by Brent Carlson and Michael Huneke
In Part 2 we pick up where we left off in Part 1 to continue our discussion of how best to avoid an administrative subpoena. We then discuss how best to respond, if and when they cannot be avoided, and conclude with some practical guidance.
Avoid: How to Dissuade BIS from Resorting to Administrative Subpoenas (Continued)
Prepare well for outreach visits
Companies should prepare for outreach visits. Persons who will be meeting or speaking with OEE agents should be well prepared to do so with an eye toward and an awareness of the implications of the information and representations they are providing to BIS. Any and all information that company representatives provide to BIS representatives is fair game for future enforcement and for sharing with other U.S. agencies.
Take BIS warnings seriously—and prepare for the follow-up request . . . or subpoena
Companies should also take seriously any form of warning from BIS of diversion risks. BIS issues those warnings for a reason, with the greater goal to prevent diversion and promote compliance with the EAR. Therefore, it is important to design and implement a methodology for responding consistently to such warnings and document such efforts. BIS will later inquire (if it has not already) about companies’ actions in response to its warnings.
For example, any companies that choose to continue to transact, directly or indirectly, with entities identified in a “supplier list” letter, in a “red flag” letter, or in a Project Guardian alert, should expect BIS to request information and documentation about the due diligence undertaken and decision-making processes followed that led the companies to determine that such transactions did not pose a “high probability” of diversion. Companies that develop and consistently implement a “red flags assessment methodology” process will be best positioned to defend their decisions to proceed with transactions with listed entities or ones that appear later.
Ensure the legal and compliance teams are involved every step of the way
Legal and compliance teams should always be fully involved to ensure thorough and complete preparation of any information to be shared with BIS, especially in response to questions from BIS about specific diversion risks previously shared by BIS. Recall that the EAR impose preservation requirements beyond the normal five-year retention period for any information that is the subject of either an informal or formal request by BIS.[1] The first principal of white collar criminal enforcement—what defense lawyers tell their children before bed every night—is to remember it’s not the crime, but the cover-up that often trips up companies and individuals. The perception of a “cover up” that can be created by a procedural or communication misstep creates exposure to allegations of concealment[2] or failure to comply with recordkeeping requirements,[3] as a recent BIS enforcement action demonstrates.[4] These all are entirely avoidable if requests for information are handled properly, thoughtfully, and strategically.
Do not ignore pre-subpoena requests
Above all, companies should not ignore pre-subpoena requests for information. There is no quicker way to trigger the issuance an administrative subpoena than to ignore BIS requests. Ignoring pre-subpoena information requests is kicking the hornet’s nest, with a delayed and more painful reaction.
Respond: How to Respond to an Administrative Subpoena
The best strategies for self-defense are awareness and avoidance, discussed in Part 1 and above.
Nevertheless, the situation may come where an administrative subpoena arrives, either because the risks of prior informal information exchanges were not fully appreciated or the company’s interpretation of the EAR was not aligned with that of BIS. Even at this stage, however, by following several core principles companies can respond to administrative subpoenas effectively, with an overall more positive impact on the company, its business, and its people.
Recognize that the voluntary self-disclosure window is closed . . .
Receipt of an administrative subpoena forecloses eligibility for voluntary disclosure credit with BIS, and likely for other federal enforcement or regulatory agencies as well, like the DOJ and the U.S. Securities & Exchange Commission (“SEC”). Rushing an initial voluntary self-disclosure (“VSD”) to BIS on the heels of an administrative subpoena will be viewed by OEE as, at best, a serious misunderstanding of the VSD requirements.
. . . but that the cooperation door is now wide open
Even though the subpoena closes the VSD window, it does open the door towards demonstrating “exceptional cooperation” with OEE’s investigation going forward, for companies that choose to do so. Cooperation is a factor affecting OEE’s view of the appropriate administrative sanctions to impose and can have a significant impact on outcomes.[5]
Ensure the preservation of potentially relevant information
Upon receipt of an administrative subpoena, it is essential that recipients map out and preserve sources of potentially responsive information. This should include the issuance of a formal litigation hold—the roll-out of which should be implemented to minimize the ability of individuals to delete or modify—even inadvertently—relevant data.
Engage with OEE in a proactive, thoughtful manner
Administrative subpoenas will be written broadly, which presents an opportunity to constructively engage with OEE to discuss their priorities for production. Rather than attempt to delay, go right in. This is an opportunity to engender goodwill and cooperate with enforcement officials to review the information being collected and to help identify for them what information—at least in the view of the company and its advisors—might be most useful. This will not only help demonstrate a company’s cooperation but allow the company to get a head-start on identifying the root causes of any potential violations of the EAR and on identifying any necessary enhancements to existing trade compliance efforts (particularly in light of the new emphasis on “high probability” enforcement discussed above).
Know that OEE might have more information than you—including from whistleblowers
Do not assume that OEE’s information about your company’s awareness of diversion risks is restricted to what you have chosen to previously provide to OEE. This is especially so given recent, public efforts by DOJ and other agencies to enhance their whistleblower programs.
Appreciate the national security implications for challenges to BIS’ authority
No U.S. administrative agency is above the law, but challenges to BIS’ authority can face significant uphill battles—especially in the current geopolitical environment and concerning any transaction that may involve the People’s Republic of China in particular. Prior to challenging BIS authority, companies should consider the national security implications involved in evaluating such approach to challenge, and risks arising from, BIS administrative subpoenas.
The Export Controls Reform Act of 2018 (“ECRA”) exempts the Department of Commerce’s functions under that act from the judicial review provisions of the Administrative Procedure Act (“APA”), leaving challengers only with a much more difficult ultra vires claim that must show that “the agency plainly act[ed] in excess of its delegated powers and contrary to a specific prohibition in the statute that is clear and mandatory.”[6] Under this standard, for example, a federal appellate court recently confirmed the authority of BIS to impose administrative fines on a strict-liability basis (i.e., without a showing of intent), and in so holding noted—after explaining the principal reasons for this conclusion—that “the coup de grâce for [the appellant’s] ultra vires argument would be the well-established rule of judicial deference to the Executive Branch in matters that involve foreign policy and national security,” which it held “applies in full force” in the context of the ECRA and the EAR.[7]
This is not to say that companies should abandon legitimate arguments about overreach or misapplied authorities, if they are appropriate. But companies—and their management teams and directors—should have a clear-eyed view of the hurdles facing them if they choose to challenge BIS’ authority, especially on any issues with national security implications.
Practical Steps for Companies, In-House Legal and Compliance Teams, and Boards of Directors
1) Appreciate that even informal outreach efforts need to be managed properly to reduce the risk of later administrative subpoenas
Remember that behind the informality of some approaches that BIS might make to your company lies the ultimate purpose of ensuring compliance with U.S. export controls. Informality on the part of BIS should never be taken as acquiescence to imprecision or incompleteness in what information you provide.
2) Anticipate that BIS will follow-up on its informational outreach
You should never presume that a dialogue with BIS will remain purely informational or one-sided. If you receive any warning by OEE of diversion—potential or actual—via “supplier list” letters, “red flag” letters, Project Guardian outreach, or otherwise, take action on such warnings by following a documented, consistent methodology. Companies must anticipate BIS will follow-up with a request or subpoena information regarding the actions taken in response to the warning.
Also, beware that once a BIS administrative subpoena hits, other regulatory agencies—like the DOJ or the SEC—may pile on with their own enforcement actions. This is where the old adage of an ounce of prevention is worth a pound of cure rings true.[8]
3) If you proceed with transactions with foreign counterparties about which you have been warned, be sure that you have followed and documented the July 10, 2024 guidance—or at least that you do so going forward
Any company that proceeds with transactions, directly or indirectly, with entities BIS identifies as posing diversion risk (or as having engaged in actual diversion), should expect intense scrutiny of the process by which it has decided to proceed with those transactions. The July 10, 2024 guidance explains what steps BIS expects you to have taken, as noted above and as we have written about previously.
If your company has proceeded with such transactions but did not heed the July 10, 2024 guidance’s expectations, the company will be at significant risk of becoming the target of an administrative proceeding or worse; in fact, BIS will likely deem such actions as an aggravating factor in an enforcement action. But it is never too late to design a red flags assessment methodology going forward and at least attempting to apply it retroactively to transactions already taken to determine if a high risk of diversion was present (or if diversion actually occurred)—before BIS presumes such diversion and adopts a more rigid and hostile posture vis-à-vis the company.
Footnotes
[1] 15 C.F.R. § 762.6(b).
[2] 15 C.F.R. § 764.2(g) (misrepresentation or concealment of facts).
[3] 15 C.F.R. § 764.2(i) (failure to comply with reporting, recordkeeping requirements).
[4] Order, In the Matter of Scott Communications, Inc., et al., Case No. 22-BIS-0007, 88 Fed. Reg. 19913 (Apr. 4, 2023); see BIS, Don’t Let This Happen to You (July 1, 2024), at 18 (“The Scott Communications, Inc. investigation is a good example of the potential outcome of making false statements. In March 2023, Scott Communications, Inc., Mission Communications LLC, and Kenneth Peter Scott, all of St. Ignatius, Montana, agreed to a 20-year denial order to settle charges that they attempted to export two portable Motorola radios, controlled for anti-terrorism reasons, to Jordan with knowledge that they would be reexported to Iran, and engaged in false statements in subsequent interviews with OEE.”).
[5] See 15 C.F.R. Part 766, Suppl. 1 (“Guidance on Charging and Penalty Determinations in Settlement of Administrative Enforcement Cases”).
[6] Federal Express Corp. v. Dep’t of Comm., 39 F.4th 756, 763 (D.C. Cir. 2022) (internal quotations and citations omitted).
[7] Id. at 769–70.
[8] See Brent Carlson & Michael Huneke, An Ounce of Prevention is Worth a Pound of Cure . . . or an Imposed Compliance Monitorship: A Fresh Look at the DOJ’s Corporate Enforcement Toolkit Applied to Sanctions and Export Controls Enforcement, NYU PCCE (Dec. 4, 2023).
Brent Carlson is a Director at Berkeley Research Group, LLC. Michael Huneke is a Partner at Hughes Hubbard & Reed LLP. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).