Impacts of Sanctions and Export Controls on Supply Chains
Today’s globalised, on-demand supply chains rely on increasingly seamless cross-border movement of raw materials and goods in order to be cost efficient and effective. Sanctions and export controls present potential impediments that, if not managed properly, can imperil a company’s performance, whether as an original or intermediate supplier, or as the final recipient of supplied goods or technology. In some cases, governments may impose new sanctions or export controls with little or no warning, with similarly swift knock-on effects cascading through impacted supply chains. However, this tends to be the exception rather than the rule; a business that is watching carefully will generally spot the storm clouds on the horizon. A well-designed, risk-based compliance programme tailored to a company’s specific circumstances, including the risk profiles of its suppliers, intermediaries and customers, will help with this forecasting, allowing a company to identify and address even the most challenging sanction and export control developments.
Effective development of compliance strategies starts with understanding the basis for sanctions and export controls, how they overlap and interact, and how to mitigate their related risks. It is also critical to understand how sanctions and export controls have evolved in recent years, and how still-developing trends could impact their trajectory in the near term and long term.
Sanctions and export control overview and overlap
While the specifics may vary, sanctions and export controls regimes are a reflection of foreign policy. In the case of sanctions, they are imposed by one country or multilateral organisation against an individual, entity or country to respond to, or deter, some course of conduct. Typically, they are designed to isolate and pressure their target via some combination of financial and trade restrictions (e.g., preventing the targeted person, entity or jurisdiction from having access to certain financial markets, goods or technologies). In some cases, they are narrowly tailored, such as by targeting a single individual or entity, while in others they are widespread, up to and including imposition of country- or territory-wide embargoes. In many cases, including under US law, sanctions operate on strict liability principles (i.e., if you engage in a prohibited transaction with a sanctioned person, entity or jurisdiction, you have violated the law regardless of your knowledge or intent). However, whether an enforcement action is pursued, and the penalties that may be imposed, will hinge heavily on intent. For example, the United States’ primary sanctions enforcer, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has developed enforcement guidelines that turn primarily on the question of whether a violation was ‘egregious’ or ‘non-egregious’. Key factors in that determination include whether the violation occurred due to wilful or reckless conduct, and whether supervisory or management-level personnel had actual knowledge of, reason to know of, or involvement in, the conduct at issue. Other factors include the size and sophistication of the implicated company, the existence, nature and adequacy of its compliance programme, and its remedial response to the apparent violation.
Export controls, on the other hand, generally reflect foreign policy not via an outward-facing targeting of specific individuals, entities or jurisdictions, but rather via an inward-facing defensive motive to identify and limit the export of particularly critical goods and technologies. That being said, export controls can have many of the same characteristics as sanctions, have always had a level of interplay with sanctions, and have become increasingly intertwined with sanctions in recent years. A prime example is the United States’ imposition of various sanctions against Russia in the wake of the annexation of the Crimea Region of Ukraine in 2014, and its more recent 2022 invasion of Ukraine. A key component of these sanctions is a complex set of restrictions relating to the export of most US-origin goods and technologies to Russia. Prior to the 2022 invasion, a more targeted set of export restrictions had targeted the export of some goods and technologies to companies operating in certain segments of the Russian economy and in support of certain kinds of projects. Related de facto embargoes of the Crimea and so-called ‘Donetsk People’s Republic’ and ‘Luhansk People’s Republic’ regions of Ukraine rest largely on a prohibition on the export of US-origin goods and technologies to the regions (in addition to accompanying sanctions prohibitions on the export, re-export, sale or supply of any goods, services or technology from the United States or by US persons to the regions).
Although the leading sanctions and export control regimes (i.e., those of the US, UK, EU and UN) often differ in the specific targets of their sanctions and export controls, they all tend to have significant overlap in the types of conduct for which they impose sanctions and the types of technologies over which they impose export controls. From a sanctions perspective, terrorist activity, destabilising military or political activity, drug trafficking and human rights abuses predominate. Whether a particular individual, entity or regime will be targeted by a particular sanctions enforcer tends to turn on complicated questions of internal politics, geopolitics and geography. From an export perspective, the rule is typically that military technology is subject to the most stringent restrictions (e.g., in the United States, most military technology must be licensed for export by the State Department’s Directorate of Defense Trade Controls under the International Traffic in Arms Regulations, with limited exceptions), and everything else is typically subject to little restrictions on export unless it falls into a particularly sensitive category (e.g., nuclear, biological or chemical processing technology). Whether a particular technology will be subject to export controls turns on a balancing of the sensitivity of the technology (particularly if it can be used in problematic ways), a protectionist desire to limit distribution of the technology, and a counterbalancing desire to avoid limiting innovation by artificially restricting access to markets and talents by being overly protectionist.
Supply chain impacts – old tactics and an expanding set of tools
Sanctions and export controls impacting western supply chains are not a new development. As a prime example, for over 10 years world powers have imposed severe economic sanctions on North Korea. While the primary impetus behind these sanctions has been to pressure North Korea to denuclearise, some of the most robust sanctions regimes against the Kim regime also target its use of forced labour and have specifically sought to limit the flow of commercial goods to or from North Korea. Among other things, OFAC regulations currently prohibit the importation into the United States of any goods made in North Korea or by its Worker’s Party or other state agencies. Separately, since the passage of the Countering America’s Adversaries Through Sanctions Act in 2017, ‘any significant goods, wares, articles, and merchandise mined, produced, or manufactured wholly or in part by the labour of North Korean nationals or citizens’ have been prohibited from entry into the United States unless US Customs and Border Protection (CBP) ‘finds through clear and convincing evidence that the merchandise was not produced with a form of prohibited labour’. Because the North Korean government is known to send its citizens abroad to work under government contracts, including in China and Russia, the risk that North Korean forced labour has been exploited to produce raw materials or manufactured goods exists even when the materials or goods come from a country other than North Korea. As a result, businesses in the United States are obligated to assess the risk that their global supply chain may be tainted by North Korean labour. More recently, similar concerns regarding forced labour and other human rights violations by China’s government against the Uighur populations in the Xinjiang region of north-western China have been at the forefront. In July 2020, the US Departments of State, the Treasury, Commerce and Homeland Security issued an advisory alerting businesses to supply chain risks from links to entities exploiting forced labour and other human rights abuses in Xinjiang. Those government departments, joined by the US Trade Representative and the US Department of Labor, updated and reissued that guidance in July 2021. The US Department of Commerce also restricted exports to several Chinese companies and government ministries by placing them on its Entity List. In the same time frame, the US Department of the Treasury imposed sanctions on the Xinjiang Production and Construction Corps (XPCC), a paramilitary organisation that has been identified as building and running re-education camps holding Uighur and other Muslim minorities in Xinjiang. According to news reports, the XPCC was responsible for up to one-third of China’s cotton production in 2019, which translates to up to 7 per cent of the world’s cotton. Under the sanctions, US companies may not buy from or sell to the XPCC or subsidiaries where it has a majority stake.
The overlapping Xinjiang sanctions and export controls have forced companies and industries doing business in key sectors of the Chinese economy to revisit whether and how they screen their Chinese supply chains. Consistent with OFAC enforcement policies, the July 2020 and updated 2021 advisories emphasise that US companies must operate under a ‘reason to know’ standard. That is, companies that know or become aware of the potential that they are sourcing goods from, or supplying goods to, a party that is sanctioned, subject to export restrictions or otherwise engaged in human rights abuses in Xinjiang, will be expected to thoroughly vet their transactions via robust due diligence.
Additional, less-common tools have been deployed to target human rights abuses in the Xinjiang region that could severely impact certain supply chains. For example, CBP has issued a series of withhold release orders (WROs) against cotton and other products from Xinjiang based on information that reasonably indicates the use of forced labour in their production. The first several WROs targeted products made by specific entities in Xinjiang, including the XPCC and several other entities involved in the operation of ‘re-education camps’, cotton processing and the production of electronics, textiles and hair products. The most recent WRO, dated 13 January 2021, applies broadly to cotton and tomatoes grown in Xinjiang as well as to all products made using such cotton and tomatoes, including clothing, textiles and tomato sauce, without regard to whether the final products were made in Xinjiang. CBP will prevent the admission into the United States of all merchandise within the scope of a WRO, and direct importers to export or destroy any such merchandise that is present in the United States but has not yet cleared customs. Congress has also recently enacted the Uyghur Forced Labor Prevention Act on a broadly bipartisan basis, which, among other things, creates a rebuttable presumption that all goods manufactured in whole or in part in the Xinjiang Uyghur Autonomous Region are the product of forced labour and are not entitled to enter US ports.
WROs have been an increasingly popular tool since 2016, when the Tariff Act of 1930 was amended to eliminate a statutory exemption and to give CBP more enforcement power. The Xinjiang region has not been the only target of WROs, and their use is expected to continue, if not expand, during the Biden administration.
Sanctions, Entity List designations and WROs are not the only tools being deployed that may directly impact supply chains. The US Department of Commerce has recently issued regulations enabling it to block any information communications technology and service (ICTS) transaction involving goods or services designed, developed, manufactured or supplied from foreign adversaries or companies organised in, or otherwise subject to the direction or control of, a foreign adversary. These regulations were issued under Executive Order 13873, signed by President Trump in May 2019, intended to protect sensitive information, critical infrastructure and vital emergency services in the United States. Commerce has identified China, Cuba, Iran, North Korea and Russia as foreign adversary countries, and Venezuelan president Nicolás Maduro individually as a foreign adversary. On 17 March 2021, and again on 13 April 2021, the Department of Commerce issued subpoenas to multiple Chinese companies that provide ICTS in the United States in a move that Commerce described as an ‘important step in investigating whether the transactions involving these companies meet the criteria set forth in the Executive Order’. These actions indicate that the Biden administration intends to actively use this new power to evaluate transactions.
Further, these tactics can impact not only the movement of goods from a targeted country to its export markets, but also the internal supply chains of targeted countries. Perhaps the most notable examples of such impacts are the cases of ZTE and Huawei, both of which became subject to highly restrictive export control prohibitions in the face of concerns that they or their products were placing US national security at risk. In ZTE’s case, in 2018 it became subject to a seven-year export denial order by Commerce, cutting it off from nearly all US components, following a finding that it was in non-compliance with a settlement relating to illegal exports to Iran and North Korea. Within a month, ZTE had suspended major operations and manufacturing due to its no longer having access to 25 per cent of the components on which it relied for smartphone manufacturing. It was only able to survive due to a negotiated resolution entered into two months later, by which time its share of the US smartphone market had gone from 10 per cent to zero.
In May 2019, Huawei was similarly ensnared by US export control restrictions, this time in the form of designation on the US Department of Commerce’s Entity List in conjunction with Commerce’s foreign-produced direct product rule. The designation, which applies to a number of Huawei entities, requires a licence from Commerce before any US-origin goods or technology can be exported to Huawei, with a presumption of denial. Through multiple amendments to the rule, the foreign-produced direct product rule now reaches the Huawei supply chain, extending export prohibitions to foreign-produced items that are the direct product of specified technology or software subject to the Export Administration Regulations (EAR) or products of a plant or major component of a plant that is a direct product of such technology, if the foreign-produced item will be incorporated into or used in the production or development of an item that is produced, purchased or ordered by a designated Huawei entity. It is estimated that the restrictions on exports to Huawei – most notably limiting Huawei’s access to semiconductors – have cost Huawei billions of dollars and triggered a talent drain at Huawei that continues to escalate. And Huawei is not alone on the Entity List, to which scores of Chinese companies have been added in recent years over national security concerns.
Meanwhile, the Chinese government has not stood idly by. In March 2021, China began issuing a raft of retaliatory sanctions against individuals and entities in the United States, United Kingdom and Canada in response to the US’s, UK’s and Canada’s issuance of Xinjiang-related sanctions. The Chinese sanctions target lawmakers and companies, and include prohibitions on their entry into China, Hong Kong or Macau, the freezing of assets located in China and prohibitions on Chinese citizens and companies doing business with them. China had previously announced sanctions in July 2020 against a small number of US lawmakers who were particularly vocal critics of China’s treatment of ethnic Uighur populations. China’s more recent round of sanctions marks a noteworthy escalation, and could be a sign that it – and other countries targeted by sanctions imposed by western governments – may be more willing to trade blows in ways that will result in restrictions on commerce between China and western businesses. For companies caught in the political crossfire, such tit-for-tat escalations could complicate their cross-border operations, including through disruption of their global supply chains.
In 2022, we are seeing a similar sanctions ‘back-and-forth’ play out between Russia and major western economies, including the United States, the UK, the EU and beyond. This includes deployment of closely paired sanctions and export restrictions in a coordinated (although not 100 per cent aligned, country-to-country) fashion, with Russia answering in kind via counter-sanctions. As this plays out, we are seeing the full spectrum of sanctions and export control strategies that have evolved over recent years being promulgated across a rapidly developing legal and political landscape that is largely unrecognisable from the sanctions philosophies of just a decade ago. These sanctions and counter-sanctions are already proving disruptive to global supply chains, as companies facing import and export restrictions on one side of relevant borders or another are forced to find alternative sources of supply, to divert shipments to alternative markets or to otherwise revise or unwind sourcing and supply strategies. This includes disruptions due to direct prohibitions on particular imports or exports, indirect impacts due to finance and investment-related restrictions and market-driven pressures to curtail or cease certain wholly allowable activities as a matter of moral or ethical compulsion, or political expediency.
Sanctions and export controls can be highly dynamic in the speed with which they can be implemented and adjusted. Accordingly, businesses operating with international supply chains need to be prepared to be equally nimble. Fortunately, there are relatively straightforward and scalable strategies that companies can deploy to ensure they have a robust and effective compliance framework through which to operate, as detailed below.
Classification and risk analysis
It is imperative that companies moving goods and technologies across borders fully understand the potential restrictions that may apply to those transactions. This starts with a clear understanding of which goods and technologies fall under which applicable export control regimes. Companies should understand which regimes apply (e.g., are they subject to control as military items, dual-use items or purely commercial items), where their products are classified within each applicable regime and what licensing, reporting and other requirements might apply to their export.
Once applicable classifications are well understood, companies should conduct supply chain risk analysis to determine whether and where they might face challenges in securing licences or other export authorisations, and whether and where they might face heightened risk of sanctions impacting their supply chains. Among other things, companies must know the source of their raw materials and other goods and have some understanding of how their suppliers conduct business. As part of the risk analysis, contracts should be reviewed to ensure that appropriate contractual language is employed and that the company is properly exercising its rights under each contract. Not only will such a risk analysis help identify and avoid potential pitfalls, but it can also serve as a baseline for demonstrating that a company’s compliance programme is being reasonably risk calibrated.
Companies operating across borders leave sanctions and export control compliance as an afterthought at their own peril. Companies should allocate adequate resources to this compliance function, both internally and through the use of outside advisers. The larger and more sophisticated the company and its global activities, the more enforcement authorities will expect to be invested in related compliance efforts.
It goes without saying that a company’s workforce can only address compliance risks if it is aware of and attuned to those risks. Training is therefore imperative, not only for those expected to serve as frontline compliance gatekeepers, but also for anyone in a function that touches on the supply chain. Personnel in finance and accounting, sales and marketing, logistics and fulfilment, and – critically – management should all have at least a baseline understanding of how sanctions and export controls work and impact the company and its supply chain, so that they can be positioned to identify, report and escalate red flags indicating potential violations as early as possible.
As the Xinjiang discussion above illustrates, due diligence is an increasingly important consideration when dealing with higher-risk markets. It will only become increasingly so as the Uyghur Forced Labor Prevention Act is implemented, new Russia sanctions take root and would-be sanctions evaders begin to seek outlets for their sourcing and sales needs. Just as a company should understand its goods and technology through classification, so too should it understand its counterparties and third-party partners through some level of due diligence. While the level and type of due diligence can and should be calibrated to the relative risks presented by the market, transactions and type of parties involved, it should not be ignored altogether. Further, an effective third-party due diligence programme can protect a company not just against sanctions and export control risk, but also against bribery and corruption risks, money laundering risks and business risks, including potential exposure to undue financial or reputational risks associated with human rights abusers or unqualified (or underqualified) partners and counterparties.
Screening is an often overlooked but mission-critical compliance strategy in the context of sanctions and export control compliance. Not only is it necessary to determine whether a company might be dealing with a designated sanctions target or export-restricted entity, but also whether it can be readily automated and built into existing business infrastructure such as enterprise resource planning platforms and payment systems.
Sanctions, export controls and import prohibitions typically operate separately from one another, but can be deployed in a coordinated and complementary way. In considering them, companies should bear in mind that when they see an emergent use of one to target particular conduct or companies, there is a good chance the other will follow.
One key consideration is that sanctions, export controls and import prohibitions can be ‘sticky’, insofar as they can follow a person or an entity as they operate outside their home jurisdiction based on their nationality, and they can follow a product as it moves through commerce because of its origin. For example, a US national working for a European company outside the United States cannot be involved in that company’s dealings with Iran without violating US sanctions (absent some licence or other authorisation). Similarly, a US-origin air traffic control system that has been exported to a customer in Europe will continue to be subject to US export controls in the event that the customer wants to re-export it to a recipient in Asia. Accordingly, the selling company may need to obtain a licence to conduct such a sale, even if none was required for the original export (as licensing requirements can vary depending on the country to which an item is being exported or re-exported). Export controls are also sticky insofar as they can attach to an item once it is imported into a jurisdiction, unless it is simply moving in transit through the jurisdiction or is being held in a free trade zone or other special-status area. As a result, it is important to have a thorough, holistic and comprehensive view of where and how sanctions and export controls can impact one’s organisation.
For example, it is not unusual for the documentation for an item originally exported from the United States to include EAR or OFAC declarations notifying any intermediate consignees or end users of the US origin of the shipment and asserted extraterritorial application of US laws and regulations. It is also the case that some US exporters request information and certifications to assess their potential export obligations and satisfy best practice guidance promulgated by the Bureau of Industry and Security (BIS) within the US Department of Commerce in support of efforts to ensure re-export controls are operating effectively and preventing improper diversion to prohibited end uses, end users and locations. Although these inquiries are not necessarily required, particularly in the case of exports of products subject to limited export classifications (e.g., the EAR99 catch-all classification under the EAR), BIS considers it a ‘red flag’ (that should be resolved before completion of a transaction) if a company refuses to cooperate with reasonable requests for information. Accordingly, unless there is a reasonable, good faith and readily articulable reason not to comply, counterparties making reasonable requests should be given adequate information and assurances to satisfy their inquiries. Finally, companies should be aware that while sanctions and export restrictions can be imposed quickly in the face of a developing foreign policy issue, the run up to the imposition often develops quite slowly and with a good deal of purposeful foreshadowing. In the example of the sanctioning of XPCC, the sanctions, Entity List designations and WROs were imposed only after a long campaign by workers’ rights organisations. The US government issued a detailed alert to industry forecasting its punch, and allowed a period of time for industry participants to revise their approach to the Xinjiang region. This is a familiar pattern in this space, and one that companies should be aware is likely to be repeated. To the extent that large and sophisticated human rights organisations put entities in their cross hairs, there is a significant risk that sanctions of some form will follow. Businesses should not wait for a designation or WRO to be issued before addressing potential issues and considering options for supply chain redundancy or other changes.
By the same token, sanctions and export controls can be nimble and quickly deployed, as we have seen in the case of the response to Russia’s invasion of Ukraine. Taking largely unforeseeable circumstances such as Russia’s aggression into account, having a well-trained compliance function in place, supported by trusted outside advisers, is the key to having the system resiliency needed to rapidly pivot in the wake of precipitous sanction and export control developments.
The export control and sanction regimes described above are complex, with a variety of overlapping considerations and jurisdictional vagaries that can vary from country to country and transaction to transaction, and that are subject to periodic amendment. Companies seeking to navigate them successfully need to thoroughly understand the goods and technology with which they deal, and the supply chains through which they operate.
 Alex J Brackett, J Patrick Rowan, Jason H Cowley, Laura C Marshall and Edwin O Childs, Jr are partners, and Elissa N Baur is an associate, at McGuireWoods LLP.
 These guidelines are located at 31 Code of Federal Regulations (CFR) Part 501, Appendix A.
 This concern was highlighted in some detail in a 23 July 2018 Advisory by the US Departments of the Treasury, State and Homeland Security entitled ‘Risks for Businesses with Supply Chain Links to North Korea’.
 See, e.g., U.S. Customs Ruling HQ H317249 (5 March 2021) (finding that the company did not have the clear and convincing evidence needed to overcome a presumption that imported goods were made using North Korean forced labour when manufactured at a specific Chinese company).
 The Entity List, which is maintained by the Bureau of Industry and Security (BIS) within the US Department of Commerce, is a list of individuals and entities (including businesses, research institutions, government and private organisations, individuals, and other types of legal persons) whose privilege to receive US exports has been limited or prohibited due to some form of misconduct or national security concern. Those placed on the Entity List, found in Supplement No. 4 to Part 744 of the Export Administration Regulations (EAR), are subject to specific licence requirements for the export, re-export or transfer (in-country) of specified items, supplemental to those found elsewhere in the EAR.
 These orders were authorised under Section 307 of the Tariff Act of 1930, which prohibits the importation of merchandise mined, produced or manufactured in any foreign country by convict labour or forced or indentured labour, including forced child labour.
 Pub L 117-78 (2021).
 This amendment was part of the Trade Facilitation and Trade Enforcement Act of 2015, signed on 24 February 2016.
 Although a destination control statement is not required for most EAR99 exports or most re-exports (see 15 CFR 732.5(b)), it is not unreasonable for a company to inquire as to end-user and end-use information to fully assess whether an export is allowable under General Prohibition Five (see 15 CFR §§ 732.3(m) (encouraging performance of ‘Know Your Customer’ due diligence) and 744.1 (regarding prohibited end uses and end users)).
 See 15 CFR Part 732, Supplement 3 (outlining guidance for ‘Know Your Customer’ due diligence); BIS, ‘Best Practices for Preventing Unlawful Diversion of U.S. Dual-Use Items Subject to the EAR, Particularly through Transshipment Trade’, available at www.bis.doc.gov/index.php/documents/pdfs/625-best-practices/file.
 See 15 CFR Part 732, Supplement 3 (identifying ‘red flags’: when ‘[t]he customer or purchasing agent is reluctant to offer information about the end-use of a product’; and ‘[w]hen questioned, the buyer is evasive or unclear about whether the purchased product is for domestic use, export or reexport’).