In conjunction with the Group of Seven (G7) leaders meeting in Italy earlier this month, key jurisdictions issued the latest in a series of coordinated economic restrictions on Russia in light of its invasion of Ukraine in February 2022. The United States unveiled a sweeping series of sanctions and export controls to further curtail economic activity with Russia and Belarus, with notable impacts on information technology (IT) services, and foreign financial institutions, among others. While most of the new actions are specific to Russia, the United States has, for the first time, adapted the Entity List to restrict exports to specific addresses, as opposed to named entities. The EU countries also agreed to a 14th sanctions package to counter Russia, targeting Russia’s natural gas industry for the first time. The United Kingdom issued many parallel measures. This alert highlights the most salient US, EU and UK actions companies should be mindful of in their cross-border activities.

US Sanctions Designations and Export Control Actions

On June 12, 2024, the US Department of the Treasury’s (Treasury) Office of Foreign Assets Control (OFAC) and the State Department announced significant new sanctions against Russia, including expanding the risk of secondary sanctions for foreign financial institutions, restricting access to certain US software and IT services, and limiting revenue from liquefied natural gas.

The action also added more than 300 individuals and entities within and outside of Russia on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) List.¹ These include identifying the foreign locations of certain designated Russian banks and designating key elements of the Russian financial infrastructure, namely the Moscow Exchange (MOEX), which “operates Russia’s largest public trading markets for equity, fixed income, derivative, foreign exchange, and money market products”; the Non-Bank Credit Institution Joint Stock Company National Settlement Depository (NSD), which is “Russia’s central securities depository”; and the National Clearing Center (NCC), Russia’s largest clearing service provider.² OFAC simultaneously issued General Licenses (GLs) 98, 99 and 100, which authorize wind downs involving some of the blocked entities; transactions related to the debt or equity of MOEX, NCC or NSD, or derivative contractors involving MOEX, NCC or NSD; and transactions related to the debt or equity or the conversion of currencies involving MOEX, NCC or NSD. 

Additional key designations include the Gas Industry Insurance Company Sogaz (Sogaz), the Joint Stock Company Russian National Reinsurance Company (RNRC), and entities related to three liquefied natural gas (LNG) projects: Obsky LNG, Arctic LNG 1 and Arctic LNG 3.³

Complementing OFAC’s actions, the US Department of Commerce’s Bureau of Industry and Security (BIS) announced new export restrictions, which were published as a final rule in the Federal Register on June 18, 2024 (the Final Rule).⁴ The Final Rule targeted Russia’s attempts to circumvent US export controls by restricting the trade of additional items destined for Russia and Belarus, designating a number of entities on its Entity List, and, among other things, making certain ministerial changes to the rules.⁵ BIS expanded controls on Russian and Belarusian industry by adding various items to supplement no. 4 to part 746 of the Export Administration Regulations (EAR). These restrictions take the form of 522 new Harmonized Tariff Schedule (HTS)-6 Code entries that should “further limit Russia’s access to items of potential military significance and expand the economic impact of controls that will deny Russia additional resources it needs to continue waging war.”⁶ BIS noted that “[m]ost remaining trade with Russia is limited to agricultural or medical sectors.”⁷ This is consistent with License Exception “MED,” which provides an avenue to export medical devices to Russia without an export license under certain conditions, as detailed in a prior WilmerHale client alert.⁸

Meanwhile, BIS narrowed the scope of the License Exception Consumer Communications Devices (CCD) to clarify which commodities and software are eligible for export to Belarus, Russia, and Cuba, and which are eligible for export only to Cuba.⁹ Notably, items such as lower-level graphic processing units are now no longer eligible for export to Russia or Belarus under this exception.¹⁰

Secondary Sanctions Risk Expanded for Foreign Financial Institutions

Under Section 11(a)(ii) of Executive Order (EO) 14024, as amended, Treasury previously could impose secondary sanctions on a foreign financial institution for conducting or facilitating a “significant transaction” for or on behalf of any person designated for operating or having operated in “Russia’s military-industrial base.”¹¹ In its June 12 action, OFAC expanded the definition of “Russia’s military-industrial base” to include not only “any person operating in the technology, defense and related materiel, construction, aerospace, and manufacturing sectors of the Russian Federation economy” but also any service involving any of the over 1,000 persons and entities blocked pursuant to EO 14024, including designated Russian banks such as VTB Bank Public Joint Stock Company (VTB) and Public Joint Stock Company Sberbank of Russia (Sberbank).¹² Available GLs however, still apply.

In conjunction with this action, OFAC released an updated sanctions advisory for foreign financial institutions, warning them that “conduc[ting] or facilitat[ing] significant transactions or provid[ing] any service involving Russia’s military-industrial base run[s] the risk of being sanctioned by OFAC.”¹³ The advisory includes examples of specific activity that could expose foreign financial institutions to sanctions risks, how they can identify and mitigate such sanctions risks, examples of high-risk foreign financial institutions, reminders of past sanctions, and export controls evasion guidance, as well as transactions considered permissible (i.e., covered by existing OFAC GLs). This advisory has particular import for Chinese financial institutions.

New Regulations Governing the Sale and Export of IT and Software Services

OFAC issued a new determination pursuant to Section 1(a)(ii) of EO 14071 targeting the provision of certain IT services (the “IT and Software Services Determination”) to Russia.¹⁴ The action prohibits “[t]he exportation, reexportation, sale, or supply, directly or indirectly, from the United States, or by a United States person, wherever located, of IT consultancy and design services or of IT support services or cloud-based services” to Russia.¹⁵ The prohibitions are intended to restrict the Russian military-industrial base’s access to certain software and IT-related services and will take effect on September 12, 2024. Excluded from the scope of the prohibitions are services provided to an entity in Russia owned or controlled by a US person, in conjunction with a wind down or divestiture of an entity owned or controlled by a Russian person, and for software licensed, otherwise authorized or eligible for a license exception by BIS.¹⁶  

OFAC also updated certain GLs authorizing transactions related to trade in agricultural commodities, medicine, medical devices, telecommunications and certain internet-based communications in light of the IT and software services restrictions noted above.

In conjunction with OFAC’s action, BIS imposed a license requirement for the export, reexport or transfer (in-country) to or within Russia or Belarus of certain EAR99-designated software:¹⁷  enterprise resource planning (ERP); customer relationship management (CRM); business intelligence (BI); supply chain management (SCM); enterprise data warehouse (EDW); computerized maintenance management system (CMMS); project management software, product lifecycle management (PLM); building information modelling (BIM); computer aided design (CAD); computer-aided manufacturing (CAM); and engineering to order (ETO).¹⁸ These types of software are consistent with those targeted by OFAC in the abovementioned determination.¹⁹ The Final Rule, however, carves out an exception for “entities engaged exclusively in the agriculture or medical industries.”²⁰ The Final Rule also incorporates exceptions listed under the revised EAR § 746.8(a)(12)(ii) and the case-by-case exceptions articulated under the revised § 746.8(b)(3).²¹ This new licensing requirement is effective September 16, 2024.²²

The combination of OFAC’s and BIS’ actions effectively restricts the export or transfer of day-to-day IT software used by entities in Russia outside the agricultural and medical sectors. Essentially, every other business operating in Russia with a US ERP system and other covered software would require a license to operate its software after 90 days. Such a restriction would accompany those imposed in the European Union’s 12th package of sanctions adopted in December 2023 to restrict these activities.²³ Ultimately, multinationals and banks subject to US and EU controls and operating in Russia will likely need to have all IT services licensed to continue to operate in Russia.

Requiring Entity-Independent Address Screening for the Entity List

While BIS made some additions to the Entity List, including Chinese entities that have furnished assistance to Russia, it also made a significant structural change to the Entity List by revising the regulations such that it can now add specific addresses—without an accompanying entity—to the Entity List.²⁴ BIS reasoned that shell companies “can easily be dissolved and reformed to evade sanctions and export controls” and often rely on service providers to provide them physical assets to undertake illicit trade.²⁵ BIS thus noted that “[t]he goal of this rule is to more effectively combat unlawful diversion and to incentivize a stronger awareness of export compliance among the corporate service provider industries that facilitate trade through shell companies.”²⁶ BIS modified its regulations so that it “may identify by address an entity (or multiple entities) on the Entity List that presents a high risk of diversion without an associated entity name.”²⁷ BIS utilized its revised regulations to designate several addresses in China and Russia, noting that “[t]hese addresses are associated with significant transshipment of sensitive goods to Russia. BIS verified that these addresses are associated with a significant number of entities, whose activities risk violating the EAR.”²⁸

This structural revision poses serious compliance challenges, as screening tools and controls used by companies typically screen for entity names, not physical addresses. BIS itself has noted that “[t]his new rule requires enhanced client screening by the foreign corporate services industry.”²⁹ Many businesses need to consider expanding their controls to capture not only restricted entities but also restricted addresses in order to ensure compliance with the Final Rule.

New Ban on Kaspersky Products and Services

These are not the only actions targeting dwindling US-Russia trade ties: on June 24, 2024, the US government outlined a ban to become effective September 29, 2024, on future US sales of software, upgrades and services from the Russia-based Kaspersky Lab, under Commerce Department rules empowering the agency to exclude items from the US information and communication technology sector upon determining that the items present an unacceptable national security risk.³⁰ Kaspersky products and services have been banned from US government contracts since 2018.

Adoption of the 14th EU Sanctions Package

On June 24, the European Union adopted a 14th package of sanctions against Russia.³¹ In the package, the European Union expanded its asset freeze list to cover an additional 116 individuals and entities.³² This package also includes, for the first time, a ban on reloading services of Russian LNG in EU territory for transshipment to third countries, covering both ship-to-ship and ship-to-shore transfers.³³ New investments and the provision of goods, technology and services for the completion of Russian LNG projects, such as Arctic LNG 2 and Murmansk LNG, are prohibited, dovetailing with the US restrictions noted above.³⁴ There are also detailed phase-in and wind down provisions for certain related contracts.³⁵

The EU’s 14th sanctions package provides new targeted measures and aims to maximize the impact of existing sanctions by closing loopholes.  EU parent companies must ensure their third-country subsidiaries do not engage in activities that circumvent EU sanctions.³⁶ The EU’s 12th sanctions package, adopted in December 2023 already required EU operators selling battlefield goods or other sensitive goods and technology that are critical to the development, production or use of Russian military systems to third countries to contractually prohibit the reexportation of such goods to Russia or for use in Russia. The 14th sanctions package strengthens this obligation by explicitly providing that EU operators must also implement due diligence mechanisms capable of identifying and assessing risks of exportation to Russia and mitigating such risks.³⁷ Contracts involving the transfer of industrial know-how for the production of such goods must include provisions to prevent use by Russia.³⁸ The 14th sanctions package also requires EU operators to use best efforts to ensure that any entity established outside the European Union that they own or control does not participate in activities that undermine EU sanctions.³⁹

The adopted measures also restrict helium imports from Russia as well as Russian access to additional dual-use technologies.⁴⁰ The 14th package bans Putin’s so-called dark fleet and banking network abroad.  Specifically, 27 specific vessels contributing to Russia’s warfare against Ukraine are banned from EU ports, including tankers and vessels transporting military equipment or stolen Ukrainian grain.⁴¹ The 14th package also prohibits EU entities from using the “System for Transfer of Financial Messages” (SPFS), a financial messaging service developed by the Central Bank of Russia to neutralize the effect of sanctions.⁴² The prohibition on EU entities connecting to the SPFS does not apply to payments under contracts performed before March 24, 2024.⁴³

The package also enhanced the EU ban on flights to and from Russia and on overflying EU territory to include nonscheduled flights where a Russian individual or entity is in a position to determine the place or time for the takeoff or landing of the flight (e.g., to reach a business meeting or a holiday destination). The prohibition on road transport by EU operators with significant Russian ownership is also broadened to include EU operators that are owned 25% or more by a Russian natural or legal person.⁴⁴ The package expands intellectual property restrictions to prohibit the registration of certain intellectual property rights by Russian nationals and companies in the European Union.⁴⁵ Lastly, the European Union prohibited trade in Ukrainian cultural property goods suspected to have been unlawfully removed from Ukraine.⁴⁶

UK Continues to Target Facilitation and Circumvention

Recent UK sanctions developments have also focused on combating circumvention.

On June 13, the United Kingdom announced 50 new sanctions designations in lockstep with its G7 allies.⁴⁷ As of May 28, the United Kingdom had expanded the scope of categories of persons whom the government could designate under the Russia sanctions regulations.⁴⁸ Previously, the designations applied to persons involved in “obtaining a benefit from or supporting the Government of Russia,” or “destabilizing Ukraine or undermining its territorial integrity, sovereignty or independence.”⁴⁹ These definitions were broadened to include persons providing financial services, or making available funds, economic resources, goods or technology, to those falling within the existing definitions, enabling the UK government to directly sanction entities supporting Russia’s war effort through facilitation or circumvention. Using its expanded designation powers, the government sanctioned 21 suppliers of munitions, machine tools, microelectronics and logistics to Russia’s military, including entities based in China, Israel, Kyrgyzstan and Turkey.  In coordination with the United States, the United Kingdom also sanctioned key institutions within Russia’s financial system, including MOEX.

Furthermore, previously, on May 28, the Office of Financial Sanctions Implementation (OFSI) implemented a new General Licence permitting non-sanctioned individuals to utilize retail banking services of a credit or financial institution designated under the United Kingdom’s Russia sanctions, subject to certain conditions.⁵⁰ These conditions include that any payments must be for the personal use of the individual, and their totality must not exceed £50,000 during the term of the license (which expires on May 27, 2026). This change will reduce the burden on OFSI’s licensing regime, allowing it to focus resources on more complex licensing cases.

Key Takeaways

The US, EU and UK actions outlined above strongly indicate that the universe of permissible transactions with Russia continues to contract significantly.  Global companies and financial institutions should continue to evaluate their direct and indirect exposure to these multi-jurisdictional Russia-related sanctions risks.