Insights

As they have on each previous anniversary, the EU and UK released new sanctions against Russia on February 24, 2025, to mark the three-year anniversary of Russia’s full-scale invasion of Ukraine. For the first time, the United States did not do the same, electing to issue a limited set of Iran-related sanctions on the anniversary instead. The EU package was more fulsome than the UK package, including new port and airport restrictions, additional trade restrictions (including an aluminium ban), enhanced military end-user restrictions, and additional asset freezes and vessel designations.

On February 4, 2025, President Trump issued a National Security Presidential Memorandum (NSPM-2) on “Imposing Maximum Pressure on the Government of the Islamic Republic of Iran, Denying Iran All Paths to a Nuclear Weapon, and Countering Iran’s Malign Influence.” NSPM-2 directs U.S. government agencies to take a range of measures to reimpose “maximum pressure” sanctions on Iran. 

On November 13, 2024, the U.S. Department of the Treasury’s (“Treasury’s”) Office of Foreign Assets Control (“OFAC”) updated its FAQs for insurers in a long-awaited move to modernize its published sanctions compliance guidance for the insurance industry.  None of the industry-specific FAQs had been updated since January 2015, and many had not been amended in more than 20 years, so these updates represent an important step by OFAC to ensure that its public guidance reflects the industry as it is today. 

The U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) issued new guidance (“BIS Guidance”) for financial institutions (“FIs”) on October 9, 2024, recommending that FIs undertake specific compliance practices to minimize their risk of violating General Prohibition (“GP”) 10 of BIS’s Export Administration Regulations (“EAR”).  GP 10 prohibits any person (U.S. or otherwise) from selling, transferring, exporting, reexporting, financing, ordering, buying, removing, concealing, storing, using, loaning, disposing of, transporting, forwarding, or otherwise servicing an item “subject to the EAR” with knowledge that that item was, or will be, exported, reexported, or transferred in violation of the EAR.  Knowledge in this context goes beyond actual knowledge, and can be inferred from circumstances surrounding a transaction; in other words, a “known or should have known” standard.  Although BIS has published several joint alerts with FinCEN encouraging financial institutions to look for potential red flags of evasion of export controls, this guidance goes further in establishing specific export compliance best practices for financial institutions and suggests that financial institutions that finance or otherwise service prohibited exports risk liability under the EAR.

In response to the ongoing conflict in Ukraine and to exert further pressure on Russia, the EU enacted its 14thsanctions package against Russia on June 24, 2024. The new package comes after months of negotiations between Member States, and follow, but in many ways expand upon, those passed by the United States and the UK last week (see Crowell’s Alert on those developments here). 

On June 12, 2024, the U.S. Department of the Treasury’s Office of Foreign Asset Control (OFAC) and the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) announced additional sanctions and export restrictions in response to Russia’s continued aggression in Ukraine. The next day, the UK announced additional sanctions designations.

Following a meeting of the G7 Summit Leaders, on May 19, 2023, the United States and the United Kingdom announced a new round of sanctions and export controls against the Government of the Russian Federation (“Russia”) to continue their efforts against key sectors of Russia’s military-industrial base. These actions target procurement and evasion networks to curtail the flow of necessary resources Russia needs to maintain and fund its campaign against Ukraine. In this alert, Crowell & Moring attorneys based in our U.S. and UK offices provide a comprehensive overview of the recent multi-jurisdictional actions taken by the respective countries’ government agencies.

On February 24, 2023, the United States and other G7 nations announced a number of new sanctions and export control measures coinciding with the one-year mark of Russia’s military invasion of Ukraine. Shortly after these expansive sanctions and export controls were announced, the Departments of Justice (“DOJ”), the Treasury (“Treasury”), and Commerce (“Commerce”) issued their first-ever joint guidance regarding a planned crack-down by these agencies on sanctions and export controls evasion related to Russia in concert with DOJ’s sweeping announcements of a renewed focus on corporate compliance with sanctions and export controls.

On February 24, 2023, the United States and other G7 nations announced a number of new sanctions and export control measures coinciding with the one-year mark of Russia’s military invasion of Ukraine. Shortly after these expansive sanctions and export controls were announced, the Departments of Justice (“DOJ”), the Treasury (“Treasury”), and Commerce (“Commerce”) issued their first-ever joint guidance regarding a planned crack-down by these agencies on sanctions and export controls evasion related to Russia in concert with DOJ’s sweeping announcements of a renewed focus on corporate compliance with sanctions and export controls.

On October 7, 2022, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) simultaneously published a final rule strengthening the antiboycott regulations in Part 766 of the Export Administration Regulations (EAR) (the “Final Rule”), as well as a memorandum on the new rule’s implementation (the “Final Rule Memo”), issued by the Assistant Secretary for Enforcement. Pursuant to the Final Rule, BIS will make three primary changes:

According to recent reports, Ukrainian President Zelenskyy has directly requested that the United States designate Russia as a State Sponsor of Terrorism (“SST”), an action that the United States has been considering for some time. The designation would have far-reaching implications and would automatically trigger some of the most aggressive unilateral sanctions in the United States’ arsenal, including restrictions on financial transactions, defense exports and sales, and foreign aid. These would further ramp up pressure from even the existing slew of sanctions imposed on Russia and its oligarchs.

On December 2, 2021, the United States, the European Union (“EU”), the United Kingdom (“UK”) and other allies took coordinated action to designate various individuals, entities, and aircraft connected to human rights abuses by Belarussian President Alexander Lukashenko and his regime. This builds on asset freezing actions by the U.S., UK, EU, and Canada earlier this year (which we discuss here).

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory on potential sanctions risks for companies that facilitate ransomware payments in response to cyberattacks, guidance on preventative measures companies can implement to mitigate such risks, and criteria that OFAC will consider as mitigating factors in any potential enforcement action. OFAC also announced that it has added SUEX OTC, S.R.O. (“SUEX”), a Russian virtual currency exchange, to its Specially Designated Nationals and Blocked Persons List (the “SDN List”), as a result of its role in facilitating ransomware payments. This represents OFAC’s first-ever designation of a virtual currency exchange.

Senator Maggie Hassan (N.H.-D): “My question is, in your planning, did you have a plan for cybersecurity response that included guidance about ransomware?”

As recently as six months ago, ransomware was the domain of CISOs (chief information security officers) and cybersecurity lawyers. But in the wake of high-profile attacks by Russian-based cybercriminals on Colonial Pipeline, operator of the country’s largest refined fuel pipeline, and JBS Foods, the world’s largest meat processor, ransomware jumped to the top of the agenda for President Biden’s meeting with Russian President Vladimir Putin this week. These high-profile incidents have shown that ransomware attacks are a significant business/operational and legal risk for global companies. Colonial Pipeline paid $5 million to resolve its attack, JBS $11 million, and the group responsible for an attack on Acer is demanding $50 million.

The Institute for Security and Technology (IST) recently released recommendations aimed at combating the growing threat of ransomware, proposing a comprehensive framework focused on regulatory and diplomatic ideas designed to disrupt the threat, and to assist organizations prepare for and respond to ransomware attacks. Ransomware crimes pose significant legal challenges that continue to evolve alongside the threat itself, as efforts to combat ransomware attacks, such as those proposed by the IST, are developed and implemented. Organizations should remain mindful of this quickly-evolving legal landscape.

On April 15, 2021, the United States unveiled a sweeping series of additional sanctions on Russia, marking the first major Russia-related sanctions development of the Biden Administration and the most material such U.S. action in several years.  The actions were spearheaded by President Biden’s issuance of Executive Order 14024 (the “EO”) that grants the Department of Treasury a wide-ranging set of new designation authorities, including to designate persons “operating in” the “technology” and “defense and related material” sectors of the Russian economy.  Acting under this authority, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) designated six Russian entities for operating in the “technology” sector as well as expanding existing restrictions on U.S. financial institutions to now restrict participation in the primary market for certain ruble-, as well as non-ruble-denominated bonds, as well as certain ruble- or non-ruble-denominated lending activities.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently announced settlements with two virtual currency service providers, Bit Pay, Inc. (Bit Pay) and BitGo, Inc. (BitGo), for alleged sanctions violations. Separately, Coinbase Global Inc., (Coinbase) the largest virtual currency exchange in the U.S., has disclosed that its services may have been used in violation of U.S. sanctions, and that the case remains pending under OFAC’s review. The BitGo and Bit Pay settlements involved failures to use Internet Protocol (IP) location data to detect transactions with persons in sanctions jurisdictions (in addition to other alleged failures in the case of BitGo), and build on previous guidance that OFAC has provided to money transmitters (which includes many virtual currency businesses) about its expectation that they will use such services to aid compliance with sanctions. Together, these settlements and investigation suggest a concerted effort by OFAC to remind virtual currency businesses of their OFAC obligations and to encourage broader implementation of appropriate compliance programs.

In the first material sanctions-related action of the new U.S. Administration, on February 11, 2021, President Biden issued Executive Order 14014 (EO) imposing sanctions on Myanmar (Burma) in response to the February 1, 2021, military coup and subsequent detention of government leaders, politicians, and others there. The sanctions focus on the defense sector of the Burmese economy, its military, and current military government, but provide authority to expand the scope of the sanctions. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) subsequently sanctioned 10 individuals and three entities pursuant to the new authorities. Simultaneously, the Commerce Department’s Bureau of Industry and Security (BIS) tightened its existing licensing policy on Burma and previewed a potential substantial expansion of future export controls in the event the situation deteriorates further. 

On December 7, 2020, The Council of the European Union adopted a global human rights sanctions regime, similar to the Magnitsky Sanctions program used by the Department of the Treasury’s Office of Foreign Assets Control (OFAC). The EU’s framework will permit it to target individuals, entities, and bodies, whether state or non-state actors, and those who provide technical, financial, or material support to those who are “responsible for, involved in or associated with serious human rights violations and abuses worldwide, no matter where they occurred.” This includes the imposition of targeted sanctions for acts such as genocide, crimes against humanity and other serious human rights violations or abuses (e.g., torture, slavery, arbitrary executions, arbitrary detentions, etc.), and other widespread, systemic and serious human rights violations (e.g. human trafficking, sexual and gender-based violations, violations or abuses of freedom of assembly, association, speech, religion).