Banks and other financial institutions (FIs) play a crucial dual role in the U.S. financial system: they are financial intermediaries and regulatory gatekeepers. With their comprehensive access to transaction data, FIs must maintain robust risk-based compliance programs under the Bank Secrecy Act (BSA) to detect, deter, and report suspicious activities such as money laundering and sanctions evasion. Beyond these traditional compliance obligations, FIs are uniquely positioned to guard against violations of the Export Administration Regulations (EAR), which are administered and enforced by the Commerce Department’s Bureau of Industry and Security (BIS).
On October 9, 2024, BIS released its New Guidance to Financial Institutions on Best Practices for Export Administration Regulations. This guidance recognizes the universal presence of FIs in export transactions and builds upon their existing compliance infrastructure. BIS emphasized this connection in announcing the guidance, noting: “Every export – every single one – has a related financial transaction.”
The BIS guidance reminds domestic and foreign FIs of their obligation under EAR General Prohibition 10 to not knowingly facilitate export violations. To avoid violations of GP 10, BIS outlines four core compliance steps:
- Initial and ongoing screening against export control lists;
- Enhanced due diligence for high-risk transactions;
- Risk-based customer and transaction derisking; and,
- Reporting and self-disclosing EAR violations.
Additionally, BIS reminds FIs to file suspicious activity reports (SARs) under the BSA, as directed in three alerts issued jointly by the BIS and FinCEN,[1] and that those agencies said successfully generated SAR filings.[2]
The guidance emerges during a period of intensified export regulation and enforcement driven by national security and foreign policy concerns. BIS explains that while responsibility for export compliance “has traditionally been of greatest concern to exporters,” “FIs’ responsibilities under the EAR have increased significantly following Russia’s further invasion of Ukraine in 2022 and the enhanced national security and foreign policy imperative to restrict China’s military modernization efforts and commission of human rights violations.” The guidance signals BIS’ readiness to enforce the EAR against FIs.
The Export Administration Regulations: Scope and Extraterritorial Reach[3]
The EAR governs dual-use items, commodities, software, and technology— those with both civilian and military applications.[4] The EAR encompasses three key activities: exports from the United States, reexports between foreign countries, and in-country transfers where end uses or users change within a foreign country.
Items “subject to the EAR” include foreign-made products that exceed de minimis levels of U.S. content, as well as foreign direct products of U.S. software, technology, or plants or major components of plants.[5] Additionally, the EAR applies to certain U.S. person activities worldwide, such as those related to weapons proliferation and “foreign military, security, or intelligence services.”[6]
The EAR is extraterritorial in scope. As the Departments of Commerce, Treasury (OFAC), and Justice said in their March 6, 2024 Tri-Seal Compliance Note on obligations of foreign-based persons to comply with U.S. sanctions and export control laws: “U.S. export control laws may extend to items subject to the EAR anywhere in the world, and to foreign persons who deal with them . . . the law follows the goods.”
General Prohibition 10 Applicable to U.S. and Foreign FIs
In addition to controls on specific items, the EAR imposes ten “general prohibitions” of varying applicability.[7] The last of them is General Prohibition 10 (GP 10). GP 10 applies to all transactions involving items “subject to the EAR,” and is the core of the BIS guidance.[8] GP 10 prohibits direct violations of the EAR and facilitation of EAR violations, including through financing. A person may not under GP 10 proceed with a transaction “with knowledge that a violation” of the EAR has occurred, is about to occur, or is intended to occur.[9]
A. GP 10 “Knowledge” Standard
Understanding the EAR’s “knowledge” standard is necessary to implement the BIS guidance. “Knowledge” “of a circumstance” includes “positive knowledge that the circumstance exists or is substantially certain to occur” and “awareness of a high probability of its existence or future occurrence. Awareness is inferred from evidence of the conscious disregard of facts known to a person and is also inferred from a person’s willful avoidance of facts.”[10]
The guidance notes that “exporters generally have more information than FIs about whether an item may be subject to the EAR.” FIs may not, however, unreasonably rely on customer representations of export compliance, such as when they have reason to know the representations are false. In short, FIs are obliged to review export transaction information and inquire where circumstances suggest an actual, potential, or intended EAR violation. FIs may not “willfully self-blind.”
Like the rest of the EAR, GP 10 follows things and activities “subject to the EAR.” “FIs and other persons (regardless of location, country in which they are headquartered or registered, or nationality)” may not knowingly violate or facilitate violations of the EAR.
B. FIs Involved in Trade Finance May Have Greater Knowledge
An FI’s “knowledge” and degree knowledge may vary with the nature of its business. The most recent-FinCEN-BIS alert observes that FIs “directly involved in providing trade financing for exporters also may have access to information relevant to identifying potentially suspicious activity,” including “customers’ end-use certificates, export documents, contracts, or other documentation, such as those associated with letters of credit-based trade financing.” More knowledge may be attributed to FIs “directly involved” in trade finance.
C. The Guidance Provides Knowledge of Specific Semiconductor Export Controls
BIS reminds FIs that under EAR’s Foreign Direct Product Rules, “nearly all foreign-produced microelectronics and integrated circuits, including items bearing the brand name of a company headquartered in the United States, are subject to the EAR when destined for Russia, Belarus, or Iran, or a Russia/Belarus Military End User or Procurement entity anywhere in the world, regardless of where such items are manufactured.” The provision of this information gives FIs reason to know that export transactions involving the specified items and end users and uses may violate the EAR.
Financial Institutions’ Export Compliance Obligations Under GP 10
A. Initial and Ongoing Due Diligence: Screening Names and Addresses Against Export Lists and Using Interbank Messaging Information
BIS advises FIs to conduct real-time screening of export transaction party names and addresses, including sourced from the “ordering customer and beneficiary customer” fields of interbank financial messages.[11]
1. Customer and Customers’ Customers Screening Against BIS Lists
When onboarding new customers and “as a part of regular risk-based due diligence,” FIs should screen customers against “lists of persons subject to the BIS’ end-user restrictions.” Those lists are the:
The above lists, along with BIS lists below and OFAC sanctions and State Department/DDTC ITAR lists, may all be searched using the Commerce Department’s Consolidated Screening List (CSL).
2. Screening Customers and Customers’ Customers for CHPL Shippers to Russia
BIS recommends that FIs also screen customers and, “where appropriate,” customers’ customers, against lists of persons who have shipped Common High Priority List (CHPL) items to Russia since 2023. The CHPL, developed with Japan, the EU, and UK, alerts “industry” to “50 common high priority items” that “pose a heightened risk of being diverted illegally to Russia because of their importance to Russia’s war efforts.” BIS advises FIs to obtain lists of CHPL shippers from commercial providers or the Trade Integrity Project, “an initiative of the U.K.-based Open-Source Centre.”[12]
3. Additional Screening Related to Cross-Border Payments
For “cross-border payments” and other transactions likely “associated with exports,” reexports, or in-country transfers, BIS recommends “real-time screening” against the following lists.
- Denied Persons List;
- Military-intelligence end user lists at 15 C.F.R. § 744.22(f)(2) and applicable to Belarus, Burma (Myanmar), Cambodia, Cuba, China, Iran, North Korea, Russia, Syria, and Venezuela.
- Persons on the Entity List:
- pursuant to the Entity List Foreign Direct Product Rule at 15 C.F.R. § 734.9(e) and designated with a footnote 4 in the license requirement column; or
- pursuant to the Russia/Belarus-Military End User and Procurement Foreign Direct Product Rule and designated with a footnote 4 in the license requirement column; or,
- subject to the restrictive license review policy at 15 C.F.R. 744.2(d) (nuclear end use), 15 C.F.R. § 744.3(d) (rocket and unmanned aerial vehicle end use), or 15 C.F.R. § 744.4(d) (chemical and biological weapons end use).
4. Ongoing Screening
BIS notes that EAR due diligence is not “one-and-done.” FIs should continually screen customers, and customers’ customers, against the BIS and CHPL lists, as those lists are “updated continuously.”
5. FIs Should Not Proceed with Export Transactions Involving a List Match
Where an export transaction party matches a party on a list, BIS advises FIs to not proceed “until the FI can determine that the underlying export, reexport, or transfer (in-country) is authorized under the EAR (or alternatively not subject to the EAR).” Failure to verify EAR compliance in such cases “risks liability for a knowing violation” of GP 10.
B. Ongoing and Enhanced Due Diligence
1. FI Determination of EAR Applicability; Customer Certification of EAR Compliance
The BIS regards transactions involving a BIS or CHPL-related list party “to be of particularly high risk of involving a GP 10 violation,” and recommends enhanced due diligence (EDD).[13] In such cases, BIS advises FIs to take two steps. First, to determine if the “customer is engaged in export, reexport, or transfer of items subject to the EAR.” That step requires EAR knowledge on the part of the FI.
If the EAR applies, an FI should, second, “ask” the customer to “certify” that it has “sufficient controls” to “comply with the EAR, including screening . . . exercising heightened due diligence for exports, reexports, or transfers to destinations subject to BIS-administered embargoes or broad trade restrictions, such as Russia; and engaging in enhanced due diligence processes for items included on the” Commerce Control List (CCL).
BIS does not expect FIs to validate the veracity of customer certifications or the quality of their compliance programs. The certification requirement may be useful in future enforcement against FI transaction parties, considering that FIs are skilled makers of records and making false statements to certain FIs may, depending on facts, give rise to EAR or collateral liability for certifying parties.[14]
2. Post-Export Transaction Review for Red Flags; Heightened GP 10 Violation Risk
BIS recommends ongoing post-transaction review when one of the following four red flags, or the red flags listed in FinCEN-BIS alerts, are present, or when “all of a transaction’s surrounding facts and circumstances” require. The presence of certain red flags “may be sufficient to constitute ‘knowledge’ under the EAR.”
- Customer refusal to furnish transaction details to banks, shippers, or third parties, including about end use, end user, or company ownership.
- A transaction party name is a match or similar to a name on a BIS-restricted list.
- A transaction involves companies that are “physically co-located” with a person on the Entity List or an SDN (Specially Designated National under OFAC-administered sanctions), or an address identified with CHPL-related “high diversion risk.”
- There is “a last-minute change in payment routing that was previously scheduled from a country of concern” and is re-routed through a different country or company.
To resolve red flags, BIS advises FIs to confirm that the EAR is inapplicable, that no license requirement applies, or that the export activity is authorized under a BIS license or license exception. If a customer represents that an export transaction is authorized under a license, the FI should obtain a copy of the license from the customer, or the license Application Control Number to track license status in the System for Tracking Export License Applications (STELA). BIS notes that it “does not generally authorize transactions that would otherwise be prohibited by GP 10,” and thus implicitly advises FIs to scrutinize, or not rely on, representations that a license has been secured.
Under the guidance, post-transaction review is most valuable, considering that “FIs will likely not have sufficient information to individually assess every transaction for potential EAR violations before proceeding” with a transaction, except for real-time screening. Post-transaction review is also the phase in which FIs have the greatest risk for GP 10 violations. Failure to act on information obtained post-transaction “may give rise to ‘knowledge’ for purposes of GP 10” in future transactions involving the same customers and counterparties (i.e., customers’ customers).
C. Derisking Customers and Transactions to Avoid GP 10 Violations
The guidance recommends ad hoc derisking in two situations. First, if an FI is unable to resolve any one of the four above red flags, BIS recommends refraining from future transactions with “the relevant transaction parties.” “Otherwise, the FI risks liability for a violation” of GP 10.
Second, BIS advises FIs to “weigh heavily a customer’s presence on” the above BIS lists “when determining the customer’s overall risk profile for potential EAR violations—including in connection with the receipt of services.” The guidance notes that a party’s presence on a BIS list does not prohibit the provision of FI services, such as a blocking sanction would.[15] However, the recommendation to disengage customers would, when implemented, result in a sanctions-like bar on U.S. financial services on an FI-by-FI basis.
D. Export-Related SARs for Reporting, Due Diligence, and Derisking
Consistent with prior FinCEN-BIS alerts, BIS “expects FIs to report all suspicious activity related to EAR violations” using export terms “FIN-2022-RUSSIABIS” and “FIN-2023-GLOBALEXPORT,” as directed in FinCEN-BIS alerts.
SARs also aid the enhanced due diligence outlined in the guidance. After an SAR is filed, “BIS may provide the FI with additional information that would establish knowledge that a violation of the EAR has occurred, is about to occur, or is intended to occur.”
E. Voluntary Self-Disclosures
In addition to reporting EAR violations and suspicious activity by others, BIS encourages FIs to voluntarily disclose their own violations of the EAR. A voluntary self-disclosure (VSD) is a mitigating factor under the EAR’s enforcement provisions.[16]
Practical Steps for FIs and Customers
Although lacking the formality of a statute, regulation, or administrative rulemaking, the BIS guidance is significant. U.S. and foreign FIs should carefully determine how to efficiently incorporate the guidance into their existing BSA and other compliance protocols, including those adopted in response to FinCEN-BIS alerts. Such incorporation might include:
- Complete or partial integration of export screening with existing screening lists and procedures. The extent of integration may be keyed to, g., the volume of an FIs’ export/trade business and the degree to which that business line is connected to others.
- Creating form customer certifications of export compliance programs and adopting related procedures with the understanding that certifications may be requested by the BIS or other government entities related to or separately from any FI reporting.
- Adopting processes and documentation to give relevant customers advance notice of export-related documentation requirements.
- Adopting policies on export-related customer and/or transaction derisking and pre-derisking steps.
- Determining how to best acquire and deploy, at compliance program and transaction levels, the EAR knowledge needed to comply with GP 10 and the BIS guidance, including whether EAR knowledge should be developed among a segment of compliance personnel or more widely in an FI.
- Considering the most recent FinCEN-BIS alert’s observation that FIs directly involved in trade financing will have more access to more information, such FIs should consider providing needed EAR education to non-compliance trade finance personnel, to sync commercial knowledge with GP 10 and its knowledge standard.
Finally, FI customers involved in export transactions should be prepared to provide and validate export documentation. Customers should also conduct their own screening and other export due diligence to satisfy their direct obligations under the EAR. These steps should help to mitigate the risk of transaction delays and relationship or transaction derisking by FIs.
***
NOTES
[1] See FinCEN and BIS Announce New Reporting Key Term and Highlight Red Flags Relating to Global Evasion of U.S. Export Controls, Nov. 6, 2023 (expanding prior Russia-related export controls and adding SAR term “FIN-2023-GLOBALEXPORT”); Supplemental Alert: FinCEN and BIS Urge Continued Vigilance for Potential Russian Export Control Evasion Attempts, May 19, 2023 (“additional information regarding new BIS export control restrictions related to Russia”); FinCEN and BIS Urge Increased Vigilance for Potential Russian and Belarusian Export Control Evasion Attempts, June 28, 2022 (providing a list of “commodities of concern for possible export control evasion” and red flags to assist FIs “in identifying suspicious transactions relating to possible export control evasion”).
[2] FinCEN publishes anonymized SAR statistics searchable by, e.g., regulated entity type, product type, and category/type of suspicious activity like money laundering and “other suspicious activities.” It not apparent how export-related suspicious activity is categorized, or if that data is reflected in the database that includes information through 2024.
[3] EAR, 31 C.F.R. 15 parts 730-744. BIS does not exercise jurisdiction over exports exclusively controlled by other agencies, such as defense articles and services controlled by the Department of State’s Directorate of Defense Trade Controls under the International Traffic in Arms Regulations (ITAR). 15 at § 734.3(b)(1)(i).
[4] See, e.g., 15 C.F.R. § 734.3 (Items Subject to the EAR).
[5] See Foreign Direct Product Rules, 15 C.F.R. §§ 734.2-734.5, 734.9.
[6] 15 C.F.R. § 734.5; Export Control Reform Act of 2018, 50 U.S.C. § 4812(a)(2).
[7] 15 C.F.R. part 736.
[8] 15 C.F.R. § 736(b)(10).
[9] Id. (emphasis added).
[10] 15 C.F.R. § 772.1.
[11] A number of U.S. sanctions enforcement cases, mostly against foreign banks, involved “stripping” party names from interbank messages to obscure the involvement of sanctioned persons. FIs should bear this history in mind in reviewing interbank messages, particularly where other red flags are present.
[12] The BIS likewise recommended the Trade Integrity Project as a resource in its July 10, 2024 Guidance to Industry of BIS Actions Identifying Transaction Parties of Diversion Risk.
[13] Here, the guidance parallels BSA regulations that, e.g., require EDD as to foreign correspondent accounts that the law treats as high risk. E.g., 31 C.F.R. § 1010.610.
[14] See, e.g., 18 U.S.C. § 1344 (bank fraud).
[15] See, e.g., Hdeel Abdelhady, U.S. blocking and non-blocking sanctions on Russia to be felt widely, Reuters, Mar. 1, 2022 (discussing the difference between blocking and non-blocking sanctions administered by OFAC).
[16] 15 C.F.R. § 764.5(a) (amended on Sept. 16, 2024).