Category Archives: Sanctions

Department of Commerce, Department of the Treasury, and Department of Justice Tri-Seal Compliance Note: Obligations of foreign-based persons to comply with U.S. sanctions and export control laws

by the Department of Commerce, Department of the Treasury, and Department of Justice

Photos of authors

OVERVIEW

Today’s increasingly interconnected global marketplace offers unprecedented opportunities for companies around the world to trade with the United States and one another, contributing to economic growth. At the same time, malign regimes and other bad actors may attempt to misuse the commercial and financial channels that facilitate foreign trade to acquire goods, technology, and services that risk undermining U.S. national security and foreign policy and that challenge global peace and prosperity. In response to such risks, the United States has put in place robust sanctions and export controls to restrict the ability of sanctioned actors to misuse the U.S. financial and commercial system in advance of malign activities.

These measures can create legal exposure not only for U.S. persons, but also for non-U.S. companies who continue to engage with sanctioned jurisdictions or persons in violation of applicable laws. To mitigate the risks of non-compliance, companies outside of the United States should be aware of how their activities may implicate U.S. sanctions and export control laws. This Note highlights the applicability of U.S. sanctions and export control laws to persons and entities located abroad, as well as the enforcement mechanisms that are available for the U.S. government to hold non-U.S. persons accountable for violations of such laws, including criminal prosecution. It further provides an overview of compliance considerations for non-U.S. companies and compliance measures to help mitigate their risk.

Continue reading →

“Expect Some Illumination”: A Fresh Look at U.S. Congressional Hearings in the Era of Sanctions and Export Controls as the New FCPA

by Brent Carlson and Michael Huneke

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

The 118th U.S. Congress has taken an active and bipartisan interest in U.S. sanctions and export controls. With reports that U.S. executives have been asked to testify before the U.S. House Select Committee on the Chinese Communist Party[1] and recent hearings before a U.S. Senate subcommittee previewing further questions for both companies and regulators,[2] U.S. companies whose products might require a license for export to China or that might be found in Russian or Iranian weapons should prepare for congressional scrutiny—and congressional pressure on the U.S. Executive Branch departments to deliver enforcement results. Continue reading →

President Biden Issues Executive Order Granting Authorities to Regulate the Transfer of Sensitive U.S. Data to Countries of National Security Concern

by Eric J. Kadel Jr., Sharon Cohen Levin, Nicole Friedlander, Anthony J. Lewis, Andrew J. DeFilippis, Joshua Spiegel, and George L. McMillan

Top left to right: Eric J. Kadel Jr., Sharon Cohen Levin, Nicole Friedlander, Anthony J. Lewis.
Bottom left to right: Andrew J. DeFilippis, Joshua Spiegel and George L. McMillan. (Photos courtesy of Sullivan & Cromwell LLP).

SUMMARY

On February 28, 2024, President Biden issued Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Executive Order”), delegating new authorities to the U.S. Department of Justice (“DOJ”) and other agencies to regulate the transfer of sensitive U.S. data to countries of national security concern. The Executive Order focuses primarily on personal and other sensitive information, such as U.S. persons’ financial information, biometric data, personal health data, geolocation data, and information relating to government personnel and facilities.[1]

Continue reading →

Commerce Department Proposes Cybersecurity/AI Reporting and “KYC” Requirements for Certain Cloud Providers

by Robert Stankey, K.C. Halm, Michael T. Borgia, Andrew M. Lewis, and Assaf Ariely

Left to right: Robert Stankey, K.C. Halm, Michael T. Borgia, Andrew M. Lewis, and Assaf Ariely (photos courtesy of Davis Wright Tremaine LLP)

IaaS providers would need to verify foreign users’ identities (aka “know your customer”) and report certain AI model training activities under the proposed rules

The U.S. Department of Commerce’s (“Commerce”) Bureau of Industry and Security (“BIS”) has issued a proposed rule (the “Proposed Rule”) that would impose significant diligence, reporting, and recordkeeping requirements on U.S. providers of Infrastructure as a Service (IaaS) and their foreign resellers. IaaS is generally considered to be a cloud computing model that provides users with remote access to servers, storage, networking, and virtualization.

The Proposed Rule would require U.S. IaaS providers to:

Implement and maintain a “Customer Identification Program” (CIP), which must include detailed know-your-customer (KYC) procedures for identifying and reporting foreign customers to Commerce; and
Report transactions involving foreign persons that “could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.”

Continue reading →

How Not to Stand Out Like a Sore Thumb (Part 2): A Fresh Look at the “High Probability” Definition of Knowledge Applied to Export Controls and Sanctions Enforcement

by Brent Carlson and Michael Huneke

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

Media coverage concerning the widespread use of U.S. or Western microelectronics in recovered Russian- or Iranian-manufactured missiles and drones is putting pressure on governments, manufacturers, and exporters to consider ways to reduce more effectively the flows of such items to prohibited end-users. Even considering that many of the items are ubiquitous consumer electronics, the discovery of such items after mass-casualty events—including fatalities—on the front lines puts manufacturers and exporters on the front pages and in the crosshairs of U.S. regulators, prosecutors, media, and congressional committees. However the items arrived on the battlefield, their presence begs the questions of how and through whom they arrived. Continue reading →

How Not to Stand Out Like a Sore Thumb (Part 1): A Fresh Look at the “Willful” Intent Standard for Criminal Liability in Export Controls and Sanctions Corporate Enforcement

by Brent Carlson and Michael Huneke

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

“The ‘willfulness’ standard for criminal prosecutions appears nearly insurmountable to reach.”

So concluded a “90-Day Review Report” issued January 2, 2024 by the Chairman of the Foreign Affairs Committee of the U.S. House of Representatives, following congressional hearings in May and December 2023.[1] The report further contended that “the statutory requirement to prove ‘willfulness’” for there to be a criminal violation of U.S. export controls (and sanctions) is a “high bar” that “often results in [the Department of Commerce’s Bureau of Industry & Security (“BIS”)] export enforcement personnel pursuing administrative enforcement actions with lower penalties,” compared to the alternative (unstated but implied by the report) of U.S. Department of Justice (“DOJ”) personnel pursuing criminal penalties.[2]

This conclusion is not accurate. BIS is not itself responsible for criminal enforcement, yet it has partnered closely with the DOJ’s National Security Division—including by co-leading the inter-agency Disruptive Technology Strike Force launched on February 16, 2023—to bring several high-profile convictions or resolutions. Nor is the requirement to prove willfulness “insurmountable” for U.S. federal prosecutors, whose cases achieve the standard regularly and can do so not only with direct evidence of intent but also indirect evidence, i.e., the relevant facts and circumstances. Such facts and circumstances often—especially in the eyes of jurors—make the willful nature of criminal evasion schemes stand out like a sore thumb. Continue reading →

SEC Continues to Elevate its Enforcement of Rule 21F-17(a)

by Benjamin Calitri

Benjamin Calitri (photo courtesy of Kohn, Kohn, and Colapinto LLP)

In January 2024, the SEC announced an $18 million settlement with J.P Morgan Securities for violations of Rule 21F-17(a), demonstrating its increased enforcement of the whistleblower rule, which prohibits any person from “tak[ing] any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement.” This follows a $10 million enforcement against D.E. Shaw, showing the SEC’s new stance of Rule 21F-17(a): sanctions that are actually large enough to deter illegal NDAs.

The SEC Enforcement Order found that J.P. Morgan Securities (JPMS) typically requested certain clients sign a Release if they received a credit or settlement of over $1,000, regardless of whether JPMS admitted or denied any error or wrongdoing in connection with the credit or settlement.

Continue reading →

Creating A European Union-Wide Anti-Money Laundering/Counter Financing of Terrorism Regime (Part I): The Anti-Money Laundering Authority

by Jonathan J. Rusch

Photo courtesy of the author

Introduction

Since 2018, when the then-European Commissioner for Justice Věra Jourová described the Danske Bank money-laundering catastrophe[1] as “the biggest scandal in Europe”[2], the European Commission (EC), as the politically independent executive arm of the European Union (EU)[3], has worked assiduously to repair the substantial defects in Europe’s anti-money laundering and counter-financing of terrorism (AML/CFT) mechanisms.

Continue reading →

Matthew Axelrod, Assistant Secretary for Export Enforcement, Delivers Remarks on Enhancements to Voluntary Self-Disclosure Policies for Export Control Violations at PCCE Event on January 16, 2024

On January 16, 2024, the NYU Law Program on Corporate Compliance and Enforcement hosted Matthew Axelrod, Assistant Secretary for Export Enforcement at the Bureau of Industry and Security (BIS) at the U.S. Department of Commerce, to deliver remarks on enhancements to BIS’s corporate enforcement policy for voluntary self-disclosures of export control violations. Assistant Secretary Axelrod’s speech was accompanied by the release of an enforcement policy memo, available here. After Secretary Axelrod’s remarks, he participated in a fireside chat and took questions from the audience. The event also featured a panel of experts on export control enforcement policy. A full agenda of the event is available here.

Continue reading →

Boards of Directors Lovin’ It after McDonald’s? A Fresh Look at Directors’ Duty of Oversight in the New Era of Sanctions & Export Control Corporate Enforcement

by Brent Carlson and Michael Huneke

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

In this era of heightened geopolitical tensions with a renewed focus on national security, a perfect storm of liability risk is brewing for boards of directors.

Sanctions and export controls violations can be costly and dangerous, with multi-billion-dollar fines and jail sentences imposed in 2023.

For companies engaged in international trade, these events engage directors’ fiduciary duties. Looking to bellwether Delaware corporate law, Delaware’s Chancery Court recently reiterated in the McDonald’s shareholder litigation that directors’ Caremark duty of oversight is a function of their duty of loyalty. As such, this reinforces the limits of the protections directors would otherwise have if it were instead a function of the duty of care—under both the business judgment rule and “exculpation,” i.e., the option corporations have to excuse in their certificates of incorporation directors’ liability for breaches of their duty of care (but not of loyalty).[1] Directors’ duty of oversight further requires ensuring that they receive information regarding any “central compliance risks,” not just “mission critical” risks, and that there is an appropriate response to red flags. Continue reading →