Category Archives: U.S. Department of Commerce (Commerce)

From Peanuts to Elephant-Sized Penalties:  A Fresh Look at Recent U.S. Export Controls Enforcement Developments & Future Trends

by Brent Carlson

Photo courtesy of the author

Export controls penalties that were previously peanuts compared to FCPA penalties are now becoming more like elephants, with the “high probability” standard driving the stampede.

On July 28, 2025, DOJ and BIS announced a $140 million resolution with an electronic design automation (“EDA”) exporter via a guilty plea[1] and BIS settlement[2] over exports to China.

The BIS settlement turned on what the exporter had “reason to know, including awareness of a high probability” (aka the “high probability” standard), and not just actual knowledge—an escalation in BIS’s use of the full definition of “knowledge” under the U.S. Export Administration Regulations (“EAR”).[3] Recent BIS guidance in July 2024, October 2024, and May 2025 foreshadowed this shift,[4] as did an August 15, 2025, $5.8 million settlement.[5]

For practical guidance on the “high probability” standard, see prior “Fresh Looks” posts.[6]

This recent case also warrants an update of the November 14, 2023, comparison of export controls and FCPA enforcement, which likewise leveraged the “high probability” standard.[7]

Continue reading

It May Not Be Worth the Paper (or Pixel) It’s Written On (Part 1): A Fresh Look at Letters of Assurance Used to Bolster Sanctions and Export Controls Compliance

by Brent Carlson and Michael Huneke

photos of the authors

Left to right: Brent Carlson and Michael Huneke (Photos courtesy of the authors)

“The world has changed. And we must change with it.” So stated Assistant Secretary of Commerce for Export Enforcement Matt Axelrod at a recent summit in California.[1] This simple statement reflects the increasingly complex challenges companies now face in navigating export controls and sanctions in a world driven by new geopolitical realities.

These challenges call into questions past assumptions about compliance programs. The foundation of a robust compliance program starts with the reliability of the inputs relied upon to make informed, risk-based decisions. In the halcyon days of the post-Cold War era, export controls took on an administrative character. In that environment, certifications from counterparties—themselves the targets of the due diligence—were taken largely at face value. Yet today passive reliance, without more, carries profound risks because export controls and sanctions enforcement has already become more of a white-collar corporate enforcement environment driven by Russia’s continued ability to secure U.S.-brand microelectronics (both legacy and new production). Certifications alone accordingly may not be worth the paper they are written on—or the pixels of which they are made—especially when other data includes “red flags” that cast doubt on certifications’ veracity.

Continue reading

Department of Commerce, Department of the Treasury, and Department of Justice Tri-Seal Compliance Note: Obligations of foreign-based persons to comply with U.S. sanctions and export control laws

by the Department of Commerce, Department of the Treasury, and Department of Justice

Photos of authors

OVERVIEW

Today’s increasingly interconnected global marketplace offers unprecedented opportunities for companies around the world to trade with the United States and one another, contributing to economic growth. At the same time, malign regimes and other bad actors may attempt to misuse the commercial and financial channels that facilitate foreign trade to acquire goods, technology, and services that risk undermining U.S. national security and foreign policy and that challenge global peace and prosperity. In response to such risks, the United States has put in place robust sanctions and export controls to restrict the ability of sanctioned actors to misuse the U.S. financial and commercial system in advance of malign activities.

These measures can create legal exposure not only for U.S. persons, but also for non-U.S. companies who continue to engage with sanctioned jurisdictions or persons in violation of applicable laws. To mitigate the risks of non-compliance, companies outside of the United States should be aware of how their activities may implicate U.S. sanctions and export control laws. This Note highlights the applicability of U.S. sanctions and export control laws to persons and entities located abroad, as well as the enforcement mechanisms that are available for the U.S. government to hold non-U.S. persons accountable for violations of such laws, including criminal prosecution. It further provides an overview of compliance considerations for non-U.S. companies and compliance measures to help mitigate their risk.

Continue reading

Commerce Department Proposes Cybersecurity/AI Reporting and “KYC” Requirements for Certain Cloud Providers

by Robert Stankey, K.C. Halm, Michael T. Borgia, Andrew M. Lewis, and Assaf Ariely

Photos of authors

Left to right: Robert Stankey, K.C. Halm, Michael T. Borgia, Andrew M. Lewis, and Assaf Ariely (photos courtesy of Davis Wright Tremaine LLP)

IaaS providers would need to verify foreign users’ identities (aka “know your customer”) and report certain AI model training activities under the proposed rules

The U.S. Department of Commerce’s (“Commerce”) Bureau of Industry and Security (“BIS”) has issued a proposed rule (the “Proposed Rule”) that would impose significant diligence, reporting, and recordkeeping requirements on U.S. providers of Infrastructure as a Service (IaaS) and their foreign resellers. IaaS is generally considered to be a cloud computing model that provides users with remote access to servers, storage, networking, and virtualization.

The Proposed Rule would require U.S. IaaS providers to:

  • Implement and maintain a “Customer Identification Program” (CIP), which must include detailed know-your-customer (KYC) procedures for identifying and reporting foreign customers to Commerce; and
  • Report transactions involving foreign persons that “could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.”

Continue reading