Photo of Meredith Rathbone

Meredith Rathbone focuses on export controls and economic sanctions, and has assisted clients in the energy, manufacturing, telecommunications, information security, banking, insurance, pharmaceutical, and service industries, among many others, in navigating the requirements of the Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR) and US sanctions regulations administered by the Office of Foreign Assets Control (OFAC) and US Department of State. She regularly assists companies in developing compliance policies, conducting internal investigations, performing training, and conducting due diligence in M&A transactions. She has represented individuals and companies facing civil and criminal investigations in this area, and has also represented clients in their efforts to be removed from OFAC’s list of Specially Designated Nationals (SDNs). She is a frequent writer and speaker on export controls and sanctions topics. She is the co-chair of the American Bar Association’s Export Controls and Economic Sanctions Committee, and also serves on the Sanctions Subcommittee of the State Department’s Advisory Committee on International Economic Policy.

Read Meredith's full bio.

On May 10, 2024, the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an Interim Final Rule, effective August 8, 2024 (the “IFR”), that clarifies the scope of OFAC’s rejected transaction reporting requirement, and introduces other amendments to the Reporting, Procedures and Penalties Regulations (“RPPR”) at 31 CFR Part 501.

While reported enforcement actions under the RPPR are not common, there are past examples, such as one that we reported on in 2016 and a 2022 enforcement action involving Nodus International Bank, Inc. (“Nodus”), an international financial entity located in Puerto Rico, for failure to maintain full and accurate records related to the handling of blocked property and inaccurate reporting of the blocked property to OFAC. Given OFAC’s increasing regulatory focus on the RPPR requirements, such as rejected transaction reporting, one can expect that the agency may increase its enforcement focus in this area as well. Therefore, parties subject to OFAC’s regulatory jurisdiction, including organizations that are not financial institutions, would be well advised to consider how to integrate these changing RPPR requirements into their compliance programs.Continue Reading OFAC Amends Reporting Requirements – Important Considerations for Compliance

On April 24, 2024, President Biden signed HR 815, “Making emergency supplemental appropriations for the fiscal year ending September 30, 2024, and for other purposes,” into law (the “National Security Supplemental” or the “NSS”). The National Security Supplemental appropriates funds to provide security assistance to Ukraine, Israel, and US partners in the Indo-Pacific and humanitarian aid for Gaza. Alongside the appropriations measures, the National Security Supplemental includes the “21st Century Peace through Strength Act”, a collection of fourteen sanctions, export controls, and related regulatory measures targeting Iran, Russia, and China, in addition to areas of concern including narcotics trafficking, terrorist financing, and misuse of information and communications technology and services (“ICTS”).

In this post, we assess these new developments and the areas where they will likely have the greatest impact.Continue Reading President Signs Expansive Sanctions Bill Into Law; Doubling of Limitations Period for IEEPA Violations Likely to Have Major Impact

On March 21, 2024, the Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a final rule under the U.S. Export Administration Regulations (“EAR”) that imposes new export controls on certain individuals and entities identified on the U.S. Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC’s”) List of Specially Designated Nationals and Blocked Persons (“SDN List”).  More specifically, the final rule imposes a BIS licensing requirement on exports, reexports, or transfers (in-country) of all items “subject to the EAR” when certain categories of SDNs are parties to the transaction.  The covered types of SDNs are designated under 11 OFAC-administered sanctions programs (as noted by BIS), including those relating to Russia, Belarus, transnational criminal organizations, and narcotics traffickers (as well as making slight changes to similar preexisting controls on SDNs designated for activities related to terrorism or proliferation of weapons of mass destruction).

The U.S. government has described these broader EAR restrictions as a “force multiplier” to complement OFAC’s jurisdiction, by allowing these controls in Part 744 of the EAR to “act as a backstop for activities over which OFAC does not exercise jurisdiction.”  OFAC’s sanctions regulations generally prohibit U.S. persons from engaging in any transactions or dealings involving SDNs and blocked parties (i.e., entities owned 50 percent or more by one or more SDNs or blocked parties), and the property or interest in property of such parties in the United States or within the possession or control of a U.S. person must be blocked (i.e., frozen) and reported to OFAC.  Non-U.S. persons can violate U.S. sanctions programs by, among other things, “causing” a U.S. person to violate U.S. sanctions.  With limited exceptions such as under the Cuban Assets Control Regulations and the Iranian Transactions and Sanctions Regulations, OFAC’s sanctions regulations generally do not specify whether they apply to transactions taking place entirely outside the United States that do not involve U.S. persons simply because the transactions involve items subject to the EAR.  This new rule aims to close this gap by providing BIS with clear authority to take export controls enforcement action in such cases where U.S. products or technologies, but not U.S. persons, are involved.   

As a result of BIS’s rule, non-U.S. persons outside the United States, who may not clearly be prohibited (absent the involvement of U.S. persons) by U.S. sanctions regulations from dealing in the property or interests in property of an SDN or blocked party, will now generally be subject to licensing requirements under the EAR if reexporting or transferring (in-country) any item “subject to the EAR” when an SDN designated under at least one of these sanctions programs is a “party to the transaction,” including as purchaser, intermediate consignee, ultimate consignee, or end user.  This underscores the guidance in the Tri-Seal Compliance Note of March 6, 2024 that non-U.S. persons have export controls (and sanctions) licensing obligations under U.S. law, even if operating wholly offshore, and therefore, they should consider enhancing compliance screening protocols and controls to prevent violations of U.S. export controls and sanctions.Continue Reading Export Controls and Sanctions Converge: New BIS Restrictions on SDNs

On February 28, 2024, the Biden administration announced the creation of a new national security regulatory regime that will prohibit or restrict certain transactions involving bulk sensitive US personal data or government-related data and specified “countries of concern.” The Biden administration announced the regime in a new executive order, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO 14117), which was accompanied by an advance notice of proposed rulemaking (ANPRM) issued by the National Security Division (NSD) of the Department of Justice (DOJ), the component and agency with primary responsibility for implementing and enforcing the forthcoming regulations. The White House and DOJ also published fact sheets regarding the new regime.

Executive branch officials and members of Congress have long been concerned about the lack of a national security regulatory regime covering the transfer of sensitive US personal data to countries of concern, particularly China. As explained in EO 14117, such data has the potential to be used for a variety of nefarious purposes, including surveillance, extortion, and influence campaigns targeting US government employees and members of the US military, among others. The order highlights that such risks have become more acute due to the rapid advancement of artificial intelligence (AI) and its ability to analyze and manipulate data sets. Bulk sensitive personal data can also be used in the creation and refinement of AI models and other advanced technologies.

According to the White House, the EO is “the most significant executive action any President has ever taken to protect Americans’ data security.”

The public may submit comments on the ANPRM through April 19, 2024 and will likely have an additional opportunity to comment on the language contained in a proposed rule, once issued.

Although intended to be tailored in its scope, our initial assessment is that the new regulatory scheme, once fully implemented, will likely have a profound impact on a number of industries and entities around the world. At a minimum, it seems certain that regulatory compliance costs could be substantial, particularly on entities that have not previously focused on building out a risk-based compliance program in this or other related areas.Continue Reading Biden Administration to Implement New National Security Rules Targeting Personal Data

In a first of its kind action, the US Department of Commerce has begun a rulemaking process to prohibit or impose conditions on certain transactions involving foreign technology used in so-called “connected vehicles” or “CVs,” as defined below for automotive applications.

The measure, announced by Commerce on February 29, 2024 in a press release and an advanced notice of proposed rulemaking (ANPRM), is Commerce’s first attempt to cover a class of transactions under the Department’s Information and Communications Technology and Services (ICTS) rules.

The ICTS rules, contained at 15 CFR Part 7, were first issued in 2021, but Commerce has not yet implemented or used the rules to cover a particular class of transactions. However, Commerce recently created a new Office of Information and Communications Technology and Services (OICTS) within the Bureau of Industry and Security (BIS) and appointed the first ever director of that office (see additional detail here). Those measures, coupled with the ANPRM on CVs, suggest that Commerce has ramped up its efforts in this area and is becoming increasingly active in its use of the ICTS rules. It is all but certain that the ANPRM on CVs is just the first example of industries to be targeted, and we expect to see similar efforts in relation to other high-priority industries going forward.

Comments on the ANPRM are due by April 30, 2024. Commerce will likely publish a proposed rule after reviewing public comments on the ANPRM and provide an additional opportunity to comment on the proposed rule at that time.Continue Reading In First of Its Kind Action, Commerce Moves to Regulate Foreign Tech in Vehicles

On February 23, 2024, the United States issued a broad set of new Russia-related sanctions and export controls in response to the second anniversary of Russia’s invasion of Ukraine and the February 16, 2024, death of opposition leader, Aleksey Navalny, in Russian custody.

The Treasury Department’s Office of Foreign Assets Control (OFAC), the Commerce Department’s Bureau of Industry and Security (BIS), and the State Department all issued new designations.  The agencies also issued an inter-agency advisory warning non-Russian companies from doing business in or with Russia.Continue Reading US Government Imposes New Russia Sanctions, Designating Over 500 Parties and Issuing Interagency Russia Business Advisory

On January 16, 2024, the Assistant Secretary for Export Enforcement at the Department of Commerce’s Bureau of Industry and Security (BIS) issued a memorandum, announcing that:

  1. parties disclosing minor or technical violations that occurred close in time can submit a single Voluntary Self-Disclosure (VSD) on a quarterly basis, which may include an abbreviated narrative account of the suspected violations; and
  2. parties sending formal requests to BIS’s Office of Exporter Services to engage in otherwise prohibited activities with respect to items involved in violations of the Export Administration Regulations (EAR) should also send courtesy copies to the Office of Export Enforcement (OEE), which will help expedite BIS’s processing of such requests.

The memorandum builds upon previous changes to BIS’s administrative enforcement program, which were announced in memoranda dated June 30, 2022 and April 18, 2023.  These changes are intended to help OEE fast-track its review of “minor” or “technical” VSDs and to encourage additional disclosures of potentially significant violations of the EAR, but do not apply to VSDs relating to Part 760 of the EAR (antiboycott and restrictive trade practices).  For a detailed analysis of the previous memoranda, see our blog posts from July 6, 2022 and April 26, 2023.  Continue Reading BIS Makes Further Changes to Administrative Enforcement, But Questions Remain

Overview

On August 9, 2023, the White House issued a long-awaited Executive Order, entitled Addressing United States Investments in Certain National Security Technologies and Products in Countries of Concern (“EO 14105”). The EO establishes a new national security regulatory regime, implemented principally by the US Department of the Treasury (“Treasury”), in consultation with other federal agencies including the US Department of Commerce, that will require the notification of, as well as prohibit, certain investment activity by US persons in named “countries of concern,” currently China.

EO 14105 does not restrict all US person investment activity regarding China, and is tailored to focus on specific products, technologies, and capabilities involving: (1) semiconductors and microelectronics (including advanced integrated circuits and supercomputers); (2) quantum information technologies (e.g., computers, sensors, networking, and systems); and (3) certain artificial intelligence systems (e.g., with certain military, intelligence, or surveillance end uses).Continue Reading Biden Administration Announces New Outbound Investment Regime Targeting China

On June 16, 2023, the US Department of Commerce published a final rule (the “June 16 rule”) to implement Executive Order (EO) 14034, Protecting Americans’ Sensitive Data From Foreign Adversaries, by amending Commerce’s previously-issued Securing the Information and Communications Technology Supply Chain regulations (the “ICTS rule”).   Among other requirements, EO 14034 directed the Secretary of Commerce to consider the risks posed by “connected software applications” and take “appropriate action” in accordance with the previously issued ICTS rule and EO 13873, Securing the Information and Communications Technology and Services Supply Chain, pursuant to which the ICTS rule was issued. 

The ICTS rule authorizes Commerce to prohibit or otherwise regulate certain transactions involving information and communications technology or services (“ICTS”) with a nexus to “foreign adversaries” that pose an “undue or unacceptable risk” to US national security.  (For additional detail on the ICTS rule, see our prior blog post.)  The June 16 rule amends the ICTS rule to clarify Commerce’s ability to regulate transactions involving software, including so-called “connected software applications,” and to further enumerate the criteria that Commerce will consider when reviewing such transactions.   The changes are effective July 17, 2023.Continue Reading Commerce Issues Final Rule Targeting Connected Software Applications

On April 18, 2023, Matthew Axelrod, Assistant Secretary for Export Enforcement at the Department of Commerce’s Bureau of Industry and Security (BIS), issued a memorandum outlining two important changes to BIS’s settlement guidelines when significant potential violations of the Export Administration Regulations (EAR) are identified. Specifically, BIS announced that (1) the deliberate non-disclosure of a significant potential violation will now be treated as an aggravating factor in civil enforcement cases, and (2) whistleblowing of significant potential violations by another party that ultimately results in a BIS enforcement action will be considered a mitigating factor in any future enforcement action involving the whistleblower, even for unrelated conduct. The policy changes are intended to incentivize the submission of disclosures to BIS when industry or academia uncovers significant EAR violations (i.e., those reflecting possible national security harm, as opposed to minor, technical violations).

BIS’s new policy of treating non-disclosure of significant potential violations of the EAR as an aggravating factor marks a potential sea change in the voluntary self-disclosure (VSD) risk calculus for exporters and reexporters. By reorienting the purpose of the VSD to serve as both carrot and stick, BIS has now interjected more complexity into the voluntary disclosure decision making process. Companies that may have been inclined, previously, to remediate significant potential violations but not disclose may now face a more difficult choice. While it may take years for the civil penalty data to demonstrate the concrete costs of non-disclosure of significant potential violations of the EAR, consideration of that factor is likely to weigh heavily in any future BIS VSD decisions.Continue Reading A Carrot and a Stick: BIS Clarifies Policy on Self-Disclosures and Whistleblowing