Western Sanctions against Russia: Tips for Tech Companies Managing Compliance Risk
As the war in Ukraine rages on, authorities are cracking down on the smuggling of U.S. technology in support of Russia’s war effort, an initiative with implications for the tech industry. One significant example of this is Russia’s drone program, with a December 2022 expose describing U.S. chips, circuit boards, and amplifiers found in downed Russian drones, and mapping part of the supply chain trafficking such items to Russia in spite of Western sanctions.
This has prompted broader concerns regarding the diversion of Western technology to Russia in support of illicit end-uses, such as, for example, the Russian government’s use of facial recognition technology to crack down on dissidents.
In response to this, the United States and its partners recently imposed new sanctions against Russia to coincide with the one-year anniversary of the invasion of Ukraine, including expanded export controls over drone components, electronics, industrial equipment, and other items. The U.S. government followed this up with an advisory warning companies of the risk of third parties diverting their products to Russia.
Suppliers of electronics, drone components, and other sanctioned items face the risk that third parties will divert their products to Russia’s defense industrial base or to the battlefield in Ukraine, given the Russian military’s continued demand for battlefield equipment. Companies can mitigate this risk by conducting due diligence on counterparties and by auditing sales channels.
Overview of Russia sanctions
The United States and its partners (including the United Kingdom, the European Union, Canada, Australia, and Japan) have imposed a range of sanctions and export controls against Russia, prohibiting, among other things:
- dealings with restricted parties (such as major banks, oligarchs and oligarch-owned companies, and companies in Russia’s defense industrial base);
- new investment in Russia; and
- exports to Russia of certain items, including a broad range of electronics, drone components, software, sensors and lasers, marine equipment, aviation and aerospace equipment, power supplies, and industrial equipment.
In particular, U.S. export controls can have worldwide reach, applying to all U.S.-origin items, wherever located; non-U.S. items incorporating more than a “de minimis” level of “controlled” U.S. content; and non-U.S. items that are the “direct product” of certain U.S. technology or software.
Violations of sanctions and export controls carry stiff penalties, including civil penalties of up to the greater of $353,534 (annually adjusted for inflation) or twice the value of the transaction, and criminal penalties of up to $1 million and/or 20 years’ imprisonment.
Concern over diversion of items to Russia
U.S. officials are deeply concerned over the ongoing diversion to Russia of items restricted under sanctions, and have made it a policy focus. This concern is reflected in the March 2023 advisory noted above, in which the U.S. Department of Justice, the U.S. Department of the Treasury, and the U.S. Department of Commerce jointly warned industry of the risk of third-party intermediaries seeking to procure items on Russia’s behalf, identifying certain red flags to note.
Companies selling items that are restricted under Russia sanctions can face the risk of diversion in a variety of contexts, including channel partners reselling products to Russia, straw buyers secretly working on behalf of Russian buyers, and other “gray market” activity. Notably, this applies both to tangible items and software.
Companies can be penalized based on the diversion of their products to Russia, even where a third party acted completely independently of the company. This is because U.S. sanctions and export controls apply on a “strict liability” basis, i.e., innocent mistakes are punishable without regard to a company’s state of mind or standard of care. In the context of third-party diversion, companies can face risk to the extent that a third party “causes” them to violate the regulations, even unwittingly, and the risk of enforcement is elevated where the company has not implemented adequate policies and procedures regarding sanctions and export control compliance.
Companies can address the risks described above through implementation of reasonably tailored mitigation measures. Notably, the relevant regulations do not require any specifically delineated compliance policy, or even any compliance policy at all. Rather, U.S. regulators expect companies to implement a risk-based approach based on the profile of the company and the nature of the compliance risk that it faces based on its operations and industry, among other factors.
Compliance policy elements
For companies engaged in cross-border transactions involving items that are restricted under Russia-related export controls, it is prudent to implement a compliance policy reasonably designed to prevent, deter, and detect violations. Such a policy and related procedures could cover:
- screening of counterparties against U.S. sanctions- and export control-related restricted party lists;
- identification of export-controlled products and implementation of related internal controls;
- training of employees; and
- periodic testing of the functionality of the compliance program.
Mitigating the risk of diversion
Regarding third-party diversion risk in particular, companies can take the following steps:
- Conduct reasonably robust due diligence on third parties such as resellers, distributors, and sales agents;
- Obtain from counterparties “end-user certificates,” confirming the intended end-use and end-user of the products;
- Incorporate compliance-related terms into contracts with counterparties; and
- Conduct periodic audits of sales / distribution channels.
What to do in the event of a violation
Companies that have violated sanctions or export controls, or are concerned that a third party has involved them in a violation, should conduct a review of the facts and circumstances related to the violation, identify the violation’s root cause, implement corrective actions, and consider voluntarily disclosing the potential violations to the authorities. While such a voluntary disclosure generally is not legally required, often it can be a good option for companies, as authorities will reduce potential civil penalties by 50% and generally will accord the disclosing party credit for cooperating.
The relevant authorities are the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) (for sanctions), the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) (for export controls), and the U.S. Department of Justice (for criminal violations of either).
How can investors determine if they are backing compliant companies?
For new investments, it is crucial for investors to conduct due diligence on the investment target with respect to its compliance with sanctions and export controls, and its overall risk exposure. Regarding existing investments, investors should consider exercising their governance of the company to cause the company to implement appropriate compliance policies and procedures, and, as warranted, to proactively review the company’s risk exposure and audit its resellers and distributors.
When to hire counsel
Counsel can provide advice across the range of issues described above, including with respect to:
- assessing products to confirm if they are subject to export controls;
- developing compliance policies and procedures;
- drafting sanctions- and export control-related terms for contracts;
- conducting audits of sales channels;
- conducting due diligence on investment targets;
- conducting internal investigations of potential violations; and
- preparing and submitting to U.S. authorities voluntary disclosures of potential violations.
Suppliers of items restricted under Russia sanctions should be aware of the risk of third-party diversion of their products, particularly given Russia’s continued demand for such products and U.S. authorities’ focus on the issue as a national security priority. Companies can navigate this risk proactively by implementing risk-based compliance policies and procedures, auditing sales channels as warranted, conducting due diligence on investments, and engaging counsel for advice.
"Western Sanctions against Russia: Tips for Tech Companies Managing Compliance Risk," by Anthony Rapa was published in TechCrunch on May 8, 2023. Reprinted with permission.