On April 24, 2024, President Biden signed HR 815, “Making emergency supplemental appropriations for the fiscal year ending September 30, 2024, and for other purposes,” into law (the “National Security Supplemental” or the “NSS”). The National Security Supplemental appropriates funds to provide security assistance to Ukraine, Israel, and US partners in the Indo-Pacific and humanitarian aid for Gaza. Alongside the appropriations measures, the National Security Supplemental includes the “21st Century Peace through Strength Act”, a collection of fourteen sanctions, export controls, and related regulatory measures targeting Iran, Russia, and China, in addition to areas of concern including narcotics trafficking, terrorist financing, and misuse of information and communications technology and services (“ICTS”).

In this post, we assess these new developments and the areas where they will likely have the greatest impact.

Statute of Limitations Doubled for IEEPA and TWEA Enforcement Actions

As part of the FEND Off Fentanyl Act, Congress doubled the statute of limitations period for both civil and criminal violations of the International Emergency Economic Powers Act (“IEEPA”) and the Trading with the Enemy Act (“TWEA”) from 5 years to 10 years from the latest date of the underlying violation. Since these laws form the statutory foundation for the vast majority of the sanctions imposed by the US government, the extended statute of limitations will have a significant effect on the enforcement of sanctions violations. IEEPA forms the statutory foundation for several other types of US government regulatory programs as well, which will now also be subject to this extended limitations period, such as the Information and Communications Technology and Services (“ICTS”) (discussed here) and Infrastructure as a Service (“IaaS”) (discussed here) regulations, administered by the Commerce Department, along with some of the various obligations imposed under the President’s recent AI Executive Order (discussed here).

IEEPA also still underlies certain portions of the Export Administration Regulations (“EAR”), although most of the EAR now fall under the authority of the Export Control Reform Act of 2018 (“ECRA”). This extension of the limitations period under IEEPA without a corresponding change to ECRA now creates an unusual and challenging disconnect between the basic enforcement authorities underlying the US export controls and sanctions regimes. For that reason, we would expect to see a similar change to the EAR limitations period.

An important question is whether OFAC and other agencies with IEEPA-based civil enforcement authority will seek to apply the new statute of limitations retroactively. Since the FEND Off Fentanyl Act does not explicitly provide for retroactive effect, the agencies may view the new statute of limitations as only applying prospectively. We expect that there would likely be legal challenges to any civil enforcement attempt related to conduct that concluded between April 2014 and April 2019. We note that the Ex Post Facto Clause of the US Constitution, along with other basic concepts such as due process, limit any retroactive effects of laws in the criminal context, and would do so in certain civil enforcement contexts as well.

Lastly, we note that OFAC’s recordkeeping requirement is five years (see 31 CFR §501.601). At this time there is no indication that OFAC will increase this period. However, companies should review their recordkeeping and retention policies and assess whether the extension of the statute of limitations period warrants a corresponding increase in the document retention period for relevant documents and information.

New Authorities Targeting Information and Communications Technology and Services

PAFACA and the Protecting Americans’ Data from Foreign Adversaries Act of 2024

New Laws Aimed at Preventing Foreign Adversary Control of US Person Data

The National Security Supplemental contains two new laws that seek to restrict control over US person data by foreign adversaries. The laws build upon and also diverge from recent similar efforts by the White House and Department of Justice (“DOJ”).

One of the laws, the Protecting Americans from Foreign Adversary Controlled Applications Act (“PAFACA”), prohibits app stores and internet hosting services in the United States from supporting certain applications owned by a foreign adversary. Owners of such applications have 270 days (or potentially longer) to divest their interest in such applications, which would permit their continued availability in the United States. While the law is partially drafted as a law of general applicability applying to any applications meeting the criteria of the statute, it also explicitly targets TikTok and its parent company ByteDance, Ltd.

The other law, the Protecting Americans’ Data from Foreign Adversaries Act of 2024, prohibits data brokers from providing personally identifiable sensitive data of a US individual to a foreign adversary country or an entity controlled by a foreign adversary.

Scope of Covered Persons – Foreign Adversary Control

The laws are designed to target the control of data by foreign adversaries and they share a central component in how they function. They apply only where an individual or entity is controlled by a “foreign adversary country” (“FAC”). The laws define FACs as those countries that are on a statutory list of non-allied foreign nations prohibited from acquiring sensitive materials. That list, which was determined by Congress as part of the 2019 National Defense Authorization Act, is codified at 10 U.S.C. § 4872(d)(2) and currently includes four countries: China, Russia, North Korea, and Iran.

One of the following must apply for an entity to be within the control of a FAC:

Criteria A – A foreign entity with its domicile, headquarters, or principal place of business in a FAC (including an entity that is organized under the laws of a FAC).

Criteria B – An entity which is at least 20 percent owned, directly or indirectly, by a foreign entity or combination of foreign entities that fall within Criteria A.

Criteria C – An entity subject to the direction or control of a foreign entity described in Criteria A or B.

These criteria encompass US entities as Criteria B and C are not restricted to foreign entities.


PAFACA effectively forces the sale of any application deemed to be under foreign adversary control (a “Subject Application”). PAFACA accomplishes this goal by providing a controlling entity with a choice between divestment of control over such an application or removal of the application from the US market. If a controlling entity does not divest itself from a Subject Application (or the US business operations of a Subject Application) within the statutory time frame, then digital marketplaces, like Apple’s App Store and Google’s Play Store, will be prohibited from distributing, maintaining, or updating the application within the United States. Moreover, internet hosting service providers would be prohibited from distributing, maintaining, or updating the application in the United States. The law is designed to seriously impede an application’s business operations in the United States if the foreign adversary does not sell it.

PAFACA is primarily intended to address US government concerns over perceived national security risks posed by TikTok and its potential access to US person data. The intent of Congress and the White House to force a sale of TikTok is evident in the design of the law and from associated statements. Not only does the law create a framework for the identification of a Subject Application, it also specifically provides that a website or application is a Subject Application if it is operated, directly or indirectly, by TikTok, its parent company, ByteDance, or a subsidiary or successor entity to TikTok or ByteDance if that entity is controlled by a foreign adversary.

Once an application is determined to be subject to foreign adversary control, a fast track to divestment begins. Unless the President authorizes a one-time extension for up to 90 days, a controlling entity will only have 270 days after the determination to accomplish a “qualified divestiture,” failing which the US market restrictions described above would kick in. Since TikTok and ByteDance were designated by PAFACA, they have only 270 days from the date of enactment to complete the divestment. In order to be a qualified divestment, the President must determine that the Subject Application is no longer controlled by a foreign adversary and that the US operations of the application are walled off from any formerly affiliated entities that are controlled by a foreign adversary.

TikTok has announced its intent to challenge the legality of PAFACA on constitutional grounds. ByteDance, TikTok, and a collection of TikTok users previously overcame a different type of attempt by the Trump Administration to restrict the use of TikTok in the United States in 2020. While PAFACA provides new statutory authority to force the sale, the plaintiffs are expected to raise primarily constitutional arguments, unlike the statutory focus of the previous challenge. Most notably, plaintiffs and civil rights amicus curiae will likely argue that a TikTok ban violates the First Amendment speech rights and Fifth Amendment due process rights of its users. ByteDance and TikTok may also seek to challenge PAFACA on the basis that it constitutes an unconstitutional bill of attainder and that it violates the Takings Clause of the Fifth Amendment. Interestingly, TikTok’s challenge will proceed directly to the DC Circuit. PAFACA vests that court with exclusive jurisdiction to hear any challenge to the law.

Even if the DC Circuit were to uphold PAFACA, there is considerable public speculation regarding whether ByteDance would be able to divest itself from the US portion of TikTok and still maintain TikTok as users in the United States. In particular, it is unknown how ByteDance would balance concerns of Chinese regulators regarding the sale or export of TikTok’s technology, including its algorithm that drives engagement on the platform.

The TikTok litigation will likely impact any future attempts of the US government to compel the divestiture of foreign adversaries from other popular applications. However, it is notable that only certain applications will be subject to this risk. In general, PAFACA limits enforcement to applications that are social content platforms that have more than one million monthly active users. For an application to be subject to this law, the application’s owner must be controlled by a foreign adversary and the President must reach a determination that the application’s owner presents a significant threat to the national security of the United States.

Protecting Americans’ Data from Foreign Adversaries Act of 2024

The Protecting Americans’ Data from Foreign Adversaries Act of 2024 prohibits data brokers from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to, or otherwise making available personally identifiable sensitive data (the “Covered Activities”) of a person residing in the United States to any FAC or any entity that is controlled by a FAC. This law comes on the heels of recent Biden administration efforts to prohibit or restrict access to bulk sensitive US personal data or government-related data by certain countries of concern, including China, through EO 14117 and a DOJ advance notice of proposed rulemaking (“ANPRM”).

The focus of the law is on the protection of “personally identifiable sensitive data” from access by a FAC or any entity controlled by a FAC. This type of data is broadly defined. It includes “any sensitive data that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linked or reasonably linkable to an individual.” The statute sets forth numerous categories of sensitive data, including: certain health information; certain financial information; biometric information; genetic information; precise geolocation; private communications content, such as emails, texts, messages, voice communications, and certain associated metadata; account or device credentials; certain demographic information; information identifying an individual’s online activities over time and across websites or online services; and information about a minor.

Although the statute bars a wide array of Covered Activities and covers a sweeping range of data, it only applies to a narrowly defined group of “data brokers,” which are entities that:

  1. undertake, for valuable consideration, one or more of these Covered Activities with respect to the data of persons residing in the United States;
  2. do not collect that data directly from those persons; and
  3. provide the data to another entity that is not acting as a service provider.

Numerous companies are considered “service providers” under the law. A service provider is an entity that collects, processes, or transfers data on behalf of, and at the direction of, either an individual or entity, which is not a FAC or controlled by a FAC, or a governmental entity. Thus, many entities that engage in the Covered Activities with respect to personally identifiable sensitive data will not be data brokers under the law because the entity receiving the data qualifies as a service provider.

Additionally, the law specifically excludes certain types of entities from the definition of data broker. These include entities that: transmit data, including communications, of a person residing in the United States at the request or direction of that person; provide, maintain, or offer a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service; report or publish news or information of public interest; report, publish, or otherwise make available news or information that is available to the general public such as information from a book, magazine, television program, or a public website; or act as a service provider.

This new statute differs in numerous ways from the Biden administration’s approach and creates short term uncertainty for industry. First, the law only applies to data brokers while EO 14117 and the ANPRM applies to data brokers plus numerous other actors. Second, the executive order and this statute diverge on which agency has authority over the bulk data issue. EO 14117 gave authority over the issue to the DOJ, which is moving forward with the rulemaking process, led by DOJ’s National Security Division. In contrast, this new statute provides the Federal Trade Commission (“FTC”) with enforcement authority as part of the FTC’s general authorities over unfair or deceptive acts or practices under the FTC Act. Third, in most cases, the ANPRM would only apply to a data transaction that exceeds certain bulk data volumes defined by DOJ. In contrast, this new statute applies regardless of how much data is made available to a FAC or an entity controlled by a FAC. Fourth, the ANPRM and the new statute adopt different criteria to qualify as an entity that cannot receive data from a US data broker. For example, unlike the ANPRM, the statute prohibits a data broker from transferring data to an entity that is only 20 percent, directly or indirectly, owned by an entity domiciled in a FAC.

These are just a few of the differences between the Act and the ANPRM. Given the overlap and potential conflicts between the new statute and the ANPRM, the path forward for the DOJ’s proposed rules is somewhat unclear.

New Cyber-related Sanctions

Section 5 of the Strengthening Tools to Counter the Use of Human Shields Act includes a new statutory authorization for the President to impose sanctions against any foreign person engaged in certain cyber activities that constitute a significant threat to the United States. The Act expands upon and codifies some elements of the existing cyber-related sanctions regime, which was established by President Obama through the issuance of EO 13694 on April 1, 2015, and subsequently amended through the issuance of EO 13757 on December 28, 2016.

Notably, this new statute no longer requires that the purpose or effect of a malicious cyber attack be related to disruption of critical infrastructure, the theft of trade secrets for commercial or competitive advantage, the disruption of a computer or computer network, or election interference. Instead, under this law, the Treasury Secretary may sanction a foreign person for significant cyber-enabled activities that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States, regardless of the more specific purpose or effect of those activities.

Authorities Targeting Iran

The Iran-China Energy Sanctions Act of 2023

The Iran-China Energy Sanctions Act of 2023 amends section 1245(d) of the National Defense Authorization Act (“NDAA”) for FY 2012 by defining the term “significant financial transaction” to include any transaction, without regard to the size, number, frequency, or nature of the transaction (i) by a Chinese financial institution involving the purchase of Iranian-origin petroleum or petroleum products, and (ii) by a foreign financial institution (“FFI”) involving the purchase of Iranian unmanned aerial vehicles (“UAVs”), UAV parts, or related systems. Section 1245(d) requires the President to prohibit the opening of, and prohibit or impose “strict conditions” on the maintenance of, US correspondent or payable-through accounts of FFIs where such institutions are determined “knowingly” to have conducted or facilitated “significant financial transaction(s)” involving sanctioned Iranian financial institution.

The Iran-China Energy Sanctions Act of 2023 provides the President discretion to consider “relevant facts and circumstances” in determining whether a transaction conducted or facilitated by a Chinese financial institution or any FFI involving Iranian-origin petroleum or petroleum products or UAVs, UAV parts, or related systems is “significant.” However, that discretion is more limited than financial transactions conducted or facilitated by FFIs involving SDN Iranian financial institutions that do not involve such items. As explained in OFAC’s FAQ 671, OFAC considers the seven factors identified in the Iranian Financial Sanctions Regulations in determining whether financial transactions involving an SDN Iranian financial institution that are conducted or facilitated by any FFI are “significant.” These factors include, among others, the size, number, frequency, and nature of the transaction(s). These are not permissible considerations with respect to transactions involving SDN Iranian financial institutions that are conducted or facilitated by Chinese financial institutions for the purchase of Iranian-origin petroleum or petroleum products, and transactions conducted or facilitated by any FFIs for the purchase of Iranian-origin UAVs, UAV parts, or related systems.

The Stop Harboring Iranian Petroleum (“SHIP”) Act

The SHIP Act requires the President to impose blocking sanctions and other restrictions on certain foreign persons, including owners and operators of ports, vessels, and refineries, involved in activities related to the transportation, processing, and refining of Iranian-origin crude oil or petroleum products.

Specifically, section 3 of the SHIP Act mandates – subject to a limited Presidential waiver authority – sanctions against any foreign person who owns or operates –

  1. a foreign port that knowingly permits the docking of a vessel that is:
    1. operated or owned by a foreign person who knowingly engages in a significant transaction involving the vessel to transport, offload, or deal in significant transactions in condensate, refined, or unrefined petroleum products, or other petrochemical products originating from Iran; or
    2. designated as an SDN for transporting Iranian crude oil or petroleum products;
  2. a vessel through which the owner knowingly conducts a ship to ship transfer involving a significant transaction of any Iranian-origin petroleum product; or
  3. a refinery through which the owner knowingly engages in a significant transaction to process, refine, or otherwise deal in any petroleum product originating from Iran.

The SHIP Act specifies that a foreign person shall not be determined to have knowledge that petroleum or petroleum products are Iranian-origin if such person relied on a certificate of origin or other documentation confirming that the origin of the petroleum or petroleum products was a country other than Iran, unless the person knew or had reason to know that the documentation was falsified.

Section 3 of the SHIP Act also mandates sanctions on entities owned or controlled by a person described in paragraphs (1), (2), or (3) above that knowingly engage in any sanctionable activity described in those paragraphs, as well as any spouse, adult child, parent, or sibling of any foreign person who engages in sanctionable activity described under section 3 of the Act or who demonstrably benefits from such sanctionable activity.

The sanctions that may be imposed under the SHIP Act include designation as an SDN, restrictions on eligibility for US visas and admission into the United States, and a ban on vessels landing at a US port. The sanctions do not apply to the conduct or facilitation of transactions for the provision of agricultural commodities, food, medicine, medical devices, or humanitarian assistance, or to certain safety-related activities.

The SHIP Act also requires Federal agencies to provide to Congress (i) a report on Iran’s exports of petroleum and petroleum products, and (ii) a written strategy and briefing on China’s role “in evasion of U.S. sanctions… with respect to Iranian-origin petroleum products,” including options for strengthening related sanctions and enforcement going forward. Both the report and the written strategy must be submitted to Congress within 120 days of enactment. The unclassified portions of these documents will be publicly available.

The Fight and Combat Rampant Iranian Missile Exports (“Fight CRIME”) Act

The Fight CRIME Act mandates the imposition of blocking sanctions and visa restrictions on foreign persons knowingly involved in the supply, sale, or transfer of, or support for Iran’s nuclear-capable ballistic missiles and UAVs. This includes through activities involving the Government of Iran or any “Iran-aligned entity,” meaning any foreign person that is controlled or significantly influenced by, and that knowingly receives material or financial support from, the Government of Iran, including Hezbollah, the Houthis, or any other proxy group that furthers Iran’s national security objectives.

More specifically, the Act requires the President to impose blocking sanctions and visa restrictions on any foreign person determined to knowingly –

  1. engage in any effort to acquire, possess, develop, transport, transfer, or deploy any goods, technology, software, or related material specified in the Missile Technology Control Regime Annex (collectively, “covered technology”) to, from, or involving the Government of Iran or Iran-aligned entities;
  2. provide entities owned or controlled by the Government of Iran or Iran-aligned entities with goods, technology, parts, or components, that may contribute to the development of covered technology;
  3. participate in joint missile or drone development, including development of covered technology, with the Government of Iran or Iran-aligned entities, including technical training, storage, and transport; or
  4. import, export, or re-export to, into, or from Iran any significant arms or related materiel prohibited under paragraph (5) or (6) to Annex B of United Nations Security Council Resolution 2231 (2015).

These mandatory sanctions provisions also extend to the adult family members of designated persons, as well as actors knowingly providing significant financial, material, or technological support to, or knowingly engaging in a significant transaction with, such designated persons. The Act contains a waiver for the national security interest of the United States, and exceptions for intelligence activities, compliance with international treaty obligations, law enforcement activities, and specified humanitarian assistance.

The Fight CRIME Act also requires the President to designate as a foreign terrorist organization (“FTO”) any “Iranian person” determined to have attacked a US citizen using UAVs, resulting in a prohibition on US persons providing material support or resources to an FTO, and in certain property blocking and reporting requirements.

The Mahsa Amini Human Rights and Security Accountability (“MAHSA”) Act

The MAHSA Act requires that the President, within 90 days of the Act’s enactment and annually thereafter, make a sanctions determination regarding whether certain Iranian government entities and officials meet the criteria for designation under various enumerated sanctions authorities targeting corruption, human rights abuses, and terrorism.

Determinations are required under each sanctions authority with respect to the following persons and entities:

  1. the Supreme Leader of Iran and officials in the Office of the Supreme Leader of Iran;
  2. the Iranian president and any official in the Office of the President of Iran or the cabinet, including cabinet ministers and executive vice presidents;
  3. entities, including foundations and economic conglomerates, overseen by the Office of the Supreme Leader of Iran which is complicit in financing or resourcing of human rights abuses or support for terrorism;
  4. any official of any entity owned or controlled by the Supreme Leader of Iran or the Office of the Supreme Leader of Iran; and
  5. any person determined by the President to:
    1. have been appointed by the Supreme Leader, the Iranian president, or their offices as an Iranian state official, or as the head of any entity wherever located that is owned or controlled by one or more entities in Iran;
    2. have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of any person whose property and interests in property are blocked pursuant to any sanctions authority listed in the MAHSA Act;
    3. be owned or controlled by, or to have acted or purported to act for or on behalf of, any person whose property and interests in property are blocked pursuant to any sanctions authority listed in the MAHSA Act; or
    4. be a member of the board of directors or a senior executive officer of any person whose property and interests in property are blocked pursuant to any sanctions authority listed in the MAHSA Act.

The MAHSA Act also creates a mechanism for appropriate congressional committees to request Presidential determinations under the Act.

The “Holding Iranian Leaders Accountable Act”

The “Holding Iranian Leaders Accountable Act” requires the President, within 180 days of the Act’s enactment, and every 2 years thereafter, to report certain information to Congress regarding the assets of Iranian government officials listed in the Act, and the senior leadership, as determined by the President, of Hizballah, Hamas, Palestinian Islamic Jihad, and Kata’ib Hizballah. Each report may be limited to not fewer than five such natural persons covered by the Act and must include certain information, including a list of non-Iranian financial institutions that (i) maintain an account in connection with assets described in the report, or (ii) knowingly provide significant financial services to any natural person covered by the report. There is an exception to the reporting requirement for financial institutions that agree to close such accounts, cease to provide targeted services, or otherwise provide significant cooperation to the United States for Iran-related national security or law enforcement purposes.

The Act requires the closure of accounts at any US financial institution that holds funds or assets of a natural person named in the report and US financial institutions listed in the report are prohibited from providing significant financial services to such natural person. The Secretary of the Treasury is also required to actively seek the closure of accounts at any FFI that holds funds or assets of a natural person named in the report, and the cessation of significant financial services to a natural person covered by the report using any existing authorities, as appropriate.

Notably, the Act also requires the Secretary of the Treasury to provide relevant congressional committees with a list (subject to some limited exceptions) “of all general licenses, specific licenses, action letters, comfort letters, statements of licensing policy, answers to frequently asked questions, or other exemptions issued by the Secretary with respect to sanctions relating to Iran that are in effect as of the date of the report.”

No Technology for Terror Act

This Act expands the Iran-related foreign-direct product (“FDP”) rule to cover a broader scope of non-US-produced items. Beginning 90 days after the date of enactment, foreign-produced items that are (1) the “direct product” (i.e., the immediate product produced directly) of US “technology” or “software” identified in supplement no. 7 to part 746 of the EAR, or specified in any Export Control Classification Number (“ECCN”) in product groups D or E of CCL Categories 3-9 (“covered ECCNs”), or that are (2) produced by a complete plant or ‘major component’ of a plant that itself is a direct product of US-origin “technology” or “software” specified in any covered ECCNs, will be subject to the EAR where the foreign-produced items are exported (from abroad) or transferred (in-country) to Iran or involve the Government of Iran, and there is knowledge that such items are destined to Iran, or will be incorporated into or used in the “production” or “development” of any “part,” “component,” or “equipment” subject to the EAR and produced in or destined to Iran.

Foreign-produced items subject to the EAR under the FDP rule will generally require an export license from BIS. However, a BIS license will not be required for food, medicine, or medical devices designated as EAR99; or for services, software, or hardware (other than services, software, or hardware for end-users owned or controlled by the Government of Iran) that are (i) are necessarily and ordinarily incident to communications, (ii) designated as EAR99, or (iii) designated as ECCN 5A992.c or 5D992.c pursuant to § 740.17 of the EAR and subject to a general license issued by the Department of Commerce or Department of Treasury.

Seizing Russian Assets

The Rebuilding Economic Prosperity and Opportunity (“REPO”) for Ukrainians Act: Seizure of Russian State Assets for Ukraine

As part of the NSS, Congress has authorized the seizure, confiscation, transfer, or vesting of Russian sovereign assets that are subject to the jurisdiction of the United States for the purpose of transferring those funds to a compensation fund to be established to benefit Ukraine. Under the “REPO for Ukrainians Act,” sovereign assets of Russia and, subject to a Presidential determination, Belarus, may be seized and transferred by the US government for the benefit of a new Ukraine Support Fund that is to be established pursuant to this law. Russian sovereign assets include funds or property of the Central Bank of Russia, the Russian National Wealth Fund, the Russian Ministry of Finance, and any other funds or property owned by the Russian government, including its subdivisions, agencies, and instrumentalities.

As a potential alternative to asset seizure and transfer to the Ukraine Support Fund, and an apparent attempt to immunize at least this limited portion of the current sanctions against Russia from differing policies of future US Presidential administrations, the statute prohibits the Treasury Department from otherwise releasing blocked or effectively immobilized Russian sovereign assets for five years. The only exception allowing such other releases would be if the President certifies that hostilities between Russia and Ukraine have ceased and, at a minimum, Russia has begun the process of compensating Ukraine for the invasion. If the President makes a determination to release these Russian sovereign assets, the law requires the President to notify Congress prior to the release and Congress will have the opportunity to prohibit the release through a joint resolution of disapproval, which, however, would either need to be signed by the President or to overcome a Presidential veto in order to be effective. Likewise, the Secretary of State must notify Congress prior to distributing funds from the Ukraine Support Fund and Congress would be able to prohibit the proposed transfer through a joint resolution of disapproval that similarly must be enacted into law.

Notably, the REPO for Ukrainians Act provides limited opportunity for aggrieved property owners to remedy the seizure, confiscation, transfer, or vesting of their property pursuant to the REPO for Ukrainians Act. Such a claim may only be brought on the basis that the action would deny rights that are protected under the US Constitution. No other cause of action is available, and any claim must be brought no later than 60 days after the date of the seizure. The law vests exclusive jurisdiction over any challenges in the US District Court and Court of Appeals for the DC Circuit.

The REPO for Ukrainians Act is one small piece of a much broader international effort to seize frozen Russian state-owned assets for the benefit of Ukraine. As part of its findings underlying the REPO for Ukrainians Act, Congress estimated that only 1 to 2 percent of the approximately $300 billion in frozen Russian sovereign assets are subject to the jurisdiction of the United States. The vast majority of the assets are immobilized within the EU. The REPO for Ukrainians Act provides for US coordination with Ukraine, the G7, the European Union, Australia, and other allies on establishing a global “Ukraine Compensation Fund” that may receive and use assets from the Ukraine Support Fund. Treasury Secretary Janet Yellen’s statement on the passage of the NSS indicates that discussions regarding the creation of the global fund are ongoing within the G7. US National Security Advisor Jake Sullivan expressed that the United States has a clear preference to act multilaterally with its allies. These developments follow a recent push in the EU to release a large portion of the profits earned on Russian financial assets that are currently frozen in the EU, most of which are held by Belgium-based Euroclear, to Ukraine. The seizure of the actual assets themselves is, however, still very controversial in the EU.

Indeed, the movement towards seizing Russian sovereign assets in the United States and other jurisdictions is fraught with political, practical, and legal controversy. There are concerns about financial stability, retaliatory claims and asset seizures within Russia, and a panoply of others. In the EU, several Member States as well as the European Central Bank are pushing back against US pressure to seize Russian frozen assets, arguing that this would undermine the rule of law and could lead to financial instability as this other third countries may withdraw their assets from the EU. The enactment of the REPO for Ukrainians Act is therefore a particularly significant moment, with the US government taking bold initial action unilaterally to clear the first and major legal obstacle, potentially adding momentum to this movement in other like-minded countries. But it is equally possible that this could represent a high-water mark of optimism that a coordinated global seizure of these sovereign assets may be feasible, which will depend primarily on what further actions, if any, are taken in Brussels. If the EU does not follow, there are real doubts as to whether the US government would act unilaterally to seize these Russian assets.

In the near term, industry should look for the US Treasury Department, as required by the REPO for Ukrainians Act, to issue additional guidance or regulations within 90 days regarding requirements for any financial institution that holds Russian sovereign assets and knows or should know that it holds such assets to provide notice of such assets no later than 10 days after such assets are detected. Similar requirements are already in place under OFAC’s regulations, including pursuant to Directive 4 under EO 14024, so it remains to be seen what, if any, additional requirements or guidance the Treasury Department may set out.

New Authorities Targeting Terrorism and Narcotics Trafficking

Hamas and Other Palestinian Terrorist Groups International Financing Prevention Act

The “Hamas and Other Palestinian Terrorist Groups International Financing Prevention Act” requires the President to impose blocking sanctions on foreign persons, and certain restrictions on foreign states, that assist in sponsoring acts of terrorism or transact with four militant organizations: Hamas, Palestinian Islamic Jihad, the Al-Aqsa Martyrs Brigade, and the Lion’s Den, and their affiliates and successors (collectively, the “named militant organizations”).

Blocking Sanctions

The Act directs the President to, not later than 180 days after the bill’s enactment, impose blocking sanctions on foreign persons determined to “assist[] in sponsoring or providing significant financial, material, or technological support for, or goods or other services to enable, acts of terrorism” or “engage[] directly or indirectly, in a significant transaction with—(A) a senior member of Hamas, Palestinian Islamic Jihad, Al-Aqsa Martyrs Brigade, the Lion’s Den, or any affiliate or successor thereof; or (B) a senior member of a foreign terrorist organization designated pursuant to section 219 of the Immigration and Nationality Act (8 U.S.C. 1189) that is responsible for providing, directly or indirectly, support to Hamas, Palestinian Islamic Jihad, Al-Aqsa Martyrs Brigade, the Lion’s Den, or any affiliate or successor thereof.” The President is also required to issue implementing regulations within 60 days. There is a waiver for vital national security interests and a carveout for specified humanitarian assistance.

Foreign Government Support

The Act also requires the President to impose restrictions on foreign states that knowingly provide “significant material or financial support for acts of international terrorism” under various legal authorities, provide “significant material support” to the named militant organizations, or engage in a “significant transaction that materially contributes, directly or indirectly,” to the terrorist activities of the named militant organizations. The restrictions include: suspension of US foreign assistance (for at least one year); instructions to the US Executive Director of each appropriate international financial institution (not defined) to oppose and vote against loans or financial or technical assistance (for one year); and a prohibition on exporting items on the US Munitions List (“USML”) or Commerce Control List (“CCL”) (for one year) to the state in question. The President is required to issue implementing regulations within 60 days of the Act’s enactment.

The Act authorizes the President to exempt a foreign state from application of the restrictions, if they would interfere with any status of forces agreement. Certain authorized intelligence activities and the provision of specified humanitarian assistance are likewise exempt. The Act also mandates a semiannual report to Congress on the assets of and international support for the named militant organizations.

Likely Impacts

Three of the organizations – Hamas, Palestinian Islamic Jihad, and the Al-Aqsa Martyrs Brigade – are already designated as Specially Designated Global Terrorists (“SDGTs”) and FTOs by the US Government. As a result, the conduct described in the Act as regards these three organizations is already broadly prohibited under the Foreign Terrorist Organizations Sanctions Regulations (31 C.F.R. Part 597) and the Global Terrorism Sanctions Regulations (31 C.F.R. Part 594).

According to the State Department’s 2022 Country Reports on Terrorism, the Lion’s Den is a relatively new armed group based in Nablus, a Palestinian city in the West Bank, assessed by the Israeli authorities to have fewer than 100 members at the time. While the group has claimed responsibility for dozens of attacks, it does not operate at the same scale as the other three organizations. The organization also has no publicly known affiliates.

The largest potential impact appears to relate to restrictions on foreign states that may now be targeted for sanctions in connection with specified “support” or “significant transactions” connected to Hamas and the other named militant organizations (or acts of international terrorism generally). The suspension of US foreign assistance and the prohibition on exports of any items on the USML and CCL have the potential to be highly impactful measures. Whether they are enough to deter continued or future support of these organizations by certain foreign states, and how related diplomatic complexities will be handled, remains to be seen.

End Financing for Hamas and State Sponsors of Terrorism Act

This Act requires the Secretary of the Treasury to submit a report within 180 days to several House and Senate committees with jurisdiction over foreign affairs and banking analyzing major sources of funding to Hamas, a description of US and multilateral efforts to disrupt illicit finance involving Hamas, an evaluation of US efforts to undermine Hamas’s financing of armed hostilities against Israel, and a plan to implement a strategy (in coordination with US allies and partners) to undermine Hamas’s financing of the same.

The Strengthening Tools to Counter the Use of Human Shields Act

The NSS also includes a new law that authorizes sanctions against members of Palestine Islamic Jihad that the President identifies as knowingly ordering, controlling, or otherwise directing the use of civilians to shield military objectives from attack. The “Strengthening Tools to Counter the Use of Human Shields Act” also empowers the leadership of certain Congressional committees to refer a person to the President for such a determination within 120 days.

Illicit Captagon Trafficking Suppression Act

The “Illicit Captagon Trafficking Suppression Act” establishes authority for sanctions related to the production and proliferation of captagon, a drug similar to amphetamine, whose illicit production has been tied to the Syrian Government of Bashar Al-Assad. Notably, the Act defines captagon to mean “any compound, mixture, or preparation which contains any quantity of a stimulant in schedule I or II of section 202 of the Controlled Substances Act,” including related chemical analogues and precursors, bringing a wide range of substances under the umbrella of “captagon.” The Act instructs the President to sanction any foreign person determined to:

  • engage[] in, or attempt[] to engage in, activities or transactions that have materially contributed to, or pose a significant risk of materially contributing to, the illicit production and international illicit proliferation of captagon; or
  • knowingly receive[] any property or interest in property that the foreign person knows—
    • constitutes or is derived from proceeds of activities or transactions that have materially contributed to, or pose a significant risk of materially contributing to, the illicit production and international illicit proliferation of captagon; or
    • was used or intended to be used to commit or to facilitate activities or transactions that have materially contributed to, or pose a significant risk of materially contributing to, the illicit production and international illicit proliferation of captagon.

The Act authorizes imposition of blocking sanctions, as well as visa-related restrictions. The Act also requires a determination, and a report to Congress, as to whether a list of eight individuals—including senior Syrian government officials, leaders of Assad-allied militias, and other individuals publicly linked to the Assad family and captagon trafficking—meet the criteria for sanctions.

The Act contains a waiver for the national security interest of the United States, and exceptions for intelligence activities, compliance with international treaty obligations, law enforcement activities, and specified humanitarian assistance.

New Sanctions Targeting Fentanyl

The FEND Off Fentanyl Act is the latest example of the US government’s use of sanctions and anti-money laundering laws to tackle transnational crime, in this case illicit drug trafficking and money laundering. It also reflects a growing focus on Chinese producers and manufacturers of fentanyl and fentanyl precursors, and related money laundering networks.

The law authorizes the President to impose blocking sanctions against a foreign person who is either knowingly involved in the significant trafficking of fentanyl, fentanyl precursors, or other related opioids, or is knowingly involved in significant activities of a transnational criminal organization related to fentanyl. Additionally, the law authorizes the Treasury Secretary to designate certain financial institutions, classes of transactions, or types of accounts as being “of primary money laundering concern” in connection with illicit opioid trafficking. Once designated, the Treasury Secretary may prohibit or impose certain conditions on transactions between US financial institutions and the subject of the designation.

While the US government already possessed broad authorities to take similar actions in this area, the FEND Off Fentanyl Act is a strong signal from the Congress and the government that this will be elevated as a priority focus in the near future.

The law builds on a series of efforts in recent years to apply sanctions laws to fentanyl trafficking. These efforts began to gain steam with the passage of the Fentanyl Sanctions Act in 2019. President Biden’s subsequent Executive Order (EO) 14059, issued in 2021, authorized the imposition of sanctions on foreign persons that engage in or materially contribute to the proliferation of illicit drugs. In October 2023, Treasury designated 12 entities and 13 individuals based in China for the manufacture and distribution of fentanyl and other illicit drugs pursuant to EO 14059. Shortly thereafter, President Biden announced that he had reached an agreement with President Xi Jinping regarding the reduction of fentanyl precursor exports from China. More recently, on April 16, 2024, the House Select Committee on China published a report in which it claimed that the Chinese government subsidizes the manufacture and export of illicit fentanyl precursors. It appears that the diplomatic efforts of the US government to address this issue bilaterally with China have not at this stage proved satisfactory for many policy makers and other observers, and so we expect an increasing focus on maximizing the use of sanctions and other enforcement tools to try to impose costs on those involved in the illicit fentanyl market.

US agencies will likely continue to prioritize enforcement against Chinese fentanyl producers and distributors and related money laundering networks in the near future given the focus on this topic on Capitol Hill and in the White House. Notably, US financial institutions should expect forthcoming guidance from the Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”), as required by the FEND Off Fentanyl Act, regarding the filing of suspicious activity reports (“SARs”) related to suspected fentanyl trafficking. If this leads to more and improved SAR filing in this area, as expected, one can expect an increase in enforcement activity based on that upgraded data set to which the government will have access.


If you have any questions about how this new law may affect your organization, reach out to a member of our Sanctions, Export Controls, or National Security teams.