The Bosch Delineation: Part 3 - Bosch and the ECCP: When Compliance Expertise and Resources Fail

As most of my readers know, sometimes when I get going on a multipart blog series, I either get carried away or simply cannot stop. Maybe sometimes it is both. This week is beginning to appear to be one of those times. Today I recorded an episode of Compliance into the Weeds with my co-host Matt Kelly, and we discussed some very interesting points from the enforcement action, so I decided to keep going. (The episode will post Wednesday, June 24.)

Over the past couple of blog posts, I have reviewed the DOJ Declination through the lens of the National Security Division. Today I want to look at the BIS enforcement action and mine it for a different set of lessons learned.

The BIS enforcement is a useful case study for compliance professionals because it is not simply a story about a company with no compliance program. Rather, Bosch had export compliance processes, including U.S. export compliance processes. The failure was more subtle and more important: the compliance function did not have sufficient expertise and staffing to interpret a major regulatory change, translate that change into operational requirements, challenge incomplete business responses, and revisit advice when contrary facts emerged. BIS charged Bosch with 109 violations involving approximately $72.4 million in exports to Huawei without required authorization.

That is precisely the kind of failure the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) is designed to test. Under ECCP Section II, prosecutors ask whether the compliance program is “adequately resourced and empowered to function effectively.” Section II.B, “Autonomy and Resources,” directs prosecutors to examine whether compliance personnel have sufficient qualifications, seniority and stature; sufficient resources, including staff to audit, document and analyze; and sufficient autonomy from management, including access to the board or audit committee.

As laid out in the BIS enforcement action, Bosch failed in the Expertise requirement. The enforcement action stated:

Bosch’s U.S. export compliance team did not have sufficient expertise or resources at the time to adequately address the August 2020 changes to the EAR, namely, the FOP Rule that expanded the restrictions for Huawei. Bosch’s failure to have an effective U.S. export controls compliance program in place for BST and ETAS at this time contributed directly to the violations at issue in these charges.

Bosch also failed in the Resources requirement. Here the enforcement action stated:

During most of the relevant time period, Bosch’s export controls compliance team in the United States primarily consisted of two employees. These employees were responsible for advising Bosch’s central trade compliance function based in Germany and Bosch’s non-U.S. businesses regarding compliance with U.S. export controls regulations. Only one of these employees was tasked primarily with advising on compliance with U.S. export controls. The second employee provided part time assistance with U.S. export controls compliance while also focusing on compliance with U.S. customs and tariffs. The U.S. trade compliance team included other employees primarily focused on U.S. customs and tariffs, who could occasionally assist with minor discrete export controls questions.

  1. Did compliance personnel have the right experience and qualifications?

The ECCP asks whether compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities. That question sits at the center of the Bosch enforcement action.

During much of the relevant period, Bosch’s U.S. export controls compliance team primarily consisted of two employees. Only one was tasked primarily with advising on U.S. export controls; the second provided part-time export controls assistance while also focusing on customs and tariffs. Other U.S. trade compliance personnel were primarily customs and tariffs employees who could occasionally assist with minor export controls questions.

That staffing model proved inadequate for the risk. BIS found that Bosch’s U.S. export compliance team did not have sufficient expertise or resources to address the August 2020 changes to the EAR, and that the failure contributed directly to the violations. Communications between U.S. and German trade compliance personnel showed confusion about the Foreign Direct Product Rule (FDPR). That confusion produced erroneous guidance: a Germany-based trade compliance employee advised BST (a Bosch German entity) management that if products contained less than 25% U.S. content and the U.S. content was not classified under certain ECCNs, there was no impact and no license requirement. BIS explained that this advice improperly confused and conflated the De Minimis Rule with the FDPR.

For compliance professionals, the lesson is direct. Experience and qualifications cannot be evaluated generically. “Trade compliance experience” is not the same as deep expertise in a specific high-risk, fast-changing legal regime. A compliance team may be experienced enough for ordinary classification, screening and documentation work, but underqualified for a complex regulatory change affecting a major restricted customer, foreign production, production equipment, software, suppliers and end-user certifications.

The same issue appeared in Bosch’s German subsidiaries, collectively named ETAS in the enforcement action. Bosch trade compliance personnel reviewed automotive software sales to Huawei but incorrectly concluded that the FDPR applied only to physical goods, not software. BIS said Bosch personnel repeatedly advised ETAS that the restrictions did not apply to CycurHSM software.

The broader point is that qualifications must match the company’s risk profile. For a global technology company operating across complex supply chains, compliance expertise must be technical, current and operationally fluent.

  2. Did the level of experience and qualifications change over time?

The ECCP also asks whether the level of experience and qualifications in compliance and control roles changed over time. Bosch is a warning about static capability in a dynamic risk environment.

After the original August 2020 advice, Bosch received repeated warnings that should have triggered reassessment. Company Four warned BST that equipment used in its factories included U.S. export-controlled equipment and that products worked on by Company Four for Huawei could be prohibited under the EAR. BST did not analyze whether that warning conflicted with Bosch’s internal understanding.

A Bosch trade compliance professional in the United States also sent a September 4, 2020 request for information to Bosch businesses, including BST. The request sought detailed information about production lines, production equipment, and U.S.-origin software and technology used in production. BST did not answer the specific questions. The BST Executive responded that the products had already been “clarified” as not impacted and cited a “dire allocation situation.” BIS found that had BST answered the questions, Bosch’s U.S. trade compliance personnel likely would have identified that the sensors were within the FDPR’s product scope.

The failure was not merely the first wrong answer. It was the absence of a mechanism to upgrade expertise, revisit assumptions and escalate conflicting information. A mature compliance program treats major legal change as a trigger for surge resources, specialist review and documented reassessment. It also treats repeated inconsistent data points as evidence that the original advice may no longer be reliable.

  3. How did the company invest in training and development?

The ECCP asks how the company invests in further training and development of compliance and control personnel. Bosch shows that training cannot be limited to compliance staff alone.

Between 2021 and 2024, BST employees signed multiple compliance certifications for contract semiconductor manufacturers. Those certifications stated that items produced by the manufacturers were subject to the EAR and required BST to certify that it would not provide such items to an entity with a footnote 1 designation. The relevant employees later explained that they signed because they did not understand that Huawei was a covered entity.

That is a gatekeeper training failure. Procurement, logistics, production, contract management and customer-response personnel were all part of the control environment. They received supplier certifications, customer requests, internal guidance and external warnings. Yet the process did not ensure they understood what those documents meant or when they had to escalate.

The lesson is practical: high-risk certifications should not be treated as administrative paperwork. They are control documents. Employees who sign them need tailored, role-based training. They should understand restricted-party designations, escalation triggers, the consequences of inaccurate certifications, and the limits of relying on old guidance.

Compliance personnel also need continuing education. Where regulations are complex and fast-moving, development should include outside specialist support, second-level review for high-risk advice, lessons learned from enforcement actions, and technical briefings with engineering and supply-chain personnel. Obviously the regulations changed in 2020, but it appears Bosch trade compliance professionals received training on this change.

  4. Who reviewed the performance of the compliance function?

The ECCP’s final question asks who reviews the performance of the compliance function and what the review process is. Bosch illustrates why that review must go beyond activity metrics.

BIS found that Bosch’s internal controls were insufficient to ensure that compliance advice was broadly distributed, independently reviewed or reassessed to confirm that it was correct or updated for new facts. Bosch also implemented internal blocks on Huawei orders, but German trade compliance personnel repeatedly released those orders based on the erroneous August 2020 advice from the U.S. trade compliance team.

A meaningful review process would have asked different questions: Were high-risk legal interpretations independently validated? Were assumptions documented? Were unanswered business information requests escalated? Were supplier warnings reconciled against prior advice? Were order-block releases reviewed for quality, not just processed for speed? Were compliance personnel empowered to say, “No complete data, no release”?

Performance review of compliance should include legal quality, escalation discipline, documentation, red-flag closure, audit findings, and whether the function has sufficient staff to do the work expected of it. It should also include board or audit committee visibility when resource constraints affect the company’s ability to manage material compliance risks.

Lessons learned for compliance professionals

The Bosch order offers several broader lessons.

  1. Compliance resources must be risk-based. A global company cannot judge staffing by historical headcount or budget inertia. Staffing must be measured against regulatory complexity, geographic scope, business volume, customer risk and the operational burden of collecting facts.
  2. Specialist expertise matters. A general compliance function may identify issues, but complex regulatory regimes require personnel or advisors with deep subject-matter knowledge.
  3. Business pressure is a control risk. The “dire allocation situation” response mattered because it showed how operational urgency can displace compliance fact-gathering. A strong program requires mandatory responses to compliance information requests.
  4. Advice must have a lifecycle. High-risk compliance advice should identify assumptions, facts reviewed, legal basis, owner, date issued and reassessment triggers. It should not become permanent operating authority unless periodically reviewed.
  5. Gatekeepers must be trained as gatekeepers. Employees who sign certifications, release orders, onboard suppliers, or respond to customers are part of the compliance control system.

The Bosch case is a reminder that a compliance program can have policies, procedures and blocks and still fail. The ECCP asks whether compliance is adequately resourced and empowered. Bosch shows why that question matters. The issue is not whether compliance was present. The issue is whether compliance had the expertise, staff, authority and review mechanisms necessary to function effectively when the business needed it most.

CCO Resources, Authority and Expertise Lessons from Star Trek: The Galileo Seven

Last month, I wrote a blog post on the tone at the top, exemplified in Star Trek’s Original Series episode, Devil in the Dark. Based on the response, some passionate Star Trek fans are out there. I decided to write a series of blog posts exploring Star Trek: The Original Series episodes as guides to the Hallmarks of an Effective Compliance program set out in the FCPA Resources Guide, 2nd edition. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) outlined 10 characteristics of an effective compliance program in the FCPA Resources Guide, 2nd edition. Today, I’ll continue my two-week series by examining them.

Today, I am looking at the episode The Galileo Seven, which offers valuable lessons for Chief Compliance Officers (CCOs) regarding resources, authority, and expertise. Here’s why this episode stands out and the lessons it provides: In The Galileo Seven, Spock, McCoy, Scott, and four other crew members are on a shuttlecraft mission to study a quasar-like phenomenon when they crash-land on a hostile planet. As they struggle to repair Galileo and survive the planet’s dangers, Spock, as the highest-ranking officer, must lead the group despite internal conflict and limited resources. Meanwhile, Captain Kirk faces pressure to abandon the search for the crew to deliver vital medical supplies on time.

Lesson 1 – Resource Allocation

The crashed crew has limited resources, such as a dwindling fuel supply and basic equipment, to repair the shuttle and defend against hostile creatures. Spock’s logical approach emphasizes the importance of maximizing the use of available resources to ensure survival. The lesson for a CCO is that efficient resource allocation is crucial in compliance. CCOs must prioritize and allocate resources wisely to ensure compliance programs are effective, especially when operating under budget constraints. This involves assessing the most critical areas that require attention and allocating resources to mitigate the highest risks.

Many Star Trek aficionados have long believed the Galileo Seven’s mission was doomed from the start due to insufficient resources. The crew needed to be equipped for the harsh environment, with proper survival gear and communication systems. Prioritize resource allocation for critical functions. The CCO must ensure compliance resources are directed towards high-risk areas and essential functions. This includes adequate staffing, training, and technology. Finally, you must develop contingency plans for resource shortages. The crew lacked a backup plan when their primary systems failed. CCOs should anticipate potential resource constraints and develop contingency plans to mitigate risks.

Lesson 2 – Authority

As the ranking officer, Spock must assert his authority and lead the crew despite skepticism and resistance from others. His team’s emotional and survival-driven needs put his leadership style, based on logic and reason, to the test. The lesson for a CCO is that authority and leadership are vital for implementing and enforcing compliance policies effectively. CCOs must assert their authority to influence and guide the organization toward ethical practices. Balancing logical decision-making with emotional intelligence can help gain buy-in from employees and management.

Regarding authority, this episode highlights the need for clearly defined roles and responsibilities and a transparent chain of command. The crew’s lack of clear leadership contributed to their downfall. Your CCO should be able to make independent decisions and take necessary actions to ensure compliance. Finally, there must be accountability, as the crew’s failure to hold each other accountable for their actions led to a cascade of errors. CCOs should cultivate a culture where everyone understands their responsibilities and the consequences of non-compliance.

Lesson 3 – Expertise

The crew relies on Spock’s science and engineering expertise to solve technical problems, such as repairing the shuttle and navigating off the planet. Spock’s analytical approach enables them to overcome obstacles, even as unexpected challenges arise. The lesson for a CCO is that expertise in compliance with regulations and industry standards is essential. A strong foundation in compliance knowledge enables CCOs to identify risks, develop effective policies, and respond to challenges efficiently. Continuous learning and staying updated on regulatory changes enhance a CCO’s ability to solve complex compliance issues.

This episode emphasized the value of diverse expertise. The crew lacked the necessary knowledge in survival, navigation, and alien biology. CCOs should assemble a team with diverse expertise to address various compliance challenges. There must be an investment in ongoing training and development. The crew’s lack of training in survival techniques proved fatal. CCOs should prioritize continuing training and development so that their team stays current with evolving regulations and best practices. There are times when a CCO must go outside and seek external expertise. The crew could have benefited from consulting with experts in alien environments. CCOs should not hesitate to seek external expertise when facing complex compliance issues.

The Galileo Seven reminds CCOs that insufficient resources, unclear authority, and inadequate expertise can lead to disastrous consequences. By learning from the crew’s mistakes, CCOs can build robust compliance programs that mitigate risks and ensure long-term success. It also highlights key aspects of resource management, authority, expertise, decision-making, and communication that directly apply to the Chief Compliance Officer role. By drawing lessons from Spock’s leadership under challenging circumstances, CCOs can better navigate their complex responsibilities, ensuring their organizations uphold the highest standards of compliance and integrity.

Join us tomorrow as we consider the lessons on risk assessments from the Star Trek episode Balance of Terror.