully exported and that we will aggressively enforce. Mitigating national security risk costs money, one way or the other.”

Although some have previously reacted to BIS (and NSD) warnings of increased enforcement with caution and skepticism,[3] Assistant Secretary Axelrod warned, “Lest you be tempted to dismiss this as just ‘tough talk,’ last year saw our highest number ever of convictions, temporary denial orders (TDOs), and post-conviction denial orders.” BIS officials pointed to last year’s record standalone administrative penalty of $300 million against Seagate Technologies and previewed that multiple penalties of this magnitude are forthcoming—doubling-down on the “big game hunting” that January 2024 policy changes suggested.[4]

Compliance professionals should point to these statements—and to the actual increased enforcement in 2023—to justify front-end investments now in compliance.[5]

BIS Officials Repeatedly Emphasized that Traditional Due Diligence is Not Sufficient—Risk-Based Due Diligence is Required beyond Traditional Screening Tools

BIS officials emphasized that traditional due diligence such as Know-Your-Customer (“KYC”) screening, while still necessary, is not sufficient to address the risks of evasion and diversion posed by Russia, China, Iran, and North Korea. Under Secretary of Commerce for Industry & Security Alan F. Estevez noted that “Traditional due diligence is not sufficient—especially if your company or your clients have complicated distribution networks.”[6] He further cautioned that enhanced compliance was necessary across industry, i.e., not just at the twenty U.S. companies who received letters in the past weeks. “We are asking the private sector to step up more than it has,” he said, “even if you have not heard from us directly, we need you to be part of the solution.”

We have previously provided practical advice on both risk assessments[7] and internal investigations[8] that respond to the tectonic shifts underway today.

Practical Steps for Companies, In-House Legal and Compliance Teams, and Boards of Directors

1) Appreciate that BIS views itself today as a U.S. agency with a national security mission—not commercial facilitation—and recalibrate risk assessments accordingly.

The Update Conference began with a presentation of the U.S. flag by a military color guard and the singing of the U.S. National Anthem by a staff sergeant. Under Secretary Estevez emphatically noted in his Keynote Remarks, “I want to be clear: Export controls are a national security tool, not an economic protectionist tool.” Assistant Secretary Axelrod observed, “Given the global threat environment we currently face, our enforcement efforts have never been more central to America’s national security strategy.”

In this context, responding to the BIS “red flag” letters by asking how best to continue business with the listed parties signals a failure to appreciate the new national security ballgame. Additionally, assessments of evasion and enforcement risk that take a legacy perspective focused on commercial interests will fail to identify and assess today’s risks.

2) Before responding to questions from the media, the U.S. Congress, investors, or activist shareholders, consider how the data and the messaging will be (mis)perceived.

As with many things in life, it is not what you say but how you say it. Taking a combative or dismissive approach that in other times might be accepted commercial practice is out-of-touch with a national security effort to reduce our adversaries’ ability to manufacture and use weapons to kill friendly nations’ military personnel and civilians.

Consider whether there are creative, sincere ways to engage with media, Congress, and shareholders that protect the company’s interests (and its managers’ and directors’ interests) while still respecting and considering the national security context.

3) There is still time to reduce enforcement risk by making front-end investments in compliance, but the window for doing so may be closing.

Assistant Secretary Axelrod stressed BIS’s preference that companies invest in front-end compliance program enhancements rather than paying fines to U.S. agencies. Such investments will be more effective by targeting the root causes of evasion highlighted in U.S. agency guidance documents.

Remember, these guidance documents are relevant not only to front-end compliance efforts. They also form the U.S. agencies’ views as to what circumstances might indicate an awareness of a high probability of evasion or diversion, or even of willful conduct. It would be dangerous to assume that the U.S. agencies must find a “smoking gun” to bring enforcement actions—they do not. Both knowledge and willfulness can be proven by circumstantial evidence.[9]

Footnotes

[1] BIS, Remarks as Prepared for Delivery by Assistant Secretary for Export Enforcement Matthew S. Axelrod at BIS’s 2024 Update Conference on Export Controls and Policy (Mar. 28, 2024).

[2] Brent Carlson & Michael Huneke, How Not to Stand Out Like a Sore Thumb (Part 2): A Fresh Look at the “High Probability” Definition of Knowledge Applied to Export Controls and Sanctions Enforcement, NYU Program on Corporate Compliance & Enforcement (“PCCE”) Blog (Feb. 21, 2024).

[3] See Michael Huneke, The Blind Men & The Elephant (Dec. 18, 2023) (referring to same) (updated version forthcoming in WorldECR (April 2024)).

[4] See PCCE Blog, Export Controls Experts Comment on Enhancements to Voluntary Self-Disclosure Policies for Export Control Violations (Feb. 7, 2024) (comment by Michael Huneke).

[5] Brent Carlson & Michael Huneke, An Ounce of Prevention is Worth a Pound of Cure . . . or an Imposed Compliance Monitorship: A Fresh Look at the DOJ’s Corporate Enforcement Toolkit Applied to Sanctions and Export Controls Enforcement, PCCE Blog (Dec. 4, 2023).

[6] BIS, Under Secretary of Commerce for Industry and Security Alan F. Estevez Keynote Remarks, BIS Update Conference 2024 (Mar. 27, 2024) (as prepared for delivery).

[7] Brent Carlson & Michael Huneke, Know Your Customer, But Also Yourself: A Fresh Look at Sanctions & Export Controls Risk Assessments in the Era of the “New FCPA”, PCCE Blog (Sept. 28, 2023).

[8] Brent Carlson & Michael Huneke, Slow is Smooth, Smooth is Fast: A Fresh Look at Planning and Executing Internal Investigations into Allegations of Sanctions or Export Controls Evasion, PCCE Blog (Oct. 30, 2023).

[9] Brent Carlson & Michael Huneke, How Not to Stand Out Like a Sore Thumb (Part 1): A Fresh Look at the “Willful” Intent Standard for Criminal Liability in Export Controls and Sanctions Corporate Enforcement, PCCE Blog (Feb. 13, 2024).

Brent Carlson is a Director at the Berkeley Research Group, LLC. Michael Huneke is a Partner in the Anti-Corruption & Internal Investigations and Sanctions, Export Controls, and Anti-Money Laundering practice groups at Hughes Hubbard & Reed LLP. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).