New U.S. Guidance Raises the Export Controls Due Diligence Bar for Financial Institutions under the “High Probability” Standard

U.S. agencies have been priming the enforcement engine by, among other things, issuing export controls and economic sanctions guidance at a high frequency since Russia’s further invasion of Ukraine. They have also been seeking to leverage all available enforcement tools, including emphasizing in guidance issued July 10, 2024, the “high probability” standard under the definition of “knowledge” that runs through the entire Export Administration Regulations (“EAR”).

On October 9, 2024, the U.S. Department of Commerce’s Bureau of Industry & Security (“BIS”) released its latest guidance, this time directed at financial institutions (“FIs”).

The key takeaways are:

1. BIS takes a literal, broad view of the fallback catch-all General Prohibition 10 (“GP 10”) which, among other things, prohibits knowingly financing or “otherwise” servicing items subject to the Export Administration Regulations (“EAR”) “with knowledge that a violation of the [EAR], the Export Control Reform Act of 2018, or any order, license, license exception, or other authorization issued thereunder has occurred, is about to occur, or is intended to occur in connection with the item.”
   
   
2. As we have written previously (see www.hugheshubbard.com/fresh-looks), the same “high probability” standard of knowledge that has driven the past two decades of U.S. Foreign Corrupt Practices Act (“FCPA”) enforcement exists also under the EAR and is propelling the current export controls enforcement engine—but it equally creates opportunities for innovative, risk-based approaches to compliance.
   
   
3. Although FIs have historically devoted enormous efforts and resources to compliance with economic sanctions, the U.S. government’s new emphasis on export controls compliance likely requires FIs to reassess their export controls enforcement risk and corresponding mitigation measures.
   
   
4. BIS provides guidance on its expectations for the due diligence that FIs should perform, including under what circumstances there is a “high probability” of EAR violations absent risk-based due diligence concluding otherwise. FIs should benchmark their current due diligence efforts against these expectations.

We analyze below the October 9 guidance, in what context the guidance should be read and understood, and what expectations the guidance sets for FIs’ export controls due diligence.

Analysis

The GP 10 Catch-All

The October 9 guidance primarily focuses on the applicability of GP 10 on FIs. GP 10 blocks all FIs and other persons from financing or otherwise servicing in any capacity an item subject to the EAR “with knowledge that a violation of the [EAR], the Export Control Reform Act of 2018, or any order, license, license exception, or other authorization issued thereunder has occurred, is about to occur, or is intended to occur in connection with the item.”

Fully understanding the “knowledge” element of GP 10 is critical to avoiding inadvertent violations of the EAR. BIS emphasized throughout the October 9 guidance that the definition of “knowledge” not only includes positive or actual knowledge that diversion exists but also includes the awareness of a “high probability” of its existence or future occurrence.

BIS Best Practices for EAR Due Diligence

The October 9 BIS guidance addresses EAR-related due diligence when FIs onboard new customers and “as part of regular risk-based due diligence thereafter.”

Onboarding New Customers: Making a (Due Diligence) List and Checking it Twice

BIS recommends that FIs’ due diligence begin with the review of new and existing customers against lists of persons subject to BIS’s end user restrictions (including the Unverified list, Entity List, Military End-User List, and Denied Persons List). FIs can screen customers through the publicly available Consolidated Screening List (“CSL”), which includes persons of risk identified by BIS, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), and the Department of State’s Directorate of Defense Trade Controls (“DDTC”).

BIS now also recommends that FIs also check for “red flags” of prior export control evasion by reviewing both new and existing customers against lists of entities that have shipped Common High Priority List (“CPHL”) items to Russia or Belarus since 2023 which can be accessed through the open-source trade data of the Trade Integrity Project (“TIP”).

A particular challenge for FIs will be that BIS further recommends that FIs review—“where appropriate”—customers’ customers. The guidance does not specify the circumstances in which review of customers’ customers would be appropriate; to draw from other “high probability” enforcement regimes, FIs would be well-advised in the absence of such specificity to develop a methodology through which to make and defend the subjective judgments necessary to draw the line between when they do, and when they do not, apply enhanced, EAR-related due diligence to their customers’ customers.

BIS also separately recommends that real-time screening “include all parties to a transaction of which an FI has actual knowledge in the ordinary course of its business, including the ordering customer and beneficiary customer in an interbank financial message.” Although BIS does not expect FIs to request additional names in the context of real-time screening, BIS warns that “FIs may not willfully self-blind or deliberately avoid becoming aware of facts or circumstances,” because “doing so may itself demonstrate ‘knowledge’ for purposes of GP 10.” Here, “knowledge” is defined to include an awareness of a “high probability” of diversion. Documenting and executing a risk-based methodology for determining when to conduct real-time screening and how far it should go in looking for “all parties” to the transaction will be another challenge for FIs.

Ongoing, Post-Transaction Review – Now is Great, But Later Isn’t Too Late

Given the constant evolution of existing restricted party lists and trade data, BIS recommends that FIs regularly check those lists and update their customers’ risk profiles accordingly. While BIS understands that it is unrealistic for FIs to be able to monitor every customer transaction for red flags in real time, it does expect FIs to apply any lessons learned from later-discovered red flags to inform future assessments of risk. BIS warns that such post-transaction discoveries of potential issues “may give rise to ‘knowledge’ for purposes of GP 10 for future transactions involving the same customer or counterparties”—with knowledge defined to include an awareness of a “high probability” of diversion.

Accordingly, BIS recommends that “FIs have risk-based procedures in place to detect and investigate red flags post-transaction and, if necessary, take action to prevent violations of the EAR before proceeding with any transactions involving the same customer or counterparties.” BIS then points to prior guidance that BIS and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) have issued identifying examples of export red flags that are more likely to indicate export controls evasion.

BIS acknowledges that the presence of “certain” red flags would not by themselves indicate a “high probability” of a violation of the EAR, but also warns that certain other red flags might themselves “demonstrate a high probability of evasion.” It provides the following four, non-exhaustive examples of the latter:

• A customer refuses to provide details to banks, shippers, or third parties, including details about end-users, intended end-use(s), or company ownership.
• The name of one of the parties to the transaction is a “match” or similar to one of the parties on a restricted-party list.
• Transactions involving companies that are physically co-located with a party on the Entity List or the SDN List or involve an address BIS has identified as an address with high diversion risk.
• Transactions involving a last-minute change in payment routing that was previously scheduled from a country of concern but is now routed through a different country or company.

While FIs will now want to flag for enhanced due diligence review transactions involving these four scenarios, because the list is not exhaustive it will be necessary for FIs to think holistically and dynamically about the diversion risks they and their customers face. While typical tools and controls might easily flag some of the four specified examples, others might be more difficult to identify—especially if the inputs from customers are provided in “unstructured” data or if country-based screening tools used by FIs do not yet include countries of particular concern under export controls because of their reputation as transshipment hubs.

Real-Time Screening Expectations

The October 9 guidance recognizes that real-time screening of all customers and counterparties is not going to be possible and advises that FIs focus on the EAR-related onboarding and ongoing review measures described above, with one significant exception: BIS does “recommend real-time screening against certain BIS-administered restricted-party lists in certain circumstances to avoid potential violations of GP 10. . . . Specifically, for cross-border payments and other transactions that are likely to be associated with exports from the United States (or re-exports or in-country transfers outside the United States),” The October 9 guidance recommends real-time screening of all parties to a transaction against the names and addresses on the following lists:

• The BIS Denied Persons List, see 15 CFR Part 764, Supplement No. 1;
• Burmese, Cambodian, Cuban, People’s Republic of China (PRC), Iranian, North Korean, Russian, Syrian, Venezuelan, or Belarusian Military-intelligence end users identified in 15 CFR 744.22(f)(2); and
• Certain persons designated on the Entity List, namely:
  • Entities subject to the Entity List Foreign Direct Product (FDP) rule, 15 CFR 734.9(e), and designated with a footnote 4 in the license requirement column of the Entity List in supplement no. 4 to part 744 of the EAR;
  • Entities subject to the Russia/Belarus-Military End User and Procurement FDP rule, 15 CFR 734.9(g), and designated with a footnote 3 in the license requirement column of the Entity List in supplement no. 4 to part 744 of the EAR; and
  • Other persons included on the Entity List and subject to the license review policy set forth in 15 CFR 744.2(d) (related to certain nuclear end uses), 15 CFR 744.3(d) (related to certain rocket systems and unmanned aerial vehicles end uses), and 15 CFR 744.4(d) (related to certain chemical and biological weapons end-uses).

Again, such screening comes with a wrinkle. On the one hand, “BIS does not expect FIs to request additional names of parties for the sole purpose of conducting this real-time screening.” But on the other hand, “FIs may not willfully self-blind or deliberately avoid becoming aware of facts or circumstances, as doing so may itself demonstrate ‘knowledge’ for purposes of GP 10.”

How to respond?

FIs will need to develop methodologies and protocols to make and defend the inherently subjective decisions required to identify—and stay on the right side of—the lines drawn by BIS.

The stakes are high. “In circumstances where there is a match to a party on one of the lists set forth above, BIS recommends that FIs decline to proceed with a transaction until the FI can determine that the underlying export, reexport, or transfer (in-country) is authorized under the EAR (or alternatively not subject to the EAR). Failure to do so risks liability for a knowing violation of the EAR under GP 10.”

* * * *

At Hughes Hubbard, we have extensive experience helping companies to design and implement methodologies through which they can make and defend subjective judgments in “high probability” enforcement regimes. Please contact us for assistance.