Categories
Blog

The Bosch Declineation, Part 5: Warnings in an Insufficient Compliance System

This final post in the Bosch series should not end with a victory lap about the DOJ Declination. That would be the wrong lesson. Bosch earned real credit for what it did after discovery: it disclosed, cooperated, remediated, added 66 trade compliance employees, expanded U.S. trade compliance resources, and resolved the matter with DOJ and BIS. Those are serious steps, and compliance professionals should not dismiss them.

But the Declination should not be mistaken for vindication. Bosch avoided prosecution because of what it did after the failure, not because the compliance program worked before the failure. The uncomfortable lesson is that Bosch apparently had to suffer an enforcement crisis, a $36 million BIS penalty, disgorgement, and a very public Order (and reputational hit) before it fully resourced and restructured the function. That is a very expensive way to find religion.

The core thesis of this series is that Bosch is the rare enforcement action that rewards post-discovery conduct while simultaneously exposing a pre-discovery compliance program that was under-resourced, under-expertized, and too willing to treat red flags as paperwork. Bosch did not lack all compliance infrastructure. That is what makes the case more troubling. It had processes. It had trade compliance personnel. It had internal blocks. It had external warnings. It had business personnel receiving certifications. It had opportunities to stop, ask, escalate, and reassess. Yet the wrong answer became institutional truth.

The failure was not one bad legal interpretation

Every compliance failure has a beginning. In Bosch, the initial guidance was erroneous regarding the impact of the August 2020 rule change on sales to Huawei. But that was not the whole failure. Bad advice happens. Complex regulations are difficult. People make mistakes. A mature compliance program is not measured by whether it never produces the wrong answer. It is measured by whether it can identify, challenge, correct, and contain the wrong answer before it metastasizes into operating policy. Bosch failed that test.

The BIS Order said Bosch had established export compliance processes, including U.S. export compliance processes, but its U.S. export compliance team lacked sufficient expertise and resources to address the August 2020 changes. During much of the relevant period, Bosch’s U.S. export controls team primarily consisted of two employees, only one of whom was primarily tasked with U.S. export controls advice.

That is not a rounding error. That is a resource model visibly misaligned with the risk profile of a global technology and manufacturing company with hundreds of thousands of employees, hundreds of subsidiaries, complex supply chains, and high-risk customers. Compliance professionals should say this plainly: you cannot run mission-critical regulatory risk on heroic undercapacity and then be surprised when the system breaks.

Expertise matters, and generic compliance experience is not enough

One of the sharper lessons from Bosch is that “having compliance people” is not the same thing as having the right compliance expertise. The Evaluation of Corporate Compliance Programs (ECCP) asks whether compliance personnel have the appropriate experience and qualifications for their roles, whether those qualifications have changed over time, how the company invests in further training, and who reviews the performance of the compliance function. Bosch’s facts read like an answer key in reverse.

The relevant compliance personnel misunderstood the rule, conflated separate concepts, and repeatedly relied on a flawed conclusion. That misunderstanding then became the basis for releasing orders and continuing sales. The issue was not merely a knowledge gap. It was an expertise governance failure: no second-level review, no effective challenge process, no documented reassessment trigger, and no apparent mechanism to say, “This conclusion is too consequential to rest on a thin and possibly confused analysis.”

For CCOs, the hard question is not whether your compliance team is busy. Everyone’s team is busy. The question is whether your team has the technical depth to manage the risks your business actually creates. If the answer is no, the next question is why the business is permitted to keep operating as if the answer were yes.

The company had warnings and treated them as noise

The most damning part of the Bosch story is not the original mistake. It is the persistence of the mistake after multiple warning signs. Company Four warned Bosch that equipment used in its factories included U.S.-export-controlled items and that products worked on by Company Four for Huawei might be prohibited from export. Company One asked Bosch personnel to sign a certification that should have forced reconciliation with Bosch’s prior guidance. Company Five told Bosch that products containing items manufactured by Company Five could not be provided to Huawei without authorization and even referenced the Seagate penalty. Contract manufacturer certifications repeated the same basic warning: these were not ordinary commercial forms; they were control documents.

This is where COSO Principle 15 becomes useful. Principle 15 is not only about what the company communicates outward to third parties. It also recognizes that third parties can provide information back to management about the effectiveness of internal controls and regulatory communications.

Bosch failed to treat third-party communications as control information. That is a blunt but fair reading. Supplier warnings were received. Certifications were signed. Objections were routed. But the organization lacked a system to convert that information into escalation, reconsideration, documentation, and action. That should bother every CCO. The problem was not that the information was hidden. The problem was that it was visible, yet it still did not matter enough.

Business pressure became a control weakness

The Bosch Order also shows how business pressure can quietly become a compliance override. When the U.S. trade compliance professional requested information from Bosch businesses, BST did not provide it. The response cited a “dire allocation situation” and the need to spare the team time. The order says that had BST answered the specific questions, Bosch’s U.S. trade compliance personnel likely would have identified the issue. That fact should stop compliance professionals cold.

A compliance information request tied to a major regulatory change should not be optional. It should not be negotiable because the business is under pressure. It should not depend on whether a senior business leader believes the issue was already “clarified.” The moment commercial urgency is allowed to excuse incomplete compliance fact-gathering, the control environment has already bent.

The hard question for CCOs is simple: when compliance asks for information necessary to assess legal risk, can the business say no? If the answer is yes, the company lacks an authorized compliance program, once again violating not only the tenets of a best-practice compliance program but also those of the ECCP. It has a request-and-hope function.

Remediation was real, but late

Bosch deserves credit for remediation. Adding 66 trade compliance employees is not a cosmetic move. Expanding U.S. trade compliance resources is meaningful. Updating policies and procedures to clarify U.S. export control jurisdiction and licensing requirements is exactly the kind of tangible remediation DOJ and BIS expect.

But compliance professionals should not miss the obvious: those resources came after the failure. The better compliance question is why those resources were not there before. Why did it take a public enforcement action to reveal that the compliance function was not staffed or expert for the company’s risk profile? Boards and senior executives often ask whether compliance needs more people. Bosch suggests a sharper question: what will it cost if we wait until the government answers that question for us?

Hard questions for compliance professionals

The Bosch series leaves CCOs with hard questions.

Who owns complex regulatory change from interpretation through operational implementation?

Who validates high-risk legal or compliance advice before the business relies on it?

Does high-risk advice have a lifecycle, including assumptions, facts reviewed, date issued, owner, and reassessment triggers?

Can compliance force a business unit to respond to fact-gathering requests before shipments can continue?

Are supplier letters, certifications, refusals, and regulatory objections tracked as compliance intelligence?

Are procurement, logistics, supply chain, legal, production, and contract management trained to recognize red flags in third-party communications?

Who reviews whether compliance has sufficient expertise, not just sufficient headcount?

Can the compliance function stop, hold, or escalate transactions when the facts are incomplete?

Does the internal audit test whether compliance blocks are released for sound reasons, or merely whether they were processed?

When a supplier tells the company, “You may have a compliance problem,” does the company investigate the warning or look for another supplier?

Those are not academic questions. Bosch shows what happens when the answers are weak.

The final word

Bosch is not a story about a company with no compliance program. It is more troubling than that. It is a story about a company with a compliance infrastructure that still failed when the business needed judgment, expertise, escalation, and courage.

The final lesson is systemic. Bosch’s failure was not one bad legal interpretation. It was a systemic breakdown: a wrong answer became institutional truth because no one had the expertise, authority, process, or discipline to challenge it.

That is the compliance lesson worth remembering. Not the declination. Not the headline penalty. Not even the technical export control issue. The real lesson is that compliance programs fail when they cannot recognize and act on the information already in front of them. Bosch had the warnings. It did not have a compliance system.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Bosch and the Foreign Direct Product Rule: Lessons from the Export Controls and NSD Settlement

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it in greater depth. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss the recent Bosch export controls enforcement action involving two German subsidiaries that sold about $72 million in advanced microsensors and software to Huawei from 2020 to late 2024

Their actions violate U.S. export controls tied to the Foreign Direct Product Rule and 2020 “footnote one” restrictions. Although Bosch voluntarily self-disclosed, cooperated, remediated, disgorged profits, and received a DOJ criminal Declination, BIS imposed a $36.1 million civil penalty, citing fundamental compliance failures: an understaffed and underqualified export controls function, confusion between the de minimis rule and the foreign direct product rule (which has no de minimis exception), and mishandling repeated external warnings from business partners and suppliers. They highlight internal control and communication breakdowns (including external signals) and the need to build specialized export/sanctions compliance capacity, noting BIS issued a compliance framework in 2020 and offers training.

Key highlights:

  • Bosch case overview
  • Understaffed compliance fallout
  • Ignored partner warnings
  • Declination and remediation
  • COSO signals and controls
  • Building export compliance muscle

Resources

Matt in Radical Compliance

Tom in the FCPA Compliance Blog: Part 1, Part 2, Part 3, Part 4, and Part 5 posts on Thursday, June 25.

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 75 – The End of White Collar Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

 Stories this week include:

  • The Trump Administration retreats on white-collar crime. (The Dispatch)
  • Live Nation found guilty of monopolization. (WSJ)
  • White-collar defense lawyers are not busy under the Trump Administration. (FT)
  • Former LaFarge CEO guilty in corruption case. (Bloomberg)
  • How much does the Annoyance Economy cost you?  (NYT)
  • Justice Department Nears Filing Antitrust Case Against Egg Producers (WSJ)
  • $253M Settlement Raises the Bar on Re-Exports, ‘Dual‑Build’ Models & Entity List Risk (Corporate Compliance Insights)
  • The foundational importance of export jurisdiction – Corporate Compliance Insights
  • ‘Made in America’ Compliance! (Radical Compliance)
  • The Compliance Blind Spots Hiding Inside Financial Data (Corporate Compliance Insights)
  • Key West man accused of shining laser gloves into police cars faces 3 felonies

Resources:

Kristy Grant-Hart on LinkedIn

Order Kristy’s updated, 10-year new edition of How to Be a Wildly Effective Compliance Officer by clicking here.

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Red Flags Rising

Red Flags Rising: S01 E38: “Fallen Chips” – GIR’s Estelle Atkinson on her Three-Part Report

Mike Huneke and Brent Carlson welcome Estelle Atkinson, a reporter with Global Investigations Review (GIR), to speak about her recent three-part series, “Fallen Chips,” published on January 26, 27, and 28, 2026 (linked in the show notes). They discuss how Estelle learned of the U.S. government investigation of Zenith Semiconductor in Chandler, Arizona (01:14); that company’s background (06:03); when employees started to realize that things were not quite right at the company and how that led to employees going to the FBI (08:19); how Estelle got to know the employees and why they were willing to help her with her story (10:30); how her experience illustrates more broadly the challenge companies have in responding to whistleblower reports or allegations (11:48); how diversion starts close to home, and is not always in some exotic “offshore” location (15:31); how U.S. administration policies to promote the export of the U.S. AI “stack” are not without controls or national security considerations (15:58); why success under America’s AI Action Plan and the American AI Export initiative will depend on effective, risk-based export controls compliance programs (16:21); the role of media in American life (19:14); why the standard PR or IR “playbook” of asserting “full compliance with the law” creates risks if companies aren’t expressly incorporating the full definition of “knowledge,” to include “an awareness of a high probability,” into export controls compliance (20:14); and what GIR readers can expect to see (or read) next from Estelle (20:49). Mike and Brent conclude with yet another installment of Brent Carlson’s “Managing Up” (22:39).

Resources:

GIR 

Fallen Chips Part I: Inside the FBI Raid that Rocked an Arizona Chip Start-Up (Jan. 26, 2026)

Fallen Chips Part II: Silicon Secrets and the Risks Hiding in Plain Sight (Jan. 27, 2026)

Fallen Chips Part III: The Fault Lines of the US-China Tech War (Jan. 28, 2026)

More about:

Estelle: https://globalinvestigationsreview.com/authors/estelle-atkinson

Contact Estelle: estelle.atkinson@globalinvestigationsreview.com

Contact Brent: brent@redflagsrising.com

Contact Mike: michael.huneke@morganlewis.com

Categories
Red Flags Rising

Red Flags Rising: S01 E37: Carole Basri on Subsidizing World Peace: The U.S. Experiment, and the Dynamic Relationship between National Security & Corporate Compliance

Back in January 2024, Mike and Brent had the good fortune to meet Carole Basri at an event at NYU Law School. On this episode of Red Flags Rising, they welcome her as a guest to talk about her specialties: national security, geopolitics, and corporate compliance. They specifically discuss Carole’s extensive professional background (00:59), a new treatise on National Security Law that Carole, Mike, and Brent are writing for the Practising Law Institute (PLI) (04:00), an upcoming event co-hosted by the New York State Bar Association’s International Section, Corporate Compliance Committee and Morgan Lewis, to which the new Assistant Secretary for Export Enforcement David Peters is an invited keynote speaker (08:18), why public enforcement officials remarks are relevant under U.S. export controls and other probability-based (i.e., “red flags”-driven) national security laws (09:26), how the U.S. Foreign Corrupt Practices Act (FCPA) was not only an example of that but also was really a child of an era where economic interdependency required a level of transparency and clean commerce to continue (12:00), and the relationship between Bretton Woods, Belt and Road, and Mike’s favorite book, Tales of an Economic Hitman, and what could be viewed with hindsight as effectively a U.S. policy decision to trade its own economic security for decades of (relative) world peace, increased global productivity, and increased living standards (16:52). Brent then closes out the discussion with the latest installment of his “Managing Up” segment (21:57), after which Mike makes some (further) book recommendations based on the discussion for those interested in further exploring some of the idea and concepts covered during the discussion:

More about Carole

Contact Brent: brent@redflagsrising.com

Contact Mike: michael.huneke@morganlewis.com

Interested in learning more about the March 10, 2026, event? Contact Mike & Brent at the email addresses above.

Categories
Blog

Returning to Venezuela: Part 3 – Export Controls and the Illusion of “Reopening”

We continue to explore what the ‘reopening’ of Venezuela to US energy companies means for the compliance professional. Over the last two days, we considered the corruption issues in Parts One and Two of this blog post series. Today in Part 3, we look at export control and trade sanction issues. I spoke with Brent Carlson, founder of Red Flags Rising Solutions LLC, for his insights.

When the White House announces that U.S. oil companies may be returning to Venezuela, the business press immediately begins talking about opportunities. Compliance professionals should be talking about risk. Not hypothetical risk. Not academic risk. Real, layered, enterprise-threatening risk that sits at the intersection of export controls, sanctions, geopolitics, corruption, security, and board oversight. The conversation I recently had with Carlson makes one thing abundantly clear: Venezuela is not “opening.” It is recalibrating. And compliance programs that treat this moment as a return to business as usual will fail.

Venezuela Remains a High-Risk Jurisdiction by Design

Let us start with first principles. Venezuela remains designated as a D:5 country under the Export Administration Regulations (EAR). That places it in the most restrictive category, alongside jurisdictions such as Iran and North Korea. Even the shipment of EAR99 items can be problematic under the current framework.

That legal reality did not change simply because the President met with U.S. energy executives. Carlson is clear on this point. Whatever policy adjustments may come will be sector-specific, narrowly tailored, and aligned with geopolitical priorities, particularly oil production. There will not be a wholesale rollback of export controls or sanctions. For compliance professionals, this means one thing: the law today is the law as it existed yesterday. Until the Bureau of Industry and Security (BIS) and OFAC issue formal guidance, licenses, or regulatory amendments, nothing has changed.

Regulatory Enforcement Follows Politics, but Law Follows Process

One of the most important compliance insights Carlson offers is that regulatory enforcement follows political drivers, which in turn follow geopolitical drivers. That is undoubtedly true. But it is also where companies get themselves into trouble. Political signaling is not legal authorization. Tweets, speeches, and press briefings do not override the Export Administration Regulations, OFAC sanctions, or anti-money laundering laws. Compliance programs must be built to withstand whiplash, not chase headlines.

This is especially critical in Venezuela, where any meaningful restart of oil production will require billions of dollars, long project timelines, complex infrastructure, and sustained government engagement. These are not quick deals. They are multi-year commitments that must be compliant from day one.

Start With the Business, but Do Not Stop There

Carlson emphasizes that compliance analysis must begin with the business opportunity itself. What is the company actually trying to do? What products or services will be provided? Who will operate them? Where will the equipment go? Who will maintain it? For compliance professionals, this requires operational fluency that goes far beyond policy review. You must understand the business process step by step. Not in the abstract. Literally, transaction by transaction.

This exercise does more than identify export control risks. It exposes corruption, diversion, money laundering, security, and reputational risks. Venezuela is not a jurisdiction where silos survive.

Dual-Use Risk Is Not Theoretical in Venezuela

Any company operating in the energy sector must assume heightened scrutiny around dual-use items. Control systems, industrial machinery, software, and communications technology can all be repurposed. Carlson makes an important point here. Companies that manufacture or deploy these items already know where the risks are. The issue is not ignorance. The problem is prioritization and escalation.

This is where proactive engagement with the BIS becomes essential. Unlike some areas of compliance, export controls encourage dialogue with regulators. Companies can and should engage BIS field offices early to discuss proposed transactions, licensing pathways, and regulatory obstacles. This is not lobbying. It is compliance.

One of the most powerful insights in our discussion is the call for compliance professionals to sit down with business operations and map every operational step. This is not busywork. It is risk triage. Too often, compliance reviews occur after a deal is already emotionally committed. At that point, compliance becomes the obstacle rather than the enabler. Carlson is explicit: sales and operations teams do not want to waste time on deals that will collapse under regulatory scrutiny. When compliance is embedded early, it improves deal quality. It filters out bad opportunities and strengthens good ones. That is value creation.

Siloed Compliance Will Fail in Venezuela

If there is one jurisdiction where compliance silos are fatal, it is Venezuela. Export controls intersect with sanctions. Sanctions intersect with AML. AML intersects with corruption. Corruption intersects with security. Security intersects with human rights and ESG. Carlson cites enforcement actions where companies failed because information did not flow across functions. Finance saw one risk. Operations saw another. Compliance saw a third. No one saw the whole picture.

For Venezuela, companies must adopt a non-siloed, enterprise-wide risk model. Export control specialists must talk to anti-corruption teams. Treasury must talk to security. Legal must talk to operations. This is not optional.

Board Oversight Must Evolve Beyond Periodic Updates

Boards of directors will play a decisive role in whether companies succeed or fail in Venezuela. Carlson is clear that boards must demand updated, transaction-specific risk assessments focused on central compliance risks, not generic program health. This is not about micromanagement. It is about governance. Boards must understand that Venezuela presents a dynamic risk environment where geopolitical shifts can occur overnight. The right board questions are not “Do we have a compliance program? ” They are:

  • What export control risks are central to this opportunity?
  • What sanctions exposure remains?
  • How are we monitoring changes in real time?
  • What is our exit strategy if conditions reverse?

The Case for a Standing Enterprise Risk Committee

Carlson raises a critical governance concept: the need for a standing, cross-functional risk committee empowered to act quickly. Not an ad hoc task force. Not an annual review. A permanent capability. We are no longer in a stable geopolitical environment. Long-trusted partners can become sanctioned entities within weeks. Supply chains built over decades can collapse overnight. For compliance professionals, this reinforces the need for real-time risk sensing, escalation protocols, and decision authority. Venezuela is simply the proving ground.

Enforcement Is Coming, Not Fading

The most sobering warning Carlson offers is about enforcement. The U.S. government has been signaling for some time that export control enforcement will increase. DOJ’s Trade Fraud Task Force, BIS outreach visits, and expanded definitions of “knowledge” under the EAR all point in the same direction. Compliance professionals should recognize the parallel to early FCPA enforcement. Policies alone are not enough. Programs must demonstrate that they identify high-probability risks, escalate them, and act. Testing matters. Documentation matters. Integration matters.

Final Thoughts

The prospect of renewed oil activity in Venezuela is not a green light for compliance. It is a stress test. Companies that approach this moment with discipline, humility, and integrated risk management can create value while protecting themselves. Companies that treat it as a political reopening will find themselves exposed on multiple fronts. For compliance professionals, this is a defining moment. The question is not whether Venezuela is open for business. The question is whether your compliance program is ready for the real world.

Categories
FCPA Compliance Report

FCPA Compliance Report-Episode 788 – Beyond Borders: Navigating Export Control, Sanctions, and Vendor Risk in 2026 with Stephanie Font

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this episode, Tom welcomes Kristy Grant-Hart, Stephanie Font from Diligent delve into the intricate landscape of compliance challenges anticipated in 2026 and beyond. The discussion focuses on the dynamic regulatory environment, specifically around export control, sanctions, and vendor risk. Stephanie shares insights from her extensive background in due diligence, discussing how the scope and focus of due diligence have expanded over the years. The webinar covers compliance challenges associated with BIS and export control compliance, especially the affiliate rule, and the complexities surrounding China-related risk management. Additionally, they explore the DOJ National Security Division’s Data Security Program and its impact on compliance. The session emphasizes the necessity of a robust process to manage regulatory instability, highlighting the importance of proactive documentation, risk audits, and continuous monitoring.

Resources

Stephanie Font on LinkedIn

Diligent Website

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Red Flags Rising

Red Flags Rising: S01 E33: Back to Basics

As the geopolitical and national political winds continue to swirl, Mike & Brent go back to basics to level-set and provide some foundational first principles of export controls compliance. They discuss the roller-coaster of the Affiliates Rule suspension (01:44); why the real risks from a compliance and enforcement perspective lay just outside of the Rule (02:37); how General Prohibition 10, the full definition of “knowledge” to include “an awareness of a high probability,” and the various inchoate provisions (i.e., causing, aiding and abetting, solicitation and attempt, conspiracy, acting with knowledge, misrepresentation and concealment, intent to evade, and failure to comply with recordkeeping requirements) are the foundational anti-diversion provisions under the U.S. Export Administration Regulations (EAR) (03:02); great listener feedback about how the Affiliates Rule shaped the in-house discussion of diversion risk (05:23); developing and implementing a high probability protocol as the only way to stay grounded in dynamic and challenging times (08:33); recent legislative proposals and hearings, including a recent hearing by a subcommittee of the House Foreign Affairs Committee focused on export control loopholes, and the dangers of a dissatisfied U.S. Congress (09:42); why the definition of “knowledge” under the EAR is not mere legalese to be lost in the 1,467 pages (as of January 1, 2025) of the EAR but is instead the path forward for both government and industry (14:18); the details and implications of General Prohibition 10 (17:11); the details of the full definition of “knowledge,” including what we can learn from its history in the U.S. Foreign Corrupt Practices Act and, before then, the Model Penal Code (18:48); and recent enforcement activity by DOJ and BIS, and what the activity signals about the government’s next enforcement moves (22:30).

They then conclude with the latest installment of Brent’s increasingly popular “Managing Up” segment (27:14).

Resources:

Brent’s latest NYU Law School Program on Corporate Compliance & Enforcement post, from October 31, 2025

Brent’s email: brent@redflagsrising.com

Mike’s email: michael.huneke@morganlewis.com

Categories
Red Flags Rising

Red Flags Rising: S01 E30: Look Before You Leap, Think Before You Speak

Fresh off the October 15, 2025, WIT-NC/PAEI/TTRA “Global Trade Compliance Best Practices Conference” in Santa Clara, California, Mike and Brent discuss the practical takeaways of several recent media reports and statements from the U.S. Congress, including how compliance programs that incorporate the high-probability standard give executives and spokespersons the most options. Specifically, they discuss the conference (00:49); the recent Affiliates Rule (01:27); why straightforward statements that a company “complies with the law” might generate cynicism from the public and inquiries as to how from the government (02:59); why it’s important for companies to consider the context in which their public statements will appear, even where they might not agree with the facts asserted in that context (04:06); how delegitimizing the laws in the eyes of the public might be one of the smugglers’ objectives (05:47); how thinking about compliance as never being a one-and-done solution can help avoid pitfalls in public statements (06:54); why it’s dangerous to rely upon assertions by anonymous “legal experts” reported in articles about the existence of loopholes, including because those loopholes do not actually exist (08:49); the importance of keeping in mind, in the context of the Entity List and the Affiliates Rule, that the List is but one part of U.S. export controls and statements that fixate on the Entity List’s applicability expose corporations to questions about their compliance with other catch-all provisions, with General Prohibition 10, and with the various inchoate provisions (10:27); the importance of appreciating that U.S. regulators read the news too (11:40); how the “high probability” standard can help companies in making enhancements to their compliance programs to better support broader public statements as to their compliance with the law (14:41); recent reports about U.S. items being sold for crime control purposes and attention from the U.S. Congress on those reports (15:03); similar risks related to the recent report by the U.S. House of Representatives’ Select Committee on the Chinese Communist Party (17:23); keeping in mind that your own disagreement with U.S. national security policy is not a defense to export controls promulgated in support of that policy (19:02); and the importance of having advisors who are viewed by the government as honest brokers that are not clinging to legacy views about the government’s intentions or authorities (21:07).

Mike and Brent then conclude with another installment of Brent Carlson’s “Managing Up” (23:29).

Resources:

Contact Brent: brent@redflagsrising.com

Contact Mike: michael.huneke@morganlewis.com

Learn more about the conference’s organizing associations:

Women in International Trade – Northern California (WIT-NC)

Professional Association of Exporters & Importers (PAEI)

Technology Trade Regulation Alliance (TTRA)

Categories
Red Flags Rising

Red Flags Rising: S01 E29: Affiliates Rule Aftermath – Finding the Right Path Forward

Mike and Brent take an even deeper dive into the “Affiliates” or “50%” Rule announced by the Bureau of Industry & Security (BIS) on September 29, 2025. They identify several misperceptions in the public discussion, explain why they are misperceptions, and identify the pitfalls of operating under those misperceptions—especially in response to inquiries by BIS about pre-rule due diligence on affiliates of entities on the entity list. Specifically, they discuss why the Affiliates Rule is a close cousin to the Office of Foreign Assets Control’s own 50% rule, but why and how BIS’s Affiliates Rule serves different national security objectives and operates a bit differently (02:42); whether the Affiliates Rule brings new compliance burdens and, if so, risk-based due diligence strategies and likely questions from BIS regarding why (10:26); why in the current geopolitical context the benefit of local, boots-on-the-ground compliance might be overstated—or significantly discounted by the U.S. government—and what to do about it (16:18); why it would be a mistake to think that BIS is not today able to bring enforcement actions based on the Affiliate Rule, especially given their ability to bring enforcement actions on the “full” definition of knowledge to include “an awareness of a high probability” (19:26); and why it is dangerous to think of “knowledge” as only “actual knowledge,” and thereby misperceiving that the new Affiliates Rule—by reminding everyone that the catch-all provision under which the Entity List is promulgated is a strict-liability regulation, even as to awareness—has someone taken away a previously available “absence of actual knowledge” defense (23:00).

Mike and Brent then offer practical tips for applying for the license available under the Affiliates Rule for situations where the exporter, reexporter, or transferor is aware of “red flags” as to ownership that it cannot resolve through risk-based due diligence (28:20).

Mike and Brent then conclude with a special edition of Brent Carlson’s “Managing Up,” in which Brent offers some valuable self-reflection (34:58).

Resources:

More about Brent: www.redflagsrising.com

Contact Brent: brent@redflagsrising.com

Mike: https://www.linkedin.com/in/mhuneke/https://www.morganlewis.com/bios/michaelhuneke

Contact Mike: michael.huneke@morganlewis.com

BIS’s “Export Control Decision Tree”