Tri-Seal Compliance Note Stresses Importance of Non-U.S. Persons Complying with U.S. Sanctions and Export Control Laws

On March 6, 2024, the U.S. Departments of Commerce, Justice, and the Treasury issued a Tri-Seal Compliance Note (Compliance Note) stressing the need for non-U.S. persons to comply with U.S. sanctions and export controls. The Compliance Note highlights the numerous ways in which U.S. sanctions and export controls can apply to persons and entities located outside the United States (non-U.S. persons) as well as the enforcement mechanisms, both civil and criminal, that the U.S. government uses to hold non-U.S. persons accountable for violations of such laws.

The Compliance Note does not impose any new legal obligations, but warns non-U.S. companies and individuals to “take seriously the impacts of U.S. sanctions and export control laws . . . and take appropriate steps to understand how these laws may apply to them, what risks are posed by their business operations, and how they can mitigate these risks.”  The Compliance Note further details recommended compliance measures non-U.S. persons should employ to mitigate their U.S. sanctions and export controls risks. Notably, many of these measures align with similar compliance program expectations that have been outlined by the agencies previously for U.S. persons. The issuance of this Compliance Note underscores that these agencies remain increasingly focused on activities by non-U.S. persons that may either violate or otherwise undermine U.S. foreign policy and national security policies.

The key takeaways from the Compliance Note are:

1. Where U.S. sanctions and export controls apply (regardless of how limited the U.S. touchpoints may be), non-U.S. persons are expected to comply with these laws, and the U.S. government is prepared to exercise its enforcement authorities for instances of non-compliance.
2. It is critically important that non-U.S. persons understand their touchpoints to the United States and the compliance risks those touchpoints create.
3. Non-U.S. persons should establish, implement, and maintain a compliance program that accounts for U.S. sanctions and export controls requirements and that is tailored to their particular risks and includes necessary internal controls to address such risks.

Applicability of U.S. Sanctions and Export Controls to Non-U.S. Persons

It is not always apparent to non-U.S. persons how U.S. sanctions and export controls apply to their conduct.  To help fill this knowledge gap, the Compliance Note highlights the ways in which such laws can apply to non-U.S. persons and provides examples of relevant U.S. government enforcement actions against non-U.S. persons for violative conduct.

Sanctions

Non-U.S. persons are prohibited from causing or conspiring to cause U.S. persons to violate U.S. sanctions.  As an example, the Compliance Note explains that non-U.S. persons are prohibited from routing prohibited transactions through the U.S. financial system, because such conduct causes U.S. financial institutions to process payments (i.e., export services) in violation of U.S. sanctions.  Such violations can also involve the reexport of U.S.-origin goods or non-financial services to sanctioned jurisdictions or sanctioned parties.

Additionally, non-U.S. persons are prohibited from engaging in conduct that evades U.S. sanctions, such as obscuring or omitting references to a sanctioned party or jurisdiction in a transaction involving a U.S. touchpoint (e.g., U.S. persons, U.S. territory, or U.S.-origin goods or services).

Export Controls

The Compliance Note emphasizes that U.S. export controls extend to items subject to the Export Administration Regulations (EAR) anywhere in the world (or, as the Compliance Note sums it up, “to put it simply, the law follows the good”). U.S. export controls cover not only the initial export, but also reexports and in-country transfers of items subject to the EAR’s jurisdiction. This includes, in many cases, foreign-produced items (e.g., commodities, software, or technology) that incorporate a certain percentage of controlled U.S. content (de minimis thresholds) and certain foreign-made items produced using U.S. software, technology, or production equipment (known as the foreign direct product rule).

Compliance Considerations for Non-U.S. Persons

Given the complexity of U.S. sanctions and export controls and the impact such laws may have on the business and operations of non-U.S. companies, the Compliance Note stresses that non-U.S. persons “must ensure that they have robust compliance measures in place,” and outlines the following measures that non-U.S. persons “should take care to do” (emphasis added):

• Employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program.
• Establish strong internal controls and procedures to govern payments and the movement of goods involving affiliates, subsidiaries, agents, or other counterparties.
• Ensure that know-your-customer information (such as passports, phone numbers, nationalities, countries of residence, incorporation, operations, and addresses) and geolocation data are appropriately integrated into compliance screening protocols and information is updated on an ongoing basis based on its overall risk assessment and specific customer risk rating.
• Ensure that subsidiaries and affiliates are trained on U.S. sanctions and export control requirements, can effectively identify red flags, and are empowered to escalate and report prohibited conduct to management.
• Take immediate and effective action when compliance issues are identified, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
• Identify and implement measures to mitigate sanctions and export control risks prior to merging with or acquiring other enterprises, especially where a company is expanding rapidly and/or disparate information technology systems and databases are being integrated across multiple entities.
• Parties who believe they may have violated sanctions or export control laws should voluntarily self-disclose the conduct to the relevant agency. (The Compliance Note cites to an earlier Tri-Seal publication on the Voluntary Self-Disclosure of Potential Violations).

Compliance professionals will recognize that these recommended compliance measures are similar to those previously outlined in the Office of Foreign Assets Control’s 2019 Framework for OFAC Compliance Commitments, which explicitly applied to non-U.S. persons conducting business in or with the United States or U.S. persons, or otherwise dealing in U.S.-origin goods or services.

Conclusion

U.S. sanctions and export controls create legal exposure not only for U.S. persons, but also for non-U.S. persons engaged in transactions involving U.S. touchpoints.  These laws can create especially complex compliance burdens for companies operating in sensitive geographic regions or sectors. The publication of the Compliance Note, and its tone, reinforce that the enforcement of these laws is a priority for the U.S. government.  The compliance expectations identified in the Compliance Note and summarized above, which are nearly identical to those expected of U.S. businesses, can be complex and burdensome for non-U.S. persons to employ, but the risks of noncompliance could be far more costly in the long run.

Morrison Foerster’s National Security team features market-leading expertise in assisting non-U.S. persons with understanding the implications of, and complying with, U.S. sanctions and export controls. Please reach out to a member of our team with any questions about the significant implications of the Compliance Note; we stand ready to assist.