On December 2, 2024, the Department of Commerce, Bureau of Industry and Security (BIS) issued a new set of regulations targeting semiconductors manufacturing equipment (SME) and high-bandwidth memory (HBM) chips. The updates are a part of BIS’s ongoing efforts to target semiconductors in attempt to slow down China’s advancement of AI. In the race to artificial general intelligence, advanced-node semiconductors play an outsized role in a country or company’s ability to progress.
However, the rules may have an have an outsized impact on the United States’ foreign partners in the semiconductor industry.
1. Overview
The majority of the updates appear in an Interim Final Rule that creates two new rules related to the Foreign Direct Product Rule (FDPR) and conforming changes to the de minimis rule; new classifications for semiconductor manufacturing equipment (SME) and tools, SME software, and High Bandwidth Memory (HBM); a couple of new license exceptions, clarification on software keys, and a handful of new red flags. The other portion of the rulemaking updates the Entity List with 140 new designations and removed the Validated End User (VEU) Program.
There are three key components to AI development: building the AI model itself, using data to train the model, and obtaining the hardware performance needed to drive the AI function. The hardware performance requires critical logic and memory elements. U.S. Export controls target each of the component listed above. However, for the hardware component, export controls have been focused on the logic element—the processing units.[1] Until now. The new rule targets the memory side of the hardware component for AI, capturing more of the physical components necessary for making AI hardware.
2. New Foreign Direct Product Rules
2.1 How the Rules Work
There are two inter-related updates to the FDPR targeting SME. For the uninitiated, the FDPR creates extraterritorial jurisdiction for BIS over foreign-made products that are the direct product of U.S.-origin software or technology. That’s right. A thing is made entirely outside the United States with no U.S. origin content, and does not travel into or through the United States. However, because that thing is based on a U.S. design, or is the product of U.S. design software, or even if that thing is made on equipment[2] that was designed in the United States(!), the foreign-made item is controlled as the “foreign direct product” of the U.S. origin technology, software, or equipment.
While that essential FDPR proposition is a pretty long reach for jurisdiction, the new FDPR rules go much further—capturing any foreign-made SME that contains any U.S.-origin integrated circuit (IC). When paired with the new Red Flag 26, which presumes all SME to contain U.S.-origin ICs, the new FDPR touches on virtually every piece of SME in the world. All of them.[3]
The first of these new FDPR, the SME FDPR, captures a narrower subset of SME and restricts the export of those foreign-made SME broadly to China. Inversely, the Footnote 5 FDPR captures virtually all other SME on the Commerce Control List (CCL) but only restricts the export of those foreign-made SME to entities on the Entity List with a Footnote 5 designation. Those Footnote 5 entities are SME fabs those determined by BIS to be involved in, or soon-to-be involved in, advanced-node IC production. Conforming changes were made to the de minimis rule.
- The SME FDPR targets an enumerated subset of SME (ECCN 3B001.a.4, c, d, f.1, f.5, k to n, p.2, p.4, r, or 3B002.c) and restricts the export to the PRC (Country Group D:5 and Macua)
- The Footnote 5 FDPR targets almost all other SME (ECCN 3B001 (except 3B001.a.4, c, d, f.1, f.5, g, h, k to n, p.2, p.4, r), 3B002 (except 3B002.c), 3B903, 3B991 (except 3B991.b.2.a or 3B991.b.2.b), 3B992, 3B993, or 3B994) and restricts the export to Footnote 5 designated Entities.
2.2 Effect on Foreign SME Manufacturers
The breadth of this rule is likely to have an outsized effect on non-U.S. manufacturers of SME. The presumption created by Red Flag 26—that all SME containing an IC, contains an U.S. origin IC—will create vast new compliance obligations for those SME manufacturers with business in China or any other D:5 country.
First, that red flag is practically a red blanket. It states that if SME contains an IC, then that IC will be presumptively U.S. origin . . . which begs the question of whether BIS might propose any examples of SME that do not contain an IC. Next, a foreign SME manufacturer selling to a D:5 country will be required to overcome that presumption. That will be a heavy task as the foreign SME manufacturer will need to conduct an FDPR and de minimis review of every single IC within its SME or otherwise prove that their manufacturing facility has no U.S. origin technology. Even if that were possible, those foreign SME manufacturers would likely face some questions from BIS should they continue their business with a prohibited company or country.
Semiconductor fabs purchases SME will also feel the effects of the rule through those manufacturers’ increased compliance efforts.
3. High Bandwidth Memory (HBM) Controls
3.1 How the Rule Works
The new rulemaking adds High Bandwidth Memory (HBM) controls to the Commerce Control List under ECCN 3A090.c. This addition controls all HBM with a “memory bandwidth density” greater than 2GB/mm2. The control also notes that any DRAM with conforming memory bandwidth density will also be controlled.
There is an HBM license exception for exporters, reexporters, or transferors with a headquarters in the United States (without an ultimate parent in D:5 or Macau) for HBM with a “memory bandwidth density” up to 3.3GB/mm2. However, that point only really carves out an exception for HBM2, and only for U.S. headquartered companies (where some of the largest HBM manufacturers are South Korean).
It is interesting to note that ECCN 3A090.c “does not cover co-packaged integrated circuits with both HBM and logic integrated circuit where the dominant function of the co-packaged integrated circuit is processing.” That could mean that where a chip contains both HBM and a logic IC on a single chip, the chip would be subject to export controls based on the logic component. As a result, in analyzing the controls on the chip, one would only need to examine the chip’s Total Processing Performance (TPP) and Performance Density (PD).
3.2 Effect on Korean Semiconductor Fabs
The majority of the world HBM is manufactured by a small group of South Korean companies. Those companies may bear the brunt of the new rules, particularly when collaborating with U.S. companies. Those manufactures are doubly affected by the rulemaking as they likely obtain their SME from foreign SME manufacturers subject to the new FDPR. They may face a raft of new compliance obligations, including supply chain reviews and increasing end-use validation.
4. Software Keys
The new rulemaking also clarifies that issuing a software key and software license keys that unlock software or renew existing software, is considered an export event. Therefore, if a license were required for the software, a license will be required for the software key. This applies to source code as well as object code. This does not apply to keys that unlock “dormant functionality” in a controlled item.
Notably, this does not close the SaaS and IaaS loophole in the current export regime—though we are likely to see an attempt to address that loophole in a forthcoming rule on the control of AI services. Currently, a gap exists because the provision of SaaS or IaaS is not considered an export, so companies may provide access to the AI computing services performed by controlled hardware in the United States, through SaaS or IaaS arrangements.
5. Conclusion
The new semiconductor rules are indicative of the nuanced and targeted approached that has characterized BIS under the Biden administration. However, nuance on top of nuance can breed complexity—and there is no doubt these rules are complex! At the same time, the targeted precision of the rules has also created gaps in the coverage of the restrictions that has left some scratching their head as to whether these are intentional.
Is there another strategy? We may see one in the next administration. A blanket approach—imposing restrictions on every company in China or even all D:5 countries—would relieve some of the complexity and close off loopholes. But the cost to industry of that sort of full decoupling could be debilitating. Under the shadow of that option, the compliance costs associated with complexity may not look so bad.
As we have written before, the balance in semiconductor export controls is the most difficult regulatory line to walk. The purpose of the controls is to protect U.S. national security and the capacity of semiconductors to aid or harm our national security is enormous. But the conundrum that regulators face with semiconductors regulation remains the item’s ubiquity.[4] As the advance chips continue to advance, it becomes harder and harder to draw lines between those we need to guard for security purposes and those that should be freely shared for the enhancement of nearly every product we use.
We will, of course update as new regulations develop, including one specific to AI technology that we hear may be released before the change in the U.S. presidential administration.
FOOTNOTES
[1] While GPUs are typically used in AI development for their parallel processing capabilities, the regulations will capture any integrated circuit that meets the performance thresholds.
[2] The term is actually “plant or major component of a plant”, but that gets a little wordy, even for us, so we use “equipment” as a shorthand, sacrificing precision for pith . . . sort of.
[3] We don’t even have a self-deprecating footnote explaining that we’ve exaggerated. That is really more or less it. All of the SME!
[4] As the famous says of semiconductors: “nothing so common is as tightly controlled, and nothing so tightly controlled is as common.” – Socrates, probably.