Last updated 2 weeks ago ago. Our resources are updated regularly but please keep in mind that links, programs, policies, and contact information do change.
American companies that flout export control laws face penalties that can destroy their businesses overnight.
These regulations are instruments of national security policy designed to keep sensitive technology away from adversaries, terrorists, and human rights abusers.
A single violation can trigger criminal charges, multimillion-dollar fines, and administrative sanctions that effectively ban companies from international trade. Recent cases show the government taking an increasingly aggressive approach, coordinating enforcement across multiple agencies to maximize punishment.
Three federal agencies run this system. The Commerce Department’s Bureau of Industry and Security controls “dual-use” items with both commercial and military applications. The State Department’s Directorate of Defense Trade Controls regulates weapons and military technology. The Treasury Department’s Office of Foreign Assets Control enforces economic sanctions.
For any company involved in international business, research, or technology, compliance isn’t optional. The government has designed penalties to ensure firms can’t simply treat fines as a cost of doing business.
The regulatory framework traces back to the Cold War, when the United States began systematically controlling technology exports to prevent adversaries from accessing sensitive capabilities. Today’s system evolved from those origins but has expanded dramatically to address modern threats including terrorism, weapons proliferation, cyber warfare, and human rights abuses.
Three Types of Punishment
Criminal Sanctions
The Justice Department reserves criminal prosecution for the most serious violations, particularly those committed willfully or with clear knowledge of wrongdoing. Companies can face fines of up to $1 million per violation. Individuals risk 20 years in federal prison and personal fines of $1 million.
Criminal cases often involve sophisticated schemes to evade export controls. Prosecutors typically pursue these cases when they can demonstrate deliberate circumvention, such as using shell companies, falsifying end-user certificates, or routing shipments through third countries to disguise their true destinations.
The government has increasingly used conspiracy charges in export control cases, allowing prosecutors to target entire organizations rather than just individuals directly involved in specific transactions. This approach can result in more severe sentences and broader liability for companies.
Recent criminal cases have involved everything from selling military-grade equipment to Iran and China to providing dual-use technology to sanctioned entities in Russia. The Justice Department has also prosecuted cases involving the theft of trade secrets for foreign governments, treating such cases as both export control violations and espionage.
Civil Monetary Penalties
These are the most common punishments, imposed directly by the regulatory agencies through administrative proceedings. The agencies don’t need to prove criminal intent—negligence or even strict liability can trigger massive fines.
The amounts can be staggering. Penalties are calculated per violation, so a series of illegal exports can quickly reach tens of millions of dollars. Many violations are calculated as the greater of a base amount (around $300,000) or twice the transaction value, meaning a single high-value export can trigger penalties worth millions.
The “per violation” calculation can be particularly devastating. Each shipment, each item, and sometimes each component within an item can constitute a separate violation. A company that ships 100 controlled items without licenses faces 100 separate penalties. The agencies have broad discretion in determining what constitutes a violation, giving them significant leverage in negotiations.
Civil penalties have grown substantially over the past decade as agencies have updated their penalty guidelines to reflect inflation and increase deterrent effects. The base penalty amounts are adjusted annually, ensuring they keep pace with economic growth and maintain their punitive impact.
Administrative Sanctions
For many companies, these non-monetary punishments are more feared than fines because they can kill a business entirely.
Denial of Export Privileges: The Commerce Department can ban a person or company from any transaction involving controlled items. More critically, it becomes illegal for anyone else to do business with the banned party, effectively cutting them off from the entire export economy.
This secondary effect creates a cascade of business relationships that immediately terminate. Suppliers stop shipping, customers cancel orders, and banks may refuse to process transactions. The reputational damage alone can persist long after the formal denial period ends.
Debarment: The State Department can prohibit companies from exporting weapons or military technology. For aerospace and defense firms, this is a corporate death sentence that also makes them ineligible for government contracts.
The defense industry’s interconnected nature means debarment often spreads through supply chains. Prime contractors must immediately terminate relationships with debarred subcontractors, creating ripple effects throughout the defense industrial base.
Asset Blocking: The Treasury Department can freeze all property and financial assets of sanctioned parties within U.S. jurisdiction, immediately cutting them off from the American financial system.
Asset blocking extends beyond bank accounts to include real estate, intellectual property, and even accounts receivable. The breadth of U.S. financial system reach means this sanction can affect assets worldwide if they touch American banks or payment systems.
The Ripple Effect
Government penalties are just the beginning. Enforcement actions trigger a cascade of consequences that can inflict lasting damage.
Public enforcement actions destroy customer trust and damage brands. Companies face delayed shipments and lost commercial relationships. A serious violation can render a firm ineligible for government contracts, devastating for technology and defense companies.
The reputational damage often exceeds the direct financial costs. Once a company appears on enforcement lists or in press releases, it becomes radioactive to many potential partners. Foreign companies may refuse to deal with firms that have violated U.S. export controls, even after penalties are resolved.
Settlement agreements frequently require expensive, multi-year compliance overhauls. Companies must hire external auditors and sometimes accept government-appointed monitors who report directly to regulators—effectively placing a federal watchdog inside the business.
These compliance programs can cost tens of millions of dollars and consume enormous management attention. External auditors bill hundreds of dollars per hour and may spend months or years reviewing every aspect of a company’s operations. Special compliance officers command six-figure salaries and have authority to veto business decisions they deem risky.
Insurance companies often exclude coverage for export control violations, leaving companies to bear the full cost of penalties and remediation. Standard commercial liability policies typically contain exclusions for violations of government regulations, particularly those related to national security.
Recent enforcement shows a trend toward “whole-of-government” coordination. A single illegal transaction can trigger investigations from multiple agencies, each with its own penalties. The 2023 Microsoft case involved both Commerce and Treasury. The 2025 Haas Automation case was a joint Commerce-Treasury effort. The landmark Binance resolution involved Treasury, Justice, the Financial Crimes Enforcement Network, and the Commodity Futures Trading Commission.
This coordinated approach reflects a broader government strategy to maximize deterrent effects and close regulatory gaps. Where companies might previously have faced action from a single agency, they now confront multiple prosecutors operating under different legal authorities with different penalty structures.
The coordination extends beyond enforcement to include intelligence sharing and joint investigations. Agencies increasingly share information about potential violations, creating a more comprehensive enforcement net. A tip to one agency about suspicious activity may trigger investigations by multiple departments.
For global companies, this multi-agency approach creates particular challenges. Different agencies may have conflicting priorities or interpretations of the same facts, forcing companies to navigate complex negotiations with multiple government entities simultaneously.
Maximum Statutory Penalties
| Agency/Regulation | Maximum Civil Penalty (per violation) | Maximum Criminal Fine (per violation) | Maximum Imprisonment |
|---|---|---|---|
| BIS / EAR | ~$300,000 or twice transaction value | $1 million | 20 years |
| DDTC / ITAR | Over $1 million | $1 million | 20 years |
| OFAC / IEEPA | ~$356,579 or twice transaction value | $1 million | 20 years |
Figures subject to periodic inflation adjustments
Commerce Department: Controlling Dual-Use Technology
The Bureau of Industry and Security has the broadest reach of the three agencies. Its Export Administration Regulations govern items that appear on the Commerce Control List—everything from advanced semiconductors to certain chemicals and biological materials.
The Commerce Control List contains thousands of items organized into ten broad categories: nuclear materials, materials, electronics, computers, telecommunications, sensors, navigation, marine technology, aerospace, and propulsion systems. Each item receives an Export Control Classification Number that determines licensing requirements based on destination, end-user, and intended use.
BIS jurisdiction extends beyond physical shipments to include electronic transmission of controlled software and technology. “Deemed exports” occur when controlled technology is shared with foreign nationals inside the United States. For universities and tech companies, this means that having a foreign employee or student work on a controlled project without a license constitutes an export violation.
The deemed export rule creates particular challenges for research institutions and technology companies that employ international talent. A foreign graduate student accessing controlled research data, or a foreign engineer reviewing controlled technical drawings, can trigger licensing requirements even though nothing physically leaves the United States.
Software and technology controls have become increasingly important as cyber threats evolve. BIS controls cybersecurity tools, encryption software, and artificial intelligence technologies that could be used for surveillance or military purposes. The agency has expanded controls on emerging technologies like quantum computing, biotechnology, and advanced manufacturing techniques.
Recent regulatory changes have added controls on items that support China’s military modernization and human rights abuses. New controls target technologies used for mass surveillance, facial recognition systems, and equipment that could support military operations in the South China Sea.
BIS also maintains the Entity List, which identifies foreign parties that pose national security or foreign policy concerns. Companies and individuals on this list face a presumption of license denial for most exports. The Entity List has grown dramatically in recent years, adding hundreds of Chinese companies, Russian entities, and other foreign parties deemed threats to U.S. interests.
The Corporate Death Penalty
BIS’s most powerful tool is the Denial of Export Privileges, formalized in a Denial Order. This administrative sanction prohibits a person or company from participating in any transaction involving items subject to export controls.
The prohibition is comprehensive. It bars the denied person from ordering, buying, receiving, using, or financing any transaction involving controlled items. More importantly, it makes it unlawful for anyone else to conduct such business with the denied person.
The secondary effect of denial orders creates what enforcement officials call a “scarlet letter” effect. Once denied, companies find themselves shunned by suppliers, customers, and business partners who fear their own liability for dealing with a denied party. This isolation often persists even after the formal denial period ends.
BIS can issue Temporary Denial Orders immediately without a hearing to prevent imminent violations. These orders last for renewable 180-day periods and serve as an emergency brake on ongoing illegal exports. The agency uses TDOs when it believes continued exports pose immediate threats to national security or foreign policy interests.
The agency can also deny export privileges for up to 10 years to anyone convicted of certain crimes, including violations of export control laws or sanctions. This statutory denial authority provides an additional tool for long-term punishment of serious violators.
Denial orders affect not just the named party but also their affiliates, subsidiaries, and in some cases, successor companies. BIS has broad authority to determine corporate relationships and can extend denials to prevent circumvention through related entities.
How BIS Decides Penalties
BIS follows detailed guidelines found in Supplement No. 1 to Part 766 of the Export Administration Regulations. The process weighs aggravating, general, and mitigating factors to determine appropriate penalties.
The penalty calculation begins with a base penalty amount that varies by violation type. For most violations, the base penalty is substantial—often hundreds of thousands of dollars per violation. The agency then applies multipliers based on various factors to reach a final penalty amount.
The most significant mitigating factor is Voluntary Self-Disclosure (VSD). Companies that report their own violations receive substantial credit and often face reduced penalties or warning letters with no fines. The VSD process requires companies to conduct thorough internal investigations and report their findings in detailed submissions to BIS.
Aggravating factors that increase penalties include:
- Willfulness or recklessness
- Deliberate concealment
- Potential harm to national security
- History of prior violations
- Management involvement
- Large transaction values
- Attempts to circumvent controls
- Failure to cooperate with investigations
Mitigating factors that reduce penalties include:
- Voluntary self-disclosure
- Exceptional cooperation
- Robust compliance programs
- First-time violations
- Isolated incidents
- Minimal harm to national security
- Small transaction values
- Prompt remedial action
BIS recently updated its penalty guidelines to remove caps that could artificially lower fines for high-value exports. The agency also added “deliberate failure to disclose a significant apparent violation” as an aggravating factor. Previously, not disclosing was neutral—now it actively works against companies.
The guidelines emphasize proportionality, requiring penalties to fit the severity of violations. However, they also stress deterrence, ensuring penalties are large enough to discourage future violations by the company and others in similar situations.
Recent Cases and Enforcement Trends
Haas Automation (2025): The major CNC machine manufacturer paid $2.5 million in combined BIS and Treasury penalties for selling parts to banned Chinese and Russian entities through foreign distributors. The case shows companies can’t outsource compliance responsibility—BIS held Haas liable for distributor actions.
The Haas case involved sales of precision machine tool components through a network of authorized foreign distributors. Some distributors resold components to entities on the BIS Entity List without Haas’s knowledge. BIS determined that Haas failed to exercise adequate due diligence over its distribution network and didn’t have sufficient controls to prevent unauthorized resales.
The enforcement action required Haas to implement enhanced distributor monitoring, conduct regular audits of foreign partners, and establish systems to track end-users throughout the supply chain. The company also agreed to hire an independent compliance monitor for three years.
Indiana University (2024): The university faced penalties for dozens of unlicensed exports of genetically modified fruit flies to research institutions worldwide. Though intended for basic research, the flies contained ricin subunits, making them controlled items requiring export licenses.
The Indiana University case highlights the challenges facing academic institutions. The fruit flies were used in legitimate scientific research on protein function, but their genetic modifications included sequences from ricin, a controlled biological agent. University researchers didn’t realize the exports required licenses because they viewed the organisms as basic research materials.
BIS credited the university’s voluntary self-disclosure and cooperation but noted that academic institutions have the same compliance obligations as commercial enterprises. The settlement included requirements for enhanced export control training for researchers and new procedures for reviewing international scientific collaborations.
First Call International: This company paid $439,992 for exporting military aircraft parts without licenses and submitting backdated documents to conceal the violations. The attempted cover-up was treated as a major aggravating factor.
The company exported helicopter parts to customers in several countries without obtaining required licenses. When BIS began investigating, company officials attempted to create false documentation showing the exports had been properly licensed. The obstruction of justice added substantially to the final penalty.
This case demonstrates BIS’s zero tolerance for concealment and obstruction. The penalty guidelines specifically identify attempts to mislead investigators as serious aggravating factors that can double or triple penalty amounts.
Semiconductor Equipment Companies: BIS has pursued several major cases against companies exporting semiconductor manufacturing equipment to China without licenses. These cases reflect the agency’s priority on protecting advanced semiconductor technology that could support China’s military modernization.
Recent cases have involved companies selling lithography equipment, chemical vapor deposition systems, and other tools used to manufacture advanced microchips. The equipment has both commercial and military applications, making it subject to licensing requirements for certain destinations.
Technology Transfer Cases: BIS has increased enforcement against deemed exports, particularly involving Chinese nationals accessing controlled technology at U.S. companies and universities. These cases don’t involve physical exports but treat the sharing of controlled technical information as equivalent to exports.
Recent deemed export cases have involved aerospace companies, defense contractors, and research universities. The violations typically occur when foreign nationals access controlled technical data without proper licenses, often because companies or institutions don’t understand the deemed export rules.
State Department: Weapons and Military Technology
When items are specifically designed for military use, they fall under the International Traffic in Arms Regulations, administered by the State Department’s Directorate of Defense Trade Controls. ITAR violations carry some of the most severe penalties in American law.
DDTC regulates exports, temporary imports, and brokering of defense articles, services, and technical data listed on the U.S. Munitions List. This includes obvious military hardware like tanks and missiles, but also firearms, military aircraft, satellites, protective equipment, and associated software and technical data.
The U.S. Munitions List encompasses 21 broad categories of defense items, from small arms and ammunition to spacecraft and nuclear weapons technology. The categories are intentionally broad, covering not just finished weapons but also components, accessories, attachments, parts, software, and technical data related to defense articles.
Category VIII covers aircraft and related items, including military helicopters, fighter jets, and unmanned aerial vehicles. This category has generated numerous enforcement cases as commercial companies inadvertently export parts that have both civilian and military applications.
Category XV covers spacecraft and related items, including satellites, launch vehicles, and ground control equipment. This category affects commercial space companies and has been the subject of significant regulatory reform as the commercial space industry has grown.
Any U.S. person or company manufacturing, exporting, or brokering these items must register with DDTC, regardless of whether they’ve actually exported anything. Registration is required even for companies that only provide technical data or defense services related to USML items.
The registration requirement extends to freight forwarders, consultants, and other service providers who facilitate defense trade. Even companies that occasionally provide services related to defense articles must register and comply with ITAR requirements.
DDTC has exclusive jurisdiction over defense articles, regardless of their potential civilian applications. This creates potential conflicts with BIS jurisdiction over dual-use items, requiring careful analysis to determine which agency has control over specific items.
Criminal and Civil Penalties
The Justice Department prosecutes criminal ITAR cases. Willful violations can result in fines up to $1 million per violation for companies and up to 20 years imprisonment for individuals.
Criminal ITAR cases often involve sophisticated schemes to evade controls on military technology. Recent prosecutions have targeted individuals and companies that attempted to export night vision equipment to hostile nations, provide military training to foreign forces without authorization, and transfer satellite technology to restricted countries.
The Justice Department has increasingly used the Foreign Agents Registration Act in conjunction with ITAR violations, particularly in cases involving foreign government influence operations. Individuals who provide defense services to foreign governments without proper registration and authorization face both ITAR and FARA violations.
DDTC can impose its own civil penalties exceeding $1 million per violation through administrative proceedings. Since each unauthorized export counts as a separate violation, patterns of non-compliance can quickly reach hundreds of millions in potential penalties.
Civil penalty amounts have increased dramatically over the past decade. The base penalty for most ITAR violations now exceeds $500,000 per violation, with aggravating factors potentially doubling or tripling that amount. The agency adjusts penalty amounts annually for inflation, ensuring their continued deterrent effect.
The penalty calculation process considers the nature of the defense article, the destination country, the end-user, and the potential harm to U.S. national security. Exports to adversary nations or to end-users with known military connections receive the highest penalties.
Debarment: The Corporate Death Penalty
For defense industry companies, debarment is the ultimate punishment. It prohibits participation in any ITAR-regulated activities and effectively expels companies from the defense industry.
Statutory debarment is automatically imposed following criminal convictions for violating weapons export laws or related national security statutes. It typically lasts three years and isn’t subject to agency discretion.
Statutory debarment occurs without any administrative proceedings or opportunity for mitigation. The conviction itself triggers the debarment, which begins immediately upon sentencing. This automatic nature makes criminal prosecution particularly feared in the defense industry.
Administrative debarment can be imposed for serious civil violations even without criminal convictions. While generally lasting three years, reinstatement isn’t automatic—companies must formally apply and undergo thorough State Department review.
Administrative debarment proceedings provide due process rights, including opportunities for hearings and appeals. However, DDTC has broad discretion in determining whether violations warrant debarment, and the agency typically pursues debarment for violations involving willful misconduct or serious national security harm.
Debarred companies lose export licenses and become blacklisted across the industry. Other government contractors are prohibited from doing business with them, often causing business collapse.
The ripple effects of debarment extend throughout the defense industrial base. Prime contractors must immediately terminate subcontracts with debarred entities, potentially disrupting major defense programs. The debarred company’s employees may find themselves unemployable in the defense industry, as other companies fear association with violators.
Foreign subsidiaries and affiliates of debarred U.S. companies also face restrictions, potentially destroying entire international business relationships. The global nature of modern defense manufacturing makes debarment particularly devastating for multinational corporations.
Consent Agreements
Most civil ITAR enforcement actions resolve through formal Consent Agreements between violating companies and the State Department. These aren’t simple settlements—they’re intensive, multi-year corporate reform programs.
Consent Agreements typically span three to five years and include detailed requirements for compliance program overhauls. The agreements often suspend portions of monetary penalties contingent on successful completion of remedial measures, creating powerful incentives for sustained compliance improvements.
Agreements typically include:
- Substantial monetary penalties (often tens of millions)
- Mandatory external audits by independent auditors
- Government-approved Special Compliance Officers with authority to oversee reforms
- Ongoing State Department supervision for three to four years
- Enhanced employee training programs
- Technology access controls
- Regular compliance certifications
External Audits: Companies must hire independent auditors approved by DDTC to conduct comprehensive reviews of their ITAR compliance programs. These audits examine every aspect of the company’s operations, from technical data controls to employee training records.
The audit requirements are extensive and expensive. Auditors bill hundreds of dollars per hour and may spend months reviewing documentation, interviewing employees, and testing compliance systems. Companies must pay these costs in addition to monetary penalties.
Special Compliance Officers: In serious cases, companies must appoint government-approved Special Compliance Officers with broad authority to oversee compliance reforms. SCOs have access to all company records, can interview any employee, and report directly to DDTC.
The SCO role represents significant intrusion into corporate governance. These individuals often command salaries exceeding $300,000 annually and have authority to veto business decisions they consider risky. Companies must provide SCOs with staff support and full access to corporate information.
Technology Controls: Consent Agreements typically require enhanced controls over technical data and defense articles. Companies must implement new systems for tracking access to controlled information, monitoring employee activities, and preventing unauthorized disclosures.
These technology controls can be particularly burdensome for companies with large engineering workforces or complex product development processes. Requirements may include segregated computer networks, enhanced physical security, and detailed access logs for all controlled information.
This framework ensures companies can’t simply pay fines and continue business as usual. They’re forced into expensive, invasive compliance rebuilding under direct government oversight.
Recent ITAR Enforcement Cases
Aerospace Manufacturing Company (2023): A major aerospace manufacturer paid $16 million to settle allegations that it provided defense services to foreign governments without proper authorization. The company’s foreign subsidiaries provided technical support for military aircraft operated by several allied nations without obtaining the required agreements from DDTC.
The case involved provision of maintenance, training, and technical assistance for military aircraft systems. While the recipient countries were U.S. allies, ITAR requires specific government-to-government agreements for such services. The company’s assumption that ally status exempted it from licensing requirements proved costly.
Satellite Technology Company (2022): This company settled for $13 million after exporting satellite components and technical data to foreign partners without licenses. The violations involved sharing detailed technical drawings and providing on-site technical assistance for satellite assembly in restricted countries.
The satellite industry has been a frequent target of ITAR enforcement as commercial space activities have expanded globally. Companies often underestimate the scope of ITAR controls over space technology, particularly regarding technical data and defense services.
Defense Contractor Subsidiary (2023): A foreign subsidiary of a major U.S. defense contractor paid $8.5 million for unauthorized exports of military vehicle components. The subsidiary sold armored vehicle parts to distributors who then resold them to unauthorized end-users in conflict zones.
This case demonstrates DDTC’s willingness to hold U.S. companies liable for the actions of their foreign subsidiaries. The parent company faced additional scrutiny regarding its oversight of subsidiary operations and compliance training for foreign personnel.
Training Services Company (2024): A private military training company paid $4.2 million for providing unauthorized defense services to foreign government forces. The company conducted tactical training and provided security consulting services without obtaining required DDTC approvals.
Private military contractors have faced increased ITAR enforcement as these services have expanded globally. Companies providing training, consulting, or security services to foreign military or police forces must obtain specific authorizations regardless of the recipient country’s ally status.
Software Development Company (2023): This technology company settled for $2.8 million after sharing controlled software source code with foreign developers. The software had applications in military command and control systems, making it subject to ITAR controls.
Software controls under ITAR have become increasingly important as defense systems rely more heavily on specialized computer programs. Companies often fail to recognize that software development and technical support activities can constitute defense services requiring licenses.
Treasury Department: Economic Sanctions
The Office of Foreign Assets Control wields economic sanctions as tools of foreign policy and national security. OFAC regulations can affect almost any international transaction connected to U.S. persons or the American financial system.
OFAC administers both comprehensive sanctions (broad embargoes against entire countries like Iran and North Korea) and targeted “smart” sanctions against specific individuals, entities, or economic sectors involved in terrorism, weapons proliferation, or other prohibited activities.
The cornerstone of OFAC’s power is the Specially Designated Nationals List—a public list of individuals and entities with whom U.S. persons are prohibited from dealing. Any property of listed parties within U.S. jurisdiction must be immediately blocked.
Criminal and Civil Penalties
Criminal violations prosecuted by Justice can result in corporate fines up to $1 million per violation and individual prison sentences up to 20 years.
OFAC can impose substantial civil penalties without court proceedings. Under the International Emergency Economic Powers Act, penalties can reach $356,579 per violation or twice the transaction value, whichever is greater. OFAC’s annual penalties regularly reach hundreds of millions and sometimes billions of dollars.
Asset Blocking and Seizure
OFAC’s power to freeze assets is immediate and absolute. When someone is added to the sanctions list, all their U.S. property is blocked—frozen but not confiscated. Owners can’t access, transfer, or use blocked property without specific OFAC authorization.
In certain circumstances, particularly in criminal cases, the government can permanently seize and take title to assets involved in sanctions violations.
Recent Major Cases
Binance (2023): OFAC imposed a $968 million penalty on the world’s largest cryptocurrency exchange as part of a $4.3 billion settlement with multiple agencies. Binance processed over 1.6 million transactions between U.S. and sanctioned users, including those in Iran, Syria, and Cuba. OFAC deemed the case “egregious” because senior management knew about violations and encouraged users to circumvent controls.
Microsoft (2023): The tech giant settled for $2.98 million in a coordinated action with Commerce. Violations included screening failures that allowed sales to prohibited parties and intentional circumvention by Russian subsidiary employees. OFAC deemed this “non-egregious” due to Microsoft’s voluntary disclosure, cooperation, and massive remedial measures including firing culpable employees.
3M Company (2023): The $9.6 million settlement involved a Swiss subsidiary selling goods to a German reseller knowing products were destined for Iran’s Law Enforcement Forces. OFAC found the violations “egregious” because subsidiary managers willfully violated sanctions despite numerous red flags.
Recent Major Enforcement Actions
| Company | Primary Agency(ies) | Year | Nature of Violation | Final Penalty |
|---|---|---|---|---|
| Binance | OFAC / DOJ / FinCEN / CFTC | 2023 | Egregious, willful sanctions violations in cryptocurrency; AML failures | ~$4.3 Billion |
| 3M Company | OFAC | 2023 | Egregious violations by foreign subsidiaries selling to prohibited Iranian entity | $9.6 Million |
| Microsoft Corp. | OFAC / BIS | 2023 | Non-egregious screening failures; mitigated by disclosure and remediation | ~$3.3 Million |
| Haas Automation | BIS / OFAC | 2025 | Sales to Entity List parties in Russia and China via distributors | ~$2.5 Million |
| Indiana University | BIS | 2024 | Unlicensed export of controlled biological materials for research | Administrative penalty |
Compliance Strategies
Voluntary Self-Disclosure
Across all three agencies, voluntarily reporting violations is the most important mitigating factor. When companies discover compliance failures, they face a critical choice: report it or hope the government never finds out.
Agencies provide significant credit for transparency. A formal voluntary self-disclosure demonstrates good faith and commitment to upholding the law. It allows companies to control the narrative and often results in reduced penalties or warning letters rather than major fines.
The VSD Process: Voluntary self-disclosures must meet specific requirements to receive full credit. Companies must conduct thorough internal investigations, document their findings comprehensively, and provide detailed reports to the relevant agencies.
The investigation process typically involves hiring external counsel experienced in export control matters. These attorneys work with company personnel to review transactions, interview employees, and analyze compliance systems to identify all potential violations.
Companies must disclose not just the violations they initially discovered but all related violations uncovered during the investigation. Partial disclosures that omit significant violations can be treated as concealment, potentially making the situation worse.
The disclosure itself must be comprehensive, including detailed descriptions of the violations, explanations of how they occurred, assessments of their significance, and descriptions of remedial actions taken or planned.
BIS now treats deliberate failure to disclose known, significant violations as an aggravating factor, making the decision to stay silent an active risk. Companies that learn of violations through whistleblowers, audits, or other internal processes face increasing pressure to report them promptly.
Timing Considerations: The timing of voluntary disclosures can significantly affect their value. Disclosures made promptly after discovery receive more credit than those made after significant delays or external pressure.
Companies should disclose violations as soon as they have sufficient information to provide a meaningful report. Delays to complete exhaustive investigations can reduce the value of the disclosure, particularly if the government learns of violations through other sources during the delay period.
Remedial Actions: Effective voluntary disclosures include detailed plans for remedial action to prevent future violations. Agencies expect companies to demonstrate that they’re taking compliance seriously through concrete measures.
Common remedial actions include enhanced compliance training, improved screening systems, organizational changes to compliance functions, and disciplinary action against responsible employees. The more comprehensive and credible the remedial plan, the more credit agencies provide.
Screening Requirements
A recurring theme in major enforcement cases is inadequate screening of customers, intermediaries, and end-users. The government created the Consolidated Screening List to simplify this process.
This free, publicly available tool consolidates more than a dozen export screening lists from Commerce, State, and Treasury into a single, searchable database. Regular screening against this list is fundamental due diligence.
Best Practices for Screening: Effective screening requires more than occasional database searches. Companies should implement systematic processes that screen all relevant parties before conducting transactions and regularly thereafter.
The screening process should cover not just direct customers but also intermediate consignees, freight forwarders, end-users, and any other parties involved in transactions. Each party should be screened against all relevant government lists.
Companies should also screen for close matches, not just exact matches, to account for variations in name spelling, transliteration differences, and potential evasion attempts. Sophisticated screening software can identify potential matches based on phonetic similarity and other factors.
Regular rescreening is essential because government lists change frequently. A customer who was permissible last month may have been added to a prohibited parties list since the last screening. Many companies implement daily or weekly rescreening of active customer databases.
Red Flags and Enhanced Due Diligence: Beyond list screening, companies should watch for red flags that may indicate sanctions or export control risks. Common red flags include unusual payment methods, complex shipping arrangements, reluctance to provide end-user information, and requests for products inconsistent with the customer’s stated business.
When red flags appear, companies should conduct enhanced due diligence to verify the legitimacy of transactions. This may include site visits, additional documentation requirements, and consultation with legal counsel.
The enhanced due diligence process should be documented to demonstrate good faith compliance efforts. Courts and regulators look favorably on companies that can show they identified potential risks and took reasonable steps to address them.
Cases against Microsoft and Haas Automation show that relying on intermediaries or having incomplete customer information isn’t a defense. Effective compliance requires recurring screening to catch list changes and ensure previously permissible customers haven’t been added to restricted party lists.
Building Effective Compliance Programs
The agencies have published detailed guidance on the elements of effective compliance programs. While specific requirements vary by industry and risk profile, certain common elements appear in all effective programs.
Senior Management Commitment: Effective compliance programs require visible, sustained commitment from senior management. This includes allocating adequate resources, establishing clear policies, and demonstrating through actions that compliance is a priority.
Management commitment must be more than rhetorical. Companies should allocate sufficient budget for compliance functions, provide compliance personnel with appropriate authority, and ensure that business incentives don’t conflict with compliance requirements.
Risk Assessment: Companies should conduct regular risk assessments to identify their specific export control and sanctions risks. These assessments should consider the company’s products, customers, destinations, and business model.
Risk assessments should be updated regularly as companies’ businesses evolve and as regulatory requirements change. New products, new markets, and new business relationships can create new risks that require updated compliance measures.
Policies and Procedures: Companies should maintain written policies and procedures that address their specific risks and provide clear guidance to employees. These documents should be regularly updated and easily accessible to relevant personnel.
Policies should cover all aspects of export control and sanctions compliance, including classification of products, licensing requirements, screening procedures, recordkeeping requirements, and reporting obligations.
Training and Communication: All relevant employees should receive regular training on export control and sanctions requirements. Training should be tailored to employees’ specific roles and responsibilities.
Training programs should be documented to demonstrate compliance with regulatory requirements. Companies should maintain records of who received training, when it was provided, and what topics were covered.
Monitoring and Testing: Companies should implement systems to monitor compliance with export control and sanctions requirements. This includes both automated systems and human oversight.
Regular testing of compliance systems helps identify weaknesses before they lead to violations. Many companies conduct annual compliance audits or engage external consultants to review their programs.
Recordkeeping: Comprehensive recordkeeping is essential for demonstrating compliance and supporting enforcement defense if violations occur. Companies should maintain detailed records of all relevant transactions and compliance activities.
Records should be organized and accessible to support both internal compliance monitoring and any government investigations. Poor recordkeeping can transform minor violations into major enforcement actions.
Industry-Specific Considerations
Different industries face different export control and sanctions risks, requiring tailored compliance approaches.
Technology Companies: Software and technology companies face particular challenges with deemed export controls and rapidly evolving technology controls. These companies should implement robust technical data access controls and regularly review their product classifications.
Cloud computing services raise complex jurisdictional questions about where data processing occurs and who has access to controlled technology. Companies providing these services should carefully analyze the export control implications of their offerings.
Financial Institutions: Banks and other financial institutions face extensive sanctions compliance obligations given their role in processing international payments. These institutions must maintain sophisticated screening systems and monitor transaction patterns for suspicious activity.
Correspondent banking relationships create particular compliance challenges, as institutions may be held liable for the compliance failures of their correspondents. Effective correspondent due diligence programs are essential.
Academic Institutions: Universities and research institutions must navigate complex rules around international students, visiting researchers, and collaborative research projects. These institutions should maintain specialized export control offices with expertise in academic compliance issues.
The fundamental research exclusion provides important protections for basic research, but institutions must understand its limits and requirements. Applied research and development projects may not qualify for the exclusion.
Defense Contractors: Companies in the defense industry face the full scope of ITAR requirements and must implement comprehensive compliance programs. These companies should maintain specialized ITAR compliance functions with appropriate expertise and authority.
Defense contractors must also navigate complex requirements around foreign ownership, control, or influence that can affect their ability to access controlled technology and participate in government contracts.
Government Resources
The enforcement agencies also provide extensive compliance guidance:
Bureau of Industry and Security:
- Main website with regulations and training materials
- Penalty guidelines explaining enforcement approach
- Database of past violations with detailed case summaries
- Violation reporting portal and hotline: 1-800-424-2980
- Industry-specific guidance documents and frequently asked questions
- Export control classification request process for product determinations
- Training seminars and webinars on compliance topics
Directorate of Defense Trade Controls:
- ITAR portal for regulations and licensing
- Penalty information and consent agreements
- Debarred parties list updated regularly
- Commodity jurisdiction request process for USML determinations
- Industry days and outreach events for defense contractors
- Advisory opinions on specific compliance questions
Office of Foreign Assets Control:
- Main website for all sanctions programs
- Enforcement information with detailed case studies
- Sanctions programs by country with program-specific guidance
- Violations hotline: 1-800-540-6322
- Frequently asked questions organized by sanctions program
- Industry-specific compliance guidance for financial institutions, cryptocurrency companies, and other sectors
- Economic sanctions enforcement guidelines explaining penalty calculation methodology
Additional Resources:
- Export compliance training providers offer specialized courses for different industries and roles
- Trade associations often provide industry-specific guidance and best practices
- Legal practitioners specializing in export controls and sanctions can provide tailored advice
- Government advisory committees provide forums for industry input on regulatory development
The Changing Enforcement Landscape
Recent trends show the government taking an increasingly aggressive approach to export control enforcement. Agencies are coordinating more frequently, removing penalty caps that limited fines, and treating concealment of violations as actively harmful rather than neutral.
The Microsoft and Binance cases illustrate how corporate culture and management response to violations heavily influence whether cases are deemed “egregious.” Companies that demonstrate willful blindness or active subversion face catastrophic penalties, while those showing proactive compliance, transparency, and robust remediation can significantly mitigate punishment.
Technological Challenges and Opportunities
The digital transformation of business operations has created new compliance challenges and opportunities. Cloud computing, remote work, and global data flows have complicated traditional concepts of export controls that were designed for physical shipments.
Cloud Computing Implications: Software-as-a-service and cloud computing platforms raise complex questions about where controlled technology is located and who has access to it. Companies providing cloud services must carefully analyze whether allowing foreign nationals to access controlled technology through cloud platforms constitutes deemed exports.
The jurisdictional complexity increases when cloud providers use multiple data centers across different countries. A U.S. company’s controlled technical data stored in a foreign data center may create unexpected export control implications.
Remote Work Challenges: The shift to remote work has complicated deemed export controls for companies with foreign national employees. When foreign nationals access controlled technical data from home computers or personal devices, companies may face additional compliance requirements.
Some companies have implemented technical controls to prevent foreign nationals from downloading or copying controlled information, while others have restructured their operations to segregate controlled and non-controlled activities.
Artificial Intelligence and Machine Learning: The rapid development of AI and machine learning technologies has created new categories of controlled items. BIS has added controls on certain AI chips, software, and algorithms that could support military applications or surveillance activities.
The dual-use nature of AI technology makes compliance particularly challenging, as the same algorithms used for commercial applications may have military or surveillance applications that trigger export controls.
Emerging Enforcement Priorities
The enforcement agencies have signaled several emerging priorities that reflect evolving national security threats and technological developments.
China-Related Enforcement: All three agencies have significantly increased enforcement actions related to China, reflecting broader strategic competition concerns. This includes not just traditional export control violations but also sanctions related to human rights abuses, military activities, and technology transfer.
The Entity List has added hundreds of Chinese companies and institutions, creating compliance challenges for U.S. companies with established Chinese business relationships. Companies must regularly review their Chinese partnerships and customer relationships to ensure continued compliance.
Cryptocurrency and Digital Assets: OFAC has increased focus on cryptocurrency exchanges, wallet providers, and other digital asset companies. These entities often lack traditional banking compliance experience but face identical sanctions obligations.
Recent enforcement actions have involved exchanges that failed to screen users against sanctions lists, processed transactions for prohibited jurisdictions, or facilitated ransomware payments to sanctioned entities. The pseudonymous nature of many cryptocurrency transactions creates particular compliance challenges.
Cybersecurity Tools and Surveillance Technology: BIS has expanded controls on cybersecurity tools, surveillance technology, and other items that could support human rights abuses or cyber attacks. These controls affect companies developing security software, facial recognition systems, and network monitoring tools.
The controls are designed to prevent authoritarian governments from acquiring tools that could be used to suppress human rights or conduct cyber operations against the United States and its allies.
Space Technology: The commercial space industry faces increasing scrutiny as launch capabilities and satellite technology become more sophisticated. DDTC has reformed some ITAR controls to support commercial space activities, but significant restrictions remain on advanced space technologies.
Recent enforcement actions have involved companies sharing satellite technology with foreign partners, providing launch services for foreign governments, and transferring space-related technical data without proper authorization.
Industry Adaptation and Best Practices
Industries subject to export controls and sanctions have developed increasingly sophisticated compliance approaches in response to enhanced enforcement.
Technology Sector Adaptations: Technology companies have implemented complex technical controls to segregate controlled and non-controlled information. These may include separate computer networks, restricted access systems, and technical barriers to prevent unauthorized data transfers.
Some companies have restructured their research and development operations to minimize export control implications, centralizing controlled activities in the United States and ensuring foreign nationals don’t access controlled information.
Financial Sector Innovations: Financial institutions have invested heavily in automated sanctions screening systems that can process millions of transactions daily. These systems use artificial intelligence and machine learning to identify potential sanctions violations in real-time.
Advanced analytics help identify suspicious transaction patterns that may indicate sanctions evasion attempts. Financial institutions increasingly share information about emerging sanctions risks through industry groups and regulatory channels.
Defense Industry Evolution: Defense contractors have developed comprehensive compliance programs that go far beyond minimum regulatory requirements. These programs often include regular third-party audits, extensive employee training, and sophisticated systems for tracking controlled items and technical data.
The defense industry has also adapted to increased foreign ownership restrictions by implementing firewalls between U.S. and foreign operations. Some companies have divested foreign subsidiaries to avoid potential compliance complications.
International Coordination and Extraterritorial Enforcement
U.S. export control and sanctions enforcement increasingly involves coordination with foreign partners and extraterritorial application of U.S. law.
Allied Coordination: The United States works closely with allies to coordinate export controls and sanctions, particularly regarding China, Russia, and other strategic competitors. This coordination can amplify the effects of U.S. controls and reduce opportunities for evasion.
Recent examples include coordinated semiconductor export controls with Japan and the Netherlands, aligned sanctions on Russia following its invasion of Ukraine, and joint efforts to prevent technology transfer to China’s military.
Extraterritorial Application: U.S. export controls and sanctions can apply to foreign companies through various jurisdictional theories. Foreign companies using U.S. technology, dealing with U.S. persons, or processing payments through U.S. financial institutions may face U.S. enforcement actions.
This extraterritorial reach creates compliance challenges for foreign companies that may not realize they’re subject to U.S. law. Recent enforcement actions have involved foreign companies that violated U.S. sanctions despite having minimal direct U.S. connections.
Secondary Sanctions: The United States has increasingly used secondary sanctions that threaten to cut foreign entities off from the U.S. financial system if they engage with primary sanctions targets. These sanctions can be particularly effective against major international companies that rely on access to U.S. markets.
Future Outlook and Recommendations
The trajectory of export control and sanctions enforcement suggests continued intensification and expansion of these regimes. Companies should prepare for:
Increased Penalties: Penalty amounts will likely continue increasing as agencies adjust for inflation and seek to enhance deterrent effects. The removal of penalty caps for high-value violations means that major violations could result in penalties exceeding $100 million.
Broader Scope: Export controls will likely expand to cover additional emerging technologies, including advanced AI systems, quantum technologies, biotechnology applications, and advanced manufacturing techniques. Companies in these sectors should closely monitor regulatory developments.
Enhanced Coordination: Multi-agency enforcement will become more common as the government seeks to close regulatory gaps and maximize enforcement impact. Companies may increasingly face simultaneous investigations by multiple agencies with different legal authorities.
Technological Innovation: Enforcement agencies will continue adopting new technologies to identify potential violations. This includes data analytics to identify suspicious trade patterns, artificial intelligence to screen large datasets, and blockchain analysis to track cryptocurrency transactions.
The Haas Automation case demonstrates that companies remain liable for the actions of their distributors and foreign partners. Using third-party sales models requires rigorous due diligence and oversight of the entire transaction chain.
For universities and research institutions, the Indiana University case shows that even basic research materials can fall under export controls if they contain controlled substances. Academic institutions need robust export control offices to navigate these requirements.
The landscape of American export controls reflects broader geopolitical tensions and national security priorities. As competition with China intensifies and technology becomes increasingly central to national security, companies can expect continued scrutiny and enforcement of these regulations.
The penalties are designed to be severe enough that compliance becomes the only rational business choice. For companies operating in international markets, understanding and following these rules isn’t just about avoiding fines—it’s about staying in business. The complexity of modern global commerce, combined with the severity of potential penalties, makes expert compliance advice essential for any company engaged in international activities.
Our articles make government information more accessible. Please consult a qualified professional for financial, legal, or health advice specific to your circumstances.