Trust, But Verify…Therein Lies the Rub: A Fresh Look at Audits of Export Controls Compliance Programs

by Brent Carlson and Michael Huneke


Left to right: Brent Carlson and Michael Huneke (Photos courtesy of the authors)

Export controls have risen to a top corporate compliance priority in recent years, and now even pose enterprise risk for many companies.[1] The combination of new rules and enforcement signals from the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) and increasing bipartisan congressional scrutiny means that in-house legal and compliance teams face enormous challenges. New, innovative tools and techniques are necessary to stay ahead of the game, and this includes making upgrades to keep a company’s audits effective.

At the same time as the need for effective audits has grown, new geopolitical, regulatory, and business realities have undermined the inputs audits traditionally relied upon. Approaches that may have worked in the past no longer prove reliable. “Trust, but verify,” as the Russian proverb (doveryai, no proveryai) goes. But what, and how, to verify? Reliance on evidence that fails to differentiate risks substantively leads to deception, and danger. Therein lies the rub—and the pitfalls in relying on outdated assessments of compliance risks not adapted for today’s geopolitical environment.

Audits can become more effective by taking a “fresh look” at underlying inputs and making judgments about compliance risk from those inputs that are both relatively verifiable (or reliable) and determinative—while discounting or ignoring others. This will help protect companies, their people, and their legitimate core businesses from increasing government scrutiny, enforcement risk, and material disruptions—risks to which non-determinative inputs will blind them until it is too late.

Past Assumptions Produce Current Pitfalls

In a recent report, the U.S. Senate’s Permanent Subcommittee on Investigations (“PSI”) criticized semiconductor companies for not performing enough audits of their export compliance programs and those of their distributors.[2] The PSI noted that “each [company] presently lacks sufficient internal auditing and distributor auditing related to export controls compliance.”[3] The PSI goes on to make several recommendations to these companies “to prevent their products from being used by hostile adversaries.”

One recommendation addresses the companies themselves: “Semiconductor manufacturers should annually audit their entire export controls compliance programs, and audit targeted processes more frequently—particularly when problems arise or regulations change.”

Another recommendation focuses on their distributors: “Semiconductor manufacturers should implement . . . yearly auditing of all their distributors’ export controls compliance.”[4]

In responding to these demands, companies need to avoid being caught between adopting risk-based practices and feeling political pressure to adopt expensive and likely ineffective practices. While acceding to the current demands might seem the most expedient way to deflect further political pressure, it opens the door to significant risks if obsolete, legacy assumptions drive how those audits are planned, managed, and executed.[5]

For example, the PSI report quoted an unnamed audit official who “acknowledged that distributor audits are ‘not difficult’ and are ‘scripted,’ . . . .”[6] This same company also informed PSI that it “intends to audit end-user assessments (i.e., to whom its distributors sell and their policies and procedures) across all its distributors at some point in 2024.”[7]

It would be dangerous for either the PSI or U.S. companies to draw false comfort from quantity without quality. Given the sophistication of state-backed diversion and evasion schemes and such schemes’ purpose to achieve foreign adversaries’ intelligence and military objectives, audits that are openly acknowledged as easy and “scripted” could lead nation-state adversaries to conclude that such audits are merely U.S. domestic political window-dressing.

The objective of U.S. national security policy is not to perpetuate perfunctory audits. Instead, audits should be directed—via a risk-based methodology—towards the greatest risks and be qualitatively robust. Assuming that a form of the 80/20 rule is at work in export diversion—i.e., that a significant percentage of diversion is run through a small percentage of bad actors—easy, scripted audits uniformly applied across complete distributor populations will fail to have any appreciable impact on diversion.

Substance Drives Form, Not the Other Way Around

Substance should always drive form. This makes risk assessments a critical first step in planning an audit tailored to each company’s own risks. BIS compliance program guidelines also advise that “The audit module is a tool to help exporters develop or revise their Export Compliance Program,” and “each organization has unique requirements and will need to assess their own export activities and export programs.”[8]

As BIS primes the corporate enforcement engine,[9] companies should also incorporate the broader principles of the U.S. Department of Justice’s (“DOJ”) Evaluation of Corporate Compliance Programs.[10] In particular, risk assessments emerge as a fundamental starting point in DOJ’s evaluation of whether the corporation’s compliance program is well designed.[11]

A well-designed compliance program—including audits of it—is best thought of as ever-evolving to anticipate and adapt to new risks to the business as they emerge.

The Reliability of Inputs Requires a Reality Check…Especially in Today’s World

The classic saying from the early computing days (as then applied to military intelligence), “garbage in, garbage out,” applies well to audits of any kind. The reliability of the inputs gathered for an audit proves critical. Evaluate who may be supplying information and the sources of original supporting documentation. What incentives or pressures may they have that could compromise or erode reliability—or even veracity—in their representations and materials provided?

Examples include end-use certificates and letters of assurance. These are—essentially—self-representations. If bad actors wish to engage in export controls evasion and diversion, they will not admit as much. Such self-representations require additional effective due diligence to corroborate the information provided.[12] New tools on the market have commercially available datasets to help compliance teams address this. BIS and congressional committees already use such tools; accordingly, companies need to use them even more.[13]

Who conducts audits and gathers due diligence information also has become a critical concern amid rising geopolitical tensions and related developments in certain jurisdictions. For example, regarding audits into alleged forced labor in the People’s Republic of China (“PRC”), the U.S. Department of Homeland Security takes the following position: “As discussed in the updated Xinjiang Supply Chain Business Advisory (issued July 2021), audits, including third-party audits, are not alone sufficient to demonstrate due diligence and may not be a credible source of information for indicators of forced labor in Xinjiang.”[14]

Given that the Xinjiang Supply Chain Business Advisory is a joint seal document issued not only by the U.S. Department of Homeland Security but also by the Commerce Department (among other federal agencies), there is a risk that Commerce will apply the same standard to export controls compliance audits for entities and operations in the PRC as national security concerns invariably increase. The PRC government also has placed challenges on its own nationals’ involvement—even beyond the PRC’s borders—in furthering regulatory compliance requirements by other countries (like the U.S.).[15]

New challenges require new solutions. Compliance teams can leverage data analytics to help overcome audit and due diligence challenges in the following ways:

  • Mapping a series of data points over relevant time periods (e.g., before and after certain sanctions or export controls were imposed) can help to both draw conclusions as to compliance risk and demonstrate the apparent reliability (or not) of the data sources. Data gathered at a particular moment may have limited reliability or value, especially when viewed in isolation.
  • Taking a holistic approach (e.g., by conducting a dynamic data analysis across geographies and customers) can further buttress the reliability of such dynamic data analysis. Which new customers, and new customer locations, “picked up the slack” after certain sales had to be abandoned due to sanctions or export controls?
  • Look beyond only the responsive information provided by the audit subjects themselves to see what other or additional data exists across company functions. Remember that U.S. law generally adopts a “collective knowledge doctrine” that attributes to the corporation an aggregation of employees’ knowledge.

Relatedly, BIS issued guidance on July 10, 2024, that signals an acceptance of risk-based approaches to due diligence. This signal is echoed in the October 9 BIS guidance issued to financial institutions that cites to the “high probability” standard under the U.S. Export Administration Regulations and stratifies BIS’ expectations for risk-based due diligence between what is reasonably achievable in real time and what would only realistically be achievable in response to indications of diversion.

Practical Steps for Companies, In-House Legal and Compliance Teams, and Boards of Directors

1) Recognize that the world has changed and apply new mindsets, methodologies, and tools

Apply to export controls compliance audits a mindset that recognizes the enforcement approach has changed. This will help overcome new challenges and potential pitfalls in today’s new environment. In addition to BIS guidance, incorporate the DOJ’s as well.

Instead of simply relying on representations or assurances at face value, “trust but verify” by using new datasets and tools, and assess data points over time, to corroborate information and documentation provided.

2) Use the “substance over form” approach to drive effective audits

Ask yourself, “What is really happening here?” Watch the signals from BIS (and the DOJ). A tectonic shift is occurring in export controls as BIS reemphasizes the full definition of “knowledge” under the Export Administration Regulations, which parallels the FCPA.[16]

3) Export controls now present a central compliance risk. Engage the board of directors’ duties of oversight for compliance, including audits

Following recent court cases, the duty of oversight for officers and directors derives from the fiduciary duty of loyalty, not the duty of care as commonly assumed; accordingly, liability protections may not be available.[17] Officers and directors need to jump on the compliance oversight bandwagon. Compliance teams can leverage these duties to justify appropriate levels of attention and resources.

Footnotes

[1] ACAMS Today Podcast, Matthew S. Axelrod on the Critical Importance of Export Controls. (April 18, 2024).

[2] See United States Senate Permanent Subcommittee on Investigations, Majority Staff Report: The U.S. Technology Fueling Russia’s War in Ukraine: Examining Semiconductor Manufacturers’ Compliance with Export Controls. (Sept. 10, 2024).

[3] Id. at 3.

[4] Id. at 4.

[5] U.S. Department of Commerce Bureau of Industry and Security, Export Compliance Guidelines: The Elements of an Effective Compliance Program. (Jan. 2017).

[6] United States Senate Permanent Subcommittee on Investigations, Majority Staff Report: The U.S. Technology Fueling Russia’s War in Ukraine: Examining Semiconductor Manufacturers’ Compliance with Export Controls. (Sept. 10, 2024), at 31.

[7] Id. at 32.

[8] U.S. Department of Commerce Bureau of Industry and Security, Export Compliance Guidelines: The Elements of an Effective Compliance Program. (Jan. 2017), at 35.

[9] See Brent Carlson & Michael Huneke, BIS Primes the Corporate Enforcement Engine: A Fresh Look at What Recent BIS Actions & Statements Mean and a Proposed Framework for How U.S. Companies Can Best Prepare, NYU PCCE Blog (May 30, 2024).

[10] See U.S. Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs. (Updated Sept. 2024).

[11] Id. at 2–3.

[12] See Brent Carlson & Michael Huneke, It May Not Be Worth the Paper (or Pixel) It’s Written On (Part 1): A Fresh Look at Letters of Assurance Used to Bolster Sanctions and Export Controls Compliance, NYU PCCE Blog (Aug. 2, 2024).

[13] See Brent Carlson & Michael Huneke, A Whole New National Security Ballgame: Key Practical Takeaways for Export Control Compliance from the 2024 BIS Update Conference, NYU PCCE Blog (Apr. 5, 2024).

[14] U.S. Department of Homeland Security, Office of Strategy, Policy, and Plans: Strategy to Prevent the Importation of Goods Mined, Produced, or Manufactured with Forced Labor in the People’s Republic of China, Report to Congress June 17, 2022, at 44. See also the joint seal Xinjiang Supply Chain Business Advisory (July 13, 2021).

[15] See Regulations of the People’s Republic of China on Export Control of Dual-Use Items (Sept. 30, 2024), and China’s Anti-Foreign Sanctions Law (June 10, 2021).

[16] See BIS, Guidance to Industry on BIS Actions Identifying Transaction Parties of Diversion Risk, at 1 (July 10, 2024).

[17] See Brent Carlson & Michael Huneke, Boards of Directors Lovin’ It after McDonald’s? A Fresh Look at Directors’ Duty of Oversight in the New Era of Sanctions & Export Control Corporate Enforcement, NYU PCCE Blog (Jan. 12, 2024).

Brent Carlson is a Director at the Berkeley Research Group and Michael Huneke is a Partner at Hughes Hubbard & Reed LLP. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).