On 9 October 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) published its first-ever unilateral guidance specifically addressed to financial institutions (FIs).[1] The Guidance to Financial Institutions on Best Practices for Compliance with the Export Administration Regulations (EAR) (the Guidance) outlines BIS’s expectations on the increasing responsibility of FIs to ensure compliance with the EAR. The intent of the Guidance is to equip FIs with best practices that will help minimize EAR violations, notably with regard to General Prohibition 10 (GP 10), which ultimately enhances the national security and foreign policy goals of the United States.
The Guidance, among other things, reminds FIs of their responsibilities under GP 10, explains how BIS interprets the knowledge element under the prohibition, and outlines BIS’s expectations on certain practical steps the banks can take to minimize the risk of export controls violations. While the Guidance is not the first time BIS has addressed the financial industry—see prior joint guidance published by BIS and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) in June 2022, May 2023, and November 2023[2]—it signifies the increasing attention of BIS on FIs as the intermediaries in trade transactions. Even more important, the Guidance is not limited to U.S.-based FIs and implies that BIS can proceed with enforcement actions worldwide, due to the expansive jurisdiction it has over U.S.-origin goods and technologies.
This Policy Alert first provides an overview of the Guidance issued by BIS, including best practices recommended by BIS for export controls-oriented compliance processes. Given these recommended best practices, the Policy Alert subsequently outlines K2 Integrity’s suggested considerations for financial institutions and the specific measures FIs can implement to meet the increasing regulatory expectations concerning the role of FIs in disrupting illicit trade flows. These measures include:
- Understanding the extensive jurisdiction of EAR;
- Documenting EAR-focused controls;
- Harnessing transaction monitoring and screening technologies that account for export control risks;
- Adding export control-focused training to financial crime compliance training curriculums;
- Conducting investigations as necessary based on post-transaction reviews; and
- Strengthening communications with regulators.
Background on BIS’s Jurisdiction, GP 10, and the Notion of Knowledge
The Guidance reminds domestic and foreign audiences of BIS’s authority over transactions worldwide that involve items—goods, commodities, and technology—that are “subject to the EAR,” even when no U.S. person or U.S. financial institution is present in the transaction. Items subject to the EAR include:
- All items physically in the United States, including in a U.S. Foreign Trade Zone or moving in-transit from one foreign country to another through the United States (with certain exceptions);
- U.S.-origin items, meaning items produced in or exported from the United States, no matter where these items are currently located or how much time has passed since the export;
- Certain foreign-made items that incorporate more than a de minimis amount of U.S.-origin controlled content (10% to 25%, depending on the country); and
- Certain foreign-made items that are produced abroad using controlled U.S. software, technology, or tools.[3]
The EAR have codified ten General Prohibitions, each of which describes an activity that may subject a person to an enforcement action or penalties described under section 764 of the EAR.[4] Of particular relevance to FIs, GP 10 prohibits any person to “finance . . . or otherwise service, in whole or in part, any item subject to the EAR . . . with knowledge that a violation of the [EAR] has occurred, is about to occur, or is intended to occur in connection with the item.”[5] Additionally, U.S. persons, as defined in EAR, wherever located—including FIs—may not support (e.g., finance or facilitate) certain specified activities that they know involve certain weapons of mass destruction or military intelligence programs, as stated in 15 CFR 744.6.[6]
The Guidance reminds FIs that the EAR defines knowledge as follows: “[K]nowledge of a circumstance includes not only positive knowledge that the circumstance exists or is substantially certain to occur, but also an awareness of a high probability of its existence or future occurrence. Such awareness may be inferred from evidence of the conscious disregard of facts known to a person or from a person’s willful avoidance of facts.” [7]
Best Practices Recommended by BIS for Export Controls-Oriented Compliance Processes
While the Guidance uses terms such as “recommend” and “best practices,” it strongly communicates BIS’s detailed expectations for FIs in terms of developing export controls-oriented compliance processes.
First, BIS recommends that FIs add EAR-related due diligence to their customer controls. This includes:
- Screening customers against BIS’s end-user-focused restrictions (i.e., BIS’s lists[8]) at onboarding and on an ongoing basis, and understanding the scope of the applicable restrictions when matches are identified.
- Screening the names and addresses of customers and, “where appropriate, customers’ customers,” against lists of entities that are known to have shipped Common High Priority List (CHPL) items to Russia since 2023, according to publicly available trade data.
  - Note: There is no list of such actors put together by BIS or other U.S. regulators. Instead, BIS encourages banks to seek these lists from commercial service providers. BIS also mentioned a free list created by the Trade Integrity Project, a U.K. initiative to make such data available to industry stakeholders to strengthen due diligence.[9]
- Using the screening results to determine the customer’s overall risk profile for potential EAR violations and seeking customer representations and warranties or implementing additional due diligence measures where warranted.
- Ensuring that any screening effort is designed to capture updates to the lists.
Second, BIS recommends that FIs review transactions on an ongoing basis for red flags. BIS believes that certain controls should be implemented in post-transaction review, while others should be applied on a real-time basis (recognizing the difficulties of real-time transaction screening).
BIS recommends that real-time controls include live screening of all parties (names and addresses) in cross-border payments or in other transactions that are likely to be associated with exports from the United States (or reexports or in-country transfers) against the following lists:
- The BIS Denied Persons List;
- Military intelligence end users identified in 15 CFR 744.22(f)(2);[10] and
- Certain persons designated on the Entity List subject to Foreign Direct Product Rule, Military End User, nuclear, or chemical controls.[11]
For all other transactions, BIS recommends post-transaction monitoring with a focus on identifying the following red flags (herein Strong Red Flags):
- A customer refuses to provide details to banks, shippers, or third parties, including details about end users, intended end use(s), or company ownership.
- The name of one of the parties to the transaction is a “match” or similar to one of the parties on a restricted-party list.
- Transactions involving companies that are physically co-located with a party on the Entity List or the SDN List or involve an address BIS has identified as an address with high diversion risk.
- Transactions involving a last-minute change in payment routing that was previously scheduled from a country of concern but is now routed through a different country or company.
If any of the Strong Red Flags are identified by an FI, the institution should refrain from future transactions with the relevant parties. If, however, none of the Strong Red Flags are identified, then the FI may continue to monitor transactions retroactively.
It is important to note that BIS construes the presence of any of the Strong Red Flags as sufficient to establish knowledge under GP 10 for future transactions.
Furthermore, BIS provides information about how it expects FIs to “treat” red flags. Since exporters and other parties who originate or receive financial transactions (i.e., customers of FIs) know more about the nature of the transaction and whether the transaction is permissible under the EAR, FIs may generally rely on their customers’ representations regarding compliance with the EAR, unless such reliance would be unreasonable; for example, when—based on publicly available information or proprietary data that is available to the FI—the FI has reason to know that such representations may be false.
While BIS reminds the public that it does not share information regarding the existence or lack of licenses, it invites FIs to seek confirmation from their customers regarding BIS-issued licenses, including by obtaining a copy of an export license issued by BIS.
Lastly, the Guidance reminds FIs of their obligations to file Suspicious Activity Reports (SARs) when they notice suspicious activities related to potential violations of the EAR. The Guidance adds that in certain circumstances, following an FI’s filing of a SAR with FinCEN, BIS may provide the FI with additional information, otherwise unknown to the public, that would establish knowledge that a violation of the EAR has occurred, is about to occur, or is intended to occur. In such circumstances, to avoid violating GP 10, the FI would be expected to take the steps necessary to ensure that it does not finance or otherwise service items exported (or reexported or transferred in-country) in violation of the EAR in the future.
Our Takeaways and Considerations for Financial Institutions
The Guidance shows an increased expectation from BIS regarding FIs’ responsibilities in the fight against the illicit trade of goods, commodities, and technologies, while acknowledging the limitations of their role due to the intermediated nature of FIs’ roles in trade transactions. The Guidance emphasized the role of customer due diligence, both at onboarding and on a periodic basis; the importance of “post transaction review”; and the necessity of real-time screening on a risk basis. The best practices identified in the Guidance align with the core controls of financial crime compliance programs (e.g., customer due diligence, real-time transaction screening, and transaction monitoring). The practical implementation of those recommendations, however, may prove challenging for FIs depending on the sophistication of their screening tools and risk assessment processes. FIs may consider the following when exploring how to ramp up their EAR-focused controls.
Consideration #1: Understanding the Extensive Jurisdiction of EAR
Unlike economic sanctions that are applicable to U.S. persons and to non-U.S. persons in certain circumstances, the EAR applies to any person who engages with items that are subject to the EAR, whether such person is a U.S. person or not. While there has never been a BIS enforcement action against any FI, either domestic or foreign, BIS’s jurisdictional reach is much more expansive than that of the Department of the Treasury’s Office of Foreign Assets Control (OFAC), thereby requiring any person, including U.S. and non-U.S. FIs, to ramp up their knowledge of U.S. export controls.
Consideration #2: Documenting EAR-Focused Controls
Considering the complexity of EAR, FIs must consider creating procedures that are dedicated to compliance with EAR. Such documentation would include the following topics:
- A risk appetite statement that indicates which customers’ customers should be subject to enhanced scrutiny and under which conditions a live transaction should be subject to real-time screening against applicable BIS lists;
- Processes to screen customers against BIS and trade-related third-party lists, including the timing of such screening, the cadence of the screening, the set of lists used for screening, the screened data fields, and the similarity thresholds for matching names;
- Descriptions of relevant transaction monitoring rules designed to detect suspicious behavior related to potential export control violations;
- Descriptions of red flags and prescribed steps following the identification of each red flag;
- Clear instructions on how to handle alerts generated against BIS and trade-related third-party lists or illicit trade-focused transaction monitoring rules; and
- Clarification of the roles and responsibilities of various stakeholders within the organization.
By having documentation that governs this increasingly important topic and provides evidence of the seriousness with which an FI considers export controls, institutions demonstrate their commitment to compliance, which in turn could be seen as a mitigating factor by the relevant authorities.
Consideration #3: Harnessing Transaction Monitoring and Screening Technologies
The Guidance references the need to leverage both “post-transaction reviews” and “real-time screening,” which are common tools to mitigate financial crime compliance-related risks. The Guidance describes how those existing controls should be harnessed to mitigate export control-related risk—an area not historically covered by FIs outside the context of trade finance.
When considering screening, it is recommended that FIs ensure that:
- The lists that are used for live or post-transaction screening are chosen in alignment with expectations set by the Guidance;
- Addresses of entries on BIS-issued lists and OFAC’s Specially Designated Nationals and Blocked Persons List are considered for customer due diligence;[12]
- For live screening, only transactions that may be related to trade of items, insofar as identifiable, are screened against what the Guidance recommends, thereby avoiding a surge of false positives that can tax the resources of an FI’s operations and compliance departments; and
- New technologies, such as artificial intelligence, are used to reduce the number of false hits. Such technologies may use the information that is available publicly or known to the FI through its proprietary data.
Notably, BIS states that it does not expect FIs to obtain additional names of parties for the exclusive purpose of conducting real-time screening. FIs should balance their assessed risk against the practical measures.
When considering transaction monitoring, it is recommended that FIs:
- Define or update scenarios in line with the expectations in the Guidance;
- Consider all circumstances around a customer profile or a transaction; and
- Review future transactions of customers that present Strong Red Flags in real time if an FI does not terminate the relationship.
Consideration #4: Adding Export Control-Focused Training to the Financial Crime Compliance Training Curriculum
Given increased regulatory expectations that FIs will act upon the information available to them to detect illicit trade flows, FIs must invest in learning about export-based restrictions that are relevant to them. Implementing a training program specifically designed to inform FIs of the risks associated with illicit trade flows, applicable regulations, regulatory expectations, and best practices to mitigate such risks would enhance the quality of trade-focused compliance and demonstrate commitment to compliance with export-related obligations.
Consideration #5: Conducting Reviews
FIs have large amounts of financial data about their customers and interactions with counterparties. When considering whether a customer has been engaged in activities that might be in violation of EAR and whether that customer subsequently exposed the FI to the risk of violating GP 10, FIs must consider all information that is available to them, whether collected for compliance purposes or otherwise, when evaluating the potential of having “knowledge” under GP 10. Upon identification of Strong Red Flags, FIs must take further measures to understand customers’ activity and take corrective action if needed.
Consideration #6: Strengthening Communication with Regulators
The Guidance, in many instances, reminds FIs of their obligations to file SARs and of the benefits of filing a Voluntary Self Disclosure (VSD) when an apparent violation of EAR has been detected. Additionally, BIS has been reaching out to members of the financial sector extensively to receive their feedback about how FIs can play a role in stopping the illicit flows of trade that threaten U.S. national security and foreign policy goals. FIs should take full advantage of the opportunities to communicate with BIS to share valuable financial information with regulators, reap the benefits given to successful VSDs, and inform the regulators on capabilities and limitations of FIs in the fight against illicit trade flows.
K2 Integrity Stands Ready to Assist
Our team of sanctions and export control experts, with years of experience in financial institutions, can assist your financial institution in navigating the Guidance and identifying specific steps your team can take to strengthen EAR-focused controls and meet BIS’s increasing expectations.
[1] Department of Commerce, Bureau of Industry and Security New Guidance to Financial Institutions on Best Practices for Compliance with the Export Administration Regulations, 9 October 2024, https://www.bis.gov/media/documents/guidance-financial-institutions-best-practices-compliance-export-administration.
[2] FinCEN BIS First Joint Alert, 28 June 2022, https://www.fincen.gov/sites/default/files/2022-06/FinCEN%20and%20Bis%20Joint%20Alert%20FINAL.pdf; FinCEN BIS Second Joint Alert, 19 May 2023, https://www.bis.doc.gov/index.php/documents/enforcement/3272-fincen-and-bis-joint-alert-final-508c/file; and FinCEN BIS Third Joint Alert, 6 November 2023, https://www.fincen.gov/sites/default/files/shared/FinCEN_Joint_Notice_US_Export_Controls_FINAL508.pdf.
[3] 15 CFR 734.3, available at https://www.ecfr.gov/current/title-15/section-734.3.
[4] General Prohibitions, 15 CFR Part 736, available at https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-736; and Enforcement and Protective Measures, 15 CFR Part 764, https://www.ecfr.gov/current/title-15/part-764.
[5] 15 CFR 736.2(b)(10), available at https://www.ecfr.gov/current/title-15/part-736#p-736.2(b)(10).
[6] Under the EAR, U.S. person generally includes (1) any individual who is a citizen of the United States, a permanent resident alien of the United States, or a protected individual as defined by 8 U.S.C. 1324b(a)(3); (2) any juridical person organized under the laws of the United States or any jurisdiction within the United States, including foreign branches; and (3) any person in the United States.
[7] 15 CFR 772.1 “Knowledge,” available at https://www.ecfr.gov/current/title-15/part-772#p-772.1(Knowledge).
[8] BIS maintains four lists of parties of concern: Denied Persons List, Entity List, Unverified List, and Military End User List. For more information, see https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern.
[9] Trade Integrity Project Website, available at https://www.trade-integrity.org/.
[10] This includes the following entities: (i) For Burma: Office of Chief of Military Security Affairs (OCMSA) and the Directorate of Signal; (ii) for Cambodia: General Department of Research and Intelligence (GDRI); (iii) for Cuba: Directorate of Military Intelligence (DIM) and Directorate of Military Counterintelligence (CIM); (iv) for People’s Republic of China: Intelligence Bureau of the Joint Staff Department; (v) for Iran: Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and Artesh Directorate for Intelligence; (vi) for North Korea: Reconnaissance General Bureau (RGB); (vii) for Russia: Main Intelligence Directorate (GRU); (viii) for Syria: Military Intelligence Service; (ix) for Venezuela: General Directorate of Military Counterintelligence (DGCIM); and (x) for Belarus: Main Intelligence Directorate of the General Staff of the Armed Forces of Belarus.
[11] Specifically the following entries on the Entity List: (i) Entities subject to the Entity List Foreign Direct Product rule and designated with a footnote 4 in the license requirement column of the Entity List; (ii) entities subject to the Russia/Belarus-Military End User and Procurement FDP rule and designated with a footnote 3 in the license requirement column of the Entity List; and (iii) other persons included on the Entity List and subject to the license review policy set forth in 15 CFR 744.2(d) (related to certain nuclear end uses), 15 CFR 744.3(d) (related to certain rocket systems and unmanned aerial vehicles end uses), and 15 CFR 744.4(d) (related to certain chemical and biological weapons end uses).
[12] Most screening solutions are not designed to screen on address as a primary data point. As the industry explores how to screen addresses referenced on in-flight transactions, FIs must continue to pay special attention to addresses as part of their KYC controls.