The Bosch Delineation: Part 3 – Bosch and the ECCP: When Compliance Expertise and Resources Fail

As most readers know, sometimes when I get going on a multipart blog series, I either get carried away or simply cannot stop. Maybe sometimes it is both. This week is beginning to seem like one of those times. Today, I recorded an episode of Compliance into the Weeds with my co-host Matt Kelly, and we discussed some very interesting points from the enforcement action, so I decided to keep going. (The episode will post on Wednesday, June 24.)

Over the past couple of blog posts, I have reviewed the DOJ Declination through the lens of the National Security Division. Today, I want to look at the BIS enforcement action and mine it for a different set of lessons learned.

The BIS enforcement is a useful case study for compliance professionals because it is not merely a story about a company without a compliance program. Rather, Bosch had export compliance processes, including U.S. export compliance processes. The failure was more subtle and more important: the compliance function lacked sufficient expertise and staffing to interpret a major regulatory change, translate that change into operational requirements, challenge incomplete business responses, and revisit advice when contrary facts emerged. BIS charged Bosch with 109 violations involving approximately $72.4 million in exports to Huawei without required authorization.

That is precisely the kind of failure the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) is designed to test. Under ECCP Section II, prosecutors ask whether the compliance program is “adequately resourced and empowered to function effectively.” Section II.B, “Autonomy and Resources,” directs prosecutors to examine whether compliance personnel have sufficient qualifications, seniority, and stature; sufficient resources, including staff to audit, document, and analyze; and sufficient autonomy from management, including access to the board or audit committee.

As laid out in the BIS enforcement action, Bosch failed in the Expertise requirement. The enforcement action stated:

Bosch’s U.S. export compliance team did not have sufficient expertise or resources at the time to adequately address the August 2020 changes to the EAR, namely, the FOP Rule, which expanded restrictions on Huawei. Bosch’s failure to have an effective U.S. export controls compliance program in place for BST and ETAS at this time contributed directly to the violations at issue in these charges.

Bosch also failed in the Resources requirement. Here, the enforcement action stated:

During most of the relevant period, Bosch’s export controls compliance team in the United States consisted primarily of two employees. These employees were responsible for advising Bosch’s central trade compliance function, based in Germany, and Bosch’s non-U.S. businesses on compliance with U.S. export control regulations. Only one of these employees was tasked primarily with advising on compliance with U.S. export controls. The second employee provided part-time assistance with U.S. export controls compliance while also focusing on U.S. customs and tariffs compliance. The U.S. trade compliance team included other employees primarily focused on U.S. customs and tariffs, who could occasionally assist with minor, discrete export controls questions.

1. Did compliance personnel have the right experience and qualifications?

The ECCP asks whether compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities. That question sits at the center of the Bosch enforcement action.

During much of the relevant period, Bosch’s U.S. export controls compliance team primarily consisted of two employees. Only one was tasked primarily with advising on U.S. export controls; the second provided part-time export controls assistance while also focusing on customs and tariffs. Other U.S. trade compliance personnel were primarily customs and tariffs employees who could occasionally assist with minor export controls questions.

That staffing model proved inadequate for the risk. BIS found that Bosch’s U.S. export compliance team lacked sufficient expertise or resources to address the August 2020 changes to the EAR, and that this failure directly contributed to the violations. Communications between U.S. and German trade compliance personnel showed confusion about the Foreign Direct Product Rule (FDPR). That confusion produced erroneous guidance: a Germany-based trade compliance employee advised BST (a Bosch German entity) management that if products contained less than 25% U.S. content and the U.S. content was not classified under certain ECCNs, there was no impact and no license requirement. BIS explained that this advice improperly confused and conflated the De Minimis Rule with the FDPR.

For compliance professionals, the lesson is direct. Experience and qualifications cannot be evaluated generically. “Trade compliance experience” is not the same as deep expertise in a specific high-risk, fast-changing legal regime. A compliance team may be experienced enough for ordinary classification, screening, and documentation work, but underqualified for a complex regulatory change affecting a major restricted customer, foreign production, production equipment, software, suppliers, and end-user certifications.

The same issue appeared at Bosch’s German subsidiaries, referred to collectively as ETAS in the enforcement action. Bosch trade compliance personnel reviewed automotive software sales to Huawei but incorrectly concluded that the FDPR applied only to physical goods, not software. BIS said Bosch personnel repeatedly advised ETAS that the restrictions did not apply to CycurHSM software.

The broader point is that qualifications must match the company’s risk profile. For a global technology company operating across complex supply chains, compliance expertise must be technical, up to date, and operationally fluent.

2. Did the level of experience and qualifications change over time?

The ECCP also asks whether the level of experience and qualifications in compliance and control roles changed over time. Bosch is a warning about static capability in a dynamic risk environment.

After the original August 2020 advice, Bosch received repeated warnings that should have triggered reassessment. Company Four warned BST that equipment used in its factories included U.S. export-controlled equipment and that products worked on by Company Four for Huawei could be prohibited under the EAR. BST did not analyze whether that warning conflicted with Bosch’s internal understanding.

A Bosch trade compliance professional in the United States also sent a September 4, 2020, request for information to Bosch businesses, including BST. The request sought detailed information about production lines, production equipment, and U.S.-origin software and technology used in production. BST did not answer the specific questions. The BST Executive responded that the products had already been “clarified” as not impacted and cited a “dire allocation situation.” BIS found that, had BST answered the questions, Bosch’s U.S. trade compliance personnel likely would have identified the sensors as within the FDPR’s product scope.

The failure was not merely the first wrong answer. It was the absence of a mechanism to upgrade expertise, revisit assumptions, and escalate conflicting information. A mature compliance program treats major legal change as a trigger for a surge of resources, specialist review, and documented reassessment. It also treats repeated inconsistent data points as evidence that the original advice may no longer be reliable.

3. How did the company invest in training and development?

The ECCP asks how the company invests in further training and development of compliance and control personnel. Bosch shows that training cannot be limited to compliance staff alone.

Between 2021 and 2024, BST employees signed multiple compliance certifications for semiconductor manufacturers under contract. Those certifications stated that items produced by the manufacturers were subject to the EAR and required BST to certify that it would not provide such items to an entity with a footnote 1 designation. The relevant employees later explained that they signed because they did not understand that Huawei was a covered entity.

That is a gatekeeper training failure. Procurement, logistics, production, contract management, and customer-response personnel were all part of the control environment. They received supplier certifications, customer requests, internal guidance, and external warnings. Yet the process did not ensure they understood what those documents meant or when they had to escalate.

The lesson is practical: high-risk certifications should not be treated as administrative paperwork. They are control documents. Employees who sign them need tailored, role-based training. They should understand restricted-party designations, escalation triggers, the consequences of inaccurate certifications, and the limits of relying on old guidance.

Compliance personnel also need continuing education. Where regulations are complex and fast-moving, development should include external specialist support, second-level review of high-risk advice, lessons learned from enforcement actions, and technical briefings with engineering and supply chain personnel. Obviously, the regulations changed in 2020, but it appears Bosch trade compliance professionals received training on this change.

4. Who reviewed the performance of the compliance function?

The ECCP’s final question asks who reviews the performance of the compliance function and what the review process is. Bosch illustrates why that review must go beyond activity metrics.

BIS found that Bosch’s internal controls were insufficient to ensure that compliance advice was broadly distributed, independently reviewed, or reassessed to confirm that it was correct or updated for new facts. Bosch also implemented internal blocks on Huawei orders, but German trade compliance personnel repeatedly released those orders based on the erroneous August 2020 advice from the U.S. trade compliance team.

A meaningful review process would have asked different questions: Were high-risk legal interpretations independently validated? Were assumptions documented? Were unanswered business information requests escalated? Were supplier warnings reconciled against prior advice? Were order-block releases reviewed for quality, not just processed for speed? Were compliance personnel empowered to say, “No complete data, no release”?

Performance review of compliance should include legal quality, escalation discipline, documentation, red-flag closure, audit findings, and whether the function has sufficient staff to do the work expected of it. It should also include board or audit committee visibility when resource constraints affect the company’s ability to manage material compliance risks.

Lessons learned for compliance professionals

The Bosch order offers several broader lessons.

  1. Compliance resources must be risk-based. A global company cannot judge staffing by historical headcount or budget inertia. Staffing must be measured against regulatory complexity, geographic scope, business volume, customer risk, and the operational burden of collecting facts.
  2. Specialist expertise matters. A general compliance function may identify issues, but complex regulatory regimes require personnel or advisors with deep subject-matter knowledge.
  3. Business pressure is a control risk. The “dire allocation situation” response mattered because it showed how operational urgency can displace compliance fact-gathering. A strong program requires mandatory responses to requests for compliance information.
  4. Advice must have a lifecycle. High-risk compliance advice should identify assumptions, facts reviewed, legal basis, owner, date issued, and reassessment triggers. It should not become a permanent operating authority unless periodically reviewed.
  5. Gatekeepers must be trained as gatekeepers. Employees who sign certifications, release orders, onboard suppliers, or respond to customers are part of the compliance control system.

The Bosch case is a reminder that a compliance program can have policies, procedures, and blocks and still fail. The ECCP asks whether compliance is adequately resourced and empowered. Bosch shows why that question matters. The issue is not whether compliance was present. The issue is whether compliance had the expertise, staff, authority, and review mechanisms necessary to function effectively when the business needed it most.