BIS Sets Higher KYC Standards for Companies and Universities Over Russia Diversion Concerns 

BIS Sets Higher KYC Standards for Companies and Universities Over Russia Diversion Concerns 

Client Alert

Authors

Summary

On July 10, 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) released new guidance (the “July 10 Release”) outlining different types of precautionary letters (“supplier list” letters, “Project Guardian” requests, “red flag” letters, and “is informed” letters) that BIS may send to “companies and universities” to notify them of “parties of national security concern, such as those that present a risk of diverting [Export Administration Regulations (“EAR”)] items to restricted end uses or end users in Russia.”1 While BIS identifies “companies and universities” as the target audience of the July 10 Release, the heightened diligence requirements would likely apply to any entity whose activities implicate the broadly noted national security risks.  There are three additional key takeaways:  First, BIS’s use of these precautionary letters suggests the rise of “grey area” restrictions—export restrictions that do not appear in the regulations but that nevertheless impose diligence and other requirements on exporters.  Second, BIS has created a novel and unprecedented “new recommended best practice” of requiring companies and universities to review parties not only against publicly available U.S. government  screening lists but also against a list managed by a United Kingdom-based non-governmental organization (“NGO”), the Open-Source Centre, known as the Trade Integrity Project (TIP).2 Amid increased coordination among allied countries on sanctions and export controls enforcement, the use of “supply list” letters and reference to the TIP list signal heightened scrutiny of exporters’ screening responsibilities.  Finally, these “grey area” restrictions may lead to more enforcement of General Prohibition 10, the EAR prohibition on engaging in actions with knowledge that an export violation has occurred, is about to occur, or is intended to occur in connection with an exported item.  While the July 10 Release focuses on BIS’s expectations with respect to certain business involving Russia, it is notable because it could be a harbinger of expanded U.S. government’s diligence expectations for other key markets like China.

I. Background

Since Russia’s invasion of Ukraine in February 2022, the Department of Commerce’s Bureau of Industry and Security (“BIS”) has implemented an array of incrementally tightening export controls to restrict Russia’s access to technologies and items that it needs to sustain the war in Ukraine.3 Along with the European Union, Japan, and the United Kingdom, BIS developed the Common High Priority List (“CHPL”), which includes 50 items that pose a heightened risk of illegal diversion to Russia due to their importance to the Russian military.4 The CHPL is not an exhaustive list of all items that Russia may try to procure, but includes critical items that have been found in various Russian weapons systems used against Ukraine.5 Concerned that Russia is using evasive methods to acquire these items, BIS has increasingly designated parties known or suspected of circumventing export controls to restricted party lists, such as the Entity List.6

In response to requests from industry for more information regarding Russian front companies in third countries, Assistant Secretary Matthew Axelrod explained at BIS’s 2024 Update Conference that BIS “initiated an effort to identify customers of U.S. companies and distributors within supply chains that were continuing to ship high-priority items to Russia.”7 Part of that effort resulted in BIS sending “red flag” letters to “more than 20 U.S. companies, each containing a list of more than 600 suspect foreign parties identified in [commercially available] datasets.”8 Assistant Secretary Axelrod encouraged recipients of these letters to “use heightened due diligence” and to “further augment their export screening efforts by purchasing commercially available datasets of Russian imports and screening against them.”9

II. BIS Guidance on Additional Mechanisms to Alert Companies and Universities About Risks of Diversion to Russia

On July 10, BIS issued guidance for “companies and universities” regarding its key mechanisms for informing exporters of varying degrees of violations or potential violations of export controls rules: supplier list letters, Project Guardian requests, red flag letters, and is-informed letters. While BIS identifies “companies and universities” as the target audience of the Release, the heightened diligence requirements would likely apply to any entity whose activities implicate the broadly noted national security risks. Each of these letters imposes different requirements on entities, and noncompliance with the different obligations carries different risks.  Recipients must therefore pay careful attention to what type of letter they receive and its attendant obligations to ensure full compliance.

In addition, the July 10 Release prescribes a “new recommended best practice” requiring entities involved in the export, reexport or transfer (in-country) of CHPL items to screen transaction parties against a list compiled by the TIP.  The TIP is operated by the UK-based Open-Source Centre and filters public global trade data from 2023 to include only transactions involving goods listed under CHPL Tier 1 and Tier 4.B.10 Although the TIP list does not exhaustively address CHPL items, and TIP acknowledges that the “public data sources used to inform TIP may contain errors, inconsistencies, and blank fields,”11 BIS “strongly encourages” screening against this list as a best practice. It is not clear whether BIS intends to incorporate this data into the Consolidated Screening List maintained by the U.S. Department of Commerce’s International Trade Administration.  Moreover, while it is plausible that commercial screening software providers will begin to incorporate this data, such providers will need time to make these changes. Therefore, entities should determine whether their existing screening processes currently include this data, and, if not, implement a new step in their screening protocols to reflect this guidance.

1. Supplier List Letters

BIS relies on a wide array of public and nonpublic sources to identify potential entities of diversion concern.  As part of its efforts to aid industry and academia in restricting diversion of US technology and items to Russia, BIS may issue supplier list letters to companies or universities identifying entities that BIS has become aware present diversion risks, even if the recipients had not previously engaged in transactions with those entities.12 BIS began sending such letters in March 2024, to identify foreign parties diverting CHPL items to Russia.13

Entities in receipt of such a letter are advised to “closely scrutinize” any transactions with the identified parties to determine whether any red flags, such as those provided in Supplement No. 3 to Part 732 – BIS’s “Know Your Customer” Guidance and Red Flags, are present.”14 Under this prior guidance, entities already had a “duty to check out the suspicious circumstances” to comply with the “know” or “reason to know” standard and not “self-blind” – i.e., cut off the flow of information that comes in during the ordinary course of business in an effort to avoid knowledge of potential red flags.15 The July 10 guidance appears to go further.

While a “supplier list” letter does not impose additional diligence requirements, it is a form of “red flag” in and of itself, imposing a requirement to inquire further regarding an entity on whom the recipient might not otherwise have pursued additional diligence.

2. Project Guardian Requests and Red Flag Letters

BIS “continuously reviews” open-source information, such as industry and news reports, and government data to identify entities of diversion concern, and two ways it shares this information is through so-called “Project Guardian”16 requests and “red flag” letters.17 As Assistant Secretary Axelrod noted in his speech at BIS’s 2024 Update Conference, over the past year, BIS “initiated an effort to identify customers of US companies and distributors within supply chains that were continuing to ship high-priority items to Russia,” and this effort came in the form of red flag letters sent to US companies.18

In a red flag letter, BIS alerts a recipient entity that a particular customer may have reexported or transferred (in-country) an item to a third party in violation of export controls, and the letter recipient had previously exported that same type of item to that named customer.19 In other words, a red flag letter informs a recipient that transacting with the identified customer creates a higher risk that an export violation may occur.  Recipients should conduct additional diligence to resolve red flags before filling any orders from an identified customer.20

In a Project Guardian request, BIS asks the recipient to pay heightened attention to transactions with a specific party or to inquiries about a particular item.21 If the recipient receives an order from a party identified in the request, BIS further asks the recipient to deny or suspend filling of the order, and to contact their local Export Enforcement field office for guidance.22

Importantly, unlike with supplier list letters, if the recipient of a Project Guardian request or red flag letter fails to address or resolve the red flag and engages in the transaction, BIS may consider such failure an aggravating factor in any subsequent BIS enforcement action.23 Conversely, if the recipient cooperates with BIS in response to a Project Guardian request or red flag letter, BIS will consider this cooperation a mitigating factor in any ensuing enforcement action against the recipient, even for unrelated conduct.24

3. Is-Informed Letters

In September 2022, BIS expanded its regulations to include a new is-informed provision under 15 C.F.R. § 744.11.25 Specifically, this expansion allows BIS to “provide specific notice that the export, reexport, or transfer (in-country) of specified items to an identified party requires a license because there is reasonable cause to believe . . . that the entity has been involved, is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States or that an entity is acting on behalf of such entity.”26 The regulations now allow BIS to issue is-informed letters identifying parties that present a “high diversion risk,” including a “high diversion risk of being used to divert items subject to the EAR to end-uses or end-users inconsistent with U.S. foreign policy or national security interests.”27

BIS may issue these is-informed letters to alert recipients of “supplemental license requirements applicable to specific items going to specific entities or destinations, or to specific activities of US persons” due to national security or foreign policy concerns.28 In addition to the scope of the license requirements, the letter specifies “the license review policy that BIS will apply in reviewing such license applications, and the process for submitting such license applications to BIS.”29 Non-compliance with an “is informed” letter is treated the same as non-compliance with any other license requirement under the EAR and may lead to administrative and/or criminal penalties.30

III. Key Takeaways

1. BIS’s Use of These Mechanisms Suggests the Rise of Gray Area Restrictions—Restrictions That Do Not Appear in the Regulations but Nevertheless Impose Diligence and Other Requirements.

While the supplier list letters impose only a requirement to engage in additional diligence, others, like the Project Guardian and red flag letters, impose penalties for failure to comply, including BIS treating such failure as an aggravating factor in a subsequent, even unrelated, enforcement action.  Depending on the target of a letter, no requirement outside the letter and this guidance may exist in the regulations.

With respect to “is informed” letters, even though BIS has regulatory authority to issue such letters, an “is informed” letter imposes heightened export restrictions only on the recipients of the letters, creating a situation where some parties are subject to additional obligations, while others may operate under less stringent export controls simply because they have not received a letter.  Thus, activities that might otherwise be allowed under the regulations—and which some entities are engaging in—are suddenly prohibited to recipients of the “is informed” letter, creating disparate requirements.

However, these actions also signal that BIS is taking more proactive measures to deter illegal diversion of U.S. technologies and items to foreign entities that are of concern but for some reason have not yet been designated to BIS’s public screening lists.  While a gray area, this is an opportunity for recipients to expand their knowledge of potential diversion risks and incorporate that knowledge into their compliance programs.

2. The Supplier List Letters and TIP Website Highlight a New Compliance Obligation and an Enhanced Aspect of Coordination Among Allied Countries.

In addition to the “supplier list” letters, BIS is now “recommending” that entities involved in the export, reexport, or transfer (in-country) of CHPL items screen transaction parties against a list not administered by the U.S. government.

The U.S. Government has a history of using information compiled by NGOs in a variety of compliance-related areas; however, we are not aware of prior instances where BIS has issued guidance recommending screening against lists maintained by an NGO.  This is an example of how BIS is increasingly turning to sources in not only the U.S. but also allied countries for information about possible diversion networks, indicating greater coordination not just in enforcement, as we have seen over the past year, but in evaluating risks and establishing best practices.

Although BIS “strongly encourages” screening against the TIP website and increasing vigilance for transactions involving parties listed in supplier list letters, BIS has not imposed any affirmative requirements or potential penalties for failure to comply with this guidance.  For entities that are used to relying on standard screening processes, reference to these new sources—which draw on input from allied countries—increases diligence burdens.  It also raises the question of what other public sources compiled by parties all over the world might become the next “recommended” source of information and how to incorporate such information into standard compliance procedures.

3. We May See an Increase in Violations of General Prohibition 10 Based on Gray Area Restrictions.

General Prohibition 10, 15 C.F.R. § 736.2(b)(10), prohibits proceeding with a transaction with knowledge that a violation has occurred or is about to occur with respect to the item that is the subject of the transaction. BIS defines “knowledge” to be “positive knowledge that the circumstance exists or is substantially certain to occur” as well as an “awareness of a high probability of its existence or future occurrence.”31 BIS may also infer awareness when there is “evidence of the conscious disregard of facts known to a person” and from “a person’s willful avoidance of facts.”32

Based on these definitions, entities may be hard pressed to disprove knowledge once in receipt of any of the foregoing types of precautionary letters, opening companies to the risk of an increasing number of General Prohibition 10 violations.

Moreover, BIS’s recommendation to consider public sources to identify evasive efforts by foreign adversaries to illegally acquire EAR items could also be read as an awareness rising to the level of knowledge with respect to transactions involving persons identified on those lists.  It remains to be seen whether BIS will take this approach in enforcement, but as entities incorporate this new guidance into their compliance programs, they should be aware of and consider the possibility that BIS will take this position.  Entities should have good recordkeeping and documentation of the decision-making process in case BIS decides to enforce.

IV. Conclusion

Global companies and entities should be vigilant if they receive any of these letters, and determine whether any compliance program enhancements may be required.  While this release focuses on BIS’s expectations with respect to certain activities with Russia, it is notable because it could be a harbinger of the U.S. government’s broader third-party diligence expectations for other key markets like China.  WilmerHale continues to monitor these policy changes closely and is prepared to advise clients on how to respond to these latest developments.

Authors

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.