Bankers Worldwide: You May Not Be Interested in Export Controls, But They Are Interested in You

On October 9, 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) released a six-page guidance statement (the Guidance) to financial institutions (FIs) regarding best practices under the Export Administration Regulations (EAR). Many FIs are well acquainted with U.S. economic sanctions and anti-money laundering laws and regulations, but few have invested in more than the most rudimentary export controls compliance functions. The Guidance highlights the risks to and expectations of FIs under the EAR and applies equally to both U.S. and foreign banks and other FIs engaging in cross-border activity. Below, we provide the context, risks, and, most importantly, our thoughts on the expectations that the Guidance articulates.

I. The Steady March Toward Greater Export Controls Expectations of FIs

While the bases for regulation of FIs under the EAR have been on the books for many years, FIs have not traditionally had to contend with intense scrutiny by BIS. Russia’s further invasion of Ukraine, as in many areas of trade regulation, prompted greater collaboration and creativity between and among U.S. and partners’ international trade agencies. In the first-ever joint alert by BIS and FinCEN in 2022, the agencies requested FIs use the key term “FIN2022-RUSSIABIS” in Suspicious Activity Reports (SARs) for suspected Russia-related export controls evasion, and provided a list of 16 “commodities of concern.” In May 2023, BIS and FinCEN provided supplemental guidance on the Russia-related effort, and in a November 2023 joint guidance, the agencies provided the key term “FIN-2023-GLOBALEXPORT” for inclusion on SARs for all non-Russia-related suspected evasion. Each of those joint notices provides significant commentary on potential red flags FIs should look out for, to supplement the non-exhaustive list at 15 C.F.R. Part 732 Supplement No. 3. Finally, BIS worked with allies to construct the Common High Priority List (CHPL) in February 2024, a list of items by six-digit Harmonized Tariff Schedule code that are at a high risk for diversion to Russia.

II. Extraterritorial Scope of U.S. Export Controls

The EAR and other U.S. export controls focus primarily on the global movement or transmission, physically or electronically, of goods, software, and technology/technical data (collectively, “Items”). In addition to exports from the United States, subsequent “reexports” or “in-country transfers” occurring wholly outside the United States remain within BIS’s jurisdiction, and even some Items produced outside the United States can come under BIS’s jurisdiction due to the incorporation of more than a de minimis amount of U.S.-origin controlled content or due to being produced using U.S. software, technology, or equipment under certain circumstances. Such Items and transactions are referred to as “subject to the EAR.” Interestingly, the Guidance casually included one of its most explicit written statements ever on EAR jurisdiction over foreign-produced microelectronics and integrated circuits (i.e., semiconductors), BIS stated that “nearly all” such Items fall under its jurisdiction.

It is also worth noting that the EAR and U.S. military export controls under the International Traffic in Arms Regulations (ITAR) contain restrictions on certain “activities” or “defense services,” respectively, by U.S. persons. Even non-U.S. persons activities and services occurring outside the United States, regardless of currency, can be regulated, as illustrated by examples such as General Prohibition Ten (GP 10) under the EAR, or arms-brokering controls imposed on non-U.S. persons owned or controlled by U.S. persons under the ITAR.

III. Export Controls Risks to FIs

The primary export controls risk to FIs is a GP 10 violation. GP 10 prohibits “[p]roceeding with transactions with knowledge that a violation has occurred or is about to occur.” Specifically, no person (including individuals and entities, domestic and foreign) may:

sell, transfer, export, reexport, finance, order, buy, remove, conceal, store, use, loan, dispose of, transport, forward, or otherwise service, in whole or in part, any item subject to the EAR and exported, reexported, or transferred (in-country) or to be exported, reexported, or transferred (in-country) with knowledge that a violation of the Export Administration Regulations, the Export Control Reform Act of 2018, or any order, license, license exception, or other authorization issued thereunder has occurred, is about to occur, or is intended to occur in connection with the item. 15 C.F.R. § 736.2 (emphases added).

“Knowledge” under the EAR includes not only actual knowledge but also “an awareness of a high probability of [a circumstance’s] existence or future occurrence” where “[s]uch awareness is inferred from evidence of the conscious disregard of facts known” or a “willful avoidance” of facts.

The Guidance also highlights the EAR’s prohibitions on certain “activities” by U.S. persons (which include foreign branches of U.S. entities). These controls can prohibit U.S. persons from facilitation activities relating to some Items not “subject to the EAR.”

Most EAR violations are subject to civil penalties under the of the Export Control Reform Act of 2018 (ECRA) of the greater of $364,992 and twice the transaction value. While there is a “knowledge” requirement for some EAR violations – such as GP 10 – the EAR operate a strict liability regime (no intent required) for civil violations. Criminal violations under ECRA are subject to penalties of up to $1 million, imprisonment for 20 years, or both, per violation.

IV. Expectations of FIs Arising from the Guidance

The Guidance appears calculated to push FIs’ export controls compliance postures forward through onboarding and periodic heightened due diligence (HDD) and targeted “real-time” compliance measures. Additionally, the Guidance aims to enlist FIs in BIS’s intelligence-gathering activities through post-transaction red flag identification, mitigation, and reporting. While the Guidance appears to have been written with wire transfers in mind, where FIs have exceedingly little access to information or ability to identify red flags in real time, it does not necessarily illuminate BIS’s thinking on how the obligations might increase in a trade finance transaction – such as issuance of a letter of credit – where the FI is still providing an ancillary service to the underlying export, reexport, or transfer, albeit more actively involved than in a wire transaction.

A. Periodic Heightened Due Diligence

At onboarding and periodically thereafter, the Guidance asks FIs to conduct HDD for both list-based and CHPL Russia evasion reasons:

• List-Based: The Guidance asks FIs to “heavily weigh” a customer’s presence on a BIS restricted-party list when determining the EAR violation risk profile of the customer. While FIs, including many foreign FIs, are already comfortable screening against economic sanctions lists, such as the Specially Designated Nationals and Blocked Persons List (SDN List), export controls lists present a different set of restrictions that depend less on the nexus to a U.S. person and instead rely more on the U.S. jurisdiction over the underlying Item. Such lists include the BIS Entity List, Military End-User (MEU) List, Military-Intelligence End-User (MIEU) List, Denied Persons List, and Unverified List, as well as the Directorate of Defense Trade Controls’ Debarred Parties List.
• Russia Evasion: The Guidance asks FIs to employ publicly available trade intelligence to determine whether customers’ past transactions (looking back to 2023) have been identified as involving CHPL Items going to Russia. Consistent with BIS’s increasing separation of the entity-based and location-based screening functions with its first-ever designation of addresses (with no party names) on the Entity List in June, the Guidance indicates addresses with a publicly available CHPL Item history deserve close scrutiny. The Guidance also indicates reviews of customers’ customers may even be appropriate, depending on the circumstances.

If one or both are triggered, and if the Items are “subject to the EAR,” the Guidance recommends FIs require their customer to certify that it:

• has sufficient controls in place to comply with the EAR, including screening transactions against lists of persons subject to BIS’s end-user restrictions;
• exercises HDD for exports, reexports, or transfers to destinations subject to BIS-administered embargoes or broad trade restrictions, such as Russia; and
• engages in HDD processes for Items included on the Commerce Control List or the CHPL.

B. “Real-Time” Screening

In recognition of the extreme difficulty of “real-time” screening for export controls purposes, especially in the case of wire transactions where a FI might process millions of transfers in a day, the Guidance states that as a baseline starting point, “BIS does not expect FIs to engage in real-time screening of parties to a transaction to prevent violations of GP 10.”

However, the exception to that default under the Guidance is that FIs perform real-time screening of the ordering customer and the beneficiary customer in a SWIFT message involving cross-border payments for a targeted set of problematic transaction parties under the EAR, including parties on the:

• Denied Persons List;
• MIEU List (contrast with the much larger MEU List); and
• Entity List, but only if designated as a footnote 3 or 4 entity, or subject to nuclear, chemical and biological, and/or rocket systems or unmanned aerial vehicle end-use license review policies (collectively, with the Denied Persons List and the MIEU List, the “FI Real-Time Screening Lists”).

BIS is apparently comfortable with FIs continuing to process, in the very first instance, cross-border wires for “less” risky but otherwise problematic parties under the EAR (e.g., all persons on the Unverified List or the MEU List who are not otherwise listed in the FI Real-Time Screening Lists above). Of course, BIS’s “real-time” screening expectations are in addition to and do not supplant all the pre-existing economic sanctions and other screening an FI is already performing.

C. Post-Transaction Reviews

The Guidance instructs that FIs should not consider the exercise over after a transaction clears. The onboarding and real-time screening notwithstanding, BIS also expects FIs to conduct risk-based post-transaction reviews and to mitigate red flags identified or else risk incurring “knowledge” for purposes of GP 10 for any future transactions involving the relevant party. The Guidance suggests the reviews would include resolving matches to parties on the full suite of U.S. export controls restricted-parties lists (and not just the FI Real-Time Screening Lists above). Following up on such negative screening results for mere wire transfers could grind the system to a halt or increase costs beyond tolerable levels.

The Guidance also highlights red flags involving refusals by a customer to provide information upon a request, identification of addresses co-located with a party on the Entity List or SDN List, and/or last-minute changes in payment routing away from a country of concern as red flags that can’t arise twice for the same party without satisfactory mitigation by the FI.

Most likely, BIS intends to target foreign FIs it has reason to believe are continuously processing questionable transactions for enforcement. However, U.S. FIs or foreign FIs that closely adhere to U.S. regulatory requirements will have a particularly uncomfortable dilemma deciding how far to go (and how much money and time to spend) on satisfying BIS’s expectations.

V. The Updated BIS Voluntary Self-Disclosure Process

The Guidance should be viewed in the context of recent policy announcements and regulatory changes by the BIS Office of Export Enforcement (OEE). In particular, on September 12, 2024, BIS memorialized in the EAR how the OEE will process voluntary self-disclosures (VSDs) involving minor or technical violations within 60 days with either a no-action or warning letter. The amendments also describe a more abbreviated narrative requirement for such minor/technical violations, endorse bundling into quarterly submissions, and clarify that disclosure of other persons’ conduct leading to an enforcement counts as “exceptional cooperation” for any future violations by the discloser. FI compliance departments should become familiar with the EAR’s VSD process at 15 C.F.R. § 764.5, as it may become standard practice to routinely disclose.

VI. Conclusion

FIs have never known more clearly where they stand with BIS than they do now. But with that clarity comes increased expectations. Given its already stretched resources, BIS likely does not want to be in the business of constantly pursuing FIs – particularly well-behaved ones – for GP 10 violations, as opposed to the underlying transaction parties BIS already investigates. However, it will behoove FIs to build an additional layer into their export controls compliance and establish a practice of periodically feeding BIS, through VSDs, a healthy diet of investigation-worthy transactions. Showing robust compliance through documented processes and VSDs may be even more important for foreign FIs than domestic ones as the former are probably more likely, depending on a variety of factors, to be targeted for heavy-handed enforcement or sanctions.

Please contact the authors or your Winston & Strawn relationship attorney if you have any questions or need further information.