New BIS Export Compliance Guidance for Financial Institutions

In October 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) published guidance for financial institutions on Export Administration Regulations (EAR) compliance. The latest guidance discusses increased responsibilities for financial institutions, especially after Russia’s invasion of Ukraine and heightened concerns about China’s military and human rights issues. The publication provides guidance for financial institutions on best practices, red flags, screening, and reporting and clarifies compliance with the EAR’s most critical prohibition.

What is the EAR?

The EAR regulate the export, reexport, and transfer of dual-use items. U.S.-origin items, certain foreign-made items that contain U.S.-origin components or use U.S. technology, and items shipped from or through the United States are all subject to the EAR. The EAR’s key regulation is General Prohibition 10 (GP 10), which prohibits knowingly financing any transaction that violates the EAR, including reexporting or transferring restricted items.

In addition, U.S. persons and financial institutions may not support specified activities that they know involve certain WMD or military intelligence programs. In both instances, “knowledge” includes not just positive knowledge that the circumstance exists or is substantially certain to occur, but also includes awareness of a high probability of its existence or future occurrences.

Best Practices for Financial Institutions

The BIS guidance advises financial institutions to incorporate EAR-related due diligence into risk management. This includes screening customers against the BIS’s restricted party lists—which include the Unverified List, Entity List, Military End-User list, and Denied Persons List—and reviewing transactions for potential export control evasion by direct customers and, where necessary, customers’ customers. Financial institutions may also use the Consolidated Screening List (CSL), which consolidates restricted-party lists from the BIS and Office of Foreign Assets Control (OFAC). The CSL helps financial institutions ensure they are not financing potentially unauthorized transactions.

Enhanced due diligence is necessary for transactions involving countries under broad trade restrictions, including Russia, Belarus, and Iran. Additionally, financial institutions should review customer activities against the Common High Priority List, which tracks shipments to restricted countries, especially Russia.

Red Flags

If red flags arise, financial institutions should assess whether the customer or item is subject to EAR restrictions. Actions include asking for further certification from the customer, halting the transaction, or escalating for review. No single red flag is necessarily indicative of illicit activity, according to BIS, but the presence of certain individual red flags may be sufficient to institute “knowledge.”

Red Flags may include:

🚩 A lack of transparency regarding end-users, end-use purposes, or company ownership.

🚩 Names of the entities involved match or are similar to those on restricted-party lists, such as the Entity List or SDN List.

🚩 The physical location matches that of a known high-risk or restricted entity.

🚩 Last-minute changes to payment instructions, especially if the payment is rerouted to or from a country of concern.

🚩 Transactions involve entities physically co-located with restricted entities

Reviews and Reporting

It is important to remember that EAR compliance is not limited to onboarding customers, and financial institutions must review transactions regularly to identify risks after the fact. Information emerging after a transaction, such as a new sanctions designation or restriction of an entity or product, could establish “knowledge” of a violation for future dealings. Financial institutions should review the entire context of the transaction to determine if there’s a high probability of export control evasion, establish risk-based processes for reviewing historical transactions, and implement ongoing monitoring for suspicious activity.

Financial institutions should implement real-time screening for transactions linked to potential exports or reexports, cross-check the Denied Persons List, Military End-User Lists, and Entity List, and decline transactions unless the export is authorized under the EAR. They may have to screen not only the primary customer, but also any third parties involved in the transaction. Willingly avoiding relevant information may be considered “knowledge” of an EAR violation under GP 10. If any party in the transaction is a match to an entity or individual on a watchlist, financial institutions should pause the transaction until they can confirm the item or transaction is authorized under EAR.

Finally, financial institutions must file Suspicious Activity Reports (SARs) with the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) using specific key terms if there is a potential involvement in EAR violations. If a financial institution becomes aware of a potential EAR violation, they are encouraged to voluntarily self-disclose to the BIS, which can mitigate penalties if an institution unintentionally violates EAR regulations but reports the violation proactively.

What’s Next?

By incorporating these best practices, financial institutions can minimize the risk of violating GP 10, protect themselves from legal and financial penalties by actively monitoring and addressing risks associated with export transactions, and ensure that they comply with U.S. national security and foreign policy objectives related to dual-use items and export controls.

However, financial institutions may face several challenges in complying with these latest guidelines. One major difficulty is the ability to predict potential future violations and mitigate the associated risks. Despite thorough due diligence, red flags may only emerge after a transaction has been processed, leaving institutions exposed to retroactive liability and resulting in significant derisking to avoid potential EAR violations. Faced with the complexity of compliance, especially with frequent updates to restricted-party lists and evolving red flag indicators, financial institutions may choose to sever ties with higher-risk clients or avoid certain transactions altogether. This approach, while aimed at protecting the institution, could result in the over-restriction of legitimate business activities, limiting financial services for global trade, even when risks can be appropriately managed.

Additionally, screening against constantly updated restricted-party lists can be resource-intensive, particularly when dealing with cross-border transactions involving high-risk destinations. Financial institutions may also have limited visibility into the end-use and end-users of exported goods because of transshipments, the use of opaque corporate structures, or third countries, which adds further complexity to compliance efforts.

The BIS’s most recent guidelines have presented financial institutions with a new challenge: they must find a proper balance between maintaining strict compliance with the BIS guidance and avoiding overly cautious strategies that hinder legitimate business, ensuring they effectively manage risks without unnecessarily derisking viable opportunities.