On March 21, 2024, the Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a final rule under the U.S. Export Administration Regulations (“EAR”) that imposes new export controls on certain individuals and entities identified on the U.S. Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC’s”) List of Specially Designated Nationals and Blocked Persons (“SDN List”).  More specifically, the final rule imposes a BIS licensing requirement on exports, reexports, or transfers (in-country) of all items “subject to the EAR” when certain categories of SDNs are parties to the transaction.  The covered types of SDNs are designated under 11 OFAC-administered sanctions programs (as noted by BIS), including those relating to Russia, Belarus, transnational criminal organizations, and narcotics traffickers (as well as making slight changes to similar preexisting controls on SDNs designated for activities related to terrorism or proliferation of weapons of mass destruction).

The U.S. government has described these broader EAR restrictions as a “force multiplier” to complement OFAC’s jurisdiction, by allowing these controls in Part 744 of the EAR to “act as a backstop for activities over which OFAC does not exercise jurisdiction.”  OFAC’s sanctions regulations generally prohibit U.S. persons from engaging in any transactions or dealings involving SDNs and blocked parties (i.e., entities owned 50 percent or more by one or more SDNs or blocked parties), and the property or interest in property of such parties in the United States or within the possession or control of a U.S. person must be blocked (i.e., frozen) and reported to OFAC.  Non-U.S. persons can violate U.S. sanctions programs by, among other things, “causing” a U.S. person to violate U.S. sanctions.  With limited exceptions such as under the Cuban Assets Control Regulations and the Iranian Transactions and Sanctions Regulations, OFAC’s sanctions regulations generally do not specify whether they apply to transactions taking place entirely outside the United States that do not involve U.S. persons simply because the transactions involve items subject to the EAR.  This new rule aims to close this gap by providing BIS with clear authority to take export controls enforcement action in such cases where U.S. products or technologies, but not U.S. persons, are involved.   

As a result of BIS’s rule, non-U.S. persons outside the United States, who may not clearly be prohibited (absent the involvement of U.S. persons) by U.S. sanctions regulations from dealing in the property or interests in property of an SDN or blocked party, will now generally be subject to licensing requirements under the EAR if reexporting or transferring (in-country) any item “subject to the EAR” when an SDN designated under at least one of these sanctions programs is a “party to the transaction,” including as purchaser, intermediate consignee, ultimate consignee, or end user.  This underscores the guidance in the Tri-Seal Compliance Note of March 6, 2024 that non-U.S. persons have export controls (and sanctions) licensing obligations under U.S. law, even if operating wholly offshore, and therefore, they should consider enhancing compliance screening protocols and controls to prevent violations of U.S. export controls and sanctions.

Below, we provide an overview of the new rule, analyze how it will expand U.S. extraterritorial jurisdiction and complement OFAC’s authorities, and offer some observations on the practical impact it may have in the near term.  We also offer some perspective on the trend we see taking shape regarding a convergence among U.S. international regulatory authorities and enforcement efforts.

Scope and Limitations of the Rule

The rule imposes a license requirement for all items “subject to the EAR” when an SDN designated under at least one of 11 OFAC-administered sanctions programs is a party to the transaction.  SDNs designated under the Narcotics Trafficking Sanctions Regulations, 31 C.F.R. part 536​, and/or the Foreign Narcotics Kingpin Sanctions Regulations, 31 C.F.R. part 598 were not previously subject to additional EAR licensing requirements, but are now subject to a license requirement for all items “subject to the EAR” as a result of BIS’s new rule.  Prior to this rule, the EAR only imposed a license requirement on all items “subject to the EAR” for SDNs designated under the Foreign Terrorist Organizations Sanctions Regulations, the Global Terrorism Sanctions Regulations, and/or the Weapons of Mass Destruction Proliferators Sanctions Regulations.  While BIS previously imposed end-user controls under EAR § 746.10 for ‘luxury goods’ identified in EAR Part 746, Supplement No. 5 on SDNs designated under EOs relating to Russia and Belarus, the new rule represents a significant expansion in the scope of items subject to additional licensing requirements, covering all items “subject to the EAR.”

It is important to highlight the limitations to the scope of this final rule. Notably, these new controls only apply to SDNs under certain OFAC authorities, omitting major sanctions programs like Global Magnitsky, Malicious Cyber-Enabled Activities, Iran, Venezuela, Syria, and others (although Iran and Syria are subject to comprehensive embargoes under Part 746 of the EAR).  The controls also do not apply to parties identified on other restricted party lists such as OFAC’s Non-SDN Chinese Military-Industrial Complex Companies List, Non-SDN Menu-Based Sanctions List, or Sectoral Sanctions Identifications List, among others.  Furthermore, the controls apply only to specifically-listed SDNs under the identified sanctions authorities and not to other, non-listed parties that are blocked pursuant to OFAC’s 50 Percent Rule.  This appears to represent a similar approach as under other EAR restricted party rules, such as the Entity List, that typically do not extend to non-listed, affiliated entities who are separate legal entities. As with restrictions connected to designation on the Entity List, however, caution is still warranted when dealing with affiliated parties to confirm that the listed party is not involved indirectly in a way that may violate these restrictions.

Another potentially significant limitation on these controls is that the items must be “subject to the EAR,” which includes all items located in or sent from the United States, all U.S.-origin items, non-U.S.-origin items located outside the United States that incorporate controlled U.S.-origin content above applicable de minimis levels, certain non-U.S.-origin items that are subject to the EAR under one or more of the foreign direct product rules, as described in § 734.9 of the EAR, and certain encryption items subject to the EAR under License Exception ENC. While some of the foreign direct product rules may apply to transactions involving these covered SDNs, there is no specific foreign direct product rule to cover these SDNs.  However, parties doing business with these SDNs outside U.S. jurisdiction should watch for a possible promulgation of additional foreign direct product rules targeting these covered SDNs as was the case with Entity List footnote 1, 3, and 4 entities.

Finally, the rule applies only when a covered SDN is a “party to the transaction,” which includes as a purchaser, consignee, or end user. This does not include other types of parties, however, such as the seller and non-consignee intermediaries, agents, etc.  But involvement by a covered SDN would be a red flag, including with respect to concerns over possible “evasion” of these targeted restrictions. 

Controls that had previously applied to SDNs designated as senior officials of the former Iraqi regime of Saddam Hussein, members of their families, and entities they own or control, have now been removed under the rule because the majority of those individuals or entities have died or ceased to exist.  Also removed are the previous restrictions on SDNs designated under the Terrorism Sanctions Regulations, which were removed from the Code of Federal Regulations in March 2020.

The rule specifies a presumption of denial license review policy when its restrictions apply, unless an Entity List entry for a covered SDN provides for a more open license review policy.  The rule also generally restricts the availability of all EAR license exceptions.  However, for transactions in which an OFAC general or specific license or exemption applies (or would apply if the requisite U.S. person involvement were present), another license generally will not be required from BIS.  For covered SDNs that are also on the Entity List, BIS has stated that the Entity List restrictions will “take precedence over those set forth in § 744.8.”  So, for example, if an OFAC general license applies to one of these covered SDNs, BIS would not also require a license for the activity authorized by OFAC, unless the SDN were also on the Entity List, in which case both OFAC and BIS authorizations may be required.  Conversely, if a covered SDN is also on the Entity List with license exception availability under its Entity List entry, those exceptions are available even if they go beyond the scope of an OFAC authorization, and even though other SDNs covered by these new BIS rules are subject to a general restriction on EAR license exception availability.

Practical Effects and Extraterritoriality

The purpose of the rule, according to BIS, is to expand U.S. extraterritorial jurisdiction and complement OFAC’s authorities, including over exports, reexports, and transfers (in-country).   BIS also states that this new rule is intended to cover deemed exports and deemed reexports, i.e., “releases” of controlled technology or source code to foreign nationals in the U.S. or to third country nationals in other countries.  However, in practice, the rule would typically not impose new restrictions on deemed exports, as those by definition involve a U.S. person, and SDNs in any case typically do not have a business presence within the United States.  While at first glance deemed reexports outside the United States could appear to be a new risk area under this rule, it would not appear that this rule would actually apply in many cases.  Deemed reexports target disclosures of technology to individuals based on their nationality, and the EAR states that the technology is “deemed” to have been provided to the individual’s country of nationality even if no activity takes place in that country.  This rule does not appear to change the deemed reexport restrictions under the EAR, as it does not depend on nationality.  Rather, unlicensed disclosures of technology subject to the EAR to the covered SDNs would be an actual reexport or transfer (in-country) to the SDN in potential violation of this rule.  The individual’s nationality would not be relevant.  So, in general, the deemed reexport concept would not come into play. 

Before this new rule, transactions with covered SDNs were already subject to OFAC’s comprehensive prohibitions when they took place inside the United States, or otherwise involved U.S. persons, typically including transactions denominated in U.S. dollars.  But for most of OFAC’s sanctions programs (including those covered by this rule), OFAC jurisdiction has not clearly extended to transactions outside the United States with no direct involvement by U.S. persons when there is a product or technology subject to U.S. jurisdiction (i.e., subject to the EAR) involved.  BIS’s rule complements OFAC’s jurisdiction by allowing EAR Part 744 controls applicable to covered SDNs to “act as a backstop for activities over which OFAC does not exercise jurisdiction.”

While this is not a secondary sanctions authority, it is noteworthy that BIS views it as being complementary to OFAC’s secondary sanctions authorities.  More specifically, the preamble states that “the new license requirements allow for controls on items outside the United States, complementing the existing authority in many OFAC programs to impose blocking sanctions on persons who materially assist, sponsor, or provide financial, material, or technological support for, or goods or services to or in support of, SDNs, even outside of U.S. jurisdiction.”  However, under this BIS rule, the item must be subject to U.S. jurisdiction in order for a violation of the EAR to occur.  And, unlike U.S. secondary sanctions, this BIS rule applies civil and criminal penalties for violations, rather than merely being added to a restricted party list.

These new restrictions also appear to set out a new risk area for foreign financial institutions (“FFIs”) that still do business with newly BIS-restricted SDNs in ways that previously were outside U.S. jurisdiction.  Now, in addition to considering secondary sanctions risk, which has long been a concern in such cases, but which has also seen significant new authorities enacted recently through EO 14024, as explained in our earlier blog post, FFIs under this new BIS rule now may elect to distinguish in their risk assessments and compliance programs between BIS-restricted and BIS-unrestricted SDNs.  If the BIS-restricted SDNs are retained as clients or permissible counterparties, they would need to be subject to more detailed compliance review to assess if items subject to the EAR are involved in the transactions, which can be a challenge for banks and other FFIs to assess.

In some cases, the new rule will have little or no impact, such as for transactions involving covered SDNs that are already on the Entity List and therefore subject to broad restrictions under the EAR.  Additionally, there may be little or no impact for a covered SDN located in Crimea or another comprehensively sanctioned territory that is already subject to very broad export controls and licensing requirements under Part 746 of the EAR.  While most items subject to the EAR were already restricted for Russia and Belarus, not all items are subject to those restrictions, so this rule will have significant impacts in some cases in transactions involving Russia and Belarus.

The biggest impacts may be for covered SDNs that are not currently on the Entity List and that are located in non-sanctioned countries.  For example, under its Russia-related sanctions authorities, OFAC has been targeting numerous individuals and entities in third countries that are viewed to have been involved in circumvention of U.S. export controls or sanctions.  Those SDNs will now be subject to much broader U.S. regulatory restrictions under the EAR as well as the preexisting OFAC restrictions. 

Additionally, the new end-user controls for Specially Designated Narcotics Traffickers (“SDNTs”) and Specially Designated Narcotics Trafficking Kingpins (“SDNTKs”), which previously were not subject to additional EAR licensing requirements, may impact numerous companies in Latin America, Southeast Asia, and elsewhere.  Notably, several Chinese companies have recently been designated under these SDN authorities based on an aggressive new U.S. policy targeting fentanyl precursor production and trafficking.

Companies and financial institutions in places like China, the UAE, Turkey, and Central Asia should pay close attention to the rule and consider how to further integrate their compliance approach based on both OFAC and BIS restrictions.  This rule highlights that these restrictions will continue to evolve at a fast pace and in complex ways, and compliance programs must be attentive to new developments and agile enough to keep up with them.

Parties impacted by these new EAR restrictions can consider applying for licenses from BIS if they believe there would be significant adverse consequences that could result from these new restrictions and if the U.S. government may view it as consistent with U.S. national security and foreign policy interests to authorize continued exchanges of products and technology subject to the EAR with these SDNs.  As noted above, there is a presumption of denial license review policy in most cases (e.g., except when an Entity List entry for one of these covered SDNs provides for a more open license review policy, such as case-by-case review), but it may be possible to overcome that presumption and obtain licenses in compelling cases.

Trend of Regulatory Convergence and Unilateral U.S. Action

This new rule appears to be part of an emerging trend among key U.S. regulators with national security missions to align their regulations and more closely cooperate on enforcement.   For instance, as explained in our recent blog post, OFAC recently added section 510.520 to the North Korean Sanctions Regulations (“NKSR”), which authorizes “[a]ll transactions ordinarily incident to the exportation or reexportation of items (commodities, software, or technology) to North Korea, including transactions with the Government of North Korea” or certain other OFAC-“blocked” persons, “provided that the exportation or reexportation of such items to North Korea is licensed or otherwise authorized by the Department of Commerce.”  This rulemaking made more explicit OFAC’s longstanding deference to BIS for North Korea licensing in many cases.

We have also recently seen more parties being listed both as SDNs and Entity List entities, a product of closer interagency coordination on restricted party targeting.  In addition, BIS’s Russia and Belarus sanctions, along with recent foreign direct product rule changes targeting Iran, Crimea, and other OFAC targets, illustrate this close coordination and use of dual OFAC and BIS restrictions to create expanded U.S. government jurisdiction. 

A recent focus of BIS and OFAC policy has been to align with U.S. partner countries, for example by including the Part 746 carveouts from the EAR’s Russia and Belarus sanctions for Global Export Control Coalition countries.  This new BIS rule is an example of the opposite.  Notably, this rulemaking extends U.S. jurisdiction extraterritorially with no carveout for activity in U.S. partner countries.  Consequently, the rule is more akin to the recent BIS semiconductor rules, which began as unilateral U.S. regulations and gradually have been adopted to some degree by key U.S. partners. 

Some members of Congress have also pushed for closer coordination between the Departments of Commerce and Treasury on restricted party targeting and licensing determinations.  For instance, HR 5613, the “Sanctions List Harmonization Act”, sponsored by Rep. Mike Waltz (R-FL), would require all the agencies that maintain restricted party lists to check whether restricted parties identified on other agencies’ lists should be added to their own lists as well.  In arguing in support of the legislation, Representative Waltz has stated that the “U.S. government has various sanctions lists with different jurisdiction authorities maintained by numerous agencies.  Right now, our federal agencies do not adequately…communicate when a foreign entity is added to their respective sanctions lists.  And this is a major national security concern.  For example, an entity may be denied an export license by the Department of Commerce, but still be allowed to conduct banking transactions regulated by the Department of Treasury…”  This new BIS rule is a more targeted approach, not yet adopting the full-scale list harmonization that some have advocated for.  As such, further expansion of this rule in the future – potentially due in part to prodding by Congress – certainly seems possible.

Conclusion

This final rule is part of a recent trend of closer coordination between OFAC and BIS and appears to represent a continuation of a more aggressive U.S. assertion of jurisdiction abroad when there are only limited links to the United States.  We may see this trend continue, in some cases facilitating compliance by closing regulatory gaps, but in many cases increasing the overall complexity of the rules in ways that may make effective compliance programs more challenging to implement in practice.  As noted in the preamble of the rule, “BIS will continue its regular coordination with OFAC to impose restrictions on persons designated under other OFAC blocking or sanctions programs in cases in which BIS determines that its export controls would be an effective tool to complement OFAC’s sanctions programs.”

This new rule may have arisen in part due to certain limitations that the U.S. Department of Justice (“DOJ”) has been facing in some of its recent, more aggressive enforcement efforts, such as forfeiture actions involving products subject to the EAR but with only minimal U.S. person connections (e.g., U.S. dollar-denominated transactions).  By broadening the scope of U.S. jurisdiction in such cases, enforcement options may, likewise, be expanded.

With those considerations in mind, prompt and aggressive enforcement of these new authorities by the DOJ and other U.S. agencies seems likely.  Impacted organizations should consider quickly whether there is a need to update their compliance programs.  Given the broad prohibitions imposed under the EAR’s General Prohibition 10 – when there are past, present, or future violations of the EAR involved – parties impacted by these new rules should take note of the accompanying risks if these new restrictions apply.  Particularly for financial institutions and others that have limited insight into the types of products and technologies involved in a transaction, incorporating these new concepts into an effective, risk-based compliance program will take careful thought and planning.