U.S. BIS issues guidance on export control best practices for financial institutions

While the Guidance to Financial Institutions on Best Practices for Compliance with the Export Administration Regulations (the Guidance) does not introduce new regulatory mandates, it reflects BIS’s increasing emphasis on FIs as important players in export-related compliance. This heightened scrutiny of the finance sector follows BIS’s recent enforcement priorities related to national security risks arising from geopolitical developments, including Russia’s 2022 invasion of Ukraine and escalating security concerns with China. Consistent with joint notices and alerts from BIS and the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued in June 2022, May 2023, and November 2023, the Guidance underscores the agency’s growing focus on FIs in safeguarding U.S. export controls.

The Guidance advises FIs to integrate EAR-related compliance measures within their existing frameworks for onboarding, transaction monitoring, and ongoing risk assessment. Key measures include screening clients against BIS’s restricted-party lists, obtaining export compliance certifications from higher-risk clients, and performing targeted investigations into transactions involving high-priority items or restricted entities. BIS also highlights the importance of consistent recordkeeping, regular reviews of transactions for red flags, and comprehensive documentation to minimize the risk of EAR violations, particularly under General Prohibition 10 (GP 10).

“Knowing” violations of GP 10

Acknowledging that export violations often involve payments facilitated through FIs, the Guidance outlines specific compliance risks for FIs under GP 10.

GP 10 prohibits FIs and other persons, regardless of location or citizenship, from financing or otherwise supporting transactions involving EAR-controlled items if they possess “knowledge” that a violation “has occurred, is about to occur, or is intended to occur in connection with” the export, re-export, or in-country transfer of such items (15 CFR § 736.2).¹

The Guidance clarifies that “knowledge” within the meaning of the EAR encompasses both direct awareness and “an awareness of a high probability of its existence or future occurrence.” Such awareness can be inferred from a “conscious disregard of facts” or “willful avoidance of facts” known to the person. In this context, the EAR treats “knowing” and “having reason to know” as equivalent legal standards (15 CFR § 772.1). FIs may therefore be held liable under GP 10 if there are indications suggesting a high probability of a violation, even absent direct knowledge.

BIS advises that FIs incorporate the compliance measures outlined in the Guidance to mitigate the risks of “knowing” involvement in export control violations under GP 10’s broad standards. As described below, FI should incorporate any red flags they identify as part of their suspicious activity reporting procedures.

Key compliance recommendations

The Guidance identifies three primary areas where FIs should implement a risk-based approach to EAR compliance:

• Client Control:

  • Restricted-Party Screening: BIS recommends that FIs screen clients against its restricted-party lists, including the Denied Persons, Entity, Military End-User, and Unverified List. To facilitate this, BIS refers FIs to the Department of Commerce’s Consolidated Screening List (CSL), which integrates export-related restriction lists from BIS, the Treasury’s Office of Foreign Assets Control (OFAC), and the State Department’s Directorate of Defense Trade Controls (DDTC).

  • CHPL Screening: FIs should also screen clients—and, where appropriate, clients’ customers—against lists identifying entities that have shipped Common High Priority List (CHPL) items to Russia since 2023. As the U.S. government does not maintain an official list, FIs should acquire this data from third-party providers, such as the Trade Integrity Project run by the UK-based Open Source Centre.

  • Risk Management: Screening results should inform each client’s risk profile, with heightened scrutiny for clients connected to embargoed regions (e.g., Russia, Iran, Belarus) or high-risk sectors (e.g., defense, microelectronics). While a client’s presence on a restricted-party list does not automatically prohibit services, BIS advises that such listings weigh heavily in risk assessments.

  • Customer Certifications: For higher-risk clients, BIS suggests that FIs obtain certifications from clients attesting to EAR compliance, which should confirm that clients conduct restricted-party screening, enhanced due diligence on transfers involving embargoed regions, and enhanced protocols for items on the Commerce Control List or CHPL.

  • Ongoing Monitoring and Updates: BIS emphasizes that due diligence is an ongoing obligation. FIs should re-screen clients regularly to account for updates to restricted-party lists and ensure accurate risk profiles.

• Post-Transaction Review:

  • Red-Flags Identification: Certain red flags in post-transaction reviews may indicate a high likelihood of export control evasion:

    • Refusal to Provide Details: Customers unwilling to disclose information on end-users, intended uses, or company ownership.

    • Last-Minute Payment Re-Routing: Sudden re-direction of payments from a country of concern to another jurisdiction.

    • Restricted-Party List Matches: Transaction parties with names closely matching those on restricted-party lists.

    • High-Risk Location: Transactions involving entities located at the same address as restricted entities on the Entity List or the Specially Designated Nationals (SDN) List, or at addresses with diversion risks.

  • Actions on Red Flags: FIs should investigate red flags and, if unresolved, suspend or terminate involvement to avoid GP 10 liability. To address red flags, FIs may verify that the item is not subject to the EAR, determine if the transaction is license-exempt due to scope or exception, or confirm the existence of a BIS license.

  • Reliance on Customer Representations: FIs may generally rely on customer assurances regarding EAR compliance unless publicly available or proprietary data indicate these representations may be false.

  • License Verification Process: BIS generally does not confirm the existence of licenses for third parties. Therefore, FIs should seek confirmation directly from the customer, potentially by requesting a BIS-issued license copy.

• Real-Time Monitoring: While BIS does not expect real-time screening for all transactions, it encourages FIs to maintain continuous monitoring to flag potential export control violations.

• Targeted Screening for High-Risk Transactions: For cross-border payments and other transactions likely associated with exports, re-exports, or in-country transfers, BIS recommends real-time screening against specific restricted-party lists, such as the Denied Persons List, Military-Intelligence End Users List, and designated entries on the Entity List.

• Scope of Screening: Real-time screening only needs to cover parties known to FIs in the ordinary course of business. BIS does not expect FIs to seek additional party names solely for screening purposes but cautions against “willful blindness” to pertinent facts that could imply “knowledge” under GP 10.

  • Action on Matches: Upon identifying a restricted-party match, the FI should immediately suspend the transaction until compliance with EAR is confirmed or an exemption is verified, as proceeding without verification risks GP 10 liability.

  • Suspicious Activity Reporting: The Guidance reiterates FIs’ duties under the prior joint BIS and FinCEN notices to report suspicious activities related to potential EAR violations through Suspicious Activity Reports (SARs).²

    • Follow-up on SARs: After an FI files an SAR to FinCEN, BIS may provide additional information that could establish knowledge of an EAR violation. In such cases, BIS expects FIs to prevent further involvement in transactions that may breach GP 10, which may include terminating the customer relationship.

  • Voluntary Self-Disclosures (VSDs): BIS strongly encourages the submission of VSDs from entities who suspect they may have violated the EAR.

Next steps

As BIS intensifies its focus on the financial sector as a tool to increase industry compliance, FIs should ensure that their compliance programs are comprehensive and integrate EAR-specific controls across due diligence, screening, and transaction monitoring processes. The target of the Guidance puts particular scrutiny on payments related to shipments or transactions outside the United States that may involve items subject to the EAR where the parties may not otherwise be subject to U.S. jurisdiction. Companies need to understand that FIs may report transactions by account holders without advance notice, depending on the circumstances. Given GP 10’s expansive “knowledge” standard, it is critical for FIs to establish robust escalation procedures. Implementing advanced screening tools, including those integrating BIS’s restricted-party lists, can streamline the detection of restricted parties and automate red-flag alerts. FIs should also consider communications with their account holders if they identify potential violations from existing activities in order to mitigate exposure to liability.

For further guidance or tailored assistance in strengthening your institution’s EAR compliance program, please contact the Hogan Lovells team.

Authored by Yue-Zhen Li, Beth Peters, Ajay Kuntamukkala, and Andrea Fraser-Reid.

References

1 Additionally, all U.S. Persons under U.S. export control laws, including such FIs, are prohibited from supporting—such as “servicing” or “financing”—certain activities that they know are connected to weapons of mass destruction or military-intelligence programs (15 CFR § 744.6).