Executive Summary

On March 6, 2024, the U.S. Departments of the Treasury, Commerce, and Justice jointly issued a Tri-Seal Compliance Note titled “Obligations of Foreign-Based Persons to Comply with U.S. Sanctions and Export Control Laws” (“Tri-Seal Note” or “Note”). The Tri-Seal Note is significant for several reasons. First, it pointedly reminds foreign persons that they have considerable obligations to comply with complex provisions of U.S. sanctions and export control laws under the jurisdiction of the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”), and the U.S. Department of Justice (“DOJ”). To prevent sanctions evasion and the illicit diversion of U.S. technologies, the Note also highlights the powerful extraterritorial reach of U.S. law to persons and activities that may, on their face, appear to have no connection with the United States. As the latest in a series of joint compliance notes showing enhanced coordination among U.S. regulators, the Note puts foreign persons on notice that the U.S. government intends to enhance scrutiny of non-U.S. companies and persons that fail to comply with U.S. law, and that it will employ the various criminal, civil, and administrative tools at its disposal. Finally, while the agencies issuing the Note have previously issued guidance on the compliance obligations of U.S. persons, this Note outlines specific compliance considerations for foreign persons that will likely be used as benchmarks for future enforcement cases—and that can be used as guidelines to try to avoid or mitigate enforcement scrutiny.

I. Introduction

On March 6, 2024, the U.S. Departments of Commerce, Treasury, and Justice issued a Tri-Seal Compliance Note titled “Obligations of Foreign-Based Persons to Comply with U.S. Sanctions and Export Control Laws” (“Tri-Seal Note” or “Note”). This Note is the latest in a series of joint compliance notes published by U.S. federal agencies highlighting the risks and responsibilities under U.S. sanctions and export control laws¹  and serves as a reminder to foreign-based persons of their obligations to comply with these laws under the jurisdiction of the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”), and the U.S. Department of Justice (“DOJ”). The Note describes the breadth of U.S. jurisdiction and the various enforcement mechanisms available to the government to hold non-U.S. persons accountable; identifies specific measures non-U.S. companies should take to mitigate the risks of noncompliance; and puts on notice foreign-based persons regarding the activities that are likely to be subject to increased scrutiny and enforcement in the future.

II. Sanctions

Generally, OFAC sanctions apply to U.S. citizens and permanent resident aliens wherever located, all persons within the United States, and all U.S.-incorporated entities and their foreign branches. U.S. persons are further prohibited from providing “approval” or “facilitation”—defined broadly to include everything from passive information technology (“IT”) services to active involvement—of activities by foreign persons that would violate OFAC regulations if performed by U.S. persons. Some sanctions programs additionally require foreign entities owned or controlled by U.S. persons to comply with OFAC regulations.²

Non-U.S. persons also have certain compliance obligations under OFAC sanctions, as highlighted in the Note. For example, foreign persons are prohibited from causing or conspiring to cause U.S. persons to violate sanctions, indirectly exporting services from the U.S., or otherwise engaging in conduct that evades sanctions. The Note lists several examples of such activity on which OFAC has focused its enforcement actions, including: 

• concealing the existence of sanctioned parties or jurisdictions in a financial transaction with a U.S. person;
• misleading a U.S. person into exporting goods that are actually destined for a sanctioned jurisdiction; and
• routing a prohibited transaction through the United States or the U.S. financial system, thereby causing a U.S. financial institution to process a prohibited payment.

Illustrative enforcement actions include situations where foreign companies and their subsidiaries have run afoul of the rules. In a $6.1 million settlement in 2022, Toll Holdings Limited, an Australian freight forwarder and logistics firm, utilized the U.S. financial system in connection with shipments by the company, its affiliates, and suppliers involving Iran, North Korea, and Syria—comprehensively sanctioned jurisdictions—as well as sanctioned persons.³  This had the effect of causing U.S. financial institutions to transact with blocked persons and to export financial services to sanctioned jurisdictions, which OFAC deemed Toll Holdings had done “recklessly by failing to adopt or implement policies that prevented it from conducting potentially violative transactions.”⁴

 Notably, OFAC may impose civil monetary penalties on a strict liability basis—i.e., even when violating parties lack knowledge or reason to know that their conduct violates sanctions regulations—and appears to be doing so with increasing frequency. Foreign persons who violate U.S. sanctions laws may also be at risk of being added to OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) List or Correspondent Account or Payable-Through Account (“CAPTA”) List, among other restrictions available to limit access to the U.S. financial system (e.g., secondary sanctions).

III. Export Controls

Unlike sanctions, which generally target certain activities of U.S. and foreign persons, export controls regulate the items being exported and apply equally to both U.S. and non-U.S. persons. As the Note explains, “The law follows the goods.” BIS administers and enforces export controls on dual-use and certain military-use items through the Export Administration Regulations (“EAR”).

As a basic matter, the EAR applies to the export,⁵  reexport,⁶  and in-country transfer⁷  of most U.S.-origin goods, software, and technology. However, the EAR may also apply to foreign-produced items exceeding certain de minimis thresholds for U.S.-origin components or software.⁸  Typically, a foreign-made item is subject to the EAR if the value of the U.S.-origin controlled content exceeds 25% of the total value of the finished item; for items destined for Cuba, Iran, North Korea, or Syria, this threshold is 10%.⁹  The EAR also applies to certain foreign-produced “direct products” of certain U.S.-origin technology, software, or production resources to certain countries, known as the foreign direct product rule (“FDPR”).¹⁰  FDPR restrictions can also extend U.S. jurisdiction to foreign parties’ transactions involving certain parties on the BIS Entity List, which restricts any sharing of U.S.-regulated items or technology without a license. Items subject to an FDPR may therefore be subject to the EAR even if the items never enter the U.S. market or involve a transaction with a U.S. person.

The Note illustrates several examples of how foreign entities, as well as U.S. entities and their foreign affiliates, have committed violations due to insufficient understanding of export controls. For instance, the Note describes the $300 million administrative penalty—the largest in BIS history—issued against Seagate Technology LLC (“Seagate US”) and Seagate Singapore International Headquarters Pte. Ltd. (“Seagate Singapore”) (collectively, “Seagate”) for Seagate’s alleged shipping of millions of hard disk drives to Huawei without a license.¹¹  In that case, despite the fact that competitors had ceased selling to Huawei, Seagate misapplied the FDPR, incorrectly believing that its non-U.S.-made products were not subject to U.S. export controls. In addition to the substantial monetary penalty, Seagate is also subject to a suspended five-year denial order that allows BIS to cut off its export privileges should Seagate violate key terms of the settlement agreement.

Given these complex rules, foreign parties to an export transaction cannot simply assume, because their transactions have no facial connection with the U.S., that U.S. export controls do not apply. Like sanctions, export controls may be violated directly by engaging in prohibited conduct (e.g., exporting a controlled item to a sanctioned jurisdiction in the absence of a BIS license) or by evading or attempting to evade U.S. export control laws, or indirectly by “causing, aiding, or abetting” a violation.¹²  U.S. export violations can also come with a number of repercussions ranging from administrative and civil penalties to the revocation of export privileges to criminal penalties for willful violations.¹³

IV. Criminal Enforcement of U.S. Sanctions and Export Control Laws

  DOJ is also taking on an increasingly important role in coordination with OFAC and BIS to enforce dynamically evolving U.S. sanctions and export control laws. It is authorized to criminally prosecute willful violations of U.S. sanctions and export laws pursuant to the International Emergency Economic Powers Act (“IEEPA”) and the Export Control Reform Act of 2018, respectively.¹⁴  In a recent enforcement case of note, Binance Holdings Limited pleaded guilty in a resolution of over $4 billion to violating U.S. sanctions laws, inter alia, after the company failed to implement internal controls that would have prevented trades between U.S. users and users in comprehensively sanctioned jurisdictions despite knowing that its system would cause U.S. users to engage in such transactions in violation of IEEPA.¹⁵

V. Risk Mitigation Measures

This Note is important because it serves to put foreign persons on explicit notice of the obligations they have under U.S. sanctions and export control laws and of the stronger enforcement actions they may face for violations. Although OFAC,¹⁶  BIS,¹⁷  and DOJ¹⁸  each maintain their own set of compliance guidelines, this Note offers—for the first time—unified guidance specifically for foreign persons, to help mitigate their risks. Recommended compliance measures include:

• employing a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program;
• establishing strong internal controls and procedures to govern payments and the movement of goods to help detect linkages to sanctioned persons or jurisdictions;
• ensuring that know-your-customer (“KYC”)   information and geolocation data are appropriately integrated into compliance screening protocols and that such information is updated on an ongoing basis per the results of risk assessments and customer risk rating;
• training subsidiaries and affiliates on U.S. sanctions and export controls requirements to ensure they can effectively identify red flags and escalate or report prohibited conduct to management;
• taking immediate and effective action, when a compliance issue is identified, to implement compensating controls until the root cause of the issue can be determined and remediated;
• implementing measures to mitigate sanctions and export control risks prior to merging with or acquiring other enterprises, especially where a company is expanding rapidly and/or disparate IT systems and databases are being integrated; and
• voluntarily self-disclosing potential apparent violations to the relevant agency, where such conduct is identified.

While there is no one-size-fits-all solution, WilmerHale has the skills and experience necessary to assist in developing and enhancing a compliance program tailored to your company’s unique footprint and risk profile.