14 March 202414 minute read

US government reminds non-US companies of requirement to comply with US sanctions and export controls

On March 6, 2024, the US Departments of Commerce, Treasury, and Justice jointly issued a Tri-Seal Compliance Note putting non-US companies on notice that US sanctions and export controls may apply to them and that they must comply with applicable US sanctions and export controls or face severe penalties.[1]

At a recent conference in San Francisco, the Assistant Attorney General for National Security at the Justice Department (DOJ) explained, “the global business community must ensure that they are educated about how these laws apply and take steps to mitigate any risks they may face as a result of their business operations.”[2] The Assistant Secretary of Export Enforcement at the Commerce Department’s Bureau of Industry and Security (BIS) added that “it doesn’t matter where in the world you’re located – if you’re dealing in items subject to the [Export Administration Regulations] EAR, you must comply with U.S. export controls . . .,”[3] and the Director of the Office of Foreign Assets Control (OFAC) emphasized that OFAC would continue to enforce sanctions “in the United States or abroad.”[4]

The Tri-Seal Compliance Note provides background on how non-US parties become subject to US sanctions and export control laws, highlights recent civil and criminal enforcement actions against non-US parties, and advises on appropriate compliance controls to reduce the risk of a violation.

US sanctions and export control laws apply to non-US parties

There are several circumstances in which the operations of a non-US party may be subject to US sanctions, US export controls, or both.

US sanctions

US sanctions assert jurisdiction over US persons wherever in the world located. However, in practice, US sanctions can be applied more broadly to certain conduct by non-US persons. For example, OFAC may assert jurisdiction over non-US persons to enforce US sanctions in the following circumstances:

  • Transactions that have a US nexus are subject to US sanctions jurisdiction, including transactions involving US persons at any stage of the transaction, US goods, or US dollars.

  • Foreign subsidiaries of US companies also may be subject to restrictions under certain US sanctions programs, including US sanctions on Iran, Cuba, and North Korea. In addition, parent companies that exert control over the activities of their foreign subsidiary may themselves become subject to US sanctions because of the actions of the foreign subsidiary with sanctioned countries or persons.

  • A non-US person that causes a US person to violate US sanctions or engage in conduct that evades US sanctions may itself become subject to US sanctions.

Even where there is no US nexus, a non-US person also risks being designated as a Specially Designated National (SDN) if they are determined to have materially assisted, sponsored, or provided financial, material, technological or other support for sanctioned persons or sanctionable activities. This includes any non-US person that is owned 50 percent or more or controlled by a blocked person. Being designated as an SDN would result in being completely cut off from the US economy (US persons are prohibited from all transactions with the SDN and the SDN will be restricted from virtually all transactions that have a US nexus).

Export controls

The US applies its export control laws to goods subject to US export controls regardless of where they are in the world and how many times they have been exported, not just to direct exports from the US. “To put it simply, the law follows the goods,” as the Tri-Seal Compliance Note explains.

US export controls are regulated pursuant to the EAR. Items subject to the EAR include commodities, software, and technology that are located in the United States (including foreign items moving in transit through the United States); all US‐origin items, wherever located in the world; and foreign‐produced items made using certain US controlled technology or equipment. The EAR also restricts certain activities of US persons and US-person involvement in transactions that violate the EAR. The Tri-Seal Compliance Note notes the following:

  • Any person involved in the movement of commodities, software, and technology subject to the EAR must comply with the EAR.

  • The EAR applies to exports of items from the United States and reexports from one country to another and to any in-country transfer between different end-users.

  • Items manufactured outside the United States are subject to the requirements of the EAR if the item contains more than a de minimis amount of controlled US content. “In most situations, a non-U.S.-made item is subject to the EAR if the value of the U.S.-origin controlled content exceeds 25% of the total value of the finished item. For certain destinations (i.e., Cuba, Iran, North Korea, and Syria), the threshold is 10%.”[5]

  • Items manufactured outside the United States are subject to the requirements of the EAR if the item is manufactured using certain US-controlled technology, software, or production equipment (known as the foreign direct product rule) – even if the items never enter US commerce and no US person is involved in the transaction.[6]

Ramped-up enforcement against non-US companies

Over the past two years, BIS, OFAC, and DOJ have led a whole-of-government effort to increase the effectiveness of the US government’s sanctions and export control programs against the governments and certain parties in Iran, Russia, and China, among other countries, through strict enforcement against violators. Individual actions by the agencies and collaborative efforts, including the Disruptive Technology Strike Force, co-led by DOJ and BIS, and DOJ’s Task Force KleptoCapture, have resulted in a significant increase in recent enforcement actions. The Tri-Seal Compliance Note summarizes several illustrative examples of penalties imposed against non-US companies.

Violations of US sanctions and export controls are subject to strict liability – which means a company or individual may face penalties even if the violation was unintentional or unknown at the time. Civil penalties can include fines ranging up to roughly $370,000 per violation or twice the amount of the transaction that is the basis of the violation, whichever is greater. Criminal penalties for intentional violations can be up to $1 million per violation and imprisonment for up to 20 years. Significantly, BIS can prohibit certain business activities, including by issuing a Temporary Denial Order (TDO) suspending the ability for a company to export from the United States, to receive or participate in exports from the US or reexport items subject to the EAR.

The Tri-Seal Compliance Note reinforces the US government’s focus and commitment to compliance with sanctions and export controls broadly, and we understand from recent US government actions that the focus for enforcement continues to be related to Russia’s invasion of Ukraine, the embargo on Iran, and the export controls on critical technology to China.

Among the examples cited was a $300 million settlement with a US data storage company and its affiliate in Singapore for shipping millions of hard disk drives to Huawei (a Chinese entity restricted under US export controls) – the largest BIS standalone administrative settlement in its history. The Tri-Seal Compliance Note cited several other key examples of enforcement against non-US companies, including the following:

  • OFAC settled for $6.1 million with an Australian freight forwarding and logistics company for violating US sanctions on Russia. The company originated or received payments through the US financial system related to shipments involving Iran, North Korea, and Syria, countries subject to comprehensive US sanctions prohibitions. The company was liable under US sanctions because it “caused U.S. financial institutions to transact with blocked persons and export financial services to sanctioned jurisdictions.” OFAC stated that the company “recklessly fail[ed] to adopt or implement policies” that would have prevented the violations.

  • A Sweden-based international financial institution recently settled with OFAC for about $3.4 million related to violations of US sanctions on Crimea. One of the financial institution’s e-banking platform customers used an internet protocol address associated with Crimea when sending payments to other persons also in Crimea. OFAC asserted jurisdiction because the payments were processed through US correspondent banks. Among other factors cited for the settlement with the financial institution was that it “failed to exercise due caution or care in neglecting to account for information in its possession regarding its Client’s presence in Crimea and by solely relying on the Client’s assurances when it possessed contrary information, including KYC and IP data.”[7]

  • DOJ, OFAC, and Treasury’s Financial Crimes Enforcement Network obtained a guilty plea, civil settlements, and undertakings (including a multiple-year independent compliance monitor) from the world’s largest cryptocurrency exchange and guilty plea of its founder (a Canadian National) for various offenses, including violating US sanctions laws. The cryptocurrency exchange acknowledged that it was aware of a significant volume of users in both the US and Iran. Despite this knowledge, it further admitted that it failed to design or implement controls to prevent trades between its US and Iranian users, resulting in close to $900 million in trades between users based in the two countries over a four-year period. The cryptocurrency exchange agreed to a $4.3 billion financial penalty for violations of the Bank Secrecy Act, as well as nearly $1 billion to settle potential civil liability for more than 1.6 million apparent violations of multiple sanctions programs.

Additionally, although not specifically covered in the Tri-Seal Compliance Note, other recent, key OFAC resolutions further highlight OFAC’s focus on non-US companies, including one involving a tobacco and cigarette manufacturer headquartered in London, which agreed to pay over $508.6 million to settle its potential civil liability for apparent violations of sanctions targeting North Korea and weapons of mass destruction proliferators. The apparent violations arose from the export of tobacco and related products to North Korea and receipt of payment for those exports through the US financial system and from the use of US financial institutions to receive or otherwise process US dollar-denominated payments for the sale of cigarettes. In doing so, the company caused US financial institutions to process wire transfers that contained the blocked property interests of sanctioned North Korean banks and to export financial services and facilitate the exportation of tobacco to North Korea. The settlement amount equaled the statutory maximum civil monetary penalty due to OFAC’s determination that the violations were egregious and not voluntarily self-disclosed.

Compliance considerations

The Tri-Seal Compliance Note reaffirms the compliance measures that OFAC, BIS, and DOJ expect companies to consider in balancing their compliance risk – a balance that companies should recalibrate in today’s heightened enforcement environment. Although companies should tailor their compliance controls to their business, the Tri-Seal Compliance Note offers some helpful insight and recommendations, including that companies are encouraged to take the following steps:

  • Develop, implement, and routinely update a US sanctions and export controls compliance program, including an assessment of risk exposure and compliance policies that reflect corporate awareness and commitment to compliance.

  • Establish strong internal controls and procedures to ensure that all payments and the movement of goods and services comply with applicable US sanctions and export control laws. These controls should address compliance by affiliates, subsidiaries, agents, or other counterparties.

  • Integrate know-your-customer and know-your-customer’s customer information and geolocation data into compliance screening protocols and update such information on an ongoing basis.

  • Conduct training for employees on US sanctions and export control requirements.

  • Identify and implement measures to mitigate sanctions and export control risks prior to merging with or acquiring other entities.

  • Take prompt and effective action when addressing compliance issues, and submit voluntary self-disclosures for apparent violations of US sanctions or export control laws.

Key takeaways

  • An effective US sanctions and export controls compliance program has never been more important for US and non-US companies. US enforcement agencies continue to demonstrate their aggressive pursuit of violations of US sanctions and export control laws, including from non-US parties. The Tri-Seal Compliance Note signals that the US government will continue to prioritize civil and criminal enforcement action against non-US parties and scrutinize the compliance practices in considering penalties. US and non-US companies are encouraged to familiarize themselves with the requirements of US sanctions and export control laws and adopt and implement a compliance program that is appropriately tailored to the risks based on their operations, products, business model, and geographical footprint. Companies that do not have a proper compliance program are at risk. In this regard, since May 2019, OFAC has made clear its expectations by publishing on its website a document titled, “A Framework for OFAC Compliance Commitments.”[8] The essential components of a risk-based sanctions compliance program set forth in the Framework are also routinely cited in OFAC’s published penalty notices.

  • Parties may be liable for violations even if their involvement is indirect. Companies may be liable for US sanctions and export control fines and other penalties based on conduct and transactions of their customers, distributors, and other third parties. OFAC regularly cites improper due diligence on customers as a root cause of compliance deficiencies that lead to violations.[9] Especially when providing new technology and/or services globally, companies may be held responsible for knowledge of the information reasonably available to them, and OFAC expects a compliance program to properly screen and consider those data inputs before engaging in transactions. This may include analyzing various data sources such as traditional address information, IP and/or geo-location, and others. Moreover, for multinational companies seeking to comply with OFAC’s rules, sharing information across jurisdictions presents challenges in the face of data localization laws in the EU and China.

  • Penalties for violations of US sanctions and export controls can be severe. Recently published enforcement actions against non-US companies and individuals demonstrate the US government’s broad range of enforcement authority, including civil penalties, TDOs denying export privileges, public designations denying access to the US financial system, imprisonment, civil and criminal forfeiture of property and funds, or a combination thereof. We may expect to see regular enforcement actions and severe penalties as US sanctions and export controls continue to be a primary tool for achieving US national security and foreign policy objectives.

DLA Piper has a robust sanctions and export controls practice providing global coverage and deep experience with complex compliance, licensing, and enforcement matters. Find out more about the implications of the Tri-Seal Compliance Note for your business and compliance with sanctions and export controls by contacting any of the authors.

For more information

Please contact any of the partners of the National Security and Global Trade practice:

Nate Bolin 
Christine Daya 
Melanie Garcia 
Nicholas Klein 
Richard Newcomb 
Ignacio E. Sanchez 

[1] See US Dep’t of Commerce, US Dep’t of the Treasury, and US Dep’t of Justice, Tri-Seal Compliance Note, Obligations of foreign-based persons to comply with US sanctions and export control laws, at 2 (Mar. 6, 2024) (Tri-Seal Compliance Note). OFAC is primarily responsible for administering and enforcing US economic sanctions. The Department of Commerce’s Bureau of Industry and Security (BIS) administers and enforces certain export controls. The Department of Justice (DOJ) is the chief law enforcement agency of the US.
[2] US Dep’t of Commerce, US Dep’t of the Treasury, and US Dep’t of Justice, Departments of Justice, Commerce and Treasury Issue Joint Advisory on Compliance of Foreign-Based Persons with Sanctions and Export Laws, https://www.justice.gov/opa/pr/departments-justice-commerce-and-treasury-issue-joint-compliance-note-obligations-foreign (Mar. 6, 2024).
[3] Id.
[4] Id.
[5] The EAR’s de minimis content requirements are found in 15 C.F.R. §§ 734.4(c)-(d).
[6] 15 C.F.R. §§ 734.9, 736.2(b)(3).
[7] US Dep’t of the Treasury, OFAC Settles with Swedbank Latvia for $3,430,900 Related to Apparent Violations of
Sanctions on Crimea
(June 20, 2023), https://ofac.treasury.gov/media/931911/download?inline.
[8] See OFAC, A Framework for OFAC Compliance Commitments (May 2, 2019), https://ofac.treasury.gov/media/16331/download?inline.
[9] See, e.g., id. at 10.

Print