What Happened:
US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the US Department of Commerce’s (Commerce) Bureau of Industry and Security (BIS) and the US Department of Justice (DOJ), collectively issued guidance regarding the obligations of non-US based companies and persons to comply with US sanctions (Tri-Seal Compliance Note: Obligations of foreign-based persons to comply with US sanctions and export control laws) (Compliance Note).
The Bottom Line:
The Compliance Note provides key guidance on the legal exposure of non-US persons arising from US sanctions and export controls, describing the applicability of these restrictions to persons and entities located outside of the United States, as well as the enforcement mechanisms that are available for US authorities to hold non-US persons accountable for violations of sanctions and export control laws. Global business organizations and others who participate in international trade should take appropriate steps to understand how these laws may apply to them, what risks are posed by their business operations and how they can mitigate these risks.
The Compliance Note is the third collaborative (i.e., tri-seal) effort by the three agencies to provide guidance to the business community on compliance with US sanctions and export control laws, following a tri-seal compliance note issued in March 2023 and a tri-seal compliance note issued in July 2023.
The Full Story:
On March 6, 2024, OFAC, BIS and DOJ collectively issued the Compliance Note to highlight the applicability of US sanctions and export control laws to persons and entities located abroad, as well as the enforcement mechanisms that are available to US authorities to hold non-US persons accountable for non-compliance with these laws, including criminal prosecution. The Compliance Note further provides an overview of compliance considerations for non-US companies and compliance measures to help mitigate their risk.
Compliance Considerations for non-US Persons
The Compliance Note provides key guidance for non-US persons seeking to implement compliance measures to comply with US sanctions or export control laws. Specifically, the Compliance Note advises any company participating in the global marketplace to:
- employ a risk-based approach to sanctions compliance by developing, implementing and routinely updating a US sanctions compliance program;
- establish strong internal controls and procedures to govern payments and the movement of goods involving affiliates, subsidiaries, agents or other counterparties;
- ensure that know-your-customer information (such as passports, phone numbers, nationalities, countries of residence, incorporation, operations and addresses) and geolocation data are appropriately integrated into compliance screening protocols and information is updated on an ongoing basis based on its overall risk assessment and specific customer risk rating;
- ensure that subsidiaries and affiliates are trained on US sanctions and export controls requirements, can effectively identify red flags, and are empowered to escalate and report prohibited conduct to management;
- take immediate and effective action when compliance issues are identified, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated;
- identify and implement measures to mitigate sanctions and export control risks prior to merging with or acquiring other enterprises, especially where a company is expanding rapidly and/or disparate information technology systems and databases are being integrated across multiple entities; and
- if a party believes that they may have violated sanctions or export control laws, consider voluntarily self-disclosing the conduct to the relevant agency. Our coverage of a prior tri-seal compliance note regarding the benefits of voluntary self-disclosure (including DOJ’s current policy with respect to criminal enforcement) is available here.
Agency-Specific Guidance on the Applicability and Enforcement of US Sanctions and Export Control Laws
The Compliance Note provides agency-specific guidance for each of OFAC, BIS and DOJ, with key insights to these agencies’ interpretation of the application of US sanctions and export control laws to non-US persons.
OFAC: Economic Sanctions
OFAC is responsible for investigating and bringing civil enforcement actions for violations of US economic sanctions. As summarized in the Compliance Note, OFAC sanctions take various forms, including “blocking” specific individuals and entities and their property (i.e., freezing assets or other property subject to US jurisdiction and imposing across-the-board prohibitions against transfers or dealings of any kind with regard to the blocked person and its property), restricting a narrower range of dealings with specified actors, and prohibiting transactions involving an entire jurisdiction or country, such as through a trade embargo or sanctions related to particular economic sectors.
Although US persons—including all US citizens and permanent resident aliens regardless of where they are physically located in the world, all persons present within the United States, and all US-incorporated entities and their foreign branches—must comply with OFAC regulations, certain sanctions programs also require that foreign entities owned or controlled by US persons comply with sanctions prohibitions. For example, US sanctions on Iran, Cuba and North Korea extend prohibitions to foreign entities owned or controlled by US persons as well as financial institutions. Certain sanctions programs also extend prohibitions to foreign persons in possession of US-origin goods.
Non-US persons are also subject to certain OFAC prohibitions. For example, many sanctions programs prohibit non-US persons from causing or conspiring to cause US persons to wittingly or unwittingly violate US sanctions or engaging in conduct that evades US sanctions prohibitions.
In the Compliance Note, OFAC notes that it has actively employed its enforcement authorities against foreign financial institutions and other non-US persons who have, among other things, caused US persons to violate OFAC sanctions, conspired to do so, indirectly exported services from the United States, or otherwise engaged in conduction in violations of US sanctions. OFAC’s examples of this conduct include when a non-US person obscures or omits reference to the involvement of a sanctioned party or jurisdiction, misleads a US person into exporting goods ultimately destined for a sanctioned jurisdiction, and routes a prohibited transaction through the United States or the US financial system, thereby causing a US financial institution to process the payment in violation of OFAC sanctions.
OFAC cites several examples of recent sanctions enforcement actions against non-US companies, including the settlement agreements for Toll Holdings Limited (Toll) and Swedbank Latvia AS (Swedbank Latvia), which resulted in the identified entity paying penalties ranging from $415,000 to more than $6,000,000. Toll was found to have sent or received payments through the US financial system in connection with shipments involving sanctioned persons and jurisdictions, which caused US financial institutions to violate US sanctions. Swedbank Latvia was found to have sent payments to persons located in Crimea through US correspondent banks, which caused those banks to violate US sanctions. In a third example, a foreign company was found to have conspired with an Iranian national to cause a US company to ship US-origin goods indirectly through a third country to Iran.
Foreign companies should note that OFAC generally enforces sanctions on a strict liability basis (with limited, program-specific exceptions), but that OFAC’s civil penalty guidelines consider compliance efforts as a mitigating factor in assessing penalties. OFAC has previously issued guidance describing its perspective on an effective compliance program.
BIS: Export Controls
BIS administers and enforces export controls on dual-use and certain munitions items through the Export Administration Regulations (EAR) under the authority of the Export Control Reform Act of 2018 (ECRA). As noted in the Compliance Note, unlike many other countries, where export-related authorities are limited to direct exports from the source country, US export control laws have extraterritorial applicability and extend to items subject to the EAR regardless of where in the world the item is located and extends to foreign persons who deal with the export controlled items. In addition to the export of US-origin items, the EAR applies to reexports (i.e., the shipment of the EAR item from one foreign country to another foreign country) and in-country transfers (i.e., the transfer of an item subject to the EAR from one party to another within a foreign country) of US-origin items as well as goods that incorporate a certain percentage of controlled US-origin content and certain foreign-made items produced using US software, technology or production equipment (and thus subject to a foreign direct product rule (FDPR)).
BIS actively enforces US export control laws, regardless of where the offending party is located. As BIS notes in the Compliance Note, BIS considers that anyone involved in the movement of items subject to the EAR must adhere to US export control laws, including foreign persons. BIS explains that an exporter cannot bypass the US embargo against Iran, for example, by shipping an item to a distributor in the United Arab Emirates (UAE) and asking the distributor to transship the item to a customer in Iran. Under US export control law, this would be considered a reexport to Iran, even though it does not go directly to that country, and both the US exporter and the UAE distributor could be liable for violating US law. Additionally, parties cannot bypass the EAR by changing the end use or end user of an item within a foreign country. Similarly, foreign parties to an export transaction cannot bypass EAR requirements because the item is located outside the United States and was not shipped directly to the foreign party recipient.
BIS also explains in the Compliance Note that the EAR is also relevant to non-US companies that manufacture items containing US-origin components or software. The factor that determines EAR applicability to such items is the value of the controlled content (e.g., US-origin components, software) within the overall item: If the value exceeds the applicable de minimis threshold, it is subject to the EAR. The de minimis threshold varies by applicable export control, including on export to certain destinations.
In addition, under the EAR, certain foreign-produced items located outside of the United States that are produced using certain US-controlled technology, software or production equipment are subject to the EAR when exported from abroad, reexported or transferred in-country to certain countries or parties on the Entity List. As BIS explains in the Compliance Note, this means that foreign-produced items—even if they never enter the US stream of commerce and no US person is involved in the transaction—may still be subject to US export control jurisdiction if they meet certain conditions.
BIS cites several examples illustrating the severity of recent enforcement actions against non-US companies for export control violations, including the issuance of a Temporary Denial Order (TDO) against certain companies. TDOs are some of the most significant protective measures BIS can issue, cutting off not only the right to export items subject to the EAR from the United States, but also the right to receive or participate in exports from the United States or reexports of items subject to the EAR. In the examples highlighted by BIS, the foreign companies now subject to TDOs were penalized for acting as procurement agents for parties seeking to evade export controls or for ignoring US export controls altogether (e.g., foreign airlines operating US and foreign aircraft subject to the EAR on flights into and out of Russia). BIS also cites its recent $300 million settlement agreement with Seagate Technology LLC and Seagate Singapore International Headquarters Pte. Ltd. (Seagate) for continuing to ship hard disk drives to Huawei after BIS’s foreign direct product rule (FDPR) prohibiting Huawei from receiving such items took effect. In addition to the $300 million monetary penalty, Seagate is subject to a suspended five-year denial order that allows BIS to cut off their export privileges if they violate key terms in the settlement agreement.
DOJ: Criminal Enforcement
The International Emergency Economic Powers Act (IEEPA) and ECRA authorize DOJ to bring criminal prosecutions for willful violations of US sanctions and export control laws. The Compliance Note provides several recent examples of DOJ pursuing criminal penalties against foreign companies for allegedly seeking to unlawfully transfer US-manufactured technology to prohibited destinations. Notably, two such examples involved the defendants making false representations to US suppliers in the course of procuring US items for shipment to prohibited destinations. DOJ also cited the November 2023 guilty plea by Binance Holdings Limited (Binance), a large cryptocurrency exchange, in which Binance agreed to a $4.3 billion financial penalty. Binance additionally agreed to pay $968,618,825 to settle its potential civil liability for processing 1,667,153 transactions that violated US sanctions laws. Notably, Binance was found to be aware that some of its users were in sanctioned jurisdictions and aware that US persons would be caused to transact with them, and that Binance failed to implement a compliance program to mitigate this risk.