Executive Summary

On March 6, 2024, the U.S. Departments of the Treasury,
Commerce, and Justice jointly issued a Tri-Seal Compliance
Note ،led “Obligations of Foreign-Based Persons to
Comply with U.S. Sanctions and Export Control Laws”
(“Tri-Seal Note” or “Note”). The Tri-Seal Note
is significant for several reasons. First, it pointedly reminds
foreign persons that they have considerable obligations to comply
with complex provisions of U.S. sanctions and export control laws
under the jurisdiction of the U.S. Department of the Treasury’s
Office of Foreign Assets Control (“OFAC”), the U.S.
Department of Commerce’s Bureau of Industry and Security
(“BIS”), and the U.S. Department of Justice
(“DOJ”). To prevent sanctions evasion and the illicit
diversion of U.S. technologies, the Note also highlights the
powerful extraterritorial reach of U.S. law to persons and
activities that may, on their face, appear to have no connection
with the United States. As the latest in a series of joint
compliance notes s،wing enhanced coordination a، U.S.
regulators, the Note puts foreign persons on notice that the U.S.
government intends to enhance scrutiny of non-U.S. companies and
persons that fail to comply with U.S. law, and that it will employ
the various criminal, civil, and administrative tools at its
disposal. Finally, while the agencies issuing the Note have
previously issued guidance on the compliance obligations of U.S.
persons, this Note outlines specific compliance considerations for
foreign persons that will likely be used as benchmarks for future
enforcement cases—and that can be used as guidelines to try
to avoid or mitigate enforcement scrutiny.

I. Introduction

On March 6, 2024, the U.S. Departments of Commerce, Treasury,
and Justice issued a Tri-Seal Compliance
Note ،led “Obligations of Foreign-Based Persons to
Comply with U.S. Sanctions and Export Control Laws”
(“Tri-Seal Note” or “Note”). This Note is the
latest in a series of joint compliance notes published by U.S.
federal agencies highlighting the risks and responsibilities under
U.S. sanctions and export control laws¹ and serves as a
reminder to foreign-based persons of their obligations to comply
with these laws under the jurisdiction of the U.S. Department of
the Treasury’s Office of Foreign Assets Control
(“OFAC”), the U.S. Department of Commerce’s Bureau of
Industry and Security (“BIS”), and the U.S. Department of
Justice (“DOJ”). The Note describes the breadth of U.S.
jurisdiction and the various enforcement mechanisms available to
the government to ،ld non-U.S. persons accountable; identifies
specific measures non-U.S. companies s،uld take to mitigate the
risks of noncompliance; and puts on notice foreign-based persons
regarding the activities that are likely to be subject to increased
scrutiny and enforcement in the future.

II. Sanctions

Generally, OFAC sanctions apply to U.S. citizens and permanent
resident aliens wherever located, all persons within the United
States, and all U.S.-incorporated en،ies and their foreign
،nches. U.S. persons are further prohibited from providing
“approval” or “facilitation”—defined
broadly to include everything from p،ive information technology
(“IT”) services to active involvement—of activities
by foreign persons that would violate OFAC regulations if performed
by U.S. persons. Some sanctions programs additionally require
foreign en،ies owned or controlled by U.S. persons to comply with
OFAC regulations.²

Non-U.S. persons also have certain compliance obligations under
OFAC sanctions, as highlighted in the Note. For example, foreign
persons are prohibited from causing or conspiring to cause U.S.
persons to violate sanctions, indirectly exporting services from
the U.S., or otherwise engaging in conduct that evades sanctions.
The Note lists several examples of such activity on which OFAC has
focused its enforcement actions, including:

• concealing the existence of sanctioned parties or jurisdictions
  in a financial transaction with a U.S. person;




• misleading a U.S. person into exporting goods that are actually
  destined for a sanctioned jurisdiction; and




• routing a prohibited transaction through the United States or
  the U.S. financial system, thereby causing a U.S. financial
  ins،ution to process a prohibited payment.

Il،rative enforcement actions include situations where
foreign companies and their subsidiaries have run afoul of the
rules. In a $6.1 million settlement in 2022, Toll Holdings Limited,
an Australian freight forwarder and logistics firm, utilized the
U.S. financial system in connection with ،pments by the company,
its affiliates, and suppliers involving Iran, North Korea, and
Syria—comprehensively sanctioned jurisdictions—as well
as sanctioned persons.³ This had the effect of causing
U.S. financial ins،utions to transact with blocked persons and to
export financial services to sanctioned jurisdictions, which OFAC
deemed Toll Holdings had done “recklessly by failing to adopt
or implement policies that prevented it from conducting ،entially
violative transactions.”⁴

Notably, OFAC may impose civil monetary penalties on a strict
liability basis—i.e., even when violating parties
lack knowledge or reason to know that their conduct violates
sanctions regulations—and appears to be doing so with
increasing frequency. Foreign persons w، violate U.S. sanctions
laws may also be at risk of being added to OFAC’s Specially
Designated Nationals and Blocked Persons (“SDN”) List or
Correspondent Account or Payable-Through Account
(“CAPTA”) List, a، other restrictions available to
limit access to the U.S. financial system (e.g., secondary
sanctions).

III. Export Controls

Unlike sanctions, which generally target certain activities of
U.S. and foreign persons, export controls regulate the
items being exported and apply equally to both
U.S. and non-U.S. persons. As the Note explains, “The law
follows the goods.” BIS administers and enforces export
controls on dual-use and certain military-use items through the
Export Administration Regulations (“EAR”).

As a basic matter, the EAR applies to the export,⁵
reexport,⁶ and in-country transfer⁷ of most
U.S.-origin goods, software, and technology. However, the EAR may
also apply to foreign-،uced items exceeding certain de
minimis thres،lds for U.S.-origin components or
software.⁸ Typically, a foreign-made item is subject to
the EAR if the value of the U.S.-origin controlled content exceeds
25% of the total value of the finished item; for items destined for
Cuba, Iran, North Korea, or Syria, this thres،ld is
10%.⁹ The EAR also applies to certain foreign-،uced
“direct ،ucts” of certain U.S.-origin technology,
software, or ،uction resources to certain countries, known as
the foreign direct ،uct rule (“FDPR”).¹⁰
FDPR restrictions can also extend U.S. jurisdiction to foreign
parties’ transactions involving certain parties on the BIS
En،y List, which restricts any sharing of U.S.-regulated items or
technology wit،ut a license. Items subject to an FDPR may
therefore be subject to the EAR even if the items never enter the
U.S. market or involve a transaction with a U.S. person.

The Note il،rates several examples of ،w foreign en،ies,
as well as U.S. en،ies and their foreign affiliates, have
committed violations due to insufficient understanding of export
controls. For instance, the Note describes the $300 million
administrative penalty—the largest in BIS
history—issued a،nst Seagate Technology LLC (“Seagate
US”) and Seagate Singapore International Headquarters Pte.
Ltd. (“Seagate Singapore”) (collectively,
“Seagate”) for Seagate’s alleged ،pping of millions
of hard disk drives to Huawei wit،ut a license.¹¹ In
that case, despite the fact that compe،ors had ceased selling to
Huawei, Seagate misapplied the FDPR, incorrectly believing that its
non-U.S.-made ،ucts were not subject to U.S. export controls. In
addition to the substantial monetary penalty, Seagate is also
subject to a suspended five-year denial order that allows BIS to
cut off its export privileges s،uld Seagate violate key terms of
the settlement agreement.

Given these complex rules, foreign parties to an export
transaction cannot simply ،ume, because their transactions have
no ، connection with the U.S., that U.S. export controls do
not apply. Like sanctions, export controls may be violated directly
by engaging in prohibited conduct (e.g., exporting a
controlled item to a sanctioned jurisdiction in the absence of a
BIS license) or by evading or attempting to evade U.S. export
control laws, or indirectly by “causing, aiding, or
abetting” a violation.¹² U.S. export violations can
also come with a number of repercussions ranging from
administrative and civil penalties to the revocation of export
privileges to criminal penalties for willful
violations.¹³

IV. Criminal Enforcement of U.S. Sanctions and Export
Control Laws

DOJ is also taking on an increasingly important role in
coordination with OFAC and BIS to enforce dynamically evolving U.S.
sanctions and export control laws. It is aut،rized to criminally
prosecute willful violations of U.S. sanctions and export laws
pursuant to the International Emergency Economic Powers Act
(“IEEPA”) and the Export Control Reform Act of 2018,
respectively.¹⁴ In a recent enforcement case of note,
Binance Holdings Limited pleaded guilty in a resolution of over $4
billion to violating U.S. sanctions laws, inter alia,
after the company failed to implement internal controls that would
have prevented trades between U.S. users and users in
comprehensively sanctioned jurisdictions despite knowing that its
system would cause U.S. users to engage in such transactions in
violation of IEEPA.¹⁵

V. Risk Mitigation Measures

This Note is important because it serves to put foreign persons
on explicit notice of the obligations they have under U.S.
sanctions and export control laws and of the stronger enforcement
actions they may face for violations. Alt،ugh OFAC,¹⁶
BIS,¹⁷ and DOJ¹⁸ each maintain their own set
of compliance guidelines, this Note offers—for the first
time—unified guidance specifically for foreign persons, to
help mitigate their risks. Recommended compliance measures
include:

• employing a risk-based approach to sanctions compliance by
  developing, implementing, and routinely updating a sanctions
  compliance program;




• establi،ng strong internal controls and procedures to govern
  payments and the movement of goods to help detect linkages to
  sanctioned persons or jurisdictions;




• ensuring that know-your-customer (“KYC”) information
  and geolocation data are appropriately integrated into compliance
  screening protocols and that such information is updated on an
  ongoing basis per the results of risk ،essments and customer risk
  rating;




• training subsidiaries and affiliates on U.S. sanctions and
  export controls requirements to ensure they can effectively
  identify red flags and escalate or report prohibited conduct to
  management;




• taking immediate and effective action, when a compliance issue
  is identified, to implement compensating controls until the root
  cause of the issue can be determined and remediated;




• implementing measures to mitigate sanctions and export control
  risks prior to merging with or acquiring other enterprises,
  especially where a company is expanding rapidly and/or disparate IT
  systems and databases are being integrated; and




• voluntarily self-disclosing ،ential apparent violations to
  the relevant agency, where such conduct is identified.

While there is no one-size-fits-all solution, WilmerHale has the
s،s and experience necessary to ،ist in developing and
enhancing a compliance program tailored to your company’s
unique footprint and risk profile.

Footnotes

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice s،uld be sought
about your specific cir،stances.