
Red Flags Rising: S01 E23 – $140M “High Probability” Enforcement Action

Mike and Brent break down the $140 million corporate resolution announced on Monday, July 28, 2025, by the U.S. Department of Commerce’s Bureau of Industry & Security (BIS) and the U.S. Department of Justice’s National Security Division (NSD). Of this amount, $95 million was imposed by BIS alone, which is the largest stand-alone BIS penalty since April 2023.

Mike and Brent discuss the geopolitical context (00:39), how the resolution responds to December 2024 criticism from the then-majority staff of the U.S. Senate’s Permanent Subcommittee on Investigations (01:58), why this is “where the juice is” for future BIS and NSD enforcement (03:05), how the settlement underscores that sustained compliance with national security-driven regulations requires a substance-over-form approach (04:45), the relevant facts related to the resolving company’s China subsidiary and customers (06:36), the relevant facts related to the parent company (08:59), why a letter of assurance and end-use/end-user certifications were not sufficient to respond to the “red flags” identified (10:38), how U.S. parent companies should be thinking holistically about export controls risk and strategies for mitigating that risk, including in responding to BIS outreach visits or queries to hopefully avoid administrative subpoenas or, worse, referrals to criminal authorities (12:37), the signals BIS and NSD expect companies subject to U.S. export controls to perceive from the public documents (16:37), the significance of BIS’s reference to General Prohibition 10 and to attempted violations of U.S. export controls (16:37), and the key takeaways for legal and trade compliance professionals (19:09).

Mike and Brent then conclude with the still-back-by-popular-demand segment, Brent Carlson’s “Managing Up” (19:52).

Resources:

The BIS Press Release, with links to the settlement documents

The NSD Press Release, with links to the corporate guilty plea and criminal information

Brent LinkedIn

Mike LinkedIn

Mike & Brent’s “Fresh Looks” Series


Declinations, Disclosure, and National Security: Key Lessons from the 2024 NSD Enforcement Policy

Yesterday, I wrote about a Declination issued by the Department of Justice to the Universities Space Research Association (USRA), a nonprofit organization working with NASA on advanced scientific research. The Declination is found here. Today, I want to dive deeper into the March 2024 update to the National Security Division’s (NSD) Enforcement Policy for Business Organizations. This document is a must-read for every compliance officer handling export controls, sanctions, or any business with potential national security implications. It was a policy update and a blueprint for navigating one of the highest-risk areas in global business today.

The NSD is central in safeguarding the United States from national security threats, particularly by enforcing export control and sanctions laws. Businesses and their employees are vital partners in this mission, given their roles as custodians of sensitive technologies and financial systems. NSD strongly encourages companies to voluntarily self-disclose potentially willful violations of key U.S. statutes, such as the Arms Export Control Act, Export Control Reform Act, and the International Emergency Economic Powers Act, alongside related offenses like money laundering and false statements. Such violations can pose serious risks to national security, and the NSD’s approach to corporate enforcement seeks to strike a balance between encouraging cooperation and deterring harmful conduct.

The updated Enforcement Policy outlines how the NSD, in collaboration with U.S. Attorneys and other DOJ components, determines appropriate resolutions for companies that self-disclose misconduct related to export controls and sanctions. It also sets parameters for how acquiring companies can qualify for protections under the Mergers and Acquisitions (M&A) Policy when disclosing violations by an acquired entity. While the policy’s primary focus is on export and sanctions laws, its principles are designed to guide enforcement decisions in other national security-related matters, such as FARA violations and CFIUS-related conduct. The overarching message is clear: companies should proactively report potential criminal conduct under the NSD’s jurisdiction to help mitigate legal exposure and protect national security.

Here are five key lessons compliance professionals should take away from the updated policy.

1. Voluntary Self-Disclosure Must Be Early, Unprompted, and Specific

In NSD’s world, timing is not just everything; properly seen, it is the thing. To earn credit, disclosure must happen before an imminent threat of exposure or investigation, and it must be made directly to NSD. That means you cannot sit on a problem while deciding whether to tell OFAC, BIS, or your outside counsel. If NSD doesn’t know, your organization does not even qualify for full credit.

The disclosure must include all relevant non-privileged facts, including those about individuals inside and outside the company involved in the misconduct. If your disclosure is vague, partial, or delayed, it may be too little, too late. NSD puts the burden squarely on the company to prove that the disclosure was voluntary and timely.

Compliance Lesson: Build your compliance playbook around immediate, well-documented self-reporting protocols. Simulate drills. Define who makes the call to NSD. Because once the clock starts, hesitation can cost you the deal.

2. Full Cooperation Means More Than Not Obstructing

NSD has redefined “full cooperation” in practical, prosecutorial terms. It is not enough to say your organization will assist. Instead, your organization must provide full assistance, and you must proactively help. That includes sharing key facts as you uncover them, providing timely updates, disclosing foreign-located documents, and making employees (even those overseas) available for interviews.

It also means identifying every opportunity where NSD could obtain relevant evidence, even when they have not yet asked for it. That may seem like a high bar, especially for multinationals operating in jurisdictions with blocking statutes or data privacy laws. The bottom line is that your organization bears the burden of showing why documents can’t be produced—and you must offer alternatives.

Lesson: Compliance teams should revisit their internal investigation protocols to ensure they enable real-time, proactive engagement with government investigators. This is no place for passive risk management.

3. Remediation Is Not Window Dressing—It’s Root Cause Surgery

NSD isn’t interested in cosmetic compliance. They want to see a thorough root cause analysis and real efforts to remediate the misconduct and the control failures that allowed it to occur. That includes changes to reporting structures, testing compliance effectiveness, employee discipline (up to and including termination), and even clawbacks when appropriate.

Critically, NSD recognizes that what counts as a “well-resourced” program depends on the size of your company, but the policy still requires evidence of authority, independence, and a clear line from the compliance function to senior leadership.

Lesson: Expect little sympathy if your root cause analysis is weak or superficial. Effective remediation means digging deep, taking hard actions, and documenting every step for potential DOJ review.

4. Compliance Programs Must Be More Than Just Policies

Your program must exist, be effective, and be tested to avoid the imposition of a monitor and to qualify for a declination. NSD’s standards align with the DOJ’s broader 2023 and 2024 guidance around program evaluation: Do your controls work in practice? Are they tailored to your risk profile? Are they embedded into day-to-day operations?

NSD also scrutinizes how you retain business records, especially regarding ephemeral messaging platforms and personal devices. If your team uses WhatsApp, Signal, or iMessage without proper controls, you could be viewed as undermining your compliance system.

Lesson: Modern compliance programs must integrate surveillance, technology, and behavior-based controls, especially where national security risks are involved. “Set it and forget it” programs will not fly.

5. There’s a Path for Acquirers—If You Act Quickly

One of the more notable additions to the 2024 policy is its treatment of M&A-related misconduct. If your company acquires an entity and discovers criminal export control or sanctions violations after the deal closes, the NSD offers a pathway to protection, but only if you act fast.

You have 180 days from the closing date to disclose the misconduct and 1 year to remediate it. Do that, and NSD will generally not seek a guilty plea, criminal fine, or asset forfeiture from the acquirer. And the kicker? The misconduct also won’t count as a strike against your compliance track record in future matters.

Lesson: Build post-acquisition compliance reviews into every integration plan. Don’t wait for a surprise; audit for red flags early and be ready to disclose. In today’s world, inherited risk is your risk.

Declinations Are Earned, Not Given

The 2024 NSD Enforcement Policy is a strong step toward encouraging ethical corporate behavior in a world where the risks are real, and the stakes are high. It rewards companies that do the right thing early, thoroughly, and transparently.

But it’s also a warning: the margin for error is razor-thin. Delayed disclosures, half-baked investigations, or weak compliance programs won’t cut it. And don’t forget, NSD still retains full authority to prosecute individuals, even if your company gets a pass.

Today, the compliance officer’s job is to prevent misconduct and design systems that respond effectively when things go wrong. The new NSD policy gives us the roadmap. We must ensure the car is gassed up, the brakes work, and the driver knows where to go.

Final Compliance Evangelist Tip:

Use this policy as a stress test for your program. Would your controls hold up if misconduct occurred tomorrow? Would you disclose it in time? Could you cooperate fully? If you’re unsure, now is the time to find out before the DOJ does.


A Textbook Declination: Lessons Learned from the USRA Declination

In the fast-moving world of enforcement actions and corporate misconduct, we rarely get an actual “bottle episode” of compliance—a neatly wrapped case that functions almost like a compliance case study come to life. That is precisely what we see in the recent declination issued to the Universities Space Research Association (USRA), a nonprofit organization working with NASA on advanced scientific research. The Declination is found here.

This declination tells us as much about what to do right as it does about what went wrong. USRA’s prompt and resolute response to employee misconduct provides a blueprint for companies, regardless of size, to attain the ideal result: a DOJ declination. This declination, issued during the Trump Administration’s second term, provides crucial lessons for compliance professionals.

The Story: Export Controls and a Rogue Employee

The facts are straightforward. Between April 2017 and September 2020, USRA employee Jonathan Soong used his position overseeing export compliance to sell restricted software and source code to Beihang University in China. Mr. Soong did not simply mishandle sensitive materials; he willfully bypassed export laws, concealed his actions, and even embezzled from USRA in the process. Soong pleaded guilty to violating export control laws in connection with secretly funneling sensitive aeronautics software to a Beijing university.

But here is the key takeaway: once USRA learned of the misconduct, they acted fast. They alerted NASA. They conducted an internal investigation. They self-reported to the Department of Justice within days. They cooperated fully. And in the end, the DOJ rewarded them, not with a fine, but with a complete declination.

The Power of Prompt Self-Disclosure

USRA’s leadership did not wait to see if the issue would disappear or downplay it internally. Instead, they engaged with enforcement agencies early and often. This fits squarely within the DOJ’s National Security Division Guidance, which outlines how voluntary self-disclosure, cooperation, and timely remediation can mitigate or eliminate penalties.

Let’s be clear: this was a national security matter, not just a regulatory breach. The software involved may have had potential military applications, making USRA’s response all the more commendable and critical.

Internal Controls and Oversight: Where the Breakdown Happened

As much as this is a story of compliance success, it is also a reminder that internal controls must work in practice, not just on paper. There were three key control failures:

  1. Export compliance oversight was left to the same employee who committed the fraud.
  2. Internal monitoring failed to detect red flags.
  3. Supervisory negligence enabled the misconduct to continue for three years.

One of Mr. Soong’s supervisors was eventually disciplined or terminated. However, the lesson is that even well-designed controls fail when not executed or appropriately monitored.

What Made This Declination Possible?

  1. Voluntary, timely self-disclosure within days of learning of the misconduct.
     When USRA discovered potential wrongdoing, they didn’t hesitate; they immediately self-reported the issue to NASA and the Department of Justice. This type of proactive disclosure is precisely what the DOJ expects when evaluating a company’s response to misconduct. The timeliness demonstrates a functioning internal control system and an ethical culture prioritizing transparency. Rather than hiding behind bureaucracy or launching a months-long internal cover-up, USRA made the call within days. That decision set the tone for everything that followed and paved the way for trust-based engagement with enforcement authorities.
  2. Full cooperation, including sharing internal findings and offering access to witnesses.
     USRA didn’t just make a phone call and then sit back. They actively cooperated with investigators at every stage. Their actions included providing access to key internal documents, conducting an internal investigation, and turning over their findings to the DOJ. Equally important, they facilitated interviews with relevant employees, supported the legal process, and ensured that authorities had all the resources necessary to pursue the case against the wrongdoer. In short, USRA became a partner to the government, not an adversary. Comprehensive, good-faith cooperation carries tremendous weight in a declination decision.
  3. Swift and meaningful remediation, including terminating the wrongdoer and disciplining supervisors.
     USRA didn’t stop at self-reporting. They took tangible steps to clean house. Mr. Soong, the employee at the center of the misconduct, was promptly terminated. However, the company didn’t stop there; USRA also reviewed its supervisors’ actions (or inactions). At least one supervisor was disciplined or let go for failing to oversee export control responsibilities properly. The move sends a strong message internally and externally, emphasizing that accountability extends throughout the entire chain of command. This swift and meaningful remediation satisfies DOJ expectations and helps rebuild trust with business partners, regulators, and the broader public.
  4. Strong risk awareness of their role in handling sensitive, export-controlled material.
     USRA operates in a field where national security risks are inherent. As a NASA contractor handling sensitive aerospace research, they were well aware of the dangers posed by improper exports of data and source code. This was not a case of a company claiming ignorance; they were aware of the potential consequences. Their compliance failures came down to one rogue actor and a breakdown in oversight, not a lack of awareness. When problems surfaced, they acted with the urgency such risks demand. This situational awareness, recognizing how export control violations could ripple across global security, played a major role in helping the DOJ see them as a responsible actor.
  5. Responsiveness to the DOJ and NASA, including prompt answers and evidence production.
     Throughout the investigation, USRA maintained consistent and open lines of communication with both NASA and the DOJ. They promptly responded to any questions posed. They delivered the requested documents promptly and in excellent order. Such responsiveness isn’t just about meeting deadlines; it is about demonstrating respect for the investigative process and showing that the company values ethical resolution over self-preservation. By staying accessible, professional, and efficient throughout the inquiry, USRA signaled to prosecutors that they were committed to helping resolve the matter fairly and thoroughly. That level of responsiveness is precisely what the DOJ wants to see.

Lessons Learned for Compliance Professionals

  1. Speed Matters
     In the world of corporate enforcement, timing can be everything. Companies do not always receive declinations for self-reporting, but when they do, speed often makes a significant difference. USRA moved within days to notify NASA and the DOJ of serious misconduct. That speed demonstrated a culture of integrity, robust internal reporting, and a commitment to doing the right thing even under pressure. Quick action also preserves evidence, signals accountability, and allows enforcement agencies to act more efficiently. The faster a company responds, the more credible its leadership appears and the more likely it is to be viewed as a trusted partner.
  2. Controls Must Work in Real Life
     Too often, compliance programs look good on paper but fail in execution. A policy is not an effective control unless it is well designed and implemented correctly. In the USRA case, while policies existed, execution faltered, and the employee responsible for oversight violated the law. That’s a stark reminder: your controls must work in the real world. We must regularly evaluate the effectiveness of supervisory review, dual controls, cross-checks, and audit testing. Failure to test a control could result in liability, enforcement, or worse.
  3. Know Your Risk Profile
     USRA dealt with export-controlled scientific software, which is a high-risk domain. Their failure wasn’t in identifying risk but in adequately mitigating and monitoring it. For every company, the starting point must be understanding your unique risk profile. Is it corruption and bribery? Data privacy? Sanctions exposure? Supply chain ethics? Compliance officers must align risk assessment, control design, and resource allocation accordingly. A one-size-fits-all compliance program is likely to fail. Regulators expect a risk-based approach that demonstrates thoughtfulness and proportionality. You can’t mitigate what you don’t understand or defend a program that overlooks its most critical vulnerabilities.
  4. Use the Right Tone from the Top
     When the misconduct came to light, USRA leadership did not equivocate. They acted decisively, demonstrating a tone from the top that prioritizes ethical behavior and transparency. That tone matters. It influences how quickly issues are escalated, how freely employees speak up, and how credible regulators perceive your organization to be. Leadership must consistently communicate that compliance is not just a legal necessity but a core business priority. Words are important, but so is behavior: executives who support investigations, invest in controls, and respond to crises with accountability send a powerful message. That tone sets the cultural foundation for the entire compliance program.
  5. Partner with Enforcement, Don’t Oppose Them
     USRA’s interaction with NASA and the DOJ reflected a cooperative mindset. They partnered; they didn’t stonewall, delay, or obscure the facts. That approach is increasingly essential in today’s enforcement environment. Regulators are clear: they are looking for good-faith actors. A company that cooperates, provides relevant data promptly, and engages constructively in dialogue is far more likely to receive credit, whether in a declination, reduced penalties, or favorable settlement terms. Fighting regulators at every turn rarely results in positive outcomes. Instead, view enforcement as an opportunity to demonstrate integrity and operational maturity. Compliance should be a bridge, not a barricade.

Final Thoughts: Don’t Wait for the Crisis

USRA did not plan to become a compliance case study. However, they were ready when the time arrived. And preparation, coupled with integrity, made all the difference. This declination was not granted out of charity. It was earned. It resulted from a well-executed compliance framework, fast action, and an unrelenting drive to do the right thing. If your company faced a similar incident tomorrow, would you be ready to act like USRA? That’s the benchmark. And that’s the challenge for every compliance officer reading this.

So, take this as more than a good news story. Take it as your Monday morning prompt: check your controls, reassess your key risks, and remind your leadership that compliance isn’t about fear but readiness.