Pace of Compliance Demands Accelerated With Russian Invasion, Experts Say
The Russian invasion of Ukraine changed export compliance dramatically, said Howard Mendelsohn, chief client officer for Kharon, "where the onus is on industry like it’s never been before to sort of find a way to be proactive." Mendelsohn, whose firm provides risk intelligence to businesses, spoke at an OCR Services trade compliance conference Oct. 17 in Bethesda, Maryland, outside Washington, D.C. He said exporters have to be proactive on blocking reports and applying for licenses, and importers have to find another supplier.
Josh Frazer, trade compliance director for DigiKey, an electronics components distributor, agreed that the full-scale invasion of Ukraine changed everything. He said Russia already had been trying to get around sanctions imposed after it invaded Crimea in 2014, but the scale of compliance changed after the new rounds of sanctions. He said the 45 Harmonized Tariff Schedule codes that the U.S. government listed as products that should be scrutinized so they don't go to Russia's war effort (see 2309260052) might account for about 9% of Digikey's million product line items.
"All of a sudden, our compliance teams had to deal with that," he said, and the number of sales that needed to be reviewed increased by an order of magnitude.
Frazer said it's not the case that sanctions compliance was given lip service before the war, "but [government regulators] are following up on an unprecedented scale. It feels like in the last three years that the government is actually trying to figure out how to make these [controls] meaningful."
Moderator Abhishek Kishore, managing director at OCR Services, asked the panelists how they are handling the pace of changes.
Frazer said the hectic pace is not yet stabilizing. "Risk analysis used to be an every six months or an every year kind of thing," he said. "That doesn’t work anymore. It has to be a living breathing risk assessment that’s changing every day sometimes."
Patrick Matsumara, trade compliance vice president for Hexcel, said his customers also expect responses faster. "Before, you'd see something coming out in the Federal Register and it would be implemented in a couple of weeks. [Now] it’s effective the day it was published." Hexcel makes carbon fiber composites used by commercial aircraft manufacturers.
The panelists agreed it's necessary to read news about what might be coming in export controls or sanctions to be prepared.
They also said that they treat U.S. entity lists as relevant even if a European office is making the sale. Matsumara said, "Even if the transaction is legal under French law, is this something we want to proceed with?"
Frazer said all denied party evaluations are done in the U.S. "We’re screening all transactions no matter where they’re originating or they’re going to," he said. "We evaluate as if they’re under U.S. law even if they’re not technically."
He said it's not only because DigiKey is concerned the U.S. government might try to find a nexus to U.S. operations but also to protect the brand. "If DigiKey Germany ends up in the news … for the fact that they serviced a customer that is on a U.S. list, then that's a huge risk to the whole structure."
Mendelsohn noted that once names are put on an entity list, "the parties are not going to transact in those names," so you need to work to identify obfuscation.
Frazer said it's expensive to do so. He gave the example of end-use restrictions -- there is no way for U.S. officials to enforce those restrictions with visits to China, so they are more suspicious of sales to China of products that could have a military use. "We have to have tons of analysts who are just looking at data," he said, including several compliance professionals in Hong Kong who have "a little more access to analyze extremely high-risk customers."
A member of the audience asked the panel how exporters can determine who the end customer is, since often, the firms don't have websites.
Mendelsohn agreed the opacity of China is a challenge. His company believes it has a pretty good idea of China's defense industrial base at this point, but it wasn't as simple as a Google search. "It’s an enormous, enormous investment in people that speak the language, software and data engineers," he said, and in combining various sets of data, such as procurement data, tender data, trade data and corporate data. "It is an enormous challenge to do it at scale," he said.
Both Frazer and Matsumara said classification is where compliance begins. Matsumara said his company has to ask if there's an Export Control Classification Number (ECCN) associated with a product, or if there's a question about military end use.
Frazer said classification "is as foundational as knowing what country your customer is in." He said if the classification is wrong, all the decision-making will be off. Sometimes vendors tell DigiKey what ECCN they think applies, but DigiKey always does its own analysis, since it is liable as the exporter, he said. Its own classification engineers either verify what the vendor said or decide what category it should be.
Sometimes a vendor will say an item doesn't require an export license, and DigiKey thinks it does. When there are discrepancies, they have a conversation, Frazer said. "Generally we’re able to arrive at consensus," he said. If they don't agree, sometimes DigiKey won't carry the product, or may tell the vendor it will label it with a more restrictive classification, and if the vendor is not comfortable with that, the company won't sell it, Frazer said.
Kishore asked the panelists for the most important advice they would give to other compliance professionals.
"Documentation is key," Frazer said. If the government has heard that a company in Armenia might be transshipping to Russia, or that a certain Chinese company is a problematic customer, and comes to you asking questions, you need to have records of your sales related to those firms.
"If you don’t have it for whatever reason, all of a sudden, you look like you're part of the chain, it wasn’t a mistake," he said. "That’s a much more enticing thing because you're sitting in the U.S., where they can get you."
He said firms also need compliance professionals who don't just know the regulations but are also watching geopolitical developments and can analyze data. "It’s hard to find people like that, or grow people like that," he said, but if you don't, you're going to fall behind, he said.
Matsumara said establishing the right culture is critical. "If we’re doing our jobs right, we’re going to find [export compliance] problems," he said. "There’s going to be errors." So people across the company need to know that if they realize there was a mistake, they should report it, because "we can fix it."
"It’s when they try to bury it, hide it, delete email chains" that the troubles get worse, he said.