This is the fourth in a series of articles by Eversheds Sutherland partners Jeff Bialos and Ginger Faulk explaining the legal and regulatory impacts of certain recent US sanctions and export control actions targeting various Chinese entities. Each article explains the regulatory context of the recent rules.
Our previous articles have discussed recent developments in US sanctions and export controls affecting trade with China, including US export controls on software and semiconductor technology, the Department of Defense list of Chinese military companies, the Commerce Department’s “Military End User” rule, and the use of the US “Entity List” to target various concerns from export control to human rights to Iran sanctions. The last month has also seen efforts to restrict foreign investments in publicly traded securities of companies associated with the Chinese military.
The purpose of this article is to provide a framework and practical guidance for complying with existing and emerging US-China export controls and sanctions. In other words, how does a company establish an effective compliance program that appropriately manages risk, limits potential liability exposure, and, at the same time, if things go wrong, confirms to regulators and prosecutors that the company took compliance seriously, thereby mitigating penalties and avoiding a criminal referral?
The best approach to trade compliance is a multidisciplinary approach
As a starting point, if recent developments in US-China trade policies have taught us anything, it’s that US trade restrictions can apply to everything from technical exchanges (internal and external) and product shipments to intracompany shipments and financial transactions and investments. As such, a company’s approach to compliance with US-China trade rules, as well as the broader range of other sanctions regimes, should be multidisciplinary and capable of responding to emerging requirements in any and all of these areas.
Recent US-China trade policies have targeted certain products, technology, and software; third parties; financial flows and financial institutions; inbound foreign investment; imports and tariffs; and even access to capital market financing. As a result, in considering your multinational company’s compliance obligations and risk exposure, you should consider the implications across business units and functions, including:
-Research and Development
-Sales and Marketing
-Shipping and Logistics
-Finance and Accounting
-Banking and Insurance
-IT Systems, and others.
These rules can apply to intra-company, as well as external, activities. Even if one segment of your business has a particular type of heightened risk exposure, it does not mean that is the only segment of your business that may be exposed.
Ensure accountability and support for trade compliance
Overall, an effective compliance program requires a number of core elements: 1) leadership commitment and the allocation of resources to the compliance function; 2) robust procedures and processes integrated into the company’s business; 3) internal controls that can test the efficacy of the procedures on an ongoing basis; and 4) training that ensures that the company’s personnel understand their compliance obligations and internalize them in their work routines.
US regulatory agencies expect a company to assign responsibility to a person or function within a company for ensuring trade compliance and to provide that function sufficient access to, and support from, senior management. Often, this means designating a compliance officer who reports to the board of directors. Regulators will look not only at a company’s “culture of compliance,” but also assess whether the company provided adequate compliance resources commensurate with the size and nature of its operations. Recognizing that a corporate parent may be held liable for its subsidiaries’ trade control violations resulting from inadequate supervision, companies are advised to establish centralized policies and procedures for ensuring and monitoring compliance by each of their subsidiaries. Compliance integration under these policies should be part of every post-acquisition integration effort.
Know Thyself: Assessing your own business risks
A centerpiece of modern regulatory compliance is prudent risk management. In many regulatory areas, including sanctions, it is challenging for firms to achieve 100% compliance at all times. Rather, the goal is to establish a program to appropriately manage and mitigate compliance risk.
US foreign trade and investment regulatory and enforcement agencies emphasize the importance of conducting a risk assessment in order to identify compliance risks that are particular to your business. OFAC’s Framework for Compliance Commitments advises companies in developing compliance measures to consider the risk profiles of the company’s “customers, supply chain, intermediaries, and counter-parties; (ii) the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems; and (iii) the geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counter-parties.” 
You should also understand how sanctions laws may apply in the context of your company’s multinational structure and operations. It is a mistake to believe that companies operating outside of the US cannot be touched by US sanctions and export controls. Many times violations arise from US person “facilitation” of sanctioned activities and interactions by non-US companies with the US financial system, e.g., through US dollar-denominated financial transactions. For this reason, some US-based multinationals have elected to apply sanctions and export control compliance throughout not only their US, but also foreign, operations – even in areas where the controls are not fully extraterritorial. The application of corporate liability rules in a multinational enterprise where US persons have some level of involvement around the globe otherwise makes compliance more challenging than it needs to be.
In assessing its exposure to US trade controls, a company must look not only at the location of management and administrative support personnel, but also the geographic footprint of its entire product and R&D supply chains, i.e., the location of internal technology and software development and the location of manufacturing of products, parts, components and materials and the development of software and technology on which they are based. Consider not only software and technology shared with third parties but also internal (intracompany) cross-border or domestic transfers of software and technology and establish effective internal controls.
Implement a program to manage identified risks effectively, including Know Your Counterparty (KYC) controls
As impressive as a compliance program may appear on paper, the only worthwhile compliance program is one that is effective. To be effective, a compliance program should work with the company’s existing structures and information flows and be integrated with day-to-day internal work instructions. It needs to be able to incorporate and screen in real-time existing third-party information and implement stop-hold procedures for transactions that trigger risk. This usually calls for a customized screening and software solution.
In developing a trade compliance program, US regulators and enforcement agencies encourage companies to build around certain basic core elements.
(1) Management Commitment – As discussed above, demonstrate and document senior management approval of the compliance program and foster a “culture of compliance” with a positive “tone from the top.”
(2) Risk Assessment – Again, a compliance program must be responsive to identified risks, and there is no “one-size-fits-all” approach.
(3) Internal Controls – Per OFAC, this refers to “policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by the regulations and laws.” These internal policies should be clearly set out in writing and consistently implemented and enforced. Heightened review is recommended for transfers of dual-use and military items and dealings with high-risk destinations or counter-parties.
Beyond day-to-day KYC screening, numerous companies have recognized that their foreign collaborative engagements can involve significant risk, which can vary depending on the country, industry, and the particular party involved. Thus, firms often establish a special committee to vet engagements with third parties, whether agents, distributors, or joint venture partners. Individual business units may propose these engagements, and the company will evaluate them on an enterprise-wide basis after due diligence and the assessment of risks, advising also on the structuring of legal arrangements to mitigate such risks.
(4) Testing and Auditing – Regular monitoring of trade compliance is encouraged and, in some cases, expected. Regular auditing can occur at a global level or may rotate to focus on certain business units, functions, or procedures. Testing and auditing may be conducted by internal audit or external subject matter experts.
(5) Compliance training – Much of trade compliance depends on employees knowing how to spot and address “red flags” of sanctions and export control issues. Compliance training should provide information that is readily useable and easily accessible, risk-focused, and tailored to the duties and responsibilities of the participants.
To summarize, in today’s global business, complying with US-China trade policies requires a holistic review of a company’s external and internal operations. The best compliance programs are developed on the basis of a realistic review of a company’s compliance risk exposure; designed to be able to respond to ever-changing targets and regulations; and implemented effectively to work with a company’s existing systems and structures.
Ginger T. Faulk, partner at Eversheds Sutherland, represents multinational companies in matters involving US government regulation of foreign trade and investment. She has extensive experience advising and representing global companies, counseling clients in matters arising under US sanctions, export controls, import and other national security and foreign policy trade-related regulations.
Jeffrey P. Bialos, partner at Eversheds Sutherland, assists clients in making multi-faceted business decisions, structuring transactions and complying with complex regulatory requirements. A former Deputy Under Secretary of Defense for Industrial Affairs, he brings deep experience in defense, homeland security and national security matters, including antitrust, export controls, foreign investment, industrial security, the Foreign Corrupt Practices Act, mergers and acquisitions, and procurement.
OFAC Framework for Compliance Commitments, at https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf; see also BIS Elements of an Effective Compliance Program, available at https://www.bis.doc.gov/index.php/documents/pdfs/1641-ecp/file; see also US Department of Justice, National Security Division, “Export Control and Sanctions Enforcement Policy for Business Organizations,” Dec. 14, 2019, available at https://us.eversheds-sutherland.com/portalresource/ces_vsd_policy_2019.pdf.