Exactly a year ago, I published an article on our blog titled Banks Are Busy Verifying Client BIS Export Licenses. With the U.S. Department of Commerce’s Bureau of Industry and Security’s (“BIS”) October 2024 issuance of Guidance for financial institutions (“FIs”) containing best practice recommendations for compliance with the Export Administration Regulations (“EAR”), 15 C.F.R. parts 730-774, it’s a good time to revisit this topic. BIS’s Guidance is effectively a warning shot to FIs that they must also take compliance with the EAR seriously—illustrating certain instances where they may be held liable for a violation—and to dispel any notions that compliance with the EAR is just for exporters. The Guidance provides BIS’s best practice recommendations for FIs, building on several previous joint alerts that BIS had published with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”), and underscores the applicability of the EAR’s General Prohibition 10 to FIs facilitating a transaction related to any item subject to the EAR.

When my prior article was published, FIs were verifying BIS export licensing requirements for transactions primarily involving Russia and Belarus. However, the new BIS Guidance isn’t limited to these destinations, and one of the recommendations even includes assessing certain customers export compliance programs, not just applicable BIS licenses. In this article, I’ll provide a relevant background on General Prohibition 10 of the EAR for FIs and a summarized version of BIS’s best practices.

Relevant Background on General Prohibition 10

So, what’s the EAR’s General Prohibition (“GP”) 10 that FIs need to concern themselves with more than ever before? It provides as follows:

You may not sell, transfer, export, reexport, finance, order, buy, remove, conceal, store, use, loan, dispose of, transport, forward, or otherwise service, in whole or in part, any item subject to the EAR and exported, reexported, or transferred (in-country) or to be exported, reexported, or transferred (in-country) with knowledge that a violation of the Export Administration Regulations, the Export Control Reform Act of 2018, or any order, license, license exception, or other authorization issued thereunder has occurred, is about to occur, or is intended to occur in connection with the item. Nor may you rely upon any license or license exception after notice to you of the suspension or revocation of that license or exception. There are no license exceptions to this General Prohibition Ten in part 740 of the EAR.

GP 10 has been on the books since 1996, and it’s basically a catch-all provision for enforcement of the EAR’s licensing requirements against any party that facilitates an export, reexport, or transfer (in-country) of an item subject to the EAR, where they arguably had knowledge that a violation of the EAR was taking place. I have yet to see an FI get into trouble by the U.S. government for allegedly violating GP 10—at least not based on public information—but please do reach out if you are aware of any such enforcement actions. However, incorporated terms like “finance” and “otherwise service” provide the relevant regulatory language to target FIs involved in export transactions, and not just the exporting party. This new BIS Guidance geared specifically for FIs suggests such enforcement actions are likely on the horizon.

As detailed in the BIS Guidance, pursuant to the scope of the EAR, the agency has authority over transactions that involve items subject to the EAR, regardless of whether a U.S. person or U.S. FI is involved. The term items subject to the EAR includes not just U.S.-origin items wherever located in the world, but also certain foreign-made items that incorporate more than applicable de minimis amounts of U.S.-origin controlled content, as well as certain foreign-made items that are produced using controlled U.S. software, technology, or tools, falling under the scope of the EAR’s intricate Foreign-Direct Product (“FDP”) Rules for more sensitive destinations (e.g., Russia). Therefore, where a transaction involves the export, reexport, or transfer (in-country) of items subject to the EAR, even non-U.S. FIs will need to ensure compliance with the EAR to avoid violations of GP 10. To do so, FIs will need to incorporate EAR-related compliance processes into their overall compliance programs to identify any transactions that may require a license under the EAR, and BIS’s Guidance provides several helpful best practices for doing so to prevent processing a transaction in violation of GP 10.

You may be asking yourself about the “knowledge” factor of GP 10 (if so, great question!), and how the U.S. government may apply that term in pursuit of an enforcement action against an FI that facilitated an export, reexport, or transfer (in-country) of items subject to the EAR without the requisite BIS license authorization in place. The EAR’s Definition of Terms in 15 C.F.R. § 772.1 does define the term knowledge as used therein, including as applied to GP 10, and BIS’s Guidance alludes to that definition as well. Specifically, the term knowledge is defined in § 772.1 as follows:

Knowledge of a circumstance (the term may be a variant, such as “know,” “reason to know,” or “reason to believe”) includes not only positive knowledge that the circumstance exists or is substantially certain to occur, but also an awareness of a high probability of its existence or future occurrence. Such awareness is inferred from evidence of the conscious disregard of facts known to a person and is also inferred from a person’s willful avoidance of facts. This definition does not apply to part 760 of the EAR (Restrictive Trade Practices or Boycotts)

BIS’s Guidance’s does attempt to illustrate instances that may be sufficient to constitute “knowledge” under GP 10 in its detailed best practices. However, it is important to consider given the EAR is a strict-liability legal regime dealing with U.S. national security and foreign policy interests, that BIS will receive (and previously has) broad discretion in interpreting the applicable scope of the term by U.S. courts, especially when it comes to sophisticated institutions such as FIs. See e.g., Federal Express Corp. v. U.S. Department of Commerce, et al., 486 F. Supp. 3d 69 (D.D.C. 2020). In the Federal Express Corp. case, BIS had challenged the EAR’s onerous restrictions on its global shipping enterprise, which it argued in part would hold it strictly liable for violations committed by others (i.e., persons shipping through them), and were therefore substantially over-inclusive. However, in disagreeing with FedEx’s claims, the U.S. District Court for the District of Columbia reasoned in relevant part that unlike potentially one-off consumers, common carriers such as FedEx “…are repeat players with the institutional knowledge and scale to navigate the EAR, thus it is reasonable that common carriers might be held to a higher standard.” Id. at 77. Ergo, FIs are likely to have the same fate in challenging applicability of GP 10.

In short, BIS has broad discretion in interpreting the term knowledge for purposes of GP 10, especially when applying it to U.S. or non-U.S. FIs, and the Guidance is instructive in that regard. Therefore, without further ado, let’s dive into the best practices of the BIS Guidance.

BIS’s Best Practices for Financial Institutions

BIS emphasizes the importance for FIs to incorporate EAR-related due diligence into their existing risk management and compliance processes. If an FI isn’t doing so already, this will be in addition to all other compliance programs, including their economic sanctions and anti-money laundering compliance efforts. As with many other regulatory compliance areas, BIS notes that compliance processes related to the EAR should be risk-based. Therefore, a proper export controls specific risk assessment should first be conducted to identify relevant risk areas under the EAR, to then tailor appropriate controls consistent not just with the best practices of this Guidance but also with BIS’s Export Compliance Guidelines: The Elements of an Effective Export Compliance Program.

A summary of the BIS Guidance’s best practices for FIs is as follows:

Restricted Party Screening

• Restricted party screening efforts should also account for BIS’s restricted party lists, such as the Unverified List, Entity List, Military End-User List, and the Denied Persons List to name a few. For many FIs that have third-party screening vendors, this should be a straightforward process with the flick of a switch, where screening occurs prior to customer onboarding and thereafter automated in some manner. For those that don’t, BIS does refer to the U.S. Department of Commerce’s Consolidated Screening List (“CSL”) tool, which should be used for real-time screening of transactions. Note that both names and addresses are expected to be used in screening efforts. Regardless of which tool is used, FI compliance personnel should be appropriately trained on the EAR’s respective end-user and end-use controls for each such list, to account not only for any applicable BIS licensing requirements to a transaction, but also for the general risk profile of their customers.
• Restricted party screening of customers—and, where appropriate, customer’s customers—should also include the list of entities and addresses that have shipped Common High Priority List (“CHPL”) items to Russia since 2023, screen customers also screen customer’s customers, according to publicly available trade data. According to BIS, such lists can be obtained from third-party commercial service providers or free of charge from the Trade Integrity Project (“TIP”), and initiative of the U.K.-based Open-Source Centre. BIS has previously published separate guidance on the use of such trade data.
• If a customer is identified on any of the above lists, BIS recommends the FI to first determine whether the customer is engaged in transactions related to items subject to the EAR, and if so, to obtain certification as to whether the FI has sufficient controls in place to comply with the EAR (in addition to verifying any licensing requirements for any pending transactions).

Red Flag Monitoring

• Appreciating that FIs will likely not have sufficient information to individually assess every transaction for potential EAR violations before proceeding (a surprising concession)—with the exception of real time restricted party screening of all known parties to a transaction—against BIS restricted party lists—the agency does not expect FIs to review transactions for red flags in real time. However, BIS considers an FI potentially learning of information that constitutes a red flag after processing payment for a transaction to possibly give rise to “knowledge” for purposes of GP 10 for future transactions involving the same customer or counterparties. Therefore, FIs are expected to have risk-based compliance procedures in place to detect and investigate red flags post-transaction, and to prevent violations before proceeding with any transactions involving the same parties.
• BIS refers to the previous joint notices issued with FinCEN identifying red flags to assist in identifying transactions potentially tied to the evasion of U.S. export controls, which we covered in part in a prior article on Preventing Unauthorized Diversion to Russia and Belarus. For potential Russian and Belarusian export controls evasion attempts, FinCEN requests FIs to file Suspicious Activity Reports (“SARs”) using the key term “FIN-2022-RUSSIABIS”in SAR field 2 (Filing Institution Note to FinCEN) and the narrative. For such attempts involving any other part of the world, the key term “FIN-2023-GLOBALEXPORT” should be used. FIs, like exporters, cannot willfully self-blind or ignore such red flags. In certain circumstances following the filing of a SAR with FinCEN, BIS may provide the FI with additional information that would establish “knowledge” that a violation of the EAR has occurred, is about to occur, or is intended to occur, and the FI is expected to take necessary steps to ensure that it does not finance or otherwise service the transaction, including terminating a customer relationship if appropriate.
• If certain specified red flags are encountered by an FI during post-transaction review that cannot be resolved to its satisfaction, BIS expects the FI to refrain from future transactions with the relevant transaction parties, otherwise the FI risks liability (i.e., it will sufficiently amount to “knowledge”) for a violation of GP 10. Recognizing that exporters generally have more information than the FI about a transaction, BIS states that FIs may generally rely on their customer’s representations regarding compliance with the EAR unless it would be unreasonable to do so. The specified red flags include: (1) A customer refuses to provide details to banks, shippers, or third parties, including details about end-users, intended end-use(s), or company ownership; (2) The name of one of the parties to the transaction is a “match” or similar to one of the parties on a restricted-party list; (3) Transactions involving companies that are physically co-located with a party on the Entity List or the SDN List or involve an address BIS has identified as an address with high diversion risk; (4) Transactions involving a last-minute change in payment routing that was previously scheduled from a country of concern but is now routed through a different country or company.
• While BIS does recommend real-time screening by FIs of all parties to a transaction that it has actual knowledge of—especially the ordering customer and beneficiary customer in an interbank financial message—against the agency’s own restricted party lists noted above for cross-border payments and other transactions that are likely to be associated with exports form the United States (or re-exports or in-country transfers outside the United States), it does not generally expect FIs to engage in real-time screening of parties to a transaction to prevent violations of GP 10 because of the difficulties in implementation. Instead, it recommends that FIs implement ongoing review/monitoring for red flags described above to avoid financing or servicing a transaction with “knowledge” in violation of GP 10.
• Finally, BIS actively encourages submission of voluntary self-disclosures (“VSDs”) from parties who suspect they may have violated the EAR, which may take advantage of a mitigated enforcement response.

The author of this blog post is Kian Meshkat, an attorney specializing in U.S. economic sanctions and export controls matters. If you have any questions please contact him at [email protected].