BIS, OFAC, and DOJ Highlight That Sanctions and Export Controls Apply to Non-U.S. Companies and Individuals

On March 6, the Department of Commerce’s Bureau of Industry and Security (“BIS”), the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), and the Department of Justice (“DOJ”) issued their most recent ”tri-seal” compliance note (the “Compliance Note” or “the Note”).[1]

The Compliance Note highlights that U.S. sanctions and export controls apply to non-U.S. persons, both companies and individuals, in a variety of circumstances.

The Note does not create any new legal obligations—the obligations of non-U.S. persons have been reasonably well established in the law, regulations, and various court decisions, and, in fact, many of the largest sanctions and export control criminal and civil resolutions over the last decade have been against non-U.S. financial institutions and technology companies. The issuance of the Compliance Note, however, underscores that violations by non-U.S. persons is a priority area for enforcement agencies, and it is clearly intended to signal to non-U.S. companies that the government is giving increased scrutiny to their compliance with these laws.

In announcing the Note, DOJ’s Assistant Attorney General for National Security Matthew G. Olsen emphasized that “[a]ny person or company participating in the global marketplace has an obligation to comply with our sanctions and export control laws, regardless of where they are located. Today’s advisory makes clear that the global business community must ensure that they are educated about how these laws apply and take steps to mitigate any risks they may face as a result of their business operations.”[2]

Sanctions

OFAC is responsible for civil enforcement of U.S. sanctions programs, consistent with OFAC’s Enforcement Guidelines.[3]

The Compliance Note states that non-U.S. persons are “subject to certain OFAC prohibitions.” For example, “non-U.S. persons are prohibited from causing or conspiring to cause U.S. persons to wittingly or unwittingly violate U.S. sanctions, as well as engaging in conduct that evades U.S. sanctions.”[4] Additionally, under certain sanctions programs “foreign entities owned or controlled by U.S. persons also must comply with applicable restrictions.”[5]

OFAC has brought enforcement actions against foreign-based persons and non-U.S. companies, including both financial institutions and non-financial companies, for “causing” U.S. persons to violate U.S. sanctions.[6] The Compliance Note provides a non-exhaustive list of instances where OFAC has brought an enforcement action against a non-U.S. person, including where the non-U.S. person “obscures or omits reference to the involvement of a sanctioned party or jurisdiction to a financial transaction involving a U.S. person in transaction documentation; [m]isleads a U.S. person into exporting goods ultimately destined for a sanctioned jurisdiction; or [r]outes a prohibited transaction through the United States or the U.S. financial system[.]”[7] In bringing these enforcement actions against non-U.S. persons, OFAC has taken an expansive view of what constitutes the requisite U.S. nexus for a sanctions violation.

Additionally, OFAC has brought a number of enforcement actions against U.S. parent companies for actions taken by their foreign subsidiaries in violation of the Iran sanctions programs.[8]

Export Controls

BIS is responsible for civil enforcement of export controls on dual-use and certain munitions items under the Export Administration Regulations (“EAR”). The Compliance Note emphasizes that “U.S. export control laws may extend to items subject to the EAR anywhere in the world and to foreign persons who deal with them. To put it simply, the law follows the goods.”[9]

The Compliance Note states that, beyond the initial transfer, the EAR also apply to (i) reexports (“the shipment of the EAR item from one foreign country to another foreign country”) and (ii) in-country transfers (“the transfer of an item subject to the EAR within a foreign country”). Additionally, the EAR may apply to non-U.S. companies that produce “goods that incorporate a certain percentage of controlled U.S. content” (based on de minimis thresholds).[10]

Furthermore, under a Foreign Direct Product Rule (“FDPR”), the EAR may also apply to “foreign-made items produced using U.S. software, technology, or production equipment.”[11] BIS has imposed a number of FDPRs in recent years, which have included controls on certain items destined to Russia, Belarus, and Iran, as well as on certain defense-related entities. The Compliance Notes explains that “[g]iven the ubiquity of U.S. semiconductor manufacturing equipment in foreign semiconductor fabrication facilities, these controls generally result in a license requirement for any semiconductor destined to specific entities or locations subject to one of these FDPRs.”[12] The Compliance Note also emphasizes that BIS will enforce violations of the FDPRs. In fact, in 2023, BIS imposed a $300 million penalty—the largest standalone penalty in its history—against a company, Seagate, that shipped millions of foreign-made hard drives to Huawei in violation of the Huawei FDPR.[13]

The Compliance Note underscores that “BIS actively enforces U.S. export control laws, regardless of where the offending party is located. Anyone involved in the movement of items subject to the EAR must adhere to U.S. export control laws.”[14]

Criminal Enforcement

In addition to the civil enforcement of sanctions and export controls by OFAC and BIS, respectively, the Compliance Note explains that DOJ may bring criminal prosecutions for “willful” violations of U.S. sanctions and export control laws.[15] To highlight this point, the Note discusses several recent cases in which DOJ brought charges against “foreign-based actors for allegedly seeking to unlawfully transfer U.S.-manufactured technology to prohibited destinations.”

Implications

The Compliance Note does not announce any new legal obligations for non-U.S. companies, but it does underscore that bringing enforcement actions against non-U.S. persons is a priority for BIS, OFAC, and DOJ. The Note concludes with a reminder that “[g]lobal business organizations and others who participate in international trade should take appropriate steps to understand how these laws may apply to them, what risks are posed by their business operations, and how they can mitigate these risks.”[16] The Compliance Note provides a number of “compliance considerations” that non-U.S. companies may wish to consider, including the development of a compliance program that covers these regimes.[17]

Additionally, U.S. companies with foreign subsidiaries should review whether their foreign subsidiaries are taking appropriate measures to comply with U.S. sanctions. U.S. companies with global operations may consider adopting a uniform global sanctions policy.[18]

                                                                                                          *       *       *

[1]       Dep’t of Commerce, Dep’t of the Treasury, and Dep’t of Justice Tri-Seal Compliance Note, Obligations of foreign-based persons to comply with U.S. sanctions and export control laws (Mar. 6, 2024), available here. This is the third tri-seal compliance note from the three agencies since Russia’s invasion of Ukraine in February 2022. See Dep’t of Commerce, Dep’t of the Treasury, and Dep’t of Justice Tri-Seal Compliance Note, Voluntary Self-Disclosure of Potential Violations (July 26, 2023), available here; Dep’t of Commerce, Dep’t of the Treasury, and Dep’t of Justice Tri-Seal Compliance Note, Cracking Down on Third-Party Intermediaries Used to Evade Russia-Related Sanctions and Export Controls (Mar. 2, 2023), available here.

[2]       Dep’t of Justice, Department of Justice, Commerce and Treasury Issue Joint Advisory on Compliance of Foreign-Based Persons with Sanctions and Export Laws (Mar. 6, 2024), available here.

[3]       Appendix A to Part 501, Title 31, Economic Sanctions Enforcement Guidelines, available here.

[4]       Compliance Note at 2; see 50 U.S.C. § 1705(a) (“It shall be unlawful for a person to violate, attempt to violate, conspire to violate, or cause a violation of any license, order, regulation, or prohibition issued under this chapter.”).

[5]       Compliance Note at 2, n.1 (discussing the Cuba, Iran, and North Korea sanctions programs).

[6]       The Compliance Note cites OFAC enforcement actions against a number of non-U.S. companies, including Swedbank Latvia (2023), Toll Holdings (2022), and Alfa Laval (2021). In our 2022 Year in Review, we highlighted the enforcement action against Toll and noted that it serves as a reminder that non-U.S. companies can be subject to enforcement actions by OFAC based on “virtually any U.S. nexus to transactions can trigger a sanctions enforcement action.” Paul, Weiss, Economic Sanctions and Anti-Money Laundering Developments: 2022 Year in Review (March 1, 2023), available here. OFAC’s enforcement of sanctions against non-U.S. non-financial companies for “causing” violations dates to 2017 with the enforcement action against TransTel. See Paul, Weiss,  OFAC Breaks New Ground By Penalizing Non-U.S. Companies for Making U.S. Dollar Payments Involving a Sanctioned Country (July 28, 2017), available here.

[7]       Compliance Note at 3.

[8]       See, e.g., Paul, Weiss, OFAC Once Again Warns of Potential Liability of U.S. Parent Companies for Sanctions Violations Committed by Foreign Subsidiaries (Oct. 4, 2023), available here; Paul, Weiss, OFAC Takes Enforcement Action Against U.S. Parent Company for its Recently Acquired Chinese Subsidiary’s Iran Sanctions Violations (Apr. 1, 2019), available here; Paul, Weiss, In Unprecedented Move, OFAC Takes Enforcement Action Against U.S. Parent Company for Turkish Subsidiary’s Iran Sanctions Violations and Simultaneously Sanctions the Subsidiary’s Ex-Managing Director (Feb. 11, 2019), available here. These restrictions on foreign subsidiaries also apply in the context of the Cuba sanctions program. Under the Cuba sanctions program, the prohibitions apply to any person subject to the jurisdiction of the United States, including “[a]ny corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by” a U.S. person. 31 C.F.R. § 515.329.

[9]       Compliance Note at 4 (emphases added).

[10]     According to the Compliance Note, generally, “a non-U.S.-made item is subject to the EAR if the value of the U.S.-origin controlled content exceeds 25% of the total value of the finished item. For certain destinations (i.e., Cuba, Iran, North Korea, and Syria), the threshold is 10%.” Compliance Note at 5.

[11]     Compliance Note at 5 (emphasis added).

[12]     Compliance Note at 6.

[13]     Compliance Note at 7. The hard disk drives were made overseas, but BIS determined that Seagate had used equipment subject to the EAR in producing the drives and, as such, the sales to Huawei violated the FDPR. See Paul, Weiss, BIS Imposes $300 Million Penalty Against Seagate for Export Control Violations and Makes Controversial Changes to Voluntary Self-Disclosure Program (May 1, 2023), available here.

[14]     Compliance Note at 5.

[15]     Compliance Note at 7, n.17.

[16]     Compliance Note at 9.

[17]     Compliance Note at 10.

[18]     See Paul, Weiss, OFAC Once Again Warns of Potential Liability of U.S. Parent Companies for Sanctions Violations Committed by Foreign Subsidiaries (Oct. 4, 2023), available here.