On March 6, 2024, the Department of Commerce’s Bureau of Industry and Security (“BIS”), the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), and the Department of Justice (“DOJ”) issued their most recent Tri-Seal Compliance Note on the obligations of foreign-based individuals and entities to comply with U.S. economic sanctions and export control laws (the “Guidance Note”). While the Guidance Note does not impose any new legal obligations, it formalizes OFAC’s position that non-U.S. persons can violate U.S. sanctions both by causing a U.S. person to violate sanctions and by evading sanctions, identifies recent examples of civil and criminal enforcement actions against non-U.S. persons, and provides an overview of compliance measures that non-U.S. companies should consider to mitigate risks associated with noncompliance.
Potential Applicability of U.S. Sanctions to Non-U.S. Persons
The Guidance Note underscores that OFAC, which administers and enforces economic sanctions programs, can impose penalties on non-U.S. persons for “causing or conspiring to cause U.S. persons to wittingly or unwittingly violate U.S. sanctions, as well as engaging in conduct that evades U.S. sanctions.” While U.S. sanctions typically apply to U.S. persons, non-U.S. persons and entities are also required to comply in situations where there is a U.S. nexus, such as involvement by U.S. persons, U.S. financial institutions, or transaction taking place within the U.S. For example, a non-U.S. person violates U.S. sanctions if they obscure or omit references to the involvement of sanctioned parties which involve a U.S. person in the financial transaction, mislead a U.S. person into exporting items ultimately destined for a sanctioned jurisdiction, or cause U.S. bank to route a prohibited transaction through the U.S. financial system. Additionally, while practitioners have generally understood for many years that OFAC could take, and has taken, enforcement actions against a non-U.S. person for engaging in entirely extraterritorial conduct so long as the requisite U.S. nexus exists, the Guidance Note makes clear that OFAC will continue to pursue such claims actively in the future.
The Guidance Note provides a number of recent OFAC enforcement actions targeting such conduct, illustrating its expansive view of the requisite U.S. nexus for a sanctions violation. For example, Swedbank Latvia AS, a subsidiary of a Sweden-based international financial institution, agreed to remit $3,430,900 to settle its potential civil liability for 386 apparent violations of OFAC sanctions on Crimea. OFAC found that between February 2015 and October 2016, a customer used its e-banking platform from an internet protocol address in Crimea to send payments to persons in Crimea through U.S. correspondent banks. Violations of OFAC regulations may result in civil and criminal penalties.
Potential Applicability of U.S. Export Control Laws to Non-U.S. Persons
The Guidance Note emphasizes that export controls administered by the BIS extend to all items subject to the Export Administration Regulations (“EAR”) anywhere in the world and any person, U.S. or foreign, who deal with these items must comply with the EAR. Notably, U.S. export controls apply not only to the initial exports from the U.S., but also to re-exports from one foreign country to another and in-country transfers of items subject to the EAR. In addition, certain foreign-produced items, even if they never enter the U.S. stream of commerce and even if no U.S. person is involved, may still be subject to U.S. export control jurisdiction. For example, foreign-produced items (e.g., commodities, software, or technology) that incorporate more than a certain de minimis threshold of controlled U.S. content are subject to the EAR, and so are certain foreign-made items produced using U.S. software, technology, or production equipment.
The Guidance Note also discusses recent export controls enforcement actions against non-U.S. persons, including the record $300 million fine against Seagate Technology LLC and its Singapore subsidiary for violating U.S. export controls against Huawei. Civil penalties for export control violations can include not only monetary fines but also the issuance of denial orders, which would essentially cut the entity off from the right to export items subject to the EAR from the U.S. and the right to receive or participate in exports from the U.S. or re-exports of items subject to the EAR.
Criminal Enforcement
In addition to the civil enforcement of sanctions and export controls by OFAC and BIS, the Guidance Note warns that DOJ is authorized to bring criminal prosecutions for “willful” violations of U.S. sanctions and export control laws. The Guidance Note lists a number of recent cases in which DOJ brought charges against “foreign-based actors for allegedly seeking to unlawfully transfer U.S.-manufactured technology to prohibited destinations.” For example, in November 2023, the DOJ announced a guilty plea by Binance, the world’s largest cryptocurrency exchange company, for violations of U.S. sanctions, among other offenses, on the ground that it causes U.S. persons to violate sanctions. According to DOJ, Binance “admitted to knowing that it had a significant number of users from comprehensively sanctioned jurisdictions, such as Iran, as well as a significant number of U.S. users,” and “further knew that its system would cause U.S. users to transact with users in sanctions jurisdictions.”
Compliance Considerations for Non-U.S. Companies
As the U.S. government increases its scrutiny of attempts to evade sanctions and export controls, the Guidance Note highlights key compliance considerations for non-U.S. persons and entities participating in international trade. While the Guidance Note does not, itself, have the force of law, it plainly emphasizes that non-U.S. persons “must ensure that they have robust compliance measures in place to avoid violating U.S. sanctions or export control laws.” This includes taking a risk-based approach by designing, implementing and routinely updating a sanctions and export controls compliance program; establishing strong internal controls and procedures; integrating know-your-customer and geolocation data into compliance screening; training subsidiaries and affiliates to understand relevant regulations and identify red flags; and taking immediate and effective action when issues are identified.