It May Not Be Worth the Paper (or Pixel) It’s Written On (Part 1): A Fresh Look at Letters of Assurance Used to Bolster Sanctions and Export Controls Compliance

by Brent Carlson and Michael Huneke


Left to right: Brent Carlson and Michael Huneke (Photos courtesy of the authors)

“The world has changed. And we must change with it.” So stated Assistant Secretary of Commerce for Export Enforcement Matt Axelrod at a recent summit in California.[1] This simple statement reflects the increasingly complex challenges companies now face in navigating export controls and sanctions in a world driven by new geopolitical realities.

These challenges call into question past assumptions about compliance programs. The foundation of a robust compliance program starts with the reliability of the inputs relied upon to make informed, risk-based decisions. In the halcyon days of the post-Cold War era, export controls took on an administrative character. In that environment, certifications from counterparties—themselves the targets of the due diligence—were taken largely at face value. Yet today passive reliance, without more, carries profound risks because export controls and sanctions enforcement has already become more of a white-collar corporate enforcement environment driven by Russia’s continued ability to secure U.S.-brand microelectronics (both legacy and new production). Certifications alone accordingly may not be worth the paper they are written on—or the pixels of which they are made—especially when other data includes “red flags” that cast doubt on certifications’ veracity.

This creates significant challenges for U.S. design and manufacturing companies, who often have tens or hundreds of thousands of direct or indirect customer relationships. Bespoke, heightened due diligence is simply not possible across each and every one of those relationships. Certifications and supporting documentation from distributors and resellers are accordingly the fundamental building blocks of any trade compliance program. In response to warning signals coming from the Commerce Department’s Bureau of Industry and Security (“BIS”), many U.S. design or manufacturing companies have accordingly sought “letters of assurance” from their distributors and resellers.

Obtaining and filing away these letters of assurance, however, without further scrutiny could expose recipients to enforcement risk. When the letters themselves, or other data available, indicate the presence of “red flags” identified repeatedly by U.S. agencies in public guidance over the past several years (and earlier), the letters’ assurances may not be sufficient to disprove the recipients’ awareness of a “high probability” of diversion—the standard of knowledge under the Export Administration Regulations (“EAR”). In fact, based on enforcement actions in other contexts, they might be seen as evidence of such an awareness. Fortunately, smart and strategic risk-based solutions are available to navigate the new white collar enforcement minefield.

Do Assurances Help Resolve BIS “Red Flag” Letters?

In the face of increasing diversion of high-priority items (such as semiconductors and microelectronics) to Russia following its invasion of Ukraine, BIS adopted a new strategy by issuing “red flag” letters to U.S. manufacturers and distributors. These letters highlighted specific foreign third parties that were identified in commercially available datasets as continuing to export to Russia in violation of applicable sanctions and export controls. BIS also “identified a list of over 600 foreign parties who continue to ship these high-priority items to Russia . . . that continue to be found in recovered missiles and drones inside Ukraine.”[2] We described the BIS “red flag” letters and their implications in a recent “Fresh Looks” post.[3]

In response to these “red flag” letters, many manufacturers are requesting “letters of assurance” from their distributors. These letters seek assurances that the distributors are taking appropriate steps to prevent potential illegal diversion of the manufacturers’ products to Russia.

Beware the Fox Who Certifies the Chicken Coop

Like other self-representations such as end-user certificates and statements, letters of assurance are only as reliable as the entities issuing them, who are—at least in some cases—the very same actors who have no interest at all in abiding by them.

While major (e.g., “Tier 1”) distributors based in the U.S. can safely be assumed to take such letters of assurance seriously, distributors who intend to engage in diversion are equally likely to sign them. Additionally, assurances from distributors in countries that ignore diversion are also of limited value. On a recent podcast, for example, Department of Commerce Under Secretary for Industry & Security Alan F. Estevez shared that his counterpart at China’s Ministry of Commerce (“MOFCOM”) asserted that products going from China to Russia were for “Game Boys and washing machines”—rather than missiles and drones.[4]

Distributors and resellers in jurisdictions with higher transshipment risks are commercially incentivized to continue such activities while facing little to no risk of negative consequences for doing so, which casts serious doubt on the reliability of any letter of assurance they might provide. It’s like asking the fox to provide assurances regarding the security of the chicken coop.

Accordingly, placing undue reliance on letters of assurance could be useless or even counterproductive: rather than absolving the recipient of knowledge of a “high probability” of diversion, accepting such letters in the face of unresolved evidence of a “high probability” of diversion could expose the company and its employees to enforcement risk. We described the “high probability” standard in the EAR’s definition of “knowledge”—and its parallels with the U.S. Foreign Corrupt Practices Act—in an earlier post.[5]

Recent BIS guidance emphasizes the centrality of the “high probability” standard of “knowledge” in resolving red flags from a BIS “red flag” letter. The language is clear: “. . . a “red flag” letter lets a company know that it needs to beware of dealing with a particular customer because the customer’s reexport or in-country transfer history creates a high probability that an export violation may occur.”[6] BIS’s guidance further states: “A company that receives a “red flag” letter should conduct additional due diligence to resolve and overcome the red flag identified by BIS before filling an order from the identified customer.”[7]

A Way Forward: Trust But (Selectively) Verify

Clearly, letters of assurance on their own are insufficient to protect the company and its personnel. How then to deploy increasingly strained and limited compliance time and resources to demonstrate and defend reasonable reliance on letters of assurance?

U.S. design and manufacturing companies could do so by adopting a risk-based methodology to select a targeted subset of distributors or resellers for a more in-depth verification of whether the letters of assurance received could be taken at face value and reasonably relied upon.

A first-tier distributor publicly traded in the U.S. who does not itself present the “red flags” previously identified in U.S. agency guidance would not require additional verification.

But—at the other extreme—assurances received from a distributor whose name appears on a list that BIS has provided to the U.S. design or manufacturing company indicating that they continue to divert products to Russia would require a substantial amount of enhanced due diligence before any letter of assurance could be relied upon.

In between, manufacturers and other exporters will need to make inherently subjective judgments but do so according to a written, repeatable, and consistently applied process that is well documented. This will best justify ongoing reliance on what by necessity will be tens or hundreds of thousands of letters of assurance and best position the U.S. company to defend such reliance later if necessary.

Practical Steps for Companies, In-House Legal and Compliance Teams, and Boards of Directors

1) Recognize that the sanctions and export controls world has totally changed due to national security concerns and apply a new, white-collar corporate enforcement mindset to stay ahead of the profound and rapid changes underway.

Beware that BIS also has set the stage for a corporate enforcement sweep. Understand what BIS’s “red flag” letters really convey and what they trigger, especially as geopolitical pressures increase.[8]

Applying a new mindset to corporate compliance provides the critical first step to opening the door to new, more effective solutions, especially as corporate enforcement increasingly becomes driven by the “high probability” standard of “knowledge.” We discuss core principles that can guide the framework for mitigating new and increasing risks in an earlier “Fresh Looks” post,[9] as well as risk assessments and planning for investigations.[10]

2) Leverage the “high probability” standard of “knowledge” to deploy risk-based, repeatable, and well-documented solutions to best protect the company.

Anticipate corporate criminal enforcement driven by the “high probability” standard of “knowledge” and use this to your advantage.[11] Leverage the logic of this standard to mitigate risks and focus the compliance team’s limited resources on what truly matters.

When BIS calls for conducting “some extra screening,” leveraging the “high probability” standard of “knowledge” allows for the proper assessment of holistic and dynamic factors that better support subjective risk-based decisions, which in turn help to protect the company and its people in the increasingly likely event of an enforcement action.

Leveraging the “high probability” standard of “knowledge” in the EAR also helps prevent liability pitfalls from misperceived loopholes.[12]

3) Boards of directors and executive officers should stay abreast of the evolving compliance challenges and make sure the company maintains a robust compliance program and is responding timely and effectively to red flags as they arise.

As always, tone at the top remains crucial. Export controls and sanctions now pose not only a central compliance risk but also an enterprise risk for many companies. Directors and officers need to be aware of the evolution of their fiduciary duties considering the recent McDonald’s cases in Delaware. Be aware that the typical liability protections of the business judgement rule and exculpation provisions are not available as commonly assumed.[13]

Footnotes

[1] “Assistant Secretary for Export Enforcement Matthew S. Axelrod Delivers Remarks at the Semiconductor Summit in Los Angeles, California,” Bureau of Industry and Security, https://www.bis.gov/speeches/assistant-secretary-export-enforcement-matthew-s-axelrod-delivers-remarks-semiconductor (May 8, 2024).

[2] BIS, Assistant Secretary for Export Enforcement Matthew S. Axelrod Delivers Remarks at the Semiconductor Summit in Los Angeles, California, (May 8, 2024).

[3] Id.

[4] Center for a New American Security (“CNAS”), Derisky Business Podcast, How to Regulate Smart, not Dumb, with Alan Estevez (June 27, 2024).

[5] Brent Carlson & Michael Huneke, How Not to Stand Out Like a Sore Thumb (Part 2): A Fresh Look at the “High Probability” Definition of Knowledge Applied to Export Controls and Sanctions Enforcement, NYU Program on Corporate Compliance & Enforcement (“PCCE”) Blog (Feb. 21, 2024).

[6] U.S. Department of Commerce, Bureau of Industry and Commerce, Guidance to Industry on BIS Actions Identifying Transaction Parties of Diversion Risk (July 10, 2024) (emphasis added).

[7] Id.

[8] See Brent Carlson & Michael Huneke, BIS Primes the Corporate Enforcement Engine: A Fresh Look at What Recent BIS Actions & Statements Mean and a Proposed Framework for How U.S. Companies Can Best Prepare, NYU PCCE Blog (May 30, 2024).

[9] See Brent Carlson & Michael Huneke, BIS Primes the Corporate Enforcement Engine: A Fresh Look at What Recent BIS Actions & Statements Mean and a Proposed Framework for How U.S. Companies Can Best Prepare, NYU PCCE Blog (May 30, 2024).

[10] See Brent Carlson & Michael Huneke, Know Your Customer, But Also Yourself: A Fresh Look at Sanctions & Export Controls Risk Assessments in the Era of the “New FCPA”, NYU PCCE Blog (Sept. 28, 2023); Brent Carlson & Michael Huneke, Slow is Smooth, Smooth is Fast: A Fresh Look at Planning and Executing Internal Investigations into Allegations of Sanctions or Export Controls Evasion, NYU PCCE Blog (Oct. 30, 2023).

[11] See Brent Carlson & Michael Huneke, How Not to Stand Out Like a Sore Thumb (Part 2): A Fresh Look at the “High Probability” Definition of Knowledge Applied to Export Controls and Sanctions Enforcement, NYU Program on Corporate Compliance & Enforcement (“PCCE”) Blog (Feb. 21, 2024).

[12] See Brent Carlson, When Loopholes Create Liability Pitfalls: A Fresh Look at Export Controls, NYU Program on Corporate Compliance & Enforcement (“PCCE”) Blog (August 25, 2023).

[13] See Brent Carlson & Michael Huneke, Boards of Directors Lovin’ It after McDonald’s? A Fresh Look at Directors’ Duty of Oversight in the New Era of Sanctions & Export Control Corporate Enforcement, NYU PCCE Blog (Jan. 12, 2024).

Brent Carlson is a Director at Berkeley Research Group, LLC. Michael Huneke is a Partner at Hughes Hubbard & Reed LLP. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.
