Categories
Blog

The Bosch Declineation, Part 5: Warnings in an Insufficient Compliance System

This final post in the Bosch series should not end with a victory lap about the DOJ Declination. That would be the wrong lesson. Bosch earned real credit for what it did after discovery: it disclosed, cooperated, remediated, added 66 trade compliance employees, expanded U.S. trade compliance resources, and resolved the matter with DOJ and BIS. Those are serious steps, and compliance professionals should not dismiss them.

But the Declination should not be mistaken for vindication. Bosch avoided prosecution because of what it did after the failure, not because the compliance program worked before the failure. The uncomfortable lesson is that Bosch apparently had to suffer an enforcement crisis, a $36 million BIS penalty, disgorgement, and a very public Order (and reputational hit) before it fully resourced and restructured the function. That is a very expensive way to find religion.

The core thesis of this series is that Bosch is the rare enforcement action that rewards post-discovery conduct while simultaneously exposing a pre-discovery compliance program that was under-resourced, under-expertized, and too willing to treat red flags as paperwork. Bosch did not lack all compliance infrastructure. That is what makes the case more troubling. It had processes. It had trade compliance personnel. It had internal blocks. It had external warnings. It had business personnel receiving certifications. It had opportunities to stop, ask, escalate, and reassess. Yet the wrong answer became institutional truth.

The failure was not one bad legal interpretation

Every compliance failure has a beginning. In Bosch, the initial guidance was erroneous regarding the impact of the August 2020 rule change on sales to Huawei. But that was not the whole failure. Bad advice happens. Complex regulations are difficult. People make mistakes. A mature compliance program is not measured by whether it never produces the wrong answer. It is measured by whether it can identify, challenge, correct, and contain the wrong answer before it metastasizes into operating policy. Bosch failed that test.

The BIS Order said Bosch had established export compliance processes, including U.S. export compliance processes, but its U.S. export compliance team lacked sufficient expertise and resources to address the August 2020 changes. During much of the relevant period, Bosch’s U.S. export controls team primarily consisted of two employees, only one of whom was primarily tasked with U.S. export controls advice.

That is not a rounding error. That is a resource model visibly misaligned with the risk profile of a global technology and manufacturing company with hundreds of thousands of employees, hundreds of subsidiaries, complex supply chains, and high-risk customers. Compliance professionals should say this plainly: you cannot run mission-critical regulatory risk on heroic undercapacity and then be surprised when the system breaks.

Expertise matters, and generic compliance experience is not enough

One of the sharper lessons from Bosch is that “having compliance people” is not the same thing as having the right compliance expertise. The Evaluation of Corporate Compliance Programs (ECCP) asks whether compliance personnel have the appropriate experience and qualifications for their roles, whether those qualifications have changed over time, how the company invests in further training, and who reviews the performance of the compliance function. Bosch’s facts read like an answer key in reverse.

The relevant compliance personnel misunderstood the rule, conflated separate concepts, and repeatedly relied on a flawed conclusion. That misunderstanding then became the basis for releasing orders and continuing sales. The issue was not merely a knowledge gap. It was an expertise governance failure: no second-level review, no effective challenge process, no documented reassessment trigger, and no apparent mechanism to say, “This conclusion is too consequential to rest on a thin and possibly confused analysis.”

For CCOs, the hard question is not whether your compliance team is busy. Everyone’s team is busy. The question is whether your team has the technical depth to manage the risks your business actually creates. If the answer is no, the next question is why the business is permitted to keep operating as if the answer were yes.

The company had warnings and treated them as noise

The most damning part of the Bosch story is not the original mistake. It is the persistence of the mistake after multiple warning signs. Company Four warned Bosch that equipment used in its factories included U.S.-export-controlled items and that products worked on by Company Four for Huawei might be prohibited from export. Company One asked Bosch personnel to sign a certification that should have forced reconciliation with Bosch’s prior guidance. Company Five told Bosch that products containing items manufactured by Company Five could not be provided to Huawei without authorization and even referenced the Seagate penalty. Contract manufacturer certifications repeated the same basic warning: these were not ordinary commercial forms; they were control documents.

This is where COSO Principle 15 becomes useful. Principle 15 is not only about what the company communicates outward to third parties. It also recognizes that third parties can provide information back to management about the effectiveness of internal controls and regulatory communications.

Bosch failed to treat third-party communications as control information. That is a blunt but fair reading. Supplier warnings were received. Certifications were signed. Objections were routed. But the organization lacked a system to convert that information into escalation, reconsideration, documentation, and action. That should bother every CCO. The problem was not that the information was hidden. The problem was that it was visible, yet it still did not matter enough.

Business pressure became a control weakness

The Bosch Order also shows how business pressure can quietly become a compliance override. When the U.S. trade compliance professional requested information from Bosch businesses, BST did not provide it. The response cited a “dire allocation situation” and the need to spare the team time. The order says that had BST answered the specific questions, Bosch’s U.S. trade compliance personnel likely would have identified the issue. That fact should stop compliance professionals cold.

A compliance information request tied to a major regulatory change should not be optional. It should not be negotiable because the business is under pressure. It should not depend on whether a senior business leader believes the issue was already “clarified.” The moment commercial urgency is allowed to excuse incomplete compliance fact-gathering, the control environment has already bent.

The hard question for CCOs is simple: when compliance asks for information necessary to assess legal risk, can the business say no? If the answer is yes, the company lacks an authorized compliance program, once again violating not only the tenets of a best-practice compliance program but also those of the ECCP. It has a request-and-hope function.

Remediation was real, but late

Bosch deserves credit for remediation. Adding 66 trade compliance employees is not a cosmetic move. Expanding U.S. trade compliance resources is meaningful. Updating policies and procedures to clarify U.S. export control jurisdiction and licensing requirements is exactly the kind of tangible remediation DOJ and BIS expect.

But compliance professionals should not miss the obvious: those resources came after the failure. The better compliance question is why those resources were not there before. Why did it take a public enforcement action to reveal that the compliance function was not staffed or expert for the company’s risk profile? Boards and senior executives often ask whether compliance needs more people. Bosch suggests a sharper question: what will it cost if we wait until the government answers that question for us?

Hard questions for compliance professionals

The Bosch series leaves CCOs with hard questions.

Who owns complex regulatory change from interpretation through operational implementation?

Who validates high-risk legal or compliance advice before the business relies on it?

Does high-risk advice have a lifecycle, including assumptions, facts reviewed, date issued, owner, and reassessment triggers?

Can compliance force a business unit to respond to fact-gathering requests before shipments can continue?

Are supplier letters, certifications, refusals, and regulatory objections tracked as compliance intelligence?

Are procurement, logistics, supply chain, legal, production, and contract management trained to recognize red flags in third-party communications?

Who reviews whether compliance has sufficient expertise, not just sufficient headcount?

Can the compliance function stop, hold, or escalate transactions when the facts are incomplete?

Does the internal audit test whether compliance blocks are released for sound reasons, or merely whether they were processed?

When a supplier tells the company, “You may have a compliance problem,” does the company investigate the warning or look for another supplier?

Those are not academic questions. Bosch shows what happens when the answers are weak.

The final word

Bosch is not a story about a company with no compliance program. It is more troubling than that. It is a story about a company with a compliance infrastructure that still failed when the business needed judgment, expertise, escalation, and courage.

The final lesson is systemic. Bosch’s failure was not one bad legal interpretation. It was a systemic breakdown: a wrong answer became institutional truth because no one had the expertise, authority, process, or discipline to challenge it.

That is the compliance lesson worth remembering. Not the declination. Not the headline penalty. Not even the technical export control issue. The real lesson is that compliance programs fail when they cannot recognize and act on the information already in front of them. Bosch had the warnings. It did not have a compliance system.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Bosch and the Foreign Direct Product Rule: Lessons from the Export Controls and NSD Settlement

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it in greater depth. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss the recent Bosch export controls enforcement action involving two German subsidiaries that sold about $72 million in advanced microsensors and software to Huawei from 2020 to late 2024

Their actions violate U.S. export controls tied to the Foreign Direct Product Rule and 2020 “footnote one” restrictions. Although Bosch voluntarily self-disclosed, cooperated, remediated, disgorged profits, and received a DOJ criminal Declination, BIS imposed a $36.1 million civil penalty, citing fundamental compliance failures: an understaffed and underqualified export controls function, confusion between the de minimis rule and the foreign direct product rule (which has no de minimis exception), and mishandling repeated external warnings from business partners and suppliers. They highlight internal control and communication breakdowns (including external signals) and the need to build specialized export/sanctions compliance capacity, noting BIS issued a compliance framework in 2020 and offers training.

Key highlights:

  • Bosch case overview
  • Understaffed compliance fallout
  • Ignored partner warnings
  • Declination and remediation
  • COSO signals and controls
  • Building export compliance muscle

Resources

Matt in Radical Compliance

Tom in the FCPA Compliance Blog: Part 1, Part 2, Part 3, Part 4, and Part 5 posts on Thursday, June 25.

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

The Bosch Delineation: Part 3 – Bosch and the ECCP: When Compliance Expertise and Resources Fail

As most readers know, sometimes when I get going on a multipart blog series, I either get carried away or simply cannot stop. Maybe sometimes it is both. This week is beginning to seem like one of those times. Today, I recorded an episode of Compliance into the Weeds with my co-host Matt Kelly, and we discussed some very interesting points from the enforcement action that I decided to keep going. (The episode will post on Wednesday, June 24.)

Over the past couple of blog posts, I have reviewed the DOJ Declination through the lens of the National Security Division. Today, I want to look at the BIS enforcement action and mine it for a different set of lessons learned.

The BIS enforcement is a useful case study for compliance professionals because it is not merely a story about a company without a compliance program. Rather, Bosch had export compliance processes, including U.S. export compliance processes. The failure was more subtle and more important: the compliance function lacked sufficient expertise and staffing to interpret a major regulatory change, translate that change into operational requirements, challenge incomplete business responses, and revisit advice when contrary facts emerged. BIS charged Bosch with 109 violations involving approximately $72.4 million in exports to Huawei without required authorization.

That is precisely the kind of failure the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) is designed to test. Under ECCP Section II, prosecutors ask whether the compliance program is “adequately resourced and empowered to function effectively.” Section II.B, “Autonomy and Resources,” directs prosecutors to examine whether compliance personnel have sufficient qualifications, seniority, and stature; sufficient resources, including staff to audit, document, and analyze; and sufficient autonomy from management, including access to the board or audit committee.

As laid out in the BIS enforcement action, Bosch failed in the Expertise requirement. The enforcement action stated:

Bosch’s U.S. export compliance team did not have sufficient expertise or resources at the time to adequately address the August 2020 changes to the EAR, namely, the FOP Rule, which expanded restrictions on Huawei. Bosch’s failure to have an effective U.S. export controls compliance program in place for BST and ETAS at this time contributed directly to the violations at issue in these charges.

Bosch also failed in the Resources requirement. Here, the enforcement action stated:

During most of the relevant period, Bosch’s export controls compliance team in the United States consisted primarily of two employees. These employees were responsible for advising Bosch’s central trade compliance function, based in Germany, and Bosch’s non-U.S. businesses on compliance with U.S. export control regulations. Only one of these employees was tasked primarily with advising on compliance with U.S. export controls. The second employee provided part-time assistance with U.S. export controls compliance while also focusing on U.S. customs and tariffs compliance. The U.S. trade compliance team included other employees primarily focused on U.S. customs and tariffs, who could occasionally assist with minor, discrete export controls questions.

1. Did compliance personnel have the right experience and qualifications?

The ECCP asks whether compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities. That question sits at the center of the Bosch enforcement action.

During much of the relevant period, Bosch’s U.S. export controls compliance team primarily consisted of two employees. Only one was tasked primarily with advising on U.S. export controls; the second provided part-time export controls assistance while also focusing on customs and tariffs. Other U.S. trade compliance personnel were primarily customs and tariffs employees who could occasionally assist with minor export controls questions.

That staffing model proved inadequate for the risk. BIS found that Bosch’s U.S. export compliance team lacked sufficient expertise or resources to address the August 2020 changes to the EAR, and that this failure directly contributed to the violations. Communications between U.S. and German trade compliance personnel showed confusion about the Foreign Direct Product Rule (FDPR). That confusion produced erroneous guidance: a Germany-based trade compliance employee advised BST (a Bosch German entity) management that if products contained less than 25% U.S. content and the U.S. content was not classified under certain ECCNs, there was no impact and no license requirement. BIS explained that this advice improperly confused and conflated the De Minimis Rule with the FDPR.

For compliance professionals, the lesson is direct. Experience and qualifications cannot be evaluated generically. “Trade compliance experience” is not the same as deep expertise in a specific high-risk, fast-changing legal regime. A compliance team may be experienced enough for ordinary classification, screening, and documentation work, but underqualified for a complex regulatory change affecting a major restricted customer, foreign production, production equipment, software, suppliers, and end-user certifications.

The same issue appeared in Bosch’s German subsidiaries, collectively known as ETAS, in the enforcement action. Bosch trade compliance personnel reviewed automotive software sales to Huawei but incorrectly concluded that the FDPR applied only to physical goods, not software. BIS said Bosch personnel repeatedly advised ETAS that the restrictions did not apply to CycurHSM software.

The broader point is that qualifications must match the company’s risk profile. For a global technology company operating across complex supply chains, compliance expertise must be technical, up to date, and operationally fluent.

2. Did the level of experience and qualifications change over time?

The ECCP also asks whether the level of experience and qualifications in compliance and control roles changed over time. Bosch is a warning about static capability in a dynamic risk environment.

After the original August 2020 advice, Bosch received repeated warnings that should have triggered reassessment. Company Four warned BST that equipment used in its factories included U.S. export-controlled equipment and that products worked on by Company Four for Huawei could be prohibited under the EAR. BST did not analyze whether that warning conflicted with Bosch’s internal understanding.

A Bosch trade compliance professional in the United States also sent a September 4, 2020, request for information to Bosch businesses, including BST. The request sought detailed information about production lines, production equipment, and U.S.-origin software and technology used in production. BST did not answer the specific questions. The BST Executive responded that the products had already been “clarified” as not impacted and cited a “dire allocation situation.” BIS found that, had BST answered the questions, Bosch’s U.S. trade compliance personnel likely would have identified the sensors as within the FDPR’s product scope.

The failure was not merely the first wrong answer. It was the absence of a mechanism to upgrade expertise, revisit assumptions, and escalate conflicting information. A mature compliance program treats major legal change as a trigger for a surge of resources, specialist review, and documented reassessment. It also treats repeated inconsistent data points as evidence that the original advice may no longer be reliable.

3. How did the company invest in training and development?

The ECCP asks how the company invests in further training and development of compliance and control personnel. Bosch shows that training cannot be limited to compliance staff alone.

Between 2021 and 2024, BST employees signed multiple compliance certifications for semiconductor manufacturers under contract. Those certifications stated that items produced by the manufacturers were subject to the EAR and required BST to certify that it would not provide such items to an entity with a footnote 1 designation. The relevant employees later explained that they signed because they did not understand that Huawei was a covered entity.

That is a gatekeeper training failure. Procurement, logistics, production, contract management, and customer-response personnel were all part of the control environment. They received supplier certifications, customer requests, internal guidance, and external warnings. Yet the process did not ensure they understood what those documents meant or when they had to escalate.

The lesson is practical: high-risk certifications should not be treated as administrative paperwork. They are control documents. Employees who sign them need tailored, role-based training. They should understand restricted-party designations, escalation triggers, the consequences of inaccurate certifications, and the limits of relying on old guidance.

Compliance personnel also need continuing education. Where regulations are complex and fast-moving, development should include external specialist support, second-level review of high-risk advice, lessons learned from enforcement actions, and technical briefings with engineering and supply chain personnel. Obviously, the regulations changed in 2020, but it appears Bosch trade compliance professionals received training on this change.

4. Who reviewed the performance of the compliance function?

The ECCP’s final question asks who reviews the performance of the compliance function and what the review process is. Bosch illustrates why that review must go beyond activity metrics.

BIS found that Bosch’s internal controls were insufficient to ensure that compliance advice was broadly distributed, independently reviewed, or reassessed to confirm that it was correct or updated for new facts. Bosch also implemented internal blocks on Huawei orders, but German trade compliance personnel repeatedly released those orders based on the erroneous August 2020 advice from the US trade compliance team.

A meaningful review process would have asked different questions: Were high-risk legal interpretations independently validated? Were assumptions documented? Were unanswered business information requests escalated? Were supplier warnings reconciled against prior advice? Were order-block releases reviewed for quality, not just processed for speed? Were compliance personnel empowered to say, “No complete data, no release”?

Performance review of compliance should include legal quality, escalation discipline, documentation, red-flag closure, audit findings, and whether the function has sufficient staff to do the work expected of it. It should also include board or audit committee visibility when resource constraints affect the company’s ability to manage material compliance risks.

Lessons learned for compliance professionals

The Bosch order offers several broader lessons.

  1. Compliance resources must be risk-based. A global company cannot judge staffing by historical headcount or budget inertia. Staffing must be measured against regulatory complexity, geographic scope, business volume, customer risk, and the operational burden of collecting facts.
  2. Specialist expertise matters. A general compliance function may identify issues, but complex regulatory regimes require personnel or advisors with deep subject-matter knowledge.
  3. Business pressure is a control risk. The “dire allocation situation” response mattered because it showed how operational urgency can displace compliance fact-gathering. A strong program requires mandatory responses to requests for compliance information.
  4. Advice must have a lifecycle. High-risk compliance advice should identify assumptions, facts reviewed, legal basis, owner, date issued, and reassessment triggers. It should not become a permanent operating authority unless periodically reviewed.
  5. Gatekeepers must be trained as gatekeepers. Employees who sign certifications, release orders, onboard suppliers, or respond to customers are part of the compliance control system.

The Bosch case is a reminder that a compliance program can have policies, procedures, and blocks and still fail. The ECCP asks whether compliance is adequately resourced and empowered. Bosch shows why that question matters. The issue is not whether compliance was present. The issue is whether compliance had the expertise, staff, authority, and review mechanisms necessary to function effectively when the business needed it most.

Categories
FCPA Compliance Report

FCPA Compliance Report – Navigating Export Control and Trade Sanction Challenges in Venezuela: Insights from Brent Carlson

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this inaugural episode of 2026, Tom Fox welcomes back Brent Carlson, a specialist in trade and economic sanctions, focusing on compliance issues related to Venezuela.

Tom and Brent discuss the shifting political landscape, potential business opportunities in the energy sector, and the steps compliance professionals need to take to navigate new regulations and restrictions from the export control and trade sanctions perspective. Brent emphasizes the importance of a robust, business-aligned compliance strategy, a non-siloed approach involving all risk disciplines, and proactive dialogue with regulators. They also discuss the heightened enforcement landscape and the need for companies to remain vigilant and adaptable in a rapidly changing global environment.

Key highlights:

  • Focus on Venezuela: Navigating Export Controls and Sanctions
  • Business Opportunities and Risks in Venezuela
  • Importance of Understanding Business Operations
  • Board of Directors: Asking the Right Questions
  • Geopolitical Changes and Risk Management

Resources:

Brent Carlson on LinkedIn

Red Flags Rising website

Tom Fox

Five-Part Blog Post Series on Doing Business in Venezuela on the FCPA Compliance and Ethics Blog

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Returning to Venezuela: Part 3 – Export Controls and the Illusion of “Reopening”

We continue to explore what the ‘reopening’ of Venezuela to US energy companies means for the compliance professional. Over the last two days, we considered the corruption issues in Parts One and Two of this blog post series. Today in Part 3, we look at export control and trade sanction issues. I spoke with Brent Carlson, founder of Red Flags Rising Solutions LLC, for his insights.

When the White House announces that U.S. oil companies may be returning to Venezuela, the business press immediately begins talking about opportunities. Compliance professionals should be talking about risk. Not hypothetical risk. Not academic risk. Real, layered, enterprise-threatening risk that sits at the intersection of export controls, sanctions, geopolitics, corruption, security, and board oversight. The conversation I recently had with Carlson makes one thing abundantly clear: Venezuela is not “opening.” It is recalibrating. And compliance programs that treat this moment as a return to business as usual will fail.

Venezuela Remains a High-Risk Jurisdiction by Design

Let us start with first principles. Venezuela remains designated as a D:5 country under the Export Administration Regulations (EAR). That places it in the most restrictive category, alongside jurisdictions such as Iran and North Korea. Even the shipment of EAR99 items can be problematic under the current framework.

That legal reality did not change simply because the President met with U.S. energy executives. Carlson is clear on this point. Whatever policy adjustments may come will be sector-specific, narrowly tailored, and aligned with geopolitical priorities, particularly oil production. There will not be a wholesale rollback of export controls or sanctions. For compliance professionals, this means one thing: the law today is the law as it existed yesterday. Until the Bureau of Industry and Security (BIS) and OFAC issue formal guidance, licenses, or regulatory amendments, nothing has changed.

Regulatory Enforcement Follows Politics, but Law Follows Process

One of the most important compliance insights Carlson offers is that regulatory enforcement follows political drivers, which in turn follow geopolitical drivers. That is undoubtedly true. But it is also where companies get themselves into trouble. Political signaling is not legal authorization. Tweets, speeches, and press briefings do not override the Export Administration Regulations, OFAC sanctions, or anti-money laundering laws. Compliance programs must be built to withstand whiplash, not chase headlines.

This is especially critical in Venezuela, where any meaningful restart of oil production will require billions of dollars, long project timelines, complex infrastructure, and sustained government engagement. These are not quick deals. They are multi-year commitments that must be compliant from day one.

Start With the Business, but Do Not Stop There

Carlson emphasizes that compliance analysis must begin with the business opportunity itself. What is the company actually trying to do? What products or services will be provided? Who will operate them? Where will the equipment go? Who will maintain it? For compliance professionals, this requires operational fluency that goes far beyond policy review. You must understand the business process step by step. Not in the abstract. Literally, transaction by transaction.

This exercise does more than identify export control risks. It exposes corruption, diversion, money laundering, security, and reputational risks. Venezuela is not a jurisdiction where silos survive.

Dual-Use Risk Is Not Theoretical in Venezuela

Any company operating in the energy sector must assume heightened scrutiny around dual-use items. Control systems, industrial machinery, software, and communications technology can all be repurposed. Carlson makes an important point here. Companies that manufacture or deploy these items already know where the risks are. The issue is not ignorance. The problem is prioritization and escalation.

This is where proactive engagement with the BIS becomes essential. Unlike some areas of compliance, export controls encourage dialogue with regulators. Companies can and should engage BIS field offices early to discuss proposed transactions, licensing pathways, and regulatory obstacles. This is not lobbying. It is compliance.

One of the most powerful insights in our discussion is the call for compliance professionals to sit down with business operations and map every operational step. This is not busywork. It is risk triage. Too often, compliance reviews occur after a deal is already emotionally committed. At that point, compliance becomes the obstacle rather than the enabler. Carlson is explicit: sales and operations teams do not want to waste time on deals that will collapse under regulatory scrutiny. When compliance is embedded early, it improves deal quality. It filters out bad opportunities and strengthens good ones. That is value creation.

Siloed Compliance Will Fail in Venezuela

If there is one jurisdiction where compliance silos are fatal, it is Venezuela. Export controls intersect with sanctions. Sanctions intersect with AML. AML intersects with corruption. Corruption intersects with security. Security intersects with human rights and ESG. Carlson cites enforcement actions where companies failed because information did not flow across functions. Finance saw one risk. Operations saw another. Compliance saw a third. No one saw the whole picture.

For Venezuela, companies must adopt a non-siloed, enterprise-wide risk model. Export control specialists must talk to anti-corruption teams. Treasury must talk to security. Legal must talk to operations. This is not optional.

Board Oversight Must Evolve Beyond Periodic Updates

Boards of directors will play a decisive role in whether companies succeed or fail in Venezuela. Carlson is clear that boards must demand updated, transaction-specific risk assessments focused on central compliance risks, not generic program health. This is not about micromanagement. It is about governance. Boards must understand that Venezuela presents a dynamic risk environment where geopolitical shifts can occur overnight. The right board questions are not “Do we have a compliance program? ” They are:

  • What export control risks are central to this opportunity?
  • What sanctions exposure remains?
  • How are we monitoring changes in real time?
  • What is our exit strategy if conditions reverse?

The Case for a Standing Enterprise Risk Committee

Carlson raises a critical governance concept: the need for a standing, cross-functional risk committee empowered to act quickly. Not an ad hoc task force. Not an annual review. A permanent capability. We are no longer in a stable geopolitical environment. Long-trusted partners can become sanctioned entities within weeks. Supply chains built over decades can collapse overnight. For compliance professionals, this reinforces the need for real-time risk sensing, escalation protocols, and decision authority. Venezuela is simply the proving ground.

Enforcement Is Coming, Not Fading

The most sobering warning Carlson offers is about enforcement. The U.S. government has been signaling for some time that export control enforcement will increase. DOJ’s Trade Fraud Task Force, BIS outreach visits, and expanded definitions of “knowledge” under the EAR all point in the same direction. Compliance professionals should recognize the parallel to early FCPA enforcement. Policies alone are not enough. Programs must demonstrate that they identify high-probability risks, escalate them, and act. Testing matters. Documentation matters. Integration matters.

Final Thoughts

The prospect of renewed oil activity in Venezuela is not a green light for compliance. It is a stress test. Companies that approach this moment with discipline, humility, and integrated risk management can create value while protecting themselves. Companies that treat it as a political reopening will find themselves exposed on multiple fronts. For compliance professionals, this is a defining moment. The question is not whether Venezuela is open for business. The question is whether your compliance program is ready for the real world.

Categories
Red Flags Rising

Red Flags Rising: S01 E33: Back to Basics

As the geopolitical and national political winds continue to swirl, Mike & Brent go back to basics to level-set and provide some foundational first principles of export controls compliance. They discuss the roller-coaster of the Affiliates Rule suspension (01:44); why the real risks from a compliance and enforcement perspective lay just outside of the Rule (02:37); how General Prohibition 10, the full definition of “knowledge” to include “an awareness of a high probability,” and the various inchoate provisions (i.e., causing, aiding and abetting, solicitation and attempt, conspiracy, acting with knowledge, misrepresentation and concealment, intent to evade, and failure to comply with recordkeeping requirements) are the foundational anti-diversion provisions under the U.S. Export Administration Regulations (EAR) (03:02); great listener feedback about how the Affiliates Rule shaped the in-house discussion of diversion risk (05:23); developing and implementing a high probability protocol as the only way to stay grounded in dynamic and challenging times (08:33); recent legislative proposals and hearings, including a recent hearing by a subcommittee of the House Foreign Affairs Committee focused on export control loopholes, and the dangers of a dissatisfied U.S. Congress (09:42); why the definition of “knowledge” under the EAR is not mere legalese to be lost in the 1,467 pages (as of January 1, 2025) of the EAR but is instead the path forward for both government and industry (14:18); the details and implications of General Prohibition 10 (17:11); the details of the full definition of “knowledge,” including what we can learn from its history in the U.S. Foreign Corrupt Practices Act and, before then, the Model Penal Code (18:48); and recent enforcement activity by DOJ and BIS, and what the activity signals about the government’s next enforcement moves (22:30).

They then conclude with the latest installment of Brent’s increasingly popular “Managing Up” segment (27:14).

Resources:

Brent’s latest NYU Law School Program on Corporate Compliance & Enforcement post, from October 31, 2025

Brent’s email: brent@redflagsrising.com

Mike’s email: michael.huneke@morganlewis.com

Categories
Red Flags Rising

Red Flags Rising: S01 E31: Running To and Through the Export Controls Investigation Finish Line – Avoiding Resolution Pitfalls and Monitoring What Matters

Mike and Brent take a break from Affiliates Rule (delayed) suspension news to focus on practical advice for companies that may be in the midst of U.S. government investigations into alleged export control violations. They discuss the importance of engaging with the government with an awareness and an appreciation for the latest enforcement trends and signals, particularly regarding the government’s emphasis on the full definition of “knowledge” to include “an awareness of a high probability” (00:49); the importance of not being surprised by these trends in the middle of an investigation (02:52); the dangers to the cost, delay, and outcome of any investigation for failing to perceive the signals through the noise (04:08); the particular relevance of these strategies in defending against allegations of entity-shifting (09:48); the need to consider waiving privilege over prior bad legal advice—especially to avoid paying more to protect an investigation that was triggered by adhering to the prior advice (11:52); what to look for in the terms of a proposed settlement agreement, including whether and how the company will be “covered” if there are post-resolution reports of additional, previously undisclosed pre-resolution misconduct (13:22) and executive officer certification requirements (16:51); and the importance in national security resolutions, where they are imposed, of having post-resolution independent monitors or independent compliance consultants commit to focused, risk-based post-resolution monitoring that direct addresses the root causes of the violations, to avoid “industrial tourism” and to best promote the national security objectives of the United States (19:34).

Then, conclude with the next installment of Brent Carlson’s “Managing Up” segment (23:37).

Resources:

Brent’s latest NYU Program on Corporate Compliance & Enforcement (PCCE) post, “From Peanuts to Elephant-Sized Penalties: A Fresh Look at Recent U.S. Export Controls Enforcement Developments & Future Trends” (Oct. 31, 2025)

Mike & Brent’s prior NYU PCCE post, “Monitoring What Matters: A Fresh Look Proposal to Government and Industry for How Post-Resolution Oversight Can Best Deny Hostile Actors the Means to Cause Deadly Harm” (Mar. 28, 2024)

Contact Brent: brent@redflagsrising.com

Contact Mike: michael.huneke@morganlewis.com

Categories
Red Flags Rising

Red Flags Rising: S01 E30: Look Before You Leap, Think Before You Speak

Fresh off the October 15, 2025, WIT-NC/PAEI/TTRA “Global Trade Compliance Best Practices Conference” in Santa Clara, California, Mike and Brent discuss the practical takeaways of several recent media reports and statements from the U.S. Congress, including how compliance programs that incorporate the high-probability standard give executives and spokespersons the most options. Specifically, they discuss the conference (00:49); the recent Affiliates Rule (01:27); why straightforward statements that a company “complies with the law” might generate cynicism from the public and inquiries as to how from the government (02:59); why it’s important for companies to consider the context in which their public statements will appear, even where they might not agree with the facts asserted in that context (04:06); how delegitimizing the laws in the eyes of the public might be one of the smugglers’ objectives (05:47); how thinking about compliance as never being a one-and-done solution can help avoid pitfalls in public statements (06:54); why it’s dangerous to rely upon assertions by anonymous “legal experts” reported in articles about the existence of loopholes, including because those loopholes do not actually exist (08:49); the importance of keeping in mind, in the context of the Entity List and the Affiliates Rule, that the List is but one part of U.S. export controls and statements that fixate on the Entity List’s applicability expose corporations to questions about their compliance with other catch-all provisions, with General Prohibition 10, and with the various inchoate provisions (10:27); the importance of appreciating that U.S. regulators read the news too (11:40); how the “high probability” standard can help companies in making enhancements to their compliance programs to better support broader public statements as to their compliance with the law (14:41); recent reports about U.S. items being sold for crime control purposes and attention from the U.S. Congress on those reports (15:03); similar risks related to the recent report by the U.S. House of Representatives’ Select Committee on the Chinese Communist Party (17:23); keeping in mind that your own disagreement with U.S. national security policy is not a defense to export controls promulgated in support of that policy (19:02); and the importance of having advisors who are viewed by the government as honest brokers that are not clinging to legacy views about the government’s intentions or authorities (21:07).

Mike and Brent then conclude with another installment of Brent Carlson’s “Managing Up” (23:29).

Resources:

Contact Brent: brent@redflagsrising.com

Contact Mike: michael.huneke@morganlewis.com

Learn more about the conference’s organizing associations:

Women in International Trade – Northern California (WIT-NC)

Professional Association of Exporters & Importers (PAEI)

Technology Trade Regulation Alliance (TTRA)

Categories
Red Flags Rising

Red Flags Rising: S01 E29: Affiliates Rule Aftermath – Finding the Right Path Forward

Mike and Brent take an even deeper dive into the “Affiliates” or “50%” Rule announced by the Bureau of Industry & Security (BIS) on September 29, 2025. They identify several misperceptions in the public discussion, explain why they are misperceptions, and identify the pitfalls of operating under those misperceptions—especially in response to inquiries by BIS about pre-rule due diligence on affiliates of entities on the entity list. Specifically, they discuss why the Affiliates Rule is a close cousin to the Office of Foreign Assets Control’s own 50% rule, but why and how BIS’s Affiliates Rule serves different national security objectives and operates a bit differently (02:42); whether the Affiliates Rule brings new compliance burdens and, if so, risk-based due diligence strategies and likely questions from BIS regarding why (10:26); why in the current geopolitical context the benefit of local, boots-on-the-ground compliance might be overstated—or significantly discounted by the U.S. government—and what to do about it (16:18); why it would be a mistake to think that BIS is not today able to bring enforcement actions based on the Affiliate Rule, especially given their ability to bring enforcement actions on the “full” definition of knowledge to include “an awareness of a high probability” (19:26); and why it is dangerous to think of “knowledge” as only “actual knowledge,” and thereby misperceiving that the new Affiliates Rule—by reminding everyone that the catch-all provision under which the Entity List is promulgated is a strict-liability regulation, even as to awareness—has someone taken away a previously available “absence of actual knowledge” defense (23:00).

Mike and Brent then offer practical tips for applying for the license available under the Affiliates Rule for situations where the exporter, reexporter, or transferor is aware of “red flags” as to ownership that it cannot resolve through risk-based due diligence (28:20).

Mike and Brent then conclude with a special edition of Brent Carlson’s “Managing Up,” in which Brent offers some valuable self-reflection (34:58).

Resources:

More about Brent: www.redflagsrising.com

Contact Brent: brent@redflagsrising.com

Mike: https://www.linkedin.com/in/mhuneke/https://www.morganlewis.com/bios/michaelhuneke

Contact Mike: michael.huneke@morganlewis.com

BIS’s “Export Control Decision Tree”

Categories
Red Flags Rising

Red Flags Rising: S01 E26 – Grab the Carrots, Avoid the Sticks, and Get Ready for More Transparency

Mike and Brent pick up the discussion from Episode 25 with some further thoughts on the proposed revenue-sharing arrangement between the U.S. government and certain exporters, including what should be anticipated from the U.S. government in terms of increased transparency (01:36), give their take on the Maintaining American Superiority by Improving Export Controls Transparency Act signed into law by the President, including both what it does do and what it doesn’t do (10:27), and provide their takes on the long-running media speculation about a so-called “50% rule” that would extend the Entity List maintained by the U.S. Bureau of Industry & Security (BIS) automatically to subsidiaries or affiliates owned 50% or more by a listed entity (18:53), including questions that the debate raises about what due diligence is being done now on subsidiaries and affiliates of listed entities, and important distinctions between U.S. economic sanctions—from where the 50% rule concept is being borrowed—and U.S. export controls that suggest the rule is better suited for the former than the latter.

They conclude with another installment of Brent Carlson’s “Managing Up” (26:25).

Resources:

Brent LinkedIn

Mike LinkedIn

Mike & Brent’s “Fresh Looks” Series