The Commerce Department’s Bureau of Industry and Security (“BIS”) issued new guidance on October 9, 2024 aimed at financial institutions (“FIs”), which highlights best practices for compliance with the Export Administration Regulations (the “EAR”).[1] Although BIS has not issued any new regulatory requirements, the guidance is notable for its expanded focus on FIs and their compliance with U.S. export controls. While exporters themselves are the traditional focus of BIS’s enforcement efforts, the guidance makes clear that FIs have their own export control obligations under the EAR’s General Prohibition 10 (“GP 10”) and implicitly raises the bar for their export controls compliance obligations.
General Prohibition 10 and FI Diligence
GP 10 prohibits parties from participating in transactions related to the export of controlled items if they know that a violation of U.S. export controls “has occurred, is about to occur, or is intended to occur in connection with” the export, re-export, or in-country transfer of an EAR-controlled item.[2] GP 10 can therefore significantly expand the scope of export controls liability, including to FIs that might finance or otherwise service export transactions. In its latest guidance, BIS offers recommended due diligence practices and identifies specific red flags that FIs should be aware of to avoid violating GP 10. We expect that, going forward, BIS will refer to these due diligence procedures in future enforcement actions when establishing whether an FI had “knowledge”[3] of a potential GP 10 violation.
BIS’s guidance identifies three areas where FIs’ due diligence procedures should proactively align with their obligations in relation to GP 10: (1) onboarding customers, (2) real-time screening of transactions, and (3) post-transaction review. Specifically:
- Onboarding customers. FIs should review potential new customers against restricted party lists, including those maintained by BIS. But, BIS also recommends FIs screen against certain open source data, such as the Trade Integrity Project’s database, which we discussed in a July 2024 client alert. Being subject to end-user restrictions does not prohibit FIs from offering services to these individuals or entities. However, FIs should consider seeking a certification from such customers to confirm they have sufficient controls to comply with the EAR.
- Real-time transaction screening. FIs should leverage their automated screening procedures to screen cross-border payments and other transactions likely to be associated with exports from the United States. When a party to a transaction appears on certain BIS lists,[4] FIs should verify that the underlying transaction complies with the EAR before proceeding. BIS emphasizes that FIs are not expected to request the names of all parties involved in a transaction to complete a real-time screening, but should screen all parties that they have actual knowledge of during the ordinary course of business.
- Ongoing review of transactions. FIs should review transactions on an ongoing basis for red flags related to potential export control violations. In addition to the various red flags identified in prior alerts, BIS highlights several factors for FIs to consider in their review: (1) refusal to provide details about end users and uses, (2) party name matches with restricted party lists, (3) companies that share an address with a restricted party or sanctioned person, or an address associated with a high diversion risk, and (4) last minute changes in payment routing to avoid countries of concern. Facilitating additional transactions after becoming aware of export control-related red flags may risk GP 10 violations.
BIS’s guidance to FIs – which supplements previous alerts jointly issued with the Treasury Department’s Financial Crimes Enforcement Network in November 2023 and June 2022[5] – should function as a warning to such institutions that BIS expects to increase its oversight of financial transactions linked to exports and that it expects to make use of GP 10 as an enforcement tool. This is consistent with BIS having previously signaled its intention to prioritize enforcement against corporate actors.[6] While the BIS guidance establishes a baseline for what BIS expects from FIs that it will likely apply in the enforcement context, many practical challenges remain for FIs attempting to identify EAR violations conducted by others while simultaneously processing large volumes of transactions, often with limited information. Nonetheless, we recommend that FIs use the guidelines as a starting point in reviewing and enhancing their export controls compliance programs.
Click here to download this article.
[1] Bureau of Industry and Security Issues New Guidance to Financial Institutions on Best Practices for Compliance with the Export Administration Regulations, October 9, 2024, https://www.bis.gov/media/documents/guidance-financial-institutions-best-practices-compliance-export-administration.
[2] 15 CFR 736.2(b)(10).
[3] Knowledge of an EAR violation “includes not only positive knowledge that the circumstance exists or is substantially certain to occur, but also an awareness of a high probability of its existence or future occurrence. Such awareness may be inferred from evidence of the conscious disregard of facts known to a person or from a person’s willful avoidance of facts.” 15 CFR 772.1.
[4] Specifically, the BIS Denied Persons List, see 15 CFR Part 764, Supplement No. 1; Burmese, Cambodian, Cuban, People’s Republic of China (PRC), Iranian, North Korean, Russian, Syrian, Venezuelan, or Belarusian Military-intelligence end users identified in 15 CFR 744.22(f)(2); and certain persons designated on the Entity List, namely entities subject to the Entity List Foreign Direct Product (FDP) rule, 15 CFR 734.9(e), and designated with a footnote 4 in the license requirement column of the Entity List in supplement no. 4 to part 744 of the EAR; entities subject to the Russia/Belarus-Military End User and Procurement FDP rule, 15 CFR 734.9(g), and designated with a footnote 3 in the license requirement column of the Entity List in supplement no. 4 to part 744 of the EAR; and other persons included on the Entity List and subject to the license review policy set forth in 15 CFR 744.2(d) (related to certain nuclear end uses), 15 CFR 744.3(d) (related to certain rocket systems and unmanned aerial vehicles end uses), and 15 CFR 744.4(d) (related to certain chemical and biological weapons end uses).
[5] FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Announce New Reporting Key Term and Highlight Red Flags Relating to Global Evasion of U.S. Export Controls, November 6, 2023, https://www.fincen.gov/sites/default/files/shared/FinCEN_Joint_Notice_US_Export_Controls_FINAL508.pdf; FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Urge Increased Vigilance for Potential Russian and Belarusian Export Control Evasion Attempts, June 28, 2022, https://www.fincen.gov/sites/default/files/2022-06/FinCEN%20and%20Bis%20Joint%20Alert%20FINAL.pdf.
[6] See, e.g., “Commerce Implements Regulatory Changes to Voluntary Self-Disclosure Process and Penalty Guidelines; Names Raj Parekh as First-Ever Chief of Corporate Enforcement,” U.S. Dept. of Commerce (Sept. 12, 2024) (announcing creation of “Chief of Corporate Enforcement” position within BIS); available at https://www.bis.gov/press-release/commerce-implements-regulatory-changes-voluntary-self-disclosure-process-and-penalty.