Calibrating the Crosshairs
6 Steps to Implement Export Control Red Flags into Your Compliance Program
📅 November 13, 2024
On October 9, 2024, the United States Bureau for Industry and Security (BIS) issued detailed guidance for financial institutions on their responsibilities under export control regulations. This is not the first time guidance has been issued – BIS and FinCEN issued several joint advisories from 2022 to 2024 – however, the newly issued guidance is significantly more comprehensive and extensive. It indicates an increase in BIS’ intention to direct action by financial institutions.
While the guidance recognizes that compliance with export control requirements has primarily been the responsibility of exporters, BIS emphasizes that financial institutions’ responsibilities have increased following recent geopolitical events such as Russia’s further invasion of Ukraine and China’s military modernization efforts.
In this article, we focus specifically on one of these requirements in the new guidance: red flags. We identify six practical steps that a financial institution can take in response to export control red flags and how these can fit into an export control compliance program. This approach applies both to the initial implementation of a compliance program and to ensuring the program remains up to date.
Critical Red Flags and the Standard for “Knowledge”
This article describes potential controls and processes to manage any export control red flags. However, we should recognize that BIS sees some red flags as being particularly critical – these red flags may be sufficient to constitute “knowledge” of export control violations.
Under the Export Administration Regulations (EAR), a financial institution will be liable only if it has “knowledge that a violation of the EAR has occurred, is about to occur, or is intended to occur in connection with the item” (General Prohibition 10 referenced in the New Guidance). “Knowledge” is defined in the EAR and includes “not only positive knowledge that the circumstance exists or is substantially certain to occur, but also an awareness of a high probability of its existence or future occurrence. Such awareness may be inferred from evidence of the conscious disregard of facts known to a person or from a person’s willful avoidance of facts.” (15 C.F.R. § 772.1 (2024))
BIS identifies four specific red flags which it considers will “demonstrate a high probability of evasion” and which “may be sufficient to constitute knowledge.” These are:
🚩Customer refuses to provide details to banks, shippers, or third parties, including details about end-users, intended end-use(s), or company ownership
🚩The name of one of the parties to the transaction is a “match” or similar to one of the parties on a restricted-party list
🚩Transactions involving companies that are physically co-located with a party on the Entity List or the Specially Designated Nationals (SDN) List or involve an address BIS has identified as an address with high diversion risk
🚩Transactions involving a last-minute change in payment routing that was previously scheduled from a country of concern but is now routed through a different country or company
A financial institution should give special attention to these red flags when implementing its controls and processes.
When red flags are published, a financial institution should assess the applicability of the red flags taking into consideration:
Let’s look at some example red flags to understand how to apply these questions.
Clients, products, and geographies
While no financial institution should consider it has no exposure to financing unlawful trade, a financial institution’s client base, products, and geographies will influence the relevance and risk associated with each red flag. To provide a straightforward example: a domestic bank that provides only transaction banking services to domestic retail customers will be lower risk compared with a global bank that finances international trade to corporate clients including those in the defense, electronics, and aviation sectors – products which are some of the targets of illicit procurement networks.
Some red flags will be most relevant or only applicable to specific products. For example, red flag 🚩Parties to transactions listed as ultimate consignees or listed in the ‘consign to’ field appear to be mail centers, trading companies, or logistics companies (Alert 004) could be applied to trade finance products because the financial institution is more likely to have documentation that specifies the consignee, whereas for other products this information is unlikely to be available.
Other red flags will be applicable to all clients, products, and geographies, and may already be part of a firm’s existing financial crime compliance program. For example, red flags 🚩IP addresses that do not correspond to a customer’s reported location data or 🚩Use of shell companies (Tri-Seal Alert) are applicable across all clients, products, and geographies. These are already likely to be implemented as control elements to identify money laundering, terrorism financing, sanctions evasion, or other illicit activity.
“Distinction” and data
Some red flags may be very broad, meaning they are not “distinctive” indicators of unlawful trade or the data may not be available to enable filters or searches. An example would be 🚩Transactions related to payments for defense or dual-use products from a company incorporated after February 24, 2022 [Russia’s further invasion of Ukraine], and based in a non-GECC [Global Export Control Coalition] country (Alert 004). Data should be collected and readily available within a financial institution on the date and country of registration of corporate clients. However, where payments are made using wire transfers, it is unlikely that the firm will have data on the products being financed. Without this data, any search on companies “incorporated after a specific date in all non-GECC countries” would return a very large number of results – and very few may actually be involved in illicit procurement of defense or dual-use products.
However, this doesn’t mean that these broad or “non-distinctive” red flags are not useful – they may still be valuable depending on when and how they are applied. In our example above, while the red flag may not be suitable to be implemented as part of an automated control or as an initial filter for high-risk clients, it could still be valuable when analyzing a specific client. For example, if a specific client is undergoing enhanced due diligence or is being investigated, an analyst can investigate the detailed characteristics of the client, their transactional activity, customer profile and other information, and manually acquire new data to assist in their assessment. In this context, more information is available and the red flag may form a valuable indicator of potentially illicit activity.
If a firm is not already collecting the data it needs in a readily usable format, this would be a good time to review and implement changes.
Controls and the compliance program
The final step when assessing applicability of red flags is to consider the appropriate control point at which the red flag can be implemented. We can use some of the “critical red flags” in the BIS New Guidance as examples.
🚩Client refuses to provide details about the transaction could be implemented as a control in client-facing teams. For example, Relationship Managers could be provided with training on the types of questions to ask clients during onboarding and throughout the client lifecycle to identify if there are any export control red flags that require further investigation.
In contrast, 🚩The name of a party to the transaction is a match to a restricted-party list could be implemented as a control within automated screening tools similar to the methods already used for screening against financial crime adverse news or sanctions designation lists.
The above are some examples of how red flags can be implemented at different control points, and each institution will need to make its own decisions on the most appropriate implementation of export control compliance requirements.
The outcomes of the red flag assessment should be recorded. This will ensure the decision-making process is available should it be required by a regulator or internal governance process. For example, the assessment could be a detailed table showing each red flag, the applicability assessment by client/product/geography, the reasons for each decision, and – for those red flags that have been implemented – the applicable compliance control.
Given the importance of red flags and the increasing focus on financial institutions’ export controls regimes, it may be appropriate to have the proposed approach to red flags approved by a governing body. The governance requirements will vary based on factors such as the size of the institution, its export control risk profile, and the risk appetite set by its board. Institutions with higher export control risks – clients, products, or geographies – or those with previously identified weaknesses in financial crime compliance controls, would require more stringent governance, compared with those with a low risk profile and effective controls.
Where governing body approvals are necessary, they could be provided by a senior member of the Financial Crime Compliance team or a Compliance Committee. It may also be appropriate to communicate the decisions made “for information” to a Board Risk Committee as part of regular reporting.
When the approach has been finalized on how each red flag will be implemented into the institution’s compliance control program, this must be communicated to teams with new or modified responsibilities. There may also be training required, particularly since export controls are relatively new for financial institutions. Training on red flag controls and processes should form part of broader training on export controls to provide context.
The new and enhanced controls and processes for export control red flags should be fully integrated into existing processes and workflows.
An example of a modified process would be: if export control red flags are identified during the client lifecycle, this may prompt a change to the client’s risk rating, a trigger due diligence review of the client, or other actions – just as it would for other financial crime red flags such as adverse financial crime news or the client expanding its business into higher risk markets.
For the four critical red flags, the BIS Guidance recommends that, if these red flags are identified and cannot be satisfactorily resolved, the institution should not conduct further transactions.
Having assessed export control red flags and implemented them into its compliance program, a financial institution should regularly review whether the controls are working as intended and take action accordingly.
For example, if a post-transaction review identifies a potential violation of export control regulations, a review should be undertaken of the red flags to identify whether they could have been identified earlier in the client or transaction lifecycle – and if so, to recalibrate the red flag controls and remediate control weaknesses.
While export controls are still an emerging responsibility for financial institutions, taking a structured approach to red flags will improve a financial institution’s likelihood of remaining compliant and minimize the possibility of financing unlawful trade and drawing regulatory consequences.