Supply chain risks under US and EU sanctions and export controls
April 2017 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
Firms with international supply chains confront a complex web of sanctions and export controls imposed by the US and the European Union (EU), among others. To avoid getting caught in this web, it is essential that companies develop and implement a compliance programme tailored to the special risks associated with their supply chain and operations. To that end, firms must identify the activities within their organisation that pose potential compliance risks, determine if they have ‘controlled’ items in their supply chain, determine if they have transactions involving embargoed countries or sanctioned entities and adopt policies and procedures that prevent exports and transactions that run afoul of US and EU regulations.
Identifying activities that pose compliance risks
Many firms erroneously assume that, because they are not US corporations or because they do not export goods from the US, they are not subject to US export controls and sanctions. In reality, US law is broad enough to regulate items that leave the US, as well as the movement of US-origin goods and technology between foreign countries or between foreign nationals. Indeed, a US ‘export’ can occur when one travels outside the US with US-origin goods or technology or when one transfers such items abroad (or to a foreign national even within the US), either physically, electronically, orally or visually. The concept of ‘deemed’ export, that is, transfer to a foreign national within the territory of the exporting company, is not part of EU law. The EU requires that an export must actually take place or will clearly take place.
Accordingly, when companies review their supply chain for compliance with export controls and sanctions, the first step is to identify the various contexts in which a firm might engage in such activities. A frequent mistake is to focus too narrowly on just the finished products that a company might ship to customers abroad. There are numerous other contexts that pose a compliance risk. Some examples of the activities that may be regulated include: importing parts and supplies, transferring items between foreign offices and suppliers, brokering transactions, providing samples, conducting research and development, procuring goods for the core business or for support departments, providing bills of material or drawings to subcontractors or teaming partners, submitting proposals, engaging in discussions or collaborations and providing visual disclosures tours. To a large extent, the step of identifying compliance risks depends upon a solid understanding of the regulatory programmes at issue. However, organisations must also be prepared to examine all levels of their operations and supply chain management.
Similarly, the UK has recently imposed legislation aimed at curbing the horrors of human trafficking. The Modern Slavery Act applies to all commercial organisations which carry on business or part of a business in the UK and which have a turnover of £36m or more and can, therefore, apply to non-UK registered companies. The thrust is a requirement to publish an annual slavery and human trafficking report confirming either the steps the organisation has taken to ensure that slavery and human trafficking are not taking place in any of its supply chains or in any part of its own business, or that no such steps have been taken.
Identifying controlled items in the supply chain and operations
The next question companies must ask is whether any of the finished goods or items in their supply chain is subject to export controls. Most items subject to US export controls are either ‘dual use’ items, controlled by the US Department of Commerce, Bureau of Industry and Security (BIS) under the Export Administration Regulations (EAR) or defence or space-related articles, services or technology controlled by the US Department of State under the International Traffic in Arms Regulations (ITAR).
Items will be subject to the EAR if they are commodities, software or technology that are located in the US, produced in the US (wherever they are located), made outside the US with more than de minimis US-origin content; and certain items that are ‘direct products’ of US-origin technology (i.e., items produced directly by the use of US-origin technology or software). These last two categories in particular pose a supply risk because they require firms to collect and act on information from their suppliers beyond the country or origin of the items supplied. Firms must also determine the extent to which items incorporate US-origin parts, technology or software.
Companies seeking to export items within the above categories must determine if the items are subject to any export controls under the EAR. If an item is controlled it will be identified under an Export Control Classification Number (ECCN) on the Commerce Control List (CCL). Each ECCN describes a specific category of item and indicates what licensing requirements apply. For example, an item classified under a particular ECCN may require a licence from the Bureau of Industry and Security (BIS) prior to export to certain countries because of nuclear proliferation concerns, while no BIS licence is required for other countries. Items classified as ‘EAR99’ generally may be exported to non-embargoed destinations without a licence.
Articles, services and technical data controlled under the ITAR are listed on the US Munitions List (USML). The USML covers 21 categories of defence articles. In addition to categories that are obviously military in nature (e.g., firearms, guided missiles and aircraft), the USML covers numerous types of articles that one might not immediately recognise as defence articles (e.g., gas turbine engines, personal protective equipment, toxicological agents and various types of technical data). Virtually all items on the USML require a licence from the US Department of State prior to export or re-export, regardless of the country of destination.
The task of properly classifying items under the EAR and ITAR requires great care as errors are subject to significant fines under a strict liability standard. In a highly publicised case involving Aeroflex Inc. (now known as Cobham plc), for example, the company incorrectly classified many of its electronics and technical data as subject to the EAR instead of the ITAR, resulting in an $8m penalty for 158 ITAR violations.
Even when items are properly classified and exported under the appropriate licence, companies must ensure compliance with all export licence restrictions. In many cases, items shipped under an export licence may not be re-exported to a third country, or even within the same country, without prior authorisation. Companies are thus required to identify the end-users for exported items and to provide them with notice regarding all licence restrictions. Conversely, firms receiving goods subject to US export controls must ensure that they do not themselves violate the EAR or ITAR by engaging in unlicensed re-exports.
The thrust of the EU’s and its individual member states’ export controls is broadly similar to that of the US because of a shared underlying concern about international security, the need to avoid sensitive items coming into the possession of certain persons and the conviction that there should be no weapons proliferation, at least in relation to some types of weapons.
So far as weapons are concerned, the EU has promulgated a Common Military List (which is occasionally updated) by Council Common Position 2008/944/CFSP, which defines common rules governing the control of military technology and equipment. The Common Military List acts as a reference point for member states’ national military technology and equipment lists, but does not directly replace them. It also serves as a basis for interpretation by EU member states of all EU arms embargoes. Each EU member state would have its own local legislation setting out its requirements in regard to weapons.
Dual-use items, that is to say, goods and technology developed for civilian uses, but which can be used for military applications and (importantly) to produce weapons of mass destruction (WMDs), are the subject of Council Regulation (EC) No 428/2009 (as amended). They are also subject to legislation in individual member states providing for prohibitions, licensing requirements and penalties for breach of such restrictions.
The EU regulations also require exporters to consider the end use that any export will be used for. Any items (whether they would usually be subject to licensing requirements or not) which the exporter knows, or suspects, will be used in WMDs or for military purposes in an embargoed country will be subject to licensing requirements. These requirements apply to brokering and providing technical assistance as well as permitting the export of a physical product.
The upshot is that multinational corporations must be aware of EU, EU member state and US restrictions (and other country restrictions depending on the complexity of their supply chains) in order to build systems to control risk.
Ensuring supply chain and operations comply with US and EU sanctions?
In addition to export controls, US and EU sanctions impose serious compliance risks for any firm with an international supply chain and international operations. US sanctions are administered by the US Treasury Department, Office of Foreign Assets Control (OFAC), which currently oversees comprehensive sanctions against Iran, Cuba, North Korea, Syria and the Crimea region of Ukraine. Generally speaking, these sanctions prohibit the export of most goods, technology and services from the US (directly or indirectly) to these countries, the importation of most goods from embargoed countries into the US, the buying or selling of goods or services with nationals of embargoed countries and the facilitation of transactions that would be barred if conducted by a US person.
In addition to comprehensive sanctions, OFAC also administers ‘targeted’ sanctions that restrict transactions with certain persons and entities within a host of other countries. Targeted sanctions are also directed at numerous persons and entities involved in narcotics trafficking, terrorism, proliferation and transnational criminal organisations. Persons subject to OFAC sanctions are listed on OFAC’s Specially Designated Nationals (SDN) List. SDN’s property and interests in property are ‘blocked’ and cannot be transferred from the US or using the US financial system.
Most OFAC regulations apply only to US persons. However, there are several so-called ‘secondary sanctions’ that have extraterritorial effect. Particularly noteworthy are US sanctions against Iran which apply to non-US persons engaging in significant transactions with Iranian persons that are on the SDN List. Although many of these secondary sanctions involving SDNs were removed following the Joint Comprehensive Plan of Action (JCPOA) in January 2016, several hundred names remained. Also included were the Islamic Revolutionary Guard Corps (and its affiliates) and any other person on the SDN List designated due to connections with Iran’s proliferation of weapons of mass destruction or their means of delivery or Iran’s support for international terrorism. In addition, sanctions targeting certain activities related to trade in materials described in section 1245(d) of the Iran Freedom and Counter-Proliferation Act of 2012 (IFCA) that are outside the scope of the JCPOA and related waivers, remain in place.
EU sanctions comprise council decisions and regulations, combined with individual member state legislation dealing with enforcement issues. EU legislation is administered and enforced at member state level by ‘competent authorities’, which are the entities designated by each member state for this purpose.
The EU does not have an approach which is a near analogue to US secondary sanctions, although there are some circumstances in which EU sanctions may apply to non-EU persons. In addition, for historical reasons, the EU does not share the US focus on Cuba. Furthermore, the EU position under the JCPOA has removed many of the pre-existing prohibitions against EU entities and persons dealing with Iran. As a result, there has been a significant upswing in EU entities and persons having business dealings with Iran.
The EU does have a designated entity list, a presence on which results in the imposition of an asset freeze and the providing, either directly or indirectly, of funds and economic resources, both of which terms being very broadly defined.
There are also certain types of sanctions targeting particular areas of economic activity in certain countries, for example, the credit prohibitions in place against certain corporate participants in key sectors of the Russian economy.
The compliance challenges facing firms with international supply chains are substantial and a serious commitment on the part of management is required to mitigate risk. As discussed above, the first task is to conduct a risk assessment that identifies the activities, operations, foreign affiliates, suppliers and goods that implicate compliance concerns. Building on this risk assessment, companies should develop policies and procedures that prevent unauthorised exports and prohibited dealings with sanctioned persons and entities. Such procedures must be widely communicated to all impacted employees and reinforced through training sessions and written materials such as compliance manuals.
‘Know your customer’ principles are essential to any compliance programme. This entails conducting due diligence and thorough sanctions screening for all suppliers, distributors, customers, vendors, subcontractors, agents and other counterparties. In addition, firms must be alert on a continuing basis to any ‘red flags’ indicating that a party is affiliated with or acting on behalf of a sanctioned entity. Similarly, firms must be on the lookout for any warning signs that a counterparty is attempting to circumvent sanctions or export controls (e.g., a buyer is reluctant to provide information about the end-use or end-user for the product the firm is exporting). Indeed, suppliers and other counterparties should not only be forthcoming with information regarding end-use, country of origin and related information, they should also be willing to certify to their compliance with applicable export controls and sanctions in their commercial agreements with the firm.
Finally, because US and EU sanctions and export controls form a rather complex web of prohibitions and exemptions that change frequently over time, it is important to have policies that direct personnel to knowledgeable, designated individuals within the firm (preferably counsel) in all circumstances not clearly addressed by the firm procedures.
Leigh Hansson is a partner, Jeffrey Orenstein is an associate and David Myers is counsel at Reed Smith. Ms Hansson can be contacted on +44 (0)20 3116 3394 or by email: firstname.lastname@example.org. Mr Orenstein can be contacted on +1 (202) 414 9217 or by email: email@example.com. Mr Myers can be contacted on +44 (0)20 3116 3740 or by email: firstname.lastname@example.org.
© Financier Worldwide
Leigh Hansson, Jeffrey Orenstein and David Myers