When companies and compliance departments think about US sanctions and export control risks, they often focus on sales to customers and exports/reexports from one country to another.  In that context, the attention is typically on confirming that a customer and other parties involved in a sale and shipment are not restricted parties and that the transfer of a product is authorized under applicable export-control regulations.  This is only half the story.  Companies can have similar risks in their supply chain, which can be disruptive to a company’s operations beyond one transaction or customer relationship if not properly managed.

Suppliers and vendors present many of the same risks as customers under US sanctions.  Failure to properly screen suppliers and vendors used by a company could lead to repeated dealings with a Specially Designated National (“SDN”), for example.  Given the comprehensive prohibitions targeting SDNs, a US company would likely have significant liability if it had obtained goods or services over a long period from an SDN.  When an SDN customer is identified and business terminated, a company may suffer financial losses in the immediate and medium term but new, non-SDN customers can be found to keep up sales.  By contrast, identifying a supplier that is an SDN can be disruptive to a company’s supply chain over a long period, particularly if that supplier was a crucial or only source in the manufacturing process and is no longer available.  This risk underscores the need for companies and their compliance teams to consider frequent screening of suppliers and vendors to mitigate such risks. 

As part of a screening risk assessment, compliance functions should, at a minimum, focus their efforts on regions that include US comprehensively sanctioned territories (i.e., Crimea, Cuba, Iran, North Korea, Syria).  Not only do such areas have a higher prevalence of restricted parties, US comprehensive sanctions prohibit imports into the United States, and/or US Persons dealing in products, from comprehensively sanctioned territories.  US companies that directly or indirectly procure parts, components, or other items from comprehensively sanctioned territories can face liability under US sanctions.  Since the beginning of 2019, the US Treasury Department’s Office of Foreign Assets Control (“OFAC”) has imposed civil penalties ranging from $500,000 to almost $1 million in three cases on companies procuring products directly or indirectly from such territories or receiving services from SDNs.  Furthermore, OFAC’s new “Framework for Compliance Commitments” emphasizes the need for sanctions risks assessments to cover supply chains and highlights supply-chain risks in two of ten root causes for common compliance breakdowns.

US export controls can also pose risks in the supply chain, particularly for non-US companies.  The US Government applies its export controls on an extraterritorial basis in which US and non-US persons may have liability if they violate US export controls in their dealings with items (i.e., goods, software, technology) subject to US jurisdiction, wherever such items are located.  To the extent a non-US company procures items from a US supplier (whether for re-sale or to incorporate into a product manufactured outside the United States), failure to appreciate applicable US export-control restrictions can lead to liability for that company and risk being cut off from such suppliers if they do not have faith in the non-US company’s US export-control compliance program.  This risk is acute where non-US companies procure controlled items under the International Traffic in Arms Regulations and/or Export Administration Regulations.  Companies with supply chains that incorporate this risk should have adequate compliance controls to ensure that their use of items subject to US jurisdiction complies with US export controls.

Beyond the practical consequences that can arise from not properly addressing US sanctions and export-control risks in their supply chain, companies should keep in mind that potential penalties are significant and can add up quickly.  As of February 2020, the maximum civil penalties for US sanctions violations are generally the greater of $302.584 or twice the value of the transaction, while the maximum civil penalties for US export-control violations are the greater of $305,292 or twice the value of the transaction.  These civil penalties can be imposed for each violation on a strict liability basis, and the maximum amounts are adjusted each year to account for inflation.  Beyond civil penalties, the US Government has also increasingly designated companies on one of its restricted parties lists (e.g., Entity List, Denied Parties List, Foreign Sanctions Evaders List, etc.) to penalize parties that do not comply with US sanctions or export controls and may not cooperate with US Government investigations. Designation on one of these US restricted-parties list can be devastating to a company’s operations (and particularly supply chains reliant on US suppliers), even if they are later lifted by the US Government.

For these reasons, it is important for compliance departments to consider US sanctions and export-control risks in a company’s supply chain and implement appropriate compliance measures commensurate with such risks.

This post is an updated version of a February 2019 post on the Sanctions & Export Controls Update blog.


Alex advises clients on compliance with US export controls, trade and economic sanctions, export controls (Export Administration Regulations (EAR); International Traffic in Arms Regulations (ITAR)) and antiboycott controls. He counsels on and prepares filings to submit to the US Government's Committee on Foreign Investment in the United States (CFIUS) with respect to the acquisition of US enterprises by non-US interests.