New BIS Guidance Continues Trend of Enhanced EAR Compliance Expectations for Financial Institutions

The U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) issued new guidance (“BIS Guidance”) for financial institutions (“FIs”) on October 9, 2024, recommending that FIs undertake specific compliance practices to minimize their risk of violating General Prohibition (“GP”) 10 of BIS’s Export Administration Regulations (“EAR”).  GP 10 prohibits any person (U.S. or otherwise) from selling, transferring, exporting, reexporting, financing, ordering, buying, removing, concealing, storing, using, loaning, disposing of, transporting, forwarding, or otherwise servicing an item “subject to the EAR” with knowledge that that item was, or will be, exported, reexported, or transferred in violation of the EAR.  Knowledge in this context goes beyond actual knowledge, and can be inferred from circumstances surrounding a transaction; in other words, a “known or should have known” standard.  Although BIS has published several joint alerts with FinCEN encouraging financial institutions to look for potential red flags of evasion of export controls, this guidance goes further in establishing specific export compliance best practices for financial institutions and suggests that financial institutions that finance or otherwise service prohibited exports risk liability under the EAR.

The Potential for Direct Enforcement Against Financial Institutions

GP 10 is not new.  But this is the first time that BIS has issued formal public guidance specially for financial institutions to avoid liability for servicing prohibited exports.  In a previous series of joint alerts and notices, BIS and the Financial Crimes Enforcement Network (“FinCEN”) identified red flags of potential export controls evasion, and encouraged financial institutions to consider these flags and for U.S. financial institutions to file appropriate suspicious activity reports (“SARs”) with respect to any they identified, as required under anti-money laundering rules.  However, the new BIS Guidance goes farther, and anticipates that financial institutions will make significant changes to their customer due diligence, post-transaction monitoring, real-time screening, and other compliance processes to avoid potential violations of the EAR.

Direct Relevance to Non-USFIs

BIS’s jurisdiction extends to any person—U.S. or non-U.S.—that undertakes activity involving goods, software, or technology (collectively “Items”) subject to the EAR.  As a result, the BIS Guidance to financial institutions is just as applicable to non-U.S. financial institutions (“non-USFIs”) as it is to U.S. financial institutions (“USFIs”).  If the underlying activity involves Items subject to the EAR or U.S. persons’ services in support of EAR-prohibited end uses, USFIs and non-USFIs alike face the same obligations under the EAR.

In recent years, BIS has extended the jurisdictional scope of the EAR to capture a broader range of non-U.S. origin items if certain U.S. technology or software is used in the design or production process.  These changes mean an increased scope of commercial activity occurring entirely outside the U.S. is now subject to the EAR, particularly if it involves parties in Russia or Belarus, or various Chinese companies on the BIS Entity List of prohibited end users.  Under EAR GP 10, both U.S. and non-U.S. FIs are required to refrain from servicing such transactions if they have “knowledge” that an EAR violation has occurred or will occur.

Acknowledgment Regarding Information Challenges

BIS acknowledges the information asymmetry challenges that confront FIs in their efforts to monitor for export control related risks, given that FIs will very rarely have the information necessary to determine classification or jurisdiction for an Item, particularly in the context of a live payment.  Specifically, BIS “recognizes that exporters generally have more information than FIs about whether an item may be subject to the EAR” and that “FIs will likely not have sufficient information to individually assess every transaction for potential EAR violations before proceeding….”  As a result, “BIS does not expect FIs to review transactions for [] red flags in real time,” with the exception of screening against certain BIS issued lists as discussed below.  This is an important distinction from sanctions, where regulators generally expect real-time screening controls to prevent activity with sanctioned persons or jurisdictions.

Even so, BIS does expect FIs to incorporate BIS lists of restricted parties, red flags for potential export control evasion, and other information into their compliance programs, in particular with respect to customer due diligence, post-transaction monitoring, and real-time screening.

Incorporating BIS Lists into Customer Due Diligence

BIS recommends that FIs screen customers against BIS restricted party lists, both at onboarding and on a risk basis thereafter, including BIS’s Unverified List, Entity List, Military End-User List, and Denied Persons List. 

BIS also recommends that FIs screen not just against lists that it publishes, but against non-BIS issued lists of entities that have shipped “Common High Priority List” (“CHPL”) items to Russia since 2023; these are available through commercial service providers or the website of the Trade Integrity Project, an initiative of the UK-based Open-Source Centre.  BIS recommends additional diligence measures with respect to customers that appear on any of these lists.

Real-Time Transaction Screening Against BIS-Related Lists

In addition to screening at onboarding, BIS does recommend real-time screening against a smaller set of specific BIS lists for “cross-border payments” and “other transactions that are likely to be associated with exports from the United States” or “re-exports or in-country transfers outside the United States.”  In cases where there is a match to these lists, BIS recommends that FIs not proceed with the transaction until they can determine that it would not violate the EAR, and says that failure to do so “risks liability for a knowing violation of the EAR under GP 10.”  It may be challenging for FIs to identify what transactions should be screened against these lists, given the jurisdictional challenges identified above. 

Incorporating BIS Considerations into Post-Transaction Monitoring and SAR Filing

BIS also “recommends that FIs have risk-based procedures in place to detect and investigate red flags post-transaction.”  This includes red flags that BIS identifies in the BIS Guidance, and that BIS and FinCEN have identified in prior joint notices from 2022 and 2023.  BIS also maintains a list of red flag indicators on its website. 

To the extent that an FI identifies these red flags in post-transaction monitoring, and is not able to resolve it as legitimate activity, BIS recommends that the institution take steps to ensure that future transactions involving the same parties do not relate to prohibited exports.  BIS suggests that, in some cases, it will treat unresolved red flags as the FI having constructive knowledge of any future export violation, and that transactions by the FI that finance or service the prohibited export could be treated as a violation of GP 10.  The guidance identifies the following specific circumstances where it considers red flags especially likely to result in “knowledge” if they cannot be resolved:

• A customer refuses to provide details to banks, shippers, or third parties, including details about end-users, intended end-use(s), or company ownership.
• The name of one of the parties to the transaction is a “match” or similar to one of the parties on a restricted-party list.
• Transactions involving companies that are physically co-located with a party on the Entity List or the SDN List or involve an address BIS has identified as an address with high diversion risk.
• Transactions involving a last-minute change in payment routing that was previously scheduled from a country of concern but is now routed through a different country or company.

To the extent FIs identify these red flags and cannot resolve them, BIS recommends FIs “refrain from future transactions with the relevant transaction parties,” because otherwise the FI “risks liability for a violation of the EAR under GP 10.” 

BIS also suggests that, in cases where an FI files a SAR relating to a transaction, BIS may provide the FI with information about a customer or transaction that would establish that an EAR-prohibited transaction occurred or may occur in the future.  In such cases, BIS expects FIs to take appropriate action to prevent future violations.

The Focus on Financial Institutions is Increasing

The BIS Guidance escalates previous efforts by BIS, in coordination with FinCEN and other agencies, to ensure that banks and other FIs take steps to identify, report on, and prevent potential violations of U.S. export controls.  This focus is in parallel to, but supportive of, a recent focus by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) on the role that financial institutions may play in the movement of products to Russia.  Specifically, the United States issued Executive Order 14114 in December 2023, which enabled the designation of foreign financial institutions (“FFIs”) for several activities, including for the supply to Russia of specific classes of items designated by OFAC.  OFAC used this authority to identify a list of critical goods that it determined could support Russia’s military-industrial base and publishing guidance for FFIs on the steps they could take to mitigate their related risks.  We anticipate this integrated focus from BIS, OFAC, FinCEN and other regulators to continue.