
Export controls penalties that were previously peanuts compared to FCPA penalties are now becoming more like elephants, with the “high probability” standard driving the stampede.
On July 28, 2025, DOJ and BIS announced a $140 million resolution with an electronic design automation (“EDA”) exporter via a guilty plea[1] and BIS settlement[2] over exports to China.
The BIS settlement turned on what the exporter had “reason to know, including awareness of a high probability” (aka the “high probability” standard), and not just actual knowledge—an escalation in BIS’s use of the full definition of “knowledge” under the U.S. Export Administration Regulations (“EAR”).[3] Recent BIS guidance in July 2024, October 2024, and May 2025 foreshadowed this shift,[4] as did an August 15, 2025, $5.8 million settlement.[5]
For practical guidance on the “high probability” standard, see prior “Fresh Looks” posts.[6]
This recent case also warrants an update of the November 14, 2023, comparison of export controls and FCPA enforcement, which likewise leveraged the “high probability” standard.[7]
What Facts Created “High Probability” Awareness?
Regulators expect companies to learn from prior resolutions. Here, that means understanding what facts were considered sufficient to create “reason to know, including awareness of a high probability.”
On February 18, 2015, China’s National University of Defense Technology (“NUDT”) was placed on BIS’s “Entity List,” thereby requiring a license for any exports, reexports, or in-country transfers to NUDT of items subject to the EAR. However, after NUDT was placed on the Entity List, unlicensed business continued via another purchaser, Central South CAD Center (“CSCC”).
That the exporter had “reason to know, or awareness of circumstances that should have prompted further due diligence, that” CSCC was in fact “an alias of” NUDT[8] was indicated by:
- The address for CSCC “closely matches” an address on the NUDT campus.[9]
- Certain of the exporter’s local employees in China “sometimes used the acronym ‘CSCC’ together with the Chinese characters for NUDT (国防科技大学) in correspondence, indicating a link between the two.”[10]
- Sales personnel at the exporter’s local subsidiary in China had “familiarity and interaction” with CSCC personnel because CSCC was a “key account” for them; “certain personnel within [the exporter’s local subsidiary in] China across multiple roles had reason to know that CSCC was an alias for NUDT.”[11] This included sending invitations and documents to CSCC employees via NUDT email addresses.[12] Sales personnel also associated CSCC with supercomputers made by NUDT (for nuclear explosives).[13] Similarly, certain CSCC employees were communicating using @phytium.com.cn email addresses, associated with another front company, Phytium Technology Co. Ltd. (“Phytium”); such email addresses were associated with CSCC contacts in the exporter’s customer database.[14]
- Technical personnel at the China subsidiary had meetings with CSCC personnel whom they had previously identified as NUDT personnel, communicated via an NUDT email address, and installed the hardware at NUDT locations.[15]
- Finance personnel “periodically weighed in on credit concerns with CSCC” and noted that CSCC had no Internet presence (in English or Chinese) and no discernable credit history.[16] These concerns, specifically the “inability to verify information about CSCC in connection with its check of CSCC’s credit,” “should have prompted further due diligence.”[17]
- Legal personnel involved in discussing the reassignment of CSCC contracts to Phytium “provided a now-former sales group director in China with draft assignment letters for the IP and asked her to obtain relevant contact and location information from Phytium, noting, ‘of course the email addresses should all be @phytium.com.cn corporate addresses.’”[18] The same personnel wrote, “I know it’s two different parties, CSCC and Phytium, but we also know they are related with respect to all these transactions.”[19]
- Engineering personnel explained to the same legal personnel that they would move “the ‘enterprises’ in our system from CSCC to Phytium” and that they would “ensure all the appropriate Phytium contacts are moved in [the customer database] to Phytium (many are CSCC now).”[20]
- Materials personnel sent audit letters for both CSCC and Phytium as attachments to a single email “to a Phytium representative known by [the exporter’s local subsidiary in] China to be associated with both CSCC and NUDT.”[21]
The Impact of General Prohibition 10
Further violations were committed when, after the exporter stopped sales to CSCC, the exporter transferred—in violation of General Prohibition 10 (“You may not . . . transfer . . . any item subject to the EAR . . . with knowledge that a violation of the [EAR] . . . has occurred . . . in connection with the item.”)—CSCC’s hardware, software and technology to Phytium.[22]
Beware the Collective Knowledge Doctrine
The above facts illustrate the “collective knowledge doctrine” under U.S. white-collar corporate enforcement. Under this doctrine, it is permissible to infer “corporate” knowledge of facts—but not “intent”—“through the accumulation of individual knowledge” across employees.[23]
There is no allegation that the exporter’s one-person trade compliance team was aware of the above facts.[24] Instead, it was the collective knowledge of sales, technical, finance, legal, engineering, and materials personnel that gave the exporter “reason to know, including awareness of a high probability” of the violations.
Practically speaking, trade compliance personnel cannot survey their entire company’s knowledge regarding every transaction in international commerce. But when “red flags” indicate a potential violation of U.S. export controls, trade compliance personnel should consider who else is reasonably likely to have information relevant to the assessment and potential mitigation of such red flags.
The Insufficiency of Letters of Assurance / End-Use Certifications in the Face of “Red Flags”
In the face of the above “red flags,” traditional self-certifications were not sufficient.
For example, “When confronted with export compliance-related issues, [the exporter] undertook additional due diligence to address such red flags, including requesting a Letter of Assurance from CSCC in January 2019 to confirm that there was no prohibited end-use and/or end-user involved in transactions with CSCC.”[25]
Additionally, “[the exporter] sought and received from Phytium confirmation that its products were not military items, used to support a military item, or used to support or contribute to the operation, installation, repair, refurbishing, development, or production of a military item. Phytium also confirmed that it would not allow any person connected with or employed by an entity on the Entity List to use [the exporter’s] products in violation of U.S. law.”[26]
Neither of the above was sufficient to avoid or reduce the $140 million penalty.
Software Downloads by Customers after Listing
Several customers continued to download controlled software even after they were placed on the Entity List, “due to certain system-level gaps” in “established compliance processes and procedures for terminating transactions with companies who were later designated on the Entity List.” Because no license was sought (and received) to permit these software downloads, these downloads also violated U.S. export controls.[27]
Updated Comparison between U.S. Export Controls & FCPA Penalties
By leveraging the “high probability” standard, BIS stands poised to bring more enforcement actions, resolve them faster, and levy much higher penalties. Below is an update to the November 2023 comparison between FCPA and export controls penalties. Export controls penalties still lag far behind, but the new BIS enforcement playbook indicates that penalties will continue to increase.

Key Takeaways
- The era of “high probability” enforcement and compliance has arrived. The July 28, 2025 resolution is another step by the government in following an “FCPA playbook” in export controls enforcement.
- Other exporters should review the above facts and consider whether they have similar risks. Neither BIS nor DOJ should be expected to assume, given the volume of sales to China and the importance to Chinese companies of obtaining controlled items and technology, that the indirect sales to NUDT through CSCC and Phytium are isolated incidents.
- In the face of “red flags” suggesting that a purchaser is an “alias” or a front company for a restricted end-use or end-user, reliance on traditional self-certifications by counterparties is likely to exacerbate, rather than mitigate, the compliance and enforcement risks. This has important implications for the new “Affiliates Rule,” announced by BIS with immediate effect on September 29, 2025, which is covered in detail in a two-part podcast.[28]
Footnotes
[1] Plea Agreement, U.S. v. Cadence Design Systems, Inc., CR 25-00217-EJD (SVK) (N.D. Cal. July 28, 2025).
[2] U.S. Dept. of Comm., Bureau of Indus. & Security, Settlement Agreement, In the Matter of Cadence Design Systems, Inc. (July 28, 2025).
[3] See p. 2 of the BIS Settlement Agreement: “Pursuant to Section 772.1 of the EAR, ‘knowledge of a circumstance (the term may be a variant, such as “know,” “reason to know,” or “reason to believe”) includes not only positive knowledge that the circumstance exists or is substantially certain to occur, but also an awareness of a high probability of its existence or future occurrence.’ 15 C.F.R. § 772.1. This awareness may be inferred from evidence of a person’s conscious disregard of known facts or a person’s willful avoidance of facts.”
[4] BIS, Guidance to Industry on BIS Actions Identifying Transaction Parties of Diversion Risk (July 10, 2024); BIS, Bureau of Industry and Security Issues New Guidance to Financial Institutions on Best Practices for Compliance with the Export Administration Regulations (Oct. 9, 2024); BIS, Department of Commerce Announces Rescission of Biden-Era Artificial Intelligence Diffusion Rule, Strengthens Chip-Related Export Controls (May 13, 2025) (collecting three guidance documents).
[5] U.S. Dept. of Comm., Bureau of Indus. & Security, BIS Imposes $5.8 Million Penalty Against Pennsylvania Company for Shipments of Low-Level Items to Parties Tied to the PRC’s Hypersonics, UAV, and Military Electronics Programs (Aug. 15, 2024).
[6] Collected at https://wp.nyu.edu/compliance_enforcement/tag/brent-carlson/; see, e.g., Brent Carlson, When Loopholes Create Liability Pitfalls: A Fresh Look at Export Controls, NYU Program on Corporate Compliance & Enforcement (“PCCE”) Blog (Aug. 25, 2023); Brent Carlson & Michael Huneke, Know Your Customer, But Also Yourself: A Fresh Look at Sanctions & Export Controls Risk Assessments in the Era of the “New FCPA,” NYU PCCE Blog (Sept. 28, 2023); Brent Carlson & Michael Huneke, Slow is Smooth, Smooth is Fast: A Fresh Look at Planning and Executing Internal Investigations into Allegations of Sanctions or Export Controls Evasion, NYU PCCE Blog (Oct. 30, 2023); Brent Carlson & Michael Huneke, How Not to Stand Out Like a Sore Thumb (Part 2): A Fresh Look at the “High Probability” Definition of Knowledge Applied to Export Controls and Sanctions Enforcement, NYU PCCE Blog (Feb. 21, 2024); and Brent Carlson & Michael Huneke, Avoid Kicking the Hornet’s Nest: A Fresh Look at How to Anticipate, Avoid, and Respond to BIS Administrative Subpoenas (Part 1), NYU PCCE Blog (Sept. 19, 2024).
[7] Brent Carlson & Michael Huneke, From Peanuts to Prison Time – A Fresh Look at the Evolution of Export Controls Penalties, NYU PCCE Blog (Nov. 14, 2023).
[8] BIS Settlement Agreement at p.2.
[9] Id. at ¶ 6.
[10] Id. at ¶ 7.
[11] Id. at ¶ 8.
[12] Id. at ¶¶ 11–15.
[13] Id. at ¶¶ 11–15.
[14] Id. at ¶ 30.
[15] Id. at p.4 & ¶¶ 23–24.
[16] Id. at ¶¶ 26–27.
[17] Id. at ¶¶ 22 & 27.
[18] Id. at ¶ 31.
[19] Id. at ¶ 32.
[20] Id. at ¶ 33.
[21] Id. at ¶ 34.
[22] Id. at p.3.
[23] See, e.g., U.S. v. SAIC, 626 F.3d 1257, 1275–76 (D.C. Cir. 2010) (citing and distinguishing U.S. v. Bank of New England, 821 F.2d 844, 856 (1st Cir. 1987)).
[24] See also Plea Agreement, Attachment A1 (Statement of Facts) ¶ 30, U.S. v. Cadence Design Systems, Inc., CR 25-00217-EJD (SVK) (N.D. Cal. July 28, 2025) (“During the relevant time period through 2019, Cadence employed one export control officer with responsibility over Cadence’s export control compliance program.”).
[25] BIS Settlement at ¶ 22.
[26] Plea Agreement, Attachment A1 (Statement of Facts) ¶ 41.
[27] BIS Settlement at ¶¶ 39–40.
[28] See Episodes 28 and 29 of the “Red Flags Rising” podcast available at Apple, Spotify, and RSS.
Brent Carlson is the founder of Red Flags Rising Solutions LLC. The views expressed herein are the author’s own and do not reflect the views of his organizations, or of the partners or employees thereof.
