Sanctions and Export Controls in the Asia-Pacific Region

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight


Comprising dozens of nations with diverse business cultures and economies in various stages of development, the Asia-Pacific region (APAC) is responsible for a substantial portion of annual global trade. Whether a company is based in APAC or is operating there, economic sanctions and export control risks are now a daily concern. With long-standing US and UN sanctions and export control programmes targeting North Korea, and growing US sanctions and export controls targeting China and Russia, APAC has, in many ways, supplanted the Middle East as the world’s sanctions and export control hotspot. For legal and compliance practitioners, this environment presents unique challenges. In this chapter, we describe the sanctions and export control risks for business transactions in APAC and share best practices for managing these risks.

‘Long-arm’ jurisdiction

Economic coercion is a fact of life in Asia, owing to the high degree of state intervention in many economies. China, in particular, regularly withdraws economic opportunities (including tourism) from its neighbours to achieve political objectives. We distinguish these trade-boycott practices from sanctions and export controls whereby governments regulate private commerce to gain economic leverage over a foreign adversary. With the exception of multilateral UN sanctions, few countries in Asia rely on sanctions and export controls as a tool of foreign policy. Although Australia, Japan and a handful of other countries have unilateral (or autonomous) sanctions, the enforcement of these sanctions and export controls outside the home jurisdiction is limited. For companies in APAC, the greater risk arises from ‘long-arm’ or extraterritorial US sanctions and, to a lesser extent, the European Union.[2]

These extraterritorial sanctions are divided into primary sanctions and secondary sanctions. Primary sanctions are jurisdiction-based prohibitions that are enforceable against individuals or entities through traditional criminal or administrative means. Secondary sanctions, used most extensively by the United States, embrace a range of coercive measures, including denial of market access, intended to discourage activities that are beyond the traditional legal jurisdiction of the sanctioning state. Thus, unlike the primary sanctions, US secondary sanctions apply to entirely non-US activity.

During the past decade, companies in APAC have faced an increasing risk of primary and secondary sanctions. This shift is due in part to the companies’ foray into western markets, where primary sanctions jurisdiction is most likely to exist, and greater efforts by western governments to investigate and prosecute activities that threaten their security or foreign policy aims. For these reasons, compliance with foreign sanctions is often the only commercially reasonable choice for companies that desire continued access to western markets, particularly the US financial system.

As explained in greater detail below, the first step in managing sanctions and export control risk is identifying and assessing it in business transactions. A risk assessment for primary sanctions requires understanding and mapping the somewhat intricate rules of foreign legal jurisdiction to business operations. For example, a Chinese manufacturer exporting products to Iran is advised to identify any financial transactions that may implicate the US financial system. A risk assessment for secondary sanctions requires imagining how emerging geopolitical risks may disrupt existing commercial arrangements. That same manufacturer should consider US secondary sanctions that may apply to its Iranian exports and whether suffering US reprisals is a commercially sensible trade-off. Understanding how these risks manifest themselves in a dynamic environment can challenge even the most experienced practitioners.

Conditions that increase sanctions risks

APAC is a target-rich environment for new sanctions. Some nations – North Korea, Myanmar and Vietnam, for example – are currently, or historically have been, targeted with broad embargoes by the United States or significant sanctions by the European Union, Canada, Australia, other western allies and the United Nations. The region also has a significant share of companies and individuals targeted for sanctions in response to human rights abuses, proliferation of weapons of mass destruction, narcotics trafficking, organised crime, and other threats to regional and international peace and security. The United States, in particular, has used sanctions and export controls to target Chinese firms that have committed violations of US laws or acted contrary to US national security or foreign policy interests, a trend that has accelerated under the Trump administration.

Second, questions about sanctions or export control compliance often come not from government investigators, but from banking partners, suppliers and other counter­parties. Sanctions authorities have long considered commercial actors to be ‘force multipliers’ in amplifying the effects of their sanctions. The abundance of multinational enterprises and cross-border supply chains in APAC offers endless touchpoints for introducing sanctions requirements through due diligence, compliance undertakings and internal guidelines to police the behaviour of counter­parties. The presence of many large, regional and multinational financial institutions – a number of which have faced significant sanctions enforcement actions (e.g., HSBC and Standard Chartered) – has put pressure on customers to commit voluntarily to abide by US and EU sanctions and export controls. Some banks demand that customers implement formal compliance programmes as a condition of services. Indeed, a number of significant internal corporate investigations have started as a result of enquiries from banks about customers’ payments potentially involving sanctions targets.

Third, given the complexity of sanctions and export controls and the threat of secondary sanctions, many companies and banks in APAC implement compliance programmes with little regard to the nuances of legal jurisdiction, leading to examples of over-compliance or de-risking, whereby companies and banks walk away from business that is legally permissible. This is especially true in the region’s major trading hubs, such as Hong Kong and Singapore, where OFAC regulations are almost universally observed, regardless of their legal applicability, owing in large part to the high concentration of risk-averse banks. On the other hand, where US sanctions have been applied against major corporates, such as subsidiaries of China Ocean Shipping Company Limited (COSCO), we have observed a marked willingness among financial institutions and corporates to take a more nuanced, albeit still cautious, approach.

The convergence of these three factors, that is a high number of sanctions targets, counter­party demands, and de-risking, presents a daunting compliance challenge, as in the following examples.

Sanctioned countries and governments

Transactions involving countries, territories or governments subject to comprehensive or broad unilateral US sanctions (currently, Crimea, Cuba, Iran, North Korea, Venezuela and Syria) or UN sanctions are not uncommon in the region and, for domestic political reasons, are sometimes encouraged. Many of these transactions are indirect transactions conducted through trading house or shell companies in major trading hubs, such as Hong Kong, Singapore or Dubai. Careful due diligence of counterparties and their business activities is needed to identify transhipment or diversion risk.

Sanctioned persons

Despite the lifting of US sanctions against Myanmar in October 2016, the number of sanctioned individuals and entities located in, or with economic interests in, APAC has increased steadily in recent years. They may appear as direct counterparties to a transaction or indirectly as beneficial owners or shareholders of counterparties. Once identified, companies must determine whether the involvement of a sanctioned person precludes their participation in a proposed transaction. This issue came to the fore in April 2016 when OFAC designated numerous Russian individuals and entities as specially designated nationals (SDNs), including one listed on the Hong Kong Stock Exchange. Similarly, in September 2019, OFAC designated two subsidiaries of COSCO as SDNs for engaging in exports of petroleum from Iran. In both cases, financial institutions and other counterparties grappled with how to maintain important commercial relationships while abiding by applicable US sanctions. The availability of general and specific licences allowed many to do so. The United States has also added Chinese technology companies to the Bureau of Industry and Security (BIS) Entity List for national security and foreign policy reasons and, in certain circumstances, these listings have occurred prior to an initial public offering or exchange listing, inflicting greater costs on the targeted company and its investors. This issue will continue to be prevalent as the US government contemplates Hong Kong-related sanctions.

Supply chains

Supply chain risks attach to (1) raw materials sourced from, (2) suppliers located in, and (3) in the case of North Korea, labour from sanctioned countries. For example, in January 2019, OFAC entered into a US$996,080 settlement with US-based e.l.f. Cosmetics, Inc for distributing false eyelash kits containing materials originating from North Korea. OFAC used the settlement to emphasise the importance of supply chain due diligence to identify the involvement of sanctioned goods or parties. In practice, such due diligence is often hampered by resistant counterparties, language barriers or inaccessible records. Companies often find themselves reliant on declarations or contractual representations concerning a counterparty’s compliance. In some cases, third-party due diligence firms are called in to bridge the gap.

Goods, technology and software originating from the United States

BIS, located within the US Commerce Department, regulates the export, re-export and transfer of items subject to the Export Administration Regulations (EAR).[3] The risk of diversion of EAR-controlled items is high, and transshipments through trading hubs such as Hong Kong and Singapore are commonplace. Yet few companies in the region have sophisticated compliance controls for identifying and tracking items subject to the EAR, including controlled components incorporated into finished products. This is an area of emerging risk, with high enforcement potential. Financial institutions, which are potentially at risk of facilitating their customers’ violations of the EAR, have recently begun strengthening their export control procedures, demanding more information from customers, who remain primarily responsible for understanding how the EAR applies to their activities.

Affiliates or tangential business lines

All these risk factors are compounded by the presence of many large, international, private and state-owned conglomerates. Sanctions and export control concerns frequently arise during the due diligence phase of transactions when affiliates of an investment target are found to have exposure to sanctioned persons or territories, even if that activity is seemingly unrelated to the business opportunity at hand. Use of proceeds clauses and restrictions on the transfer of goods and services offer a limited means of risk mitigation. However, given that US authorities do not accept the outsourcing or transfer of liability for sanctions risks, these provisions offer very limited protection if the company is found to have known (or should have known) about the sanctioned element and facilitated prohibited activity.

As explained above, mapping out the jurisdiction and scope of applicable sanctions and export controls is a good first step to identifying and controlling risks. The following sections offer a few reference points for managing sanctions and export control risk with an eye on recent high-profile enforcement actions.

US and EU sanctions jurisdiction

Most legal systems recognise jurisdiction over activities taking place within their state’s sovereign territory, regardless of nationality, as well as activities undertaken by their nationals, regardless of location. This territorial-based jurisdiction applies to most sanctions, regardless of country, and is the typical framework applied to UN sanctions enforcement in APAC.

However, jurisdiction may also exist over activities undertaken outside a state’s sovereign territory conditioned on an underlying factual nexus, such as the direct or indirect involvement of nationals of the state. Long-arm or extraterritorial sanctions fall under this heading. Understanding clearly the jurisdictional hook underlying a primary or secondary sanction enhances a company’s ability to decide whether and how to comply with it.

Application of sanctions to US persons

OFAC’s administrative enforcement jurisdiction generally applies to ‘US persons’, defined to include (1) all US citizens or permanent residents (i.e., green card holders), regardless of location, (2) all entities organised under US law (including their offices and branches outside the United States), and (3) all persons in the United States, regardless of their nationality. The basic rule is simple: US persons are required to follow OFAC regulations at all times. Additionally, OFAC regulations under the Cuba, Iran and North Korea programmes apply to the activities of non-US entities owned or controlled by US persons or (in the case of North Korea) US financial institutions.

In APAC, US jurisdiction is often based on the involvement of financial institutions (often overseas branches of US banks), offices of US-incorporated companies, subsidiaries of US-based companies, US-based companies transacting in or investing in the region, or as individuals employed by non-US companies. While non-US subsidiaries of US companies are not subject to many OFAC programmes, it is common for subsidiaries to follow the sanctions policies of their headquarters, with limited allowances for local law. An increasing number of non-US companies are devising recusal protocols to document the ways in which their ‘US person’ employees are ring-fenced from transactions involving US-sanctioned persons or territories.

Non-US nationals are considered US persons when within the United States, and clients must often be reminded to abstain from engaging in activities, including phone calls or emails, concerning their companies’ business with sanctioned persons or territories while visiting the United States, whether for business or pleasure. Search and seizure of business records at US borders should remain high on the list of senior executives’ worries while travelling. In serious cases, extradition from a third country to the United States is also a possibility.

Application of sanctions to EU persons

Jurisdiction under EU law follows a similar pattern as US law, although EU member states are less inclined to pursue ‘extraterritorial’ prosecutions, citing international law and comity. Broadly speaking, EU sanctions apply within the territory of the European Union, aboard aircraft or vessels under the jurisdiction of EU member states, to nationals of EU member states, to entities constituted under the laws of EU member states, and in respect of business performed in the EU territory by non-EU persons.

Like US persons, EU persons may appear in a variety of roles in transactions in APAC, and the presence in the region of many prominent EU corporates and financial institutions makes EU sanctions the second-most important foreign sanctions regime in APAC, after that of the United States.

Application of sanctions to non-US and non-EU persons

As indicated above, US and EU sanctions exert a significant influence on commercial activities in APAC. With respect to EU sanctions, this effect is attributable mainly to the presence of many EU-based corporates and financial institutions that are obliged to follow EU sanctions as a matter of law or internal policy. The case is different when it comes to US sanctions because US authorities routinely seek to assert law enforcement jurisdiction over the activities of non-US persons when those activities involve a US jurisdictional element, understood to include US persons, the US financial system and items of US origin (i.e., goods, technology and software that are subject to the EAR).

Of these three elements, it is the US financial system that has the strongest jurisdictional hook. US-dollar denominated transactions, most of which clear through US correspondent accounts, make up the lion’s share of international trade in the region (and globally). OFAC and the US Department of Justice (DOJ) undertake dozens of investigations each year into transactions processed through the US financial system believed to involve prohibited trade with sanctioned persons or territories. Underpinning these cases is the legal theory, among others, that non-US persons ‘cause’ US financial institutions to violate OFAC regulations by initiating transactions that are cleared through US-based accounts.

For example, in July 2017, OFAC entered into a US$12,027,066 settlement with Singapore-based CSE Global Limited and CSE-Transtel Pte Ltd (Transtel) for violations of the Iranian Transactions and Sanctions Regulations (ITSR). According to the OFAC settlement notice, Transtel processed more than 100 wire transfers in its US-dollar denominated account held at a Singapore bank in connection with its business in Iran. While the business presumably was legal under Singapore law, the wire transfers cleared through the Singapore bank’s US correspondent accounts thereby triggering the ITSR’s prohibition against exports of services, directly or indirectly, by US persons (i.e., the US banks holding those accounts). The Singapore bank previously had informed Transtel of this risk and obtained an attestation that the company would not use its account for its Iranian business. The Singapore bank subsequently detected the activity and disclosed it to OFAC. As noted by many commentators, the Singapore bank was not named in the settlement. Rather, OFAC penalised the bank’s customer, Transtel, for causing the violations. In the context of this case, the Singapore bank was rewarded for having effective sanctions compliance controls. However, the settlement also spotlights the conflicting interests of banks and their customers when OFAC violations are detected – a major point of contention in light of recent high-profile enforcement cases against Chinese companies.

For clients new to the subject, it may seem contradictory that a financial transaction could be illegal while the underlying trading activity – which often is not subject to OFAC jurisdiction – is perfectly fine under domestic law. Practically speaking, the challenge for practitioners is to identify transactions involving the US financial system (which can include both US financial institutions and, in some cases, non-US entities owned or controlled by them) and to interdict transactions that would be prohibited for a US bank. Some trans­actions can be safely processed outside the US financial system, subject to relevant secondary sanctions and the internal policies of the processing banks. While US persons are not allowed to facilitate these types of transactions, non-US persons who are familiar with the regional banking system are increasingly finding open payment channels for certain activities.

Enforcement risks from the United States: select cases

The following examples highlight important enforcement trends in APAC and compliance pitfalls to be avoided.

ZTE Technologies

BIS added ZTE and three affiliates to the Entity List during an investigation of the company’s business in US-sanctioned territories, including Iran and North Korea. In March 2017, the company entered into a US$1.19 billion civil and criminal settlement with BIS, OFAC and DOJ. While US$300 million of the penalty was suspended, the settlement also mandated the hiring of a compliance monitor for three years to report to DOJ on the company’s compliance with US sanctions and export control laws, and a seven-year suspended denial order. The order was triggered in April 2018, when the US government determined that the company had made apparent false statements to BIS. In June 2018, the company agreed to pay an additional US$1 billion, which included the hiring of an external compliance consultant for 10 years, who will report to BIS.

ZTE’s violations primarily involved the unlicensed re-export from China to Iran and North Korea of items subject to the EAR. The company obtained some of the items via ‘isolation companies’. The US investigation into ZTE has served as a template of sorts for similar investigations and set the stage for a raft of legislative initiatives, executive orders, regulations and administrative actions aimed at reducing China’s involvement in the US telecommunications sector, which continue to this day. While the use of the Entity List during an investigation was novel in 2016, it has since become routine, and BIS is increasingly using the Entity List to advance US national security objectives.

US-based branches of Asian banks

Several APAC-based financial institutions have entered into settlements with US sanctions and state banking regulators, including the New York Department of Financial Services, for violations of US sanctions and anti-money laundering (AML) laws. These include settlements with Japan’s MUFG (2013, 2014 and 2019), Taiwan’s Mega Bank (2016), China’s Agricultural Bank of China (2016) and South Korea’s Industrial Bank of Korea (2020). In each case, the financial institutions failed to implement adequate sanctions and AML controls in their New York branches, leading to violations of the state’s AML regulations, in addition to OFAC regulations.

Along with direct liability, APAC-based banks have also found themselves on the receiving end of subpoenas relating to the conduct of their customers. In a highly publicised case, in 2019, the US Court of Appeals for the District of Columbia upheld a lower court decision holding three Chinese banks in contempt for refusing to comply with subpoenas for information held outside the United States about transactions through their US-correspondent accounts or branches involving a Hong Kong-based customer alleged to be a North Korean front company.

North Korea indictments and secondary sanctions

North Korea, which is subject to both US comprehensive sanctions and broad UN sanctions, has been a constant source of risk for companies in APAC, especially since the issuance of Executive Order 13722 in March 2016. The North Korean government is widely believed to operate networks of front companies throughout the region, including in Hong Kong, and North Korean workers have historically been sent outside the country to earn revenue for the government. The US government’s efforts to restrict North Korea’s access to the US financial system picked up steam in mid 2017 with the sanctioning of China’s Bank of Dandong, followed by sanctions against China-based trading companies and individuals alleged to act as North Korean intermediaries, as well as vessels and operators engaged in ship-to-ship transfers in apparent violation of UN sanctions.

As with Iran, the US government has issued indictments against numerous individuals and companies outside the United States for violating OFAC’s North Korea Sanctions Regulations by processing transactions through the US financial system in relation to North Korean trade. These indictments are often accompanied by forfeiture orders, under which funds held in US interbank accounts can be seized in an amount equivalent to the violative transactions. Additionally, OFAC is authorised under Executive Order 13810 to target bank accounts through which North Korea-related transactions have been processed, even if those accounts are not themselves held by sanctioned persons.

Strategies for managing multinational sanctions risks

Identification of a US or EU nexus

As primary sanctions are jurisdiction-based, identifying sanctions risk is often a matter of determining at the outset if there is jurisdiction. In addition to mapping out a company’s exposure to sanctioned territories or persons, spotting touchpoints with the United States and the European Union is an essential step in implementing an effective compliance programme. This is particularly true for financial institutions and corporates whose customers and counter­parties change frequently.

For example, once a nexus to the US financial system has been found, a company should adopt real-time name screening controls to filter out transactions involving sanctioned persons or territories. A distributor with a significant EU supplier should consider whether those products can be sold to persons on an EU sanctions list. For the reasons explained above, there are endless examples of these touchpoints in APAC, and it is evident that many companies have allowed themselves to become operationally dependent on US or EU services without having considered the potential sanctions exposure.

In addition to traditional supply chains and financial services, companies are strongly advised not to overlook US and EU connections that may exist in their data processing, including the use of US-origin software or US-based servers. In February 2020, OFAC settled with Switzerland-based Société Internationale de Télécommunications Aéronautiques SCRL (SITA) for US$7,829,640 for transactions involving sanctioned airlines that relied on US-origin software or servers in the United States. US agencies, including OFAC and DOJ, are increasingly aware about how US jurisdiction may be asserted over data. The massive popularity of digital services in APAC – including cryptocurrency exchanges and other digital asset service providers – makes this an area of increasing enforcement risk for the region.

Defining common ground and expectations for sanctions compliance

It is not uncommon for companies in APAC to take the simpler and often prudent decision to implement US and EU sanctions as a matter of internal policy, regardless of juris­diction. When this is not possible for political or commercial reasons, it is necessary to define common ground to allow transaction parties to perform their roles with the least amount of residual risk. Unfortunately, it is also still commonplace for companies engaged in transactions with sanctioned persons or territories to do so in a manner that is not transparent and often without the awareness of their major suppliers or banking partners. The disruption wrought in the telecommunications sector as a result of recent US enforcement cases is an object lesson in why this approach is not advisable. The example given above involving Singapore’s Transtel offers another. The better approach is to identify sanctions risks early on, analyse them and engage stakeholders in decision-making about how to conduct business in a manner that respects applicable rules as well as the tolerances of counterparties. A legal memorandum explaining the issues is often helpful in this regard.

A common situation encountered in APAC involves capital markets or lending transactions in which banks insist that issuers or borrowers ring-fence proceeds from their activities with sanctioned territories or persons, once those activities have been identified through due diligence prior to the transaction. The meaning of the term ring-fence in this context is vague, and it is typically taken to mean segregation of the proceeds from general operating accounts or the adoption of accounting controls to record how the proceeds are used in compliance with use-of-proceeds clauses. (A similar approach is often taken with respect to goods originating in the European Union or the United States, which may be subject to export controls.)

Often, parties are satisfied with a simple use-of-proceeds contractual provision, particularly when funds are raised for specific purposes that are unrelated to a sanctioned territory or person. It is rare in capital markets transactions for underwriters to demand the termination of that business, unless it is particularly problematic. However, lenders appear to be more willing to demand that their borrowers cease activities with sanctioned territories or persons as a condition of financing. This is especially true after the re-imposition of US secondary sanctions against Iran, beginning in August 2018. It is also common for depository institutions to refuse to open or maintain accounts for individuals or corporates with tangential exposure to sanctioned territories (e.g., nationals of sanctioned territories), although the legal basis for these policies is unclear. From a regulatory perspective, financial institutions’ enforcement risk is low if they are not directly or indirectly financing prohibited activities.

Drafting mutually acceptable contractual terms and common issues

It is no secret that lawyers in the region spend a good amount of time negotiating sanctions clauses (sometimes for transactions with no apparent sanctions nexus). Given the fragmented legal picture, it is difficult to accommodate every party’s demands and yet retain succinct and clear contractual language. (Despite best efforts, many agreements are capacious, at best.) The following are some of the common issues to bear in mind.

Scope of representations and warranties

Because parties in the region are subject to differing sanctions and export controls, contract clauses should clearly define which countries or programmes are intended to be covered by the language in the agreement. This includes identifying the authorities issuing sanctions and the targets of those sanctions. Lawyers in the region spend endless hours finessing sanctions clauses to assuage the concerns of clients on both sides of a deal, often with watered-down results. As demonstrated in recent cases concerning the EU Blocking Regulation, and at least one case in Hong Kong involving frozen assets of a customer of a Hong Kong bank, courts may be called on to interpret imprecise language, to the detriment of one party or the other. As a minimum, drafters should be reasonably familiar with sanctions so as to precisely render the parties’ intentions.

Prohibited business

In our experience, there are three approaches to defining prohibited business in sanctions clauses: (1) a total prohibition against dealings with sanctioned territories or persons, irrespective of their relevance to the transaction; (2) a prohibition against using the transactions’ proceeds for dealings with sanctioned territories or persons; or (3) a prohibition against violating sanctions with respect to a transaction (which may be read to permit proceeds to be used for such an activity, provided it is done in compliance with applicable laws and regulations). Broadly speaking, it is rare nowadays to find the first type of prohibition in APAC contracts. The second type is the most common and the least burdensome. The third type is increasingly common and often arises when parties who enter into a transaction are fully aware of the potential risks, and one party has agreed to assume that risk and to implement the appropriate compliance measures. It goes without saying that the party accepting these undertakings should have a reasonable basis for relying on them.

Changes in sanctions

While specificity is a virtue in contract drafting, language can become outmoded if sanctions change during the life of the contract. This problem is most often solved by indicating that references to particular sanctioned territories, persons or lists, are ‘without limitation’, or are defined ‘at the time of the transaction’ to which they apply. Problems arise, however, when a party to a transaction becomes sanctioned after the adoption of an agreement. Companies are increasingly attempting to account for this possibility with the inclusion of termination provisions triggered by changes in the sanctions status of any party, and may even define a mechanism for unwinding the transaction in compliance with applicable regulations.


For sanctions practitioners, advising clients in APAC can be both intellectually challenging and professionally rewarding. Whereas, in some places, the answer to most questions about sanctions is a hard ‘no’, the answer in this region is often ‘maybe’, subject to the circumstances. Clients expect their advisers to understand the ins and outs of international sanctions rules and be prepared to justify the advice given. Situational awareness is paramount. With enforcement and geopolitical risks rising, practitioners require both operational and decision-making skills – due diligence, legal analysis, risk assessment, strategic guidance – to lead their clients through uncharted, sometimes perilous, legal terrain.


1 Wendy Wysong and Ali Burney are partners and Nicholas Turner is of counsel at Steptoe & Johnson in Hong Kong.

2 Given the US government’s heightened enforcement of its laws overseas, we focus primarily on US sanctions and export controls for the purposes of this article.

3 For more information about US export controls, consult Chapter 14 of this guide, US Export Controls by Meredith Rathbone and Hena Schommer.

Unlock unlimited access to all Global Investigations Review content