BIS Primes the Corporate Enforcement Engine: A Fresh Look at What Recent BIS Actions & Statements Mean and a Proposed Framework for How U.S. Companies Can Best Prepare

by Brent Carlson and Michael Huneke 

Photos of the authors.

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

The risk of corporate criminal enforcement actions for export controls evasion or diversion is significantly increasing. Recent actions and statements by the Department of Commerce’s Bureau of Industry & Security (“BIS”) suggest that, beyond saber-rattling, BIS is deliberately priming the corporate enforcement engine with the fuel for an enforcement wave that will follow the Foreign Corrupt Practices Act (“FCPA”) “playbook” that the U.S. Department of Justice (“DOJ”) has successfully deployed for the last two decades.

The fuel comes in the form of official, multiagency guidance documents and other actions that describe circumstances indicating a “high probability” of misconduct, which as we have previously written is a freestanding basis for enforcement actions under both the FCPA and the Export Administration Regulations (“EAR”).[1] Such agency actions by BIS notably include the issuance to U.S. companies of lists of counterparties under cover of what BIS officials describe as “red flag” letters. Since our prior analysis,[2] BIS has reemphasized the significance of such letters and underscored the importance of how U.S. companies respond.

BIS Continues to Emphasize the Significance of the “Red Flag” Letters Listing Counterparties that Continue to Ship to Russia

On Wednesday, May 8, Department of Commerce Assistant Secretary for Export Enforcement Matthew Axelrod spoke at a semiconductor summit in Los Angeles organized by three of the U.S. Attorneys for California.[3] He reemphasized what he and other Commerce officials have stressed, including at the 2024 BIS Update Conference in Washington, DC[4]: that the “red flag” letters are significant and that BIS expects companies to respond to them by not engaging in transactions where there is a high risk of transshipment or diversion to Russia. In a prior post, we included a screenshot of a sample letter shared by BIS at the Update Conference.[5]

Axelrod stressed that the Disruptive Technology Strike Force (a/k/a the “Joint Strike Force”) has been active, to date resulting in “16 criminal indictments against 26 defendants.” He added that 14 of the 26 defendants “have been charged with crimes related to their procurement of electronic components, including semiconductors.”

Regarding the “red flag” letters specifically, he stated:

  • “Last year, we sent U.S. microelectronics companies ‘red flag’ letters identifying specific customers of theirs who had been identified in customs data as continuing to ship semiconductors and other microelectronics to Russia.”
  • “We’ve since gone further. We’ve now identified a list of over 600 foreign parties who continue to ship these high-priority items to Russia and have sent this list to U.S. manufacturers and distributors who make and sell products – like semiconductors – that continue to be found in recovered missiles and drones inside Ukraine.”
  • “We’ve asked the American companies to stop shipping to these 600 foreign parties due to the high risk of transshipment to Russia.” (emphasis added)

He concluded, “The world has changed. And we must change with it.”

This is not the language of traditional civil or administrative enforcement, based on deeply technical item classifications and strict-liability enforcement in which intent—good or bad—did not matter. Instead, this is the language of white-collar corporate criminal (“FCPA-like”) enforcement based on assessments of risk and the credibility of frameworks in which those risks are assessed.

If there was any doubt about the FCPA’s influence on BIS’s going-forward enforcement strategy, Axelrod was quoted as observing that the DOJ’s FCPA enforcement was a “reference point” because of “how successfully the agency has persuaded companies to invest in anti-bribery compliance,” with “only around 20 prosecutors in the DOJ’s FCPA unit.”[6] He noted such results were “an incredible return on investment” and are “what we need to do.”[7]

All companies that have received such “red flags” letters should anticipate, accordingly, the first question in any enforcement “sweep” to be: “What did you do after receiving the BIS letter?” It would be fair to expect that “We continued to ship because this was not formally an ‘is-informed’ letter…”[8] is likely to be the wrong answer (as would be, “What letter?”). But what to do?

Apply a New Mindset to Anticipate Corporate Criminal Enforcement Driven by the “High Probability” Standard

A new mindset is required to identify and assess corporate criminal enforcement risks, for both internal risk assessments and also external interactions—be they with BIS, the DOJ, the Joint Strike Force, U.S. Congress,[9] or even shareholders.[10] Once data is shared with any external party, the company loses control over how that data is shared and interpreted by others.

The following core principles can guide the creation of a framework for mitigating risks based on this new mindset:

  • Start with available documents and information. Take stock of information your company has at hand and what risks can be identified from that. Answers may be hidden in plain sight. This might lead you to request additional information from internal colleagues or counterparties as the framework matures. But given the urgency of national security–related risks, it is better to start from what is already available.
  • Focus on conduct most likely to carry criminal enforcement risk. Honest, good-faith mistakes in item classification are not going to trigger criminal prosecution. Proceeding with transactions in the face of a high probability of evasion will. The new framework should look at bigger-picture risks (e.g., large increases in sales to countries widely believed to be transshipment points for onward sales to Russia).
  • Compliance time and resources are finite. The new framework must save your compliance team’s time—and mental health—by identifying and focusing on the highest risks. For any international company of even modest size, applying the same level of due diligence to every counterparty will result in too much effort spent on too many counterparties that do not drive your risks, and not enough on those that do.
  • Determine enhanced due diligence steps with the “high probability” standard in mind (using a trust-but-verify approach). For counterparties flagged for enhanced due diligence, the “high probability” standard can help determine what enhanced steps might be. Enhanced review should include a thoughtfully constructed mosaic of circumstantial data points, such as how and when the relationship has changed over time, whether those changes appear to reflect underlying economic realities and plausibly for legitimate reasons, and whether any aspects appear to touch on the “red flags” identified by the enforcement agencies in public guidance.[11] Apply the classic “trust but verify” approach. Note that it is unlikely BIS or DOJ would accept as sufficient any certifications or data provided by counterparties that (in the eyes of enforcement officials) pose a high probability of evasion or diversion.
  • Risk-based decision-making is inherently subjective yet still may be done with a consistent methodology. Protect decision-making from later criticism by designing and consistently implementing a framework in which subjective decision-making can be made repeatedly based on the same criteria, with any evolutions based on documented experience. Otherwise, ad hoc decision-making will be vulnerable to later allegations of bias.

Applying the above principles has proven an effective and defensible way of managing counterparty risk in the context of FCPA enforcement, which shares the “high probability” standard with the EAR (which also is a close cousin to the “reason to know” standard applied under U.S. economic sanctions programs).

Practical Steps for Companies, In-House Legal and Compliance Teams, and Boards of Directors

1) Remember:  it’s more about how, through whom, and to whom you’re shipping and less about what you’re shipping that drives criminal enforcement risk.

In the normal course, export controls and sanctions are applied through highly technical regulations. But good-faith mistakes under such regulations are not where companies’ risk of corporate criminal prosecution lies. Given the “catch-all” end-use and end-user restrictions and broad-based sectoral sanctions, it is important to focus on the fundamentals and avoid the temptation to rely on misperceived loopholes or technicalities.[12]

2) Frame assessments of risk—which are inherently subjective—with a consistent and defensible methodology.

Some risks you will assess correctly. Others you will not. There will be mistakes. But as long as you are consistently applying your judgment to the same criteria in assessing counterparties’ evasion or diversion risk, you will be in a good position to defend the decisions made in the event of scrutiny later by skeptical (or outright hostile) enforcement agencies or plaintiffs.

3) Apply the Goldilocks Principle:  Approaches that do too much or too little will both miss the mark.

Defaulting to program-wide “gap analyses” or a “boiling the ocean” approach invariably spreads resources too thinly to truly drill down into your highest-risk counterparties. Similarly, relying on self-certifications by the same counterparties will not be seen as going beyond traditional screening practices where heightened risks are present. The right approach depends on each company’s business processes and how they engage with end users; companies are well advised to use the core principles outlined above to design and apply an approach that fits their risk and counterparty profile.

Footnotes

[1] Brent Carlson & Michael Huneke, How Not to Stand Out Like a Sore Thumb (Part 2): A Fresh Look at the “High Probability” Definition of Knowledge Applied to Export Controls and Sanctions Enforcement, NYU Program on Corporate Compliance & Enforcement (“PCCE”) Blog (Feb. 21, 2024).

[2] Brent Carlson & Michael Huneke, A Whole New National Security Ballgame: Key Practical Takeaways for Export Control Compliance from the 2024 BIS Update Conference, NYU PCCE Blog (Apr. 5, 2024).

[3] BIS, Assistant Secretary for Export Enforcement Matthew S. Axelrod Delivers Remarks at the Semiconductor Summit in Los Angeles, California (May 8, 2024).

[4] Brent Carlson & Michael Huneke, A Whole New National Security Ballgame: Key Practical Takeaways for Export Control Compliance from the 2024 BIS Update Conference, NYU PCCE Blog (Apr. 5, 2024).

[5] Id.

[6] Max Fillion, Matt Axelrod Wants You to Worry about His Work (Global Investigations Review, May 10, 2024).

[7] Id.

[8] See, e.g., 15 C.F.R. §744.3, the catch-all provision for ballistic missiles and unmanned aerial vehicles (“UAVs”), which imposes a license requirement for any item subject to the EAR—including EAR99—when knowingly exported for such end use, plus a license requirement for any party identified by BIS in an “is informed” letter as presenting an unacceptable risk of diversion for such use.

[9] See Brent Carlson & Michael Huneke, “Expect Some Illumination”: A Fresh Look at U.S. Congressional Hearings in the Era of Sanctions and Export Controls as the New FCPA, NYU PCCE Blog (Mar. 14, 2024).

[10] See Brent Carlson & Michael Huneke, Boards of Directors Lovin’ It after McDonald’s? A Fresh Look at Directors’ Duty of Oversight in the New Era of Sanctions & Export Control Corporate Enforcement, NYU PCCE Blog (Jan. 12, 2024).

[11] See Brent Carlson & Michael Huneke, Know Your Customer, But Also Yourself: A Fresh Look at Sanctions & Export Controls Risk Assessments in the Era of the “New FCPA”, NYU PCCE Blog (Sept. 28, 2023); Brent Carlson & Michael Huneke, Slow is Smooth, Smooth is Fast: A Fresh Look at Planning and Executing Internal Investigations into Allegations of Sanctions or Export Controls Evasion, NYU PCCE Blog (Oct. 30, 2023).

[12] See Brent Carlson, When Loopholes Create Liability Pitfalls: A Fresh Look at Export Controls, NYU PCCE Blog (Aug. 25, 2023).

Brent Carlson is a Director at the Berkeley Research Group, LLC. Michael Huneke is a Partner in the Anti-Corruption & Internal Investigations and Sanctions, Export Controls, and Anti-Money Laundering practice groups at Hughes Hubbard & Reed LLPThe views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).