New BIS Guidance Raises the Stakes for Financial Institutions: Safeguarding Against Export Control Violations

On October 9, 2024, the US Commerce Department’s Bureau of Industry and Security (BIS) published guidance (the Guidance) outlining export control compliance expectations for financial institutions (FIs), and putting FIs on notice that they may be held liable for processing financial transactions related to violations of the Export Administration Regulations (EAR).

US export controls generally apply to items that are subject to the EAR, even where such items do not involve any US persons or other US nexus. US regulators have cautioned that banks may face US export control liability under General Prohibition 10 (GP 10) if they process a transaction that involves an item subject to the EAR and where the FI has knowledge or reason to know that the item was previously, is about to be, or is intended to be, implicated in a violation of the EAR. As stated in BIS’s press release accompanying the Guidance, “every export—every single one—has a related financial transaction.” Accordingly, the Guidance outlines BIS’s expectation that FIs monitor transactions for parties on export control restricted party lists and red-flag lists and consider whether such transactions may have involved exports in violation of the EAR.

FIs may wish to consider BIS’s expectations and the Guidance’s recommendations when implementing or reviewing their AML and compliance programs. Additionally, companies with export control exposure may want to consider preparing for increased scrutiny from FIs that are implementing BIS’s due diligence recommendations. 

Export control compliance risks for FIs

US export control jurisdiction attaches to controlled items and technology and follows them around the world. This can be the case even where the item was not manufactured in the territorial United States, and there are no US persons or other US nexus involved.[1] Accordingly, the Guidance is directed to FIs regardless of location or nationality. In particular, BIS highlights the GP 10 risk to FIs if they finance or otherwise provide a service connected to any item subject to the EAR with knowledge that a violation of the EAR has occurred, is about to occur, or is intended to occur in connection with the item. Note that the EAR defines “knowledge” broadly to include not only positive knowledge that the circumstance exists or is substantially certain to occur, but also an awareness of a high probability of its existence or future occurrence. 

GP 10 risk may arise for FIs because, for example as the Guidance states, FIs should be aware that items shipped from the United States are generally subject to the EAR. Additionally, GP 10 risk may be particularly acute under BIS’s foreign direct product rules that extend US export control jurisdiction to nearly all foreign-produced microelectronics and integrated circuits when destined for Russia, Belarus, Iran, or a Russia/Belarus Military End User or Procurement entity worldwide.

EAR compliance has traditionally been a greater concern for exporters relative to FIs processing financial transactions related to exports. BIS acknowledges in the Guidance that exporters generally have more information than FIs about whether an item may be subject to the EAR. The Guidance, however, states that FIs’ responsibilities have increased significantly following Russia’s 2022 invasion of Ukraine and the heightened national security and foreign policy imperative to restrict China’s military modernization efforts and commission of human rights violations. 

BIS’s export control compliance expectations for FIs

According to the Guidance, BIS’s expectations begin with FIs screening parties involved in financial transactions against export control restricted party lists and red-flag lists. Depending on the outcome of those screenings, BIS expects FIs to monitor and scrutinize those transactions to determine whether they may relate to potential violations of the EAR.

Based on the Guidance, FIs might consider incorporating the following into their transaction due diligence and compliance programs:

1. Screen customers against lists of persons subject to BIS’s end-user restrictions, such as the Unverified List, Entity List, Military End-User List, and Denied Persons List. FIs would not necessarily be prohibited from processing or otherwise servicing a transaction that involves a party subject to BIS’s end-user restrictions. However, BIS encourages FIs to “heavily weigh” a customer’s presence on such a list to determine the customer’s overall risk profile.  Where an FI is instructed to process a financial transaction involving a party that is on an end-user restricted list, BIS recommends that FIs determine whether the transaction involves items subject to the EAR. If so, BIS recommends that FIs ask the party instructing them to process the transaction to certify that it has sufficient controls in place to comply with the EAR. Such controls might include screening transactions against BIS’s restricted end-user lists, exercising heightened due diligence for exports to embargoed or high-risk destinations, and engaging in enhanced due diligence for items included on the Commerce Control List (CCL).
2. Screen customers against the Consolidated Screening List. BIS recommends that FIs use the CSL to screen against relevant export-related US government restricted-party lists, including persons listed by BIS, the US Treasury Department’s Office of Foreign Assets Control (OFAC), and the US State Department’s Directorate of Defense Trade Controls (DDTC). 
3. Screen customers against lists of entities that have shipped Common High Priority List (CHPL) items. BIS recommends that, as part of their due diligence into a transaction, FIs screen customers that have shipped CHPL items to Russia since 2023.  Such lists may be obtained from commercial service providers or for free from the Trade Integrity Project.  If an FI determines that a financial transaction it is asked to process involves a party that has shipped a CHPL item to Russia since 2023, BIS recommends scrutinizing the entities and addresses involved in the transaction for red flags that could indicate export control evasion and diligencing whether the transaction involves items subject to the EAR.  If the transaction involves items subject to the EAR, BIS recommends that FIs ask the party instructing them to process the transaction to certify that it has sufficient controls in place to comply with the EAR.
4. Monitor transactions in real-time where possible[2] and conduct post-transaction red flag reviews. BIS recommends that FIs review transactions on an ongoing basis for red flags.  BIS acknowledges that FIs may not have sufficient information to individually assess every transaction for potential EAR violations before proceeding with the transaction; however, FIs may learn of red flags after it has processed a transaction, which BIS notes may give rise to “knowledge” for purposes of a GP 10 violation for future transactions involving the same customer or counterparties. Accordingly, the Guidance recommends that FIs implement risk-based procedures to conduct post-transaction reviews for red flags. The implication of the Guidance appears to be that FIs could face GP 10 liability if they continue to engage in transactions with an entity that has previously raised red flags that the FI was unable to satisfactorily resolve. The Guidance describes the following red flags in particular:
   1. A customer refuses to provide details to banks, shippers, or third parties, including details about end-users, intended end-use(s), or company ownership;
   2. The name of one of the parties to the transaction is a “match” or similar to one of the parties on a restricted-party list; 
   3. Transactions involving companies that are physically co-located with a party on the Entity List or the SDN List or involve an address BIS has identified as an address with high diversion risk; and/or
   4. Transactions involving a last-minute change in payment routing that was previously scheduled from a country of concern but is now routed through a different country or company.

Companies may face additional scrutiny from FIs

To the extent that FIs enhance their procedures in response to the Guidance, we expect that they will more heavily scrutinize companies with export control exposure. In particular, companies that have business involving higher-risk or restricted countries, end-uses, or end-users may experience additional questions from FIs processing their transactions in light of the Guidance’s recommendation that FIs conduct pre- and post-transaction red flag reviews. 

For transactions of concern, the Guidance states that FIs should (i) ask companies whether the items involved in the transaction are subject to the EAR; and (ii) seek certification that the company has sufficient controls to comply with the EAR.  It is also possible that FIs may ask for further information on the customers, end-users, and end-uses related to a particular transaction. Companies may face delays as a result of the additional due diligence BIS expects FIs to conduct. Further, to the extent that companies or individuals intentionally provide misinformation to their banks, they risk not only enforcement for underlying export control violations but also criminal prosecution for defrauding a financial institution.

Companies may therefore wish to be pro-active in communicating with FIs, particularly with respect to lawful transactions related to exports that may involve higher-risk or restricted countries, end-uses, or end-users.

Conclusion

The Guidance complements prior interagency publications urging FIs to be vigilant against efforts to evade export controls against Russia, including joint notices from June 2022 and May 2023 issued by BIS and the Financial Crimes Enforcement Network (FinCEN), and a tri-seal compliance note from March 2023 issued by the US Departments of Commerce, State, and Justice. 

The Guidance should also be read in tandem with BIS’s earlier guidance on identifying diversion risk in transactions and the issuance of a Final Rule increasing incentives for voluntary self-disclosures (VSDs).

Finally, the Guidance is the latest of many examples of regulators’ articulating their expectation that FIs as well as corporates serve as gatekeepers to mitigate crime and aid enforcement efforts.  Issued the same week that the US Department of Justice and FinCEN announced a record setting $3 billion resolution with TD Bank for its failures to prevent money laundering, the Guidance sets the stage for future potential enforcement against FIs who facilitate export control violations and may be interpreted as a warning shot to those who do not bring sufficient rigor to their compliance efforts. 

Accordingly, FIs may wish to review their AML and internal export controls compliance policies and procedures and, as appropriate, enhance their existing programs with a particular eye to export control compliance. 

[1] In addition, in certain cases, such as the semiconductor restrictions imposed in Fall 2023 against China, US export controls may apply to conduct by US persons even in the absence of items subject to the EAR.

[2] BIS recommends that for cross-border payments and other transactions likely to involve exports from the United States, FIs conduct real-time screening against certain lists, including (i) the Denied Persons List; (ii) Burmese, Cambodian, Cuban, Chinese, Iranian, North Korean, Russian, Syrian, Venezuelan, or Belarusian Military-intelligence end users identified in 15 CFR 744.22(f)(2); and (iii) the Entity List.