Categories
Blog

The Bosch Declineation, Part 5: Warnings in an Insufficient Compliance System

This final post in the Bosch series should not end with a victory lap about the DOJ Declination. That would be the wrong lesson. Bosch earned real credit for what it did after discovery: it disclosed, cooperated, remediated, added 66 trade compliance employees, expanded U.S. trade compliance resources, and resolved the matter with DOJ and BIS. Those are serious steps, and compliance professionals should not dismiss them.

But the Declination should not be mistaken for vindication. Bosch avoided prosecution because of what it did after the failure, not because the compliance program worked before the failure. The uncomfortable lesson is that Bosch apparently had to suffer an enforcement crisis, a $36 million BIS penalty, disgorgement, and a very public Order (and reputational hit) before it fully resourced and restructured the function. That is a very expensive way to find religion.

The core thesis of this series is that Bosch is the rare enforcement action that rewards post-discovery conduct while simultaneously exposing a pre-discovery compliance program that was under-resourced, under-expertized, and too willing to treat red flags as paperwork. Bosch did not lack all compliance infrastructure. That is what makes the case more troubling. It had processes. It had trade compliance personnel. It had internal blocks. It had external warnings. It had business personnel receiving certifications. It had opportunities to stop, ask, escalate, and reassess. Yet the wrong answer became institutional truth.

The failure was not one bad legal interpretation

Every compliance failure has a beginning. In Bosch, the initial guidance was erroneous regarding the impact of the August 2020 rule change on sales to Huawei. But that was not the whole failure. Bad advice happens. Complex regulations are difficult. People make mistakes. A mature compliance program is not measured by whether it never produces the wrong answer. It is measured by whether it can identify, challenge, correct, and contain the wrong answer before it metastasizes into operating policy. Bosch failed that test.

The BIS Order said Bosch had established export compliance processes, including U.S. export compliance processes, but its U.S. export compliance team lacked sufficient expertise and resources to address the August 2020 changes. During much of the relevant period, Bosch’s U.S. export controls team primarily consisted of two employees, only one of whom was primarily tasked with U.S. export controls advice.

That is not a rounding error. That is a resource model visibly misaligned with the risk profile of a global technology and manufacturing company with hundreds of thousands of employees, hundreds of subsidiaries, complex supply chains, and high-risk customers. Compliance professionals should say this plainly: you cannot run mission-critical regulatory risk on heroic undercapacity and then be surprised when the system breaks.

Expertise matters, and generic compliance experience is not enough

One of the sharper lessons from Bosch is that “having compliance people” is not the same thing as having the right compliance expertise. The Evaluation of Corporate Compliance Programs (ECCP) asks whether compliance personnel have the appropriate experience and qualifications for their roles, whether those qualifications have changed over time, how the company invests in further training, and who reviews the performance of the compliance function. Bosch’s facts read like an answer key in reverse.

The relevant compliance personnel misunderstood the rule, conflated separate concepts, and repeatedly relied on a flawed conclusion. That misunderstanding then became the basis for releasing orders and continuing sales. The issue was not merely a knowledge gap. It was an expertise governance failure: no second-level review, no effective challenge process, no documented reassessment trigger, and no apparent mechanism to say, “This conclusion is too consequential to rest on a thin and possibly confused analysis.”

For CCOs, the hard question is not whether your compliance team is busy. Everyone’s team is busy. The question is whether your team has the technical depth to manage the risks your business actually creates. If the answer is no, the next question is why the business is permitted to keep operating as if the answer were yes.

The company had warnings and treated them as noise

The most damning part of the Bosch story is not the original mistake. It is the persistence of the mistake after multiple warning signs. Company Four warned Bosch that equipment used in its factories included U.S.-export-controlled items and that products worked on by Company Four for Huawei might be prohibited from export. Company One asked Bosch personnel to sign a certification that should have forced reconciliation with Bosch’s prior guidance. Company Five told Bosch that products containing items manufactured by Company Five could not be provided to Huawei without authorization and even referenced the Seagate penalty. Contract manufacturer certifications repeated the same basic warning: these were not ordinary commercial forms; they were control documents.

This is where COSO Principle 15 becomes useful. Principle 15 is not only about what the company communicates outward to third parties. It also recognizes that third parties can provide information back to management about the effectiveness of internal controls and regulatory communications.

Bosch failed to treat third-party communications as control information. That is a blunt but fair reading. Supplier warnings were received. Certifications were signed. Objections were routed. But the organization lacked a system to convert that information into escalation, reconsideration, documentation, and action. That should bother every CCO. The problem was not that the information was hidden. The problem was that it was visible, yet it still did not matter enough.

Business pressure became a control weakness

The Bosch Order also shows how business pressure can quietly become a compliance override. When the U.S. trade compliance professional requested information from Bosch businesses, BST did not provide it. The response cited a “dire allocation situation” and the need to spare the team time. The order says that had BST answered the specific questions, Bosch’s U.S. trade compliance personnel likely would have identified the issue. That fact should stop compliance professionals cold.

A compliance information request tied to a major regulatory change should not be optional. It should not be negotiable because the business is under pressure. It should not depend on whether a senior business leader believes the issue was already “clarified.” The moment commercial urgency is allowed to excuse incomplete compliance fact-gathering, the control environment has already bent.

The hard question for CCOs is simple: when compliance asks for information necessary to assess legal risk, can the business say no? If the answer is yes, the company lacks an authorized compliance program, once again violating not only the tenets of a best-practice compliance program but also those of the ECCP. It has a request-and-hope function.

Remediation was real, but late

Bosch deserves credit for remediation. Adding 66 trade compliance employees is not a cosmetic move. Expanding U.S. trade compliance resources is meaningful. Updating policies and procedures to clarify U.S. export control jurisdiction and licensing requirements is exactly the kind of tangible remediation DOJ and BIS expect.

But compliance professionals should not miss the obvious: those resources came after the failure. The better compliance question is why those resources were not there before. Why did it take a public enforcement action to reveal that the compliance function was not staffed or expert for the company’s risk profile? Boards and senior executives often ask whether compliance needs more people. Bosch suggests a sharper question: what will it cost if we wait until the government answers that question for us?

Hard questions for compliance professionals

The Bosch series leaves CCOs with hard questions.

Who owns complex regulatory change from interpretation through operational implementation?

Who validates high-risk legal or compliance advice before the business relies on it?

Does high-risk advice have a lifecycle, including assumptions, facts reviewed, date issued, owner, and reassessment triggers?

Can compliance force a business unit to respond to fact-gathering requests before shipments can continue?

Are supplier letters, certifications, refusals, and regulatory objections tracked as compliance intelligence?

Are procurement, logistics, supply chain, legal, production, and contract management trained to recognize red flags in third-party communications?

Who reviews whether compliance has sufficient expertise, not just sufficient headcount?

Can the compliance function stop, hold, or escalate transactions when the facts are incomplete?

Does the internal audit test whether compliance blocks are released for sound reasons, or merely whether they were processed?

When a supplier tells the company, “You may have a compliance problem,” does the company investigate the warning or look for another supplier?

Those are not academic questions. Bosch shows what happens when the answers are weak.

The final word

Bosch is not a story about a company with no compliance program. It is more troubling than that. It is a story about a company with a compliance infrastructure that still failed when the business needed judgment, expertise, escalation, and courage.

The final lesson is systemic. Bosch’s failure was not one bad legal interpretation. It was a systemic breakdown: a wrong answer became institutional truth because no one had the expertise, authority, process, or discipline to challenge it.

That is the compliance lesson worth remembering. Not the declination. Not the headline penalty. Not even the technical export control issue. The real lesson is that compliance programs fail when they cannot recognize and act on the information already in front of them. Bosch had the warnings. It did not have a compliance system.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Bosch and the Foreign Direct Product Rule: Lessons from the Export Controls and NSD Settlement

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it in greater depth. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss the recent Bosch export controls enforcement action involving two German subsidiaries that sold about $72 million in advanced microsensors and software to Huawei from 2020 to late 2024

Their actions violate U.S. export controls tied to the Foreign Direct Product Rule and 2020 “footnote one” restrictions. Although Bosch voluntarily self-disclosed, cooperated, remediated, disgorged profits, and received a DOJ criminal Declination, BIS imposed a $36.1 million civil penalty, citing fundamental compliance failures: an understaffed and underqualified export controls function, confusion between the de minimis rule and the foreign direct product rule (which has no de minimis exception), and mishandling repeated external warnings from business partners and suppliers. They highlight internal control and communication breakdowns (including external signals) and the need to build specialized export/sanctions compliance capacity, noting BIS issued a compliance framework in 2020 and offers training.

Key highlights:

  • Bosch case overview
  • Understaffed compliance fallout
  • Ignored partner warnings
  • Declination and remediation
  • COSO signals and controls
  • Building export compliance muscle

Resources

Matt in Radical Compliance

Tom in the FCPA Compliance Blog: Part 1, Part 2, Part 3, Part 4, and Part 5 posts on Thursday, June 25.

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

The Bosch Delineation, Part 4: Third-Party Warnings and the COSO Principle 15 Failure

The Bosch enforcement action is, at one level, an export controls case. But for compliance professionals, it is also a communications failure. More specifically, it is a case study of what can happen when a company receives significant external compliance information but does not treat it as control-relevant intelligence.

That is why COSO 2013 Objective IV, Information and Communication, is such a useful lens for the penultimate post in this Bosch series. COSO Objective IV states that management must obtain, generate, and use relevant, high-quality information from both internal and external sources to support the functioning of internal control. It also describes communication as a continual, iterative process of providing, sharing, and obtaining necessary information. External communication is expressly twofold: it enables inbound communication of relevant external information and allows the organization to provide information externally in response to requirements and expectations.

That framework maps directly onto Bosch. The issue was not that Bosch lacked all information. The issue was that Bosch lacked an effective system to recognize, escalate, reconcile, and act on information it already had. The thesis is simple: Bosch failed to treat third-party communications as control information under COSO Principle 15. The Bosch order illustrates what a Principle 15 failure can look like in practice.

Principle 15: External communication is not just outbound messaging

Principle 15, “Communicate Externally,” is sometimes understood too narrowly. Companies often think of external communication as pushing information outward: codes of conduct, supplier expectations, hotline information, compliance certifications, contractual clauses, and policy requirements. Those are important. But they are only half the principle.

The COSO summary makes clear that Principle 15 also recognizes that outside parties can provide information to management about the effectiveness of internal controls and regulatory communications. In other words, third parties are not only recipients of compliance expectations. They can also be sources of control information. Compliance officers must evaluate communication lines to third parties because information can flow both ways: compliance obligations can go out, and compliance issues can come back.

That is the key Bosch lesson. Bosch’s suppliers and contract manufacturers were not merely exchanging paperwork. They were providing information that challenged Bosch’s existing compliance conclusion. They were telling Bosch, in substance, that something about the Huawei analysis might be wrong. Under Principle 15, those communications should have entered a controlled process for review, escalation, reconciliation, and documented decision-making.

As noted in the BIS-Bosch Order, Bosch continued to rely on erroneous guidance for more than four years despite indications that should have raised questions about the accuracy of the original August 25, 2020, guidance.

Company Four: the first external warning

Company Four sent BST’s (a Bosch subsidiary named in the Order) purchasing department a letter on September 2, 2020. It explained the relevant rule and advised BST that it should assume the equipment involved in Company Four’s assembly and test processes triggered the relevant product-scope provisions. Company Four also requested that BST complete a compliance certification addressing whether products processed by Company Four would be incorporated into items produced, purchased, or ordered by Huawei or whether Huawei was a party to any transaction involving Company Four’s product.

That communication should have been treated as a control event. It came from an external party with direct knowledge of its own production and testing environment. It raised a specific compliance concern. It requested a certification. It implicated a high-risk customer. It was precisely the kind of external information Principle 15 expects a company to receive, process, and use.

Bosch’s response illustrates the failure. BST’s purchasing and logistics personnel forwarded the letter to the BST Executive. Bosch trade compliance personnel in Germany then drafted a general but inaccurate response stating that BST’s transactions were compliant and that Company Four’s products were neither incorporated into nor used in products subject to the EAR. Company Four pushed back, noting that the response did not expressly address the recent Huawei-related changes and explicitly warned that equipment used at Company Four factories included U.S. export-controlled equipment. Company Four further stated that BST should assume that transferring products worked on by Company Four for Huawei might be prohibited. BST purchasing personnel took no further action, and BIS found that Bosch did not analyze the Company Four warning to determine whether Bosch’s own understanding was consistent with Company Four’s warning.

For CCOs, this is the moment Principle 15 becomes operational. An inbound external communication that contradicts internal guidance should trigger a defined escalation pathway. It should not depend on whether purchasing personnel recognize the warning’s legal significance.

Company One: the certification that should have forced reconciliation

Company One’s February 2021 certification request presented another clear opportunity. Company One asked personnel at a Bosch production facility to complete an end-user certification for items produced using Company One’s epitaxy machines. The certification required Bosch personnel to acknowledge that the machines’ direct products could be subject to licensing requirements if the relevant rule applied. It also asked Bosch personnel to certify that the machines would not be used in the production or development of items produced, purchased, or ordered by an entity with a footnote 1 designation.

This was not routine vendor paperwork. It was a third-party control communication requiring a representation from Bosch. Bosch personnel asked German trade compliance for advice. A Germany-based trade compliance employee correctly advised that Huawei was a footnote 1 entity and that products manufactured with Company One’s equipment must not be involved in business activities with Huawei if the document was to be signed. Yet when the BST Executive learned of the certification request separately, he provided the production facility personnel with the earlier email dated August 25, 2020, stating that the rule did not affect BST products. The production personnel then signed the certification without reconciling the conflicting guidance and the specific warning provided by Company One.

This is a classic internal-control breakdown. The external communication entered the organization. Compliance was consulted. A relevant warning was generated. But the organization lacked a mechanism to force reconciliation between the supplier certification, the newer internal advice, and the original advice. Principle 15 requires communication lines that allow external information to inform management’s understanding of control effectiveness. Here, the warning was received but not acted upon.

Company Five: The warning Bosch treated as a supplier problem

Company Five’s communication in June 2023 was even more striking. In connection with onboarding Company Five as a new contract semiconductor manufacturer, Company Five told BST that BST would not be able to provide products containing items manufactured by Company Five to Huawei without appropriate authorization. When BST procurement asked why, Company Five cited the relevant rule and referenced the $300 million penalty imposed on Seagate for sales to Huawei without authorization.

That should have triggered a broader question: if Company Five believed its manufacturing process created a restriction, why would Bosch assume that similar risks did not exist with other suppliers or contract manufacturers?

Instead, the response became supplier-specific. A Bosch trade compliance professional in Germany advised that Company Five’s position was based on its internal policy and not compelled by U.S. export requirements. BST’s Managing Director responded that Company Five’s position made it an unsuitable supplier. BIS found no evidence that BST management, procurement, or trade compliance personnel made appropriate efforts to understand why the restrictions cited by Company Five would not affect BST’s other suppliers or Bosch’s ability to sell sensors to Huawei.

For a CCO, this is a critical lesson. Third-party resistance is often compliance data. When a supplier refuses to proceed, demands a certification, cites a regulatory issue, or references a peer enforcement action, the company should not dismiss the issue as the supplier’s internal policy. It should ask whether the supplier has identified a risk that the company has missed.

Contract manufacturer certifications: repeated paperwork, repeated missed signals

Between 2021 and 2024, BST employees signed multiple compliance certifications for two contract semiconductor manufacturers involved in the BST Sensor production process, including Company Two. Each certification noted that items produced by the manufacturers were subject to the EAR and required BST to certify that it would not provide such items to a footnote 1 entity. The relevant BST personnel later explained that they signed the certifications because they did not understand that Huawei was a footnote 1 entity.

That fact is particularly important for compliance professionals because it shows how external communication failures often begin in business functions. Procurement, logistics, supply chain, legal, contract management, production, and customer response personnel may be the first employees to receive a supplier warning or to sign a certification. If they do not understand escalation triggers, the compliance function may never receive the information in a usable form.

Principle 15, therefore, requires more than an external-facing policy. It requires training and controls around inbound third-party information. Employees need to know that certifications, supplier refusals, regulatory references, customer warnings, and contract clauses may be compliance intelligence.

Lessons learned for compliance professionals

  1. Express third-party compliance communications as control information. Supplier letters, certifications, onboarding objections, contract restrictions, and compliance representations should be categorized, tracked, and reviewable.
  2. Build escalation triggers. Any third-party communication that references a restricted customer, a government list, a license requirement, a blocked transaction, sanctions/export rules, an enforcement action, or an inability to proceed should require escalation to compliance or legal.
  3. Require the reconciliation of conflicting information. When external warnings conflict with prior internal advice, the prior advice should not automatically control. The company should document the conflict, identify the owner, obtain subject-matter review, and record the final rationale.
  4. Train the first receivers. CCOs should ensure that procurement, logistics, supply chain, legal, production, and contract management personnel know when third-party communications are not merely commercial communications. They need practical examples and clear escalation channels.
  5. Track certifications centrally. Certifications signed by business personnel should be stored, searchable, and periodically reviewed by compliance. Repeated certifications on the same topic should be treated as a pattern rather than isolated paperwork.
  6. Treat supplier refusals as red flags. When a supplier does not support a transaction due to a compliance concern, the response should not be limited to replacing the supplier. Compliance should ask whether the supplier has exposed a broader control gap.
  7. Close the loop. Principle 15 is not satisfied when a third-party warning is forwarded. It is satisfied when the company receives the information, evaluates it, escalates it, acts on it, and documents the decision.
  8. Test the system. A CCO should be able to ask, “Can we identify all third-party compliance warnings received in the last year?” Who reviewed them? Which were escalated? Which changed a control, a customer decision, a supplier decision, or a legal conclusion?

The Bosch order demonstrates that compliance failures do not always arise from a lack of information. Sometimes the information is already inside the company. The failure is the absence of a system to recognize, escalate, and act on it. That is the core lesson of Principle 15, and it is one every CCO should take seriously.

Categories
Blog

The Bosch Declination: Part 2 – Lessons Learned in Transparency, Remediation, and the ECCP in Action

Every Chief Compliance Officer should study the Bosch declination because it answers a practical question: what does the DOJ reward when a company discovers serious national security compliance failures? It is also a useful case study for CCOs beyond export controls. It is a broader lesson in how enforcement authorities evaluate program effectiveness, internal controls, and corporate response after misconduct is identified.

The answer is not perfection. The answer is transparency, cooperation, remediation, resources, accountability, and governance. Bosch received a declination from the National Security Division under the DOJ’s Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) after self-disclosing export control issues, cooperating with the investigation, remediating, and resolving parallel civil exposure with BIS.

Lessons Learned

1. Manage Your Organization’s Risks

Those facts present the first lesson for CCOs. A compliance program must be built around the company’s actual risk profile. For a global technology and manufacturing company, that means export controls cannot be treated as a narrow legal specialty. They must be embedded into product development, sales, logistics, customer review, third-party engagement, software, engineering, and business approval processes.

This point aligns directly with the DOJ’s Evaluation of Corporate Compliance Programs (ECCP). The ECCP asks three fundamental questions: Is the program well designed? Is it applied earnestly and in good faith, meaning adequately resourced and empowered? Does it work in practice? DOJ also states that prosecutors evaluate the program at the time of the offense and at the time of charging or resolution.

The Bosch Declination demonstrates why those questions matter. A program may exist on paper, yet still fail if it lacks specialized knowledge, escalation paths, and operational integration. The Foreign Direct Product Rule (FDPR) is technical. It requires understanding product origin, technology lineage, software, manufacturing equipment, Entity List designations, and licensing requirements. If the compliance team lacks the expertise or access needed to analyze those issues, the control environment is not fit for purpose. Clearly, the Bosch compliance team lacked the expertise needed for trade compliance.

2. Quick Action-the Need for Speed

The second lesson is that detection and escalation remain central to program effectiveness. The DOJ credited Bosch with conducting an internal investigation after discovering the issues and voluntarily self-disclosing to both NSD and BIS while that investigation was still ongoing. That detail matters. Bosch did not wait for a perfect final report before going to the government. It identified the problem, investigated it, and disclosed it while continuing to learn the facts.

For CCOs, this is the real-world self-disclosure dilemma. Companies often want certainty before disclosure. DOJ policy rewards promptness. The Bosch matter shows that the government may credit a company that self-discloses while its internal investigation is still underway, provided the company preserves evidence, continues to develop the facts, cooperates, and remediates.

3. Active Cooperation

The third lesson is that cooperation must be active. The DOJ cited Bosch’s disclosure of relevant facts; the preservation, collection, and production of documents and information; and prompt, voluntary responses to CES requests following the self-disclosure. This is not passive cooperation. It is an organized, disciplined, and documented cooperation.

For the CCO, this means the company must be ready before a crisis. There should be an investigation protocol. There should be document preservation capabilities. There should be clarity on who owns export control investigations, who briefs the board, who coordinates with outside counsel, who manages government requests, and who ensures that remediation does not wait until the matter concludes.

4. Substantive Remediation

The fourth lesson is that remediation must be tangible. Bosch was credited with organizational changes, including adding 66 employees to its trade compliance organization, expanding U.S. trade compliance resources, and updating internal policies and procedures to clarify U.S. export control jurisdiction and licensing requirements.

That is an important message for every compliance leader. Remediation is not a memo. Remediation is not revised policy language alone. Remediation means changing the program so that the same issue is less likely to happen again. It means more resources where the risk requires them. It means better expertise. It means clearer rules. It means stronger controls. It means accountability. Law360 reported that Bosch also made organizational changes, imposed discipline, added trade compliance employees, expanded U.S. trade compliance resources, and updated internal policies and procedures.

5. Effectiveness

The fifth lesson is that the DOJ is connecting compliance effectiveness to enforcement outcomes. DOJ’s CEP is designed to encourage companies to invest in effective compliance programs, voluntarily self-report potential misconduct, cooperate with law enforcement, and rectify wrongdoing. The policy states that the DOJ will decline to prosecute when the company voluntarily self-discloses, fully cooperates, remediates in a timely and appropriate manner, has no aggravating circumstances, and is required to disgorge, forfeit, or otherwise compensate victims for the misconduct.

Bosch is the proof point. DOJ did not ignore the misconduct. Bosch agreed to disgorge $11,430,098, with a credit for amounts paid to BIS. BIS imposed a parallel civil penalty. DOJ also made clear that the declination did not protect individuals and that the investigation could be reopened if DOJ learned new information that changed its assessment or if disgorgement was not paid promptly.

That is a critical governance message. A declination is not a free pass. It is an enforcement outcome tied to conditions, cooperation, transparency, remediation, and accountability.

The Board Component

For boards, Bosch should be read as a Caremark-adjacent reminder that mission-critical compliance risks require real oversight. Export controls and sanctions are not technical back-office functions for global technology companies. They are national security, legal, operational, reputational, and business continuity risks.

The Bosch declination letter states that the company’s Management Board had been advised of the terms of the letter agreement and that Bosch’s Global General Counsel signed the agreement on behalf of the company. That is how these matters should land. Senior management and the board must understand the facts, the root cause, the remediation plan, the financial consequences, and the continuing obligations.

Boards should be asking whether the company has identified its mission-critical regulatory risks. For a technology, manufacturing, software, logistics, aerospace, life sciences, energy, or semiconductor company, export controls and sanctions may sit at the center of that risk map. The board should ask whether compliance has sufficient expertise, authority, budget, data access, and independence. It should ask whether management has tested the controls around high-risk customers, restricted parties, product classification, end-use, end-user, software, and foreign-produced items.

The ECCP reinforces this governance point. The DOJ expects prosecutors to consider whether a company has made significant investments in its compliance program and internal controls and whether improvements have been tested to demonstrate that they would prevent or detect similar misconduct in the future.

Top Five Takeaways

  1. Voluntary self-disclosure still matters. Bosch received credit because it disclosed to NSD and BIS while still under investigation and then continued to cooperate and remediate.
  2. Export controls are internal controls. FDPR risk requires more than screening. It requires integration across product, software, engineering, sales, legal, and compliance.
  3. Resources are evidence. DOJ credited Bosch for adding 66 trade compliance employees and expanding U.S. trade compliance resources. That is remediation prosecutors can see.
  4. The ECCP is a governance tool. CCOs should use the ECCP’s three questions to assess whether the program is well designed, empowered, resourced, and working in practice.
  5. Boards must oversee national security risks. Export controls and sanctions are mission-critical risks for many global companies. Bosch shows that transparency and remediation can materially shape the enforcement outcome.

The Bosch remediation was not cosmetic. Adding 66 trade compliance employees and expanding U.S. trade compliance resources communicates seriousness. It tells enforcement authorities that the company understood the root cause and invested in fixing it. CCOs should take that lesson directly to the board. Compliance resources should follow risk. Where the business model creates national security exposure, compliance must have the technical capability to match that risk.

Categories
Blog

The Bosch Declination: Part 1 – The DOJ’s New National Security Enforcement Playbook

The Bosch Declination is an important early marker in the Department of Justice’s new corporate enforcement architecture. It is also a practical case study in how export controls, national security compliance, voluntary self-disclosure, and remediation now intersect under the Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy. Over the next two blog posts, we will consider this Declination. Today we look at the Declination itself. In the next blog post (on Monday), we will consider the lessons for compliance professionals.

On June 17, 2026, the DOJ announced that the National Security Division had declined prosecution of Robert Bosch GmbH, resolving an investigation into an alleged scheme involving the export of products and software to an Entity-listed company in the People’s Republic of China. The Declination was reached under Part I of DOJ’s Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy, after DOJ considered the Principles of Federal Prosecution of Business Organizations. DOJ stated that Bosch promptly disclosed the misconduct to NSD, fully cooperated, and timely and appropriately remediated, with no aggravating circumstances present.

The facts are significant. The DOJ’s Declination letter states that from approximately September 2020 to September 2024, Bosch, through two non-U.S. subsidiaries, re-exported more than $70 million in foreign-produced Micro-Electro-Mechanical Systems sensor products and foreign-produced software to Huawei Technologies Co., Ltd. and its affiliates on the Entity List, including Huawei Tech. Investment Co., Ltd., Hong Kong. DOJ identified the two Bosch subsidiaries as Bosch Sensortec GmbH and ETAS GmbH. According to the DOJ, the products were provided without the required license or authorization from the Department of Commerce’s Bureau of Industry and Security, in violation of the Export Administration Regulations.

The central export control issue was the Entity List Foreign Direct Product Rule, or FDPR. The DOJ stated that BST and ETAS provided Huawei with foreign-produced items subject to the EAR under the Entity List FDPR for designated entities, without obtaining the required authorization from BIS. DOJ further found that Bosch’s trade compliance personnel were “ill-equipped” to provide accurate guidance on the FDPR. The investigation also identified ongoing sales despite several missed opportunities in which third-party companies had identified potential FDPR applications for Bosch products or equipment used in providing services. DOJ calculated that Bosch made approximately $11,430,098 in pre-tax profits from the conduct.

That fact pattern is important for compliance professionals because this was not described as a simple denied-party screening failure. It involved the intersection of foreign-produced products, U.S.-origin technology or software, non-U.S. subsidiaries, Entity List restrictions, and a rule that requires sophisticated technical, legal, and operational judgment. This is precisely the type of export control risk that can sit outside traditional compliance comfort zones. It may involve engineering data, manufacturing equipment, software lineage, product classification, third-party technical inputs, and commercial teams operating far from the United States.

The DOJ letter also makes clear that Bosch’s response mattered. DOJ stated that, after discovering the issues, Bosch conducted an internal investigation and voluntarily self-disclosed the matter to both the National Security Division’s Counterintelligence and Export Control Section and BIS. In contrast, the internal investigation was still ongoing. Bosch also remediated promptly and appropriately. The Declination letter notes that Bosch’s internal investigation uncovered numerous mistakes in applying the FDPR to Huawei sales. However, Bosch did not believe those mistakes rose to the level of willfulness required for criminal violations under the Export Control Reform Act.

The DOJ’s decision rested on four factors. First, Bosch made a timely and voluntary self-disclosure. Second, Bosch cooperated, including by disclosing relevant facts, preserving, collecting, and producing documents and information, and promptly responding to NSD requests. Third, Bosch remediated, including through organizational changes, adding 66 employees to its trade compliance organization, expanding U.S. trade compliance resources, and updating policies and procedures to provide clearer guidance on U.S. export control jurisdiction and licensing requirements. Fourth, DOJ found that regulatory remedies were adequate, specifically the approximately $36 million penalty imposed by BIS for civil violations under the ECRA and EAR.

The financial terms are also instructive. The DOJ conditioned the Declination on Bosch’s agreement to disgorge $11,430,098 within thirty days. That amount represented the pre-tax profits from sales to Huawei through BST and ETAS for products for which Bosch had not obtained the required EAR authorization. DOJ agreed to credit $7,829,069 paid by Bosch to BIS in the parallel resolution against the disgorgement amount.

Law360 reported that Bosch agreed to pay $36 million to resolve allegations that it improperly exported technology products to Huawei, with the payment amount including profit disgorgement under the DOJ Declination and a penalty under the parallel BIS agreement. Law360 also reported that Bosch said the civil violations were unintentional. That, upon discovering the potential export control violations, it conducted an extensive investigation, voluntarily self-disclosed to U.S. authorities, and cooperated throughout the process.

The timing matters. The DOJ released its first Department-wide Corporate Enforcement Policy for criminal matters on March 10, 2026. That policy was designed to provide uniformity, predictability, and fairness across DOJ corporate criminal enforcement. DOJ stated that, absent certain limited aggravating circumstances, companies that voluntarily disclose discovered misconduct, cooperate, and timely and appropriately remediate may receive a declination.

The Bosch matter is also tied directly to NSD’s export control and sanctions enforcement priorities. DOJ’s March 30, 2026, NSD guidance stated that enforcing export control and sanctions laws is a top priority for NSD and that companies and employees are at the forefront of protecting U.S. national security by preventing unlawful exports of sensitive commodities, technologies, and services, as well as unlawful transactions with sanctioned countries and designated parties.

In that context, Bosch is not merely an export controls case. It is the first public example of how NSD will apply the new Department-wide CEP to a national security matter. DOJ stated that this was the first time NSD had declined to prosecute a company under the CEP.

For trade compliance professionals, the facts underscore several enforcement realities. Export control jurisdiction can attach to foreign-produced items. Non-U.S. subsidiaries can create U.S. enforcement exposure. Entity List designations require more than customer screening. FDPR analysis must be integrated into product classification, sales review, engineering support, and third-party risk management. A compliance program that lacks the technical competency to interpret the rule can fail even when employees are trying to comply.

This is where the facts become the enforcement message. DOJ did not say Bosch had no compliance program. The DOJ said the relevant personnel were ill-equipped on a critical rule and that third-party warning signs were missed. In other words, the issue was not simply whether the company had a trade compliance function. The issue was whether that function had the expertise, authority, resources, and escalation mechanisms to identify and stop sales governed by complex national security controls.

The Bosch Declination also shows that voluntary self-disclosure continues to have real value, but only when paired with cooperation and remediation. DOJ did not reward disclosure alone. It credited Bosch for preserving and producing facts, responding promptly, making organizational changes, expanding resources, adding personnel, strengthening policies, accepting disgorgement, and resolving the civil matter with BIS.

That is the factual landscape. On Monday, we will turn from the facts to the lessons. For CCOs, Bosch is not simply a trade compliance resolution. It is a case study in what DOJ expects from compliance governance, internal controls, resources, remediation, and board oversight when national security risk moves from theoretical to real.