United States: FinCEN And BIS Expand SAR Guidance For Export Control Evasion, As General Prohibition Ten Looms Large

Financial institutions have long asked how—and to what extent—they need to comply with export controls, and recently, the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) and the U.S. Department of Commerce's Bureau of Industry and Security (BIS) have started to respond. The guidance thus far strengthens export controls and prevents evasion by (1) providing financial institutions with red-flag indicators for export control evasion, (2) providing key terms to use in export control evasion-related Suspicious Activity Reports (SARs), and (3) reminding financial institutions of their other longstanding obligations under the Bank Secrecy Act (BSA). But financial institutions should know that it is not merely BSA obligations that matter when it comes to export control issues—financial institutions can also be liable for export control violations under regulations such as the Export Administration Regulations (EAR), which are administered and civilly enforced by BIS.

On November 6, 2023, the FinCEN and BIS issued their third joint notice since June 2022 regarding financial institutions' responsibilities and expectations with respect to export control evasion (the November 6 Notice). The November 6 Notice highlights a new SAR term (FIN-2023-GLOBALEXPORT) for financial institutions to reference when reporting on individuals or entities suspected of export control evasion unrelated to Russia. BIS appears to have found its footing with the first two joint alerts from June 2022 and May 2023 specifying Russia-related export control evasion (for which the key term "FIN-2022-RUSSIABIS" should be used) and, by all appearances, is laying the groundwork for a generally higher level of financial institution compliance globally.

The November 6 Notice also reminds financial institutions that they must take a risk-based approach under the BSA, and that financial institutions directly involved in providing trade finance for exporters may have access to information relevant to identifying potentially suspicious activity, including end-use certificates, export documents, contracts, or other documentation. FinCEN and BIS also implore financial institutions to remain vigilant in spotting and mitigating red-flag indicators of export control evasion.

However, it is not just BSA obligations that financial institutions should be concerned about when it comes to export control evasion. BIS has enforcement jurisdiction over financial institutions that engage in export control violations. Unfortunately, there is not much guidance from BIS with respect to export control compliance for financial institutions, and many do not regularly interact with BIS. That said, it is important for financial institutions to note that they could indeed be subject to BIS enforcement action—particularly where information in their possession provides them with EAR-defined "knowledge" regarding export control violations.

EAR General Prohibition Ten (GP 10) bans "[p]roceeding with transactions with knowledge that a violation has occurred or is about to occur." Specifically, no person may

sell, transfer, export, reexport, finance, order, buy, remove, conceal, store, use, loan, dispose of, transport, forward, or otherwise service, in whole or in part, any item subject to the EAR and exported, reexported, or transferred (in-country) or to be exported, reexported, or transferred (in-country) with knowledge that a violation of the Export Administration Regulations, the Export Control Reform Act of 2018, or any order, license, license exception, or other authorization issued thereunder has occurred, is about to occur, or is intended to occur in connection with the item.

15 C.F.R. §736.2 (emphases added). Financial institutions that, for example, finance items "subject to the EAR" that are to be exported or transferred—with knowledge that a violation of the EAR or any order, license, or other authorization has occurred, is about to occur, or is intended to occur in connection with the item—could be in potential violation of GP 10. The EAR also contain causing, aiding, or abetting and conspiracy enforcement provisions at 15 C.F.R. §764.2(b) and (d) that could conceivably be brought against a financial institution under egregious circumstances.

Financial institutions worldwide should take note for the following reasons:

• Extraterritorial Jurisdiction. The EAR assert jurisdiction based largely on the U.S. origin of the Item at issue in a transaction. EAR jurisdiction rarely relies on (a) the nationality of the individual or entity involved with the Item or (b) where the Item is currently located outside the United States. Therefore, BIS asserts enforcement authority against non-U.S. individuals and entities, wherever located, for transactions involving Items "subject to the EAR," wherever located.
• Financial Institutions a New Frontier in Export Controls. BIS does not have much prominent—or perhaps any—public enforcement history with financial institutions. Given the consistently escalating joint guidance emanating from BIS and FinCEN since last year, BIS's Office of Export Enforcement will likely be prioritizing cases that could result in a significant enforcement action against a financial institution. If brought, such an enforcement action will be immediately public upon the filing of a charging letter with the administrative-law judge prior to disposition of the case due to a BIS policy change announced June 30, 2022.
• EAR "Knowledge." Under the EAR, "knowledge" includes not only positive knowledge that the circumstance exists or is substantially certain to occur but also the awareness of a high probability of its existence or future occurrence. Such awareness is inferred from evidence of the conscious disregard of facts known to a person and is also inferred from a person's willful avoidance of facts. Merely having the information at your disposal gives you "reason to know" under the EAR "knowledge" standard, even if you never review the information.
• Disruptive Technologies a Focus. BIS is, of course, most concerned with leading-edge, disruptive technologies and includes a nonexhaustive list describing things like semiconductors for artificial intelligence, novel materials for production of semiconductors smaller than 14 nanometers, graphics-processing units, quantum technologies, etc. This list complements other recently released high-risk items lists such as the October 24, 2023 Common High Priority Items List, and the High Priority Items List released in the May 2023 joint alert.
• EAR Military End-User Controls.The additional list of red flags in the November 6 Notice tells financial institutions to look out for transactions that "involve a purported civil end-user, but basic research indicates the address is a military facility or co-located with military facilities in a country of concern." While not specifically cited, the red flag comes uncomfortably close to asking financial institutions to prevent transactions that involve (a) any Items "subject to the EAR" destined to military end users or end uses (MEUs) associated with Belarus or Russia, and (b) certain enumerated Items listed in 15 C.F.R. Part 744, Supplement No. 2 to MEUs associated with Burma (Myanmar), Cambodia, China (including Hong Kong), or Venezuela. There is no exhaustive list of MEUs that financial institutions can check for Items destined to MEUs in the above-listed countries (though the MEU controls are limited outside those countries to only certain entities listed in Supplement No. 7 to Part 744). The MEU rules have a "knowledge" requirement, but that may not be sufficient reassurance to the increasingly risk-averse financial industry.
• Deliberate Nondisclosure of "Significant" Violations an Aggravating Factor. Under a policy change announced in April 2023, those persons (including financial institutions) that may have identified "significant" violations but "deliberately" chose not to voluntarily self-disclose them will see that fact work against them as an "aggravating" factor in any BIS enforcement action of those violations.

Financial institutions—particularly those that are engaged in trade finance—should take note of higher-risk Items, such as those highlighted in FinCEN and BIS's joint notices, and apply heightened diligence to ensure that the transaction is being conducted in line with applicable regulations. Consider consulting legal counsel if past potential violations are identified. BIS administers a frequently used voluntary-self-disclosure process through which potential violators can gain significant prosecutorial credit that could, depending on the violator's particular circumstances (such as for many first-time offenders), result in no enforcement action or settlement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.