by Brent Carlson and Michael Huneke

Anticipating, avoiding, and responding to administrative subpoenas pose the next in a long line of challenges facing U.S. companies and their legal and compliance teams as the new wave of export controls enforcement unfolds.

The Department of Commerce’s Bureau of Industry & Security (“BIS”) has primed the corporate enforcement engine[1] through (1) public guidance identifying “red flags” indicating a “high probability” of diversion in violation of U.S. export controls, (2) successful criminal prosecutions in partnership with the U.S. Department of Justice (“DOJ”) in the Disruptive Technology Strike Force of intermediaries facilitating diversion,[2] and (3) “supplier list” and “red flag” letters warning companies of the risks of diversion posed by certain counterparties.[3]

BIS has recently taken important steps that clearly signal an enforcement sweep is underway. On July 10, 2024, BIS published guidance regarding its expectations for companies’ interpretation and assessment of “supplier list” and “red flags” letters.[4] These expectations include risk-based due diligence and, where diversion risks cannot be resolved, either refraining from the transaction or applying for a license.[5] On August 15, 2024, BIS announced a settlement with a U.S. company for $5.8 million in which the “high probability” standard and various catch-all provisions of the Export Administration Regulations (“EAR”) were featured.[6] In parallel, BIS is continuing longstanding practices of informing companies of diversion risk, including outreach visits by agents and its Project Guardian efforts to inform companies when they are the targets of diversion schemes.

BIS’s next enforcement steps likely will include administrative subpoenas. But administrative subpoenas are often avoidable if the initial interactions with BIS are properly appreciated and managed. After administrative subpoenas are issued, missteps in the response, overall approach, and communications with BIS can exacerbate the risks to companies, their managers and directors, and employees.

In this two-part “Fresh Look” post we offer practical tips to help companies and their compliance teams manage these risks. In Part 1, we discuss the current enforcement “playbook” being used, how to anticipate an administrative subpoena by recognizing the circumstances in which they might arise, and then begin our discussion of how to best avoid administrative subpoenas by dissuading BIS from having to resort to issuing them in the first place. Part 2 will conclude the discussion on avoiding administrative subpoenas and conclude with thoughts how best to respond to administrative subpoenas if they cannot be avoided.

First Principles: Understand the High-Probability “Playbook”—for both Enforcement and Compliance

Recent BIS guidance, enforcement, and outreach may be particularly challenging for legal and compliance teams that have not fully appreciated their implications in the context of U.S. export controls’ full definition of “knowledge,” which includes not only actual knowledge “but also an awareness of a high probability of its existence or future occurrence” that “is inferred from evidence of the conscious disregard of facts known to a person and is also inferred from a person’s willful avoidance of facts.”[7]

These recent actions by BIS track closely the prior two decades’ enforcement “playbook” used by the DOJ in U.S. Foreign Corrupt Practices Act (“FCPA”) cases, where the law employs the same “high probability” standard. We saw in that context that U.S. regulators’ guidance and enforcement activity—past and present—essentially created a prosecutorial common law that informed both government decisions on investigations or settlements and, accordingly, companies’ internal assessments of compliance and enforcement risk.

As this “high probability” standard becomes a point of emphasis for BIS in its export controls guidance and enforcement efforts, U.S. companies need to view BIS requests and outreach through the same lens—otherwise they risk misunderstandings and misinterpretations—even if unintentional—that will lower their credibility with the regulators.

Anticipate: Recognizing the Precursors to Administrative Subpoenas

To avoid administrative subpoenas, it is first necessary to be aware of the circumstances in which they might arise.

The EAR provides BIS with subpoena authority in two contexts. First, BIS administrative subpoenas are authorized in administrative enforcement proceedings.[8] Second, BIS also has authority to request information required to be maintained under the EAR,[9] and in that context “[w]hen voluntary cooperation is not forthcoming,” the Office of Export Enforcement (“OEE”) is “authorized to issue subpoenas requiring persons to appear and testify, or to produce books, records, and other writings.”[10]

In the first context, administrative enforcement proceedings begin when OEE sends a formal charging letter.[11] The seriousness of the risks facing the responding companies or individuals is evident upon receipt of the letter.

In the second context, however, recipients might not fully appreciate the seriousness of the circumstances or the risks they face. The contact from BIS could be quite informal, or even if formal it could occur initially as proactive, educational outreach by BIS. In this regard, it is important to recognize the forms of contact BIS may utilize and their implications for both further enforcement scrutiny and potential liability.

Outreach Program

OEE has a longstanding Outreach Program in which its agents make one-on-one contact with representatives of companies, including manufacturers, exporters, and freight forwarders.[12] In the 2023 BIS fiscal year alone, OEE agents conducted more than 1,700 outreach visits.[13] Although the Outreach Program’s purpose is to educate industry,[14] shared information can trigger investigations.[15]

For in-house legal and compliance teams, it is important to recognize that any information provided in an “outreach visit” may be used for further enforcement actions and would be compared against the company’s public statements and other information available to BIS (including through other agencies’ whistleblower initiatives).

Project Guardian

BIS also warns companies of specific threats of which BIS is aware. Under the Project Guardian initiative, OEE alerts companies “of suspicious parties that may be seeking to obtain sensitive items” as an “advance warning system . . . meant to help . . . identify otherwise unforeseen risks in potential transactions.”[16] OEE initiated over 35 Project Guardian leads in its 2023 fiscal year.[17]

“Supplier List” and “Red Flag” Letters

Recently, BIS has warned companies of potential diversion risks via “supplier list” letters identifying foreign “parties of diversion concern”[18] and “red flag” letters that “inform a company that one of their customers may have, in violation of the [Export Administration Regulations (“EAR”)], reexported or transferred (in-country) the same type of item that the company previously exported to that customer.”[19]

These letters have engendered confusion among some recipients because of a misplaced analogy with so-called “is informed” letters. Under catch-all provisions of the EAR, “is informed” letters impose a formal license requirement.[20] Because the “supplier list” and “red flag” letters are not “is informed” letters, they by themselves do not create—under the catch-all provisions—a license obligation. But this position misses both the purpose and effect of these letters. The purpose and effect of such letters are best understood in the context of the “high probability” definition of knowledge described above, as explained by BIS in guidance published on July 10, 2024.

In response to a “supplier list” letter, BIS expects industry to assess whether “red flags” of diversion risk are present and, if so, proceed with the transaction only if additional due diligence resolves the “red flags.”[21]

In response to receiving either a “red flag” letter or a Project Guardian request, BIS considers such notification to trigger “knowledge of a high probability that a violation may occur” and, accordingly, expects additional due diligence to be conducted to determine whether the “red flags” can be resolved before proceeding.[22]

BIS expects companies that receive “red flag” letters to develop, before proceeding with the transaction, “affirmative information that the party is no longer engaged in . . . activities in violation of the EAR,” and to “keep detailed records of the information received, the steps taken to verify such information, and documentation of the decision-making process that led to the conclusion that the customer’s activities with respect to the proposed transaction was explained or justified.”[23] In sum, these new forms of notice from BIS are viewed by BIS as creating “high probability” awareness—“knowledge”—of diversion, and accordingly pose equal if not greater risks—if not handled properly—than do “is informed” letters.

Avoid: How to Dissuade BIS from Resorting to Administrative Subpoenas

Now being aware of the precursors for administrative subpoenas, we are ready to discuss how to avoid them.

All of these pre-subpoena exchanges of information are valuable data points in companies’ own efforts to comply with U.S. export controls and minimize the risk of their products’ diversion. At the same time, each interaction—even if “informal” or educational—creates a risk of BIS later issuing an administrative subpoena if BIS believes that the information is not being properly acted upon. In addition to changing the tenor of discussions with BIS, an administrative subpoena might also raise a difficult question of whether receipt of the subpoena needs to be discussed with external auditors and disclosed to the market. These are all reasons companies should prefer to avoid BIS issuing an administrative subpoena.

Do not be lulled into an informal response

Companies should not be lulled into providing a casual response to an informal outreach. Internal efforts to gather relevant information should be methodical and well documented with any eye towards consistency and defensibility. This is especially important when the trade compliance team needs information from other functions such as sales, customer service, accounting, and finance. Requests from BIS are not going to be limited to whatever data has been made previously available to or otherwise shared with the trade compliance team.[24]

We will continue the discussion on steps to avoid “kicking the hornet’s nest” in Part 2.

Footnotes

[1] Brent Carlson & Michael Huneke, BIS Primes the Corporate Enforcement Engine: A Fresh Look at What Recent BIS Actions & Statements Mean and a Proposed Framework for How U.S. Companies Can Best Prepare, NYU Program on Corporate Compliance & Enforcement (“PCCE”) Blog (May 30, 2024).

[2] See, e.g., DOJ, FACT SHEET: Disruptive Technology Strike Force Efforts in First Year to Prevent Sensitive Technology from Being Acquired by Authoritarian Regimes and Hostile Nation-States (Feb. 16, 2024).

[3] See BIS, Guidance to Industry on BIS Actions Identifying Transaction Parties of Diversion Risk (July 10, 2024).

[4] Id.

[5] Id. at 3.

[6] BIS, BIS Imposes $5.8 Million Penalty Against Pennsylvania Company for Shipments of Low-Level Items to Parties Tied to the PRC’s Hypersonics, UAV, and Military Electronics Programs (Aug. 15, 2024).

[7] 15 C.F.R. § 772.1.

[8] 15 C.F.R. § 766.10.

[9] The scope of information required to be maintained under the EAR—and therefore amenable to administrative subpoena—is quite broad. It includes memoranda, correspondence, contracts, financial records, and a catch-all reference to any “other records pertaining” to covered transactions, 15 C.F.R. § 762.2(a), except for specifically enumerated exemptions, 15 C.F.R. § 762.3(a).

[10] 15 C.F.R. § 762.7(a).

[11] 15 C.F.R. § 766.3(a).

[12] OEE Mission Statement, “Outreach Program.”

[13] See BIS, Don’t Let This Happen to You (July 1, 2024), at 22.

[14] Id.

[15] See id. at 28 (describing an individual’s guilty plea following an investigation launched based on information provided by a manufacturer during an outreach visit).

[16] Id. at 23.

[17] Id.

[18] See BIS, Guidance to Industry on BIS Actions Identifying Transaction Parties of Diversion Risk, at 1 (July 10, 2024).

[19] See id. at 3.

[20] See Gaspard le Dem, Companies frustrated by new US strategy to prevent technology leaks to Russia, lawyers say, Global Investigations Review (May 31, 2024).

[21] BIS, Guidance to Industry on BIS Actions Identifying Transaction Parties of Diversion Risk, at 5 (July 10, 2024).

[22] Id.

[23] Id. at 3.

[24] See, e.g., Brent Carlson & Michael Huneke, Know Your Customer, But Also Yourself: A Fresh Look at Sanctions & Export Controls Risk Assessments in the Era of the “New FCPA”, NYU PCCE Blog (Sept. 28, 2023).

Brent Carlson is a Director at Berkeley Research Group, LLC. Michael Huneke is a Partner at Hughes Hubbard & Reed LLP. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).