BIS ‘Asking More’ of Banking Export Compliance Teams, Senior Official Says

Matthew Axelrod, the BIS assistant secretary for export enforcement, stressed that there is no legal requirement for companies to follow informal BIS guidance documents. “But, man,” he said, “you're leaving yourself open if you just sort of ignore all of this.”

BIS issued new guidance in October that outlined the agency’s due diligence expectations for banks and other financial institutions, including how they should screen customers, verify customer compliance with export laws, and create other “risk-based procedures” to catch and investigate red flags before following through with a transaction or onboarding a new customer (see 2410090027).

Axelrod, speaking during an event last week hosted by risk intelligence firm Kharon, was asked whether BIS views it as “mandatory” that banks implement the best practices described in the guidance. Although lawyers have said DOJ and other agencies are increasingly expecting companies to monitor government guidance (see 2410040014), Axelrod noted that it’s not a requirement.

“What's mandatory is compliance with our regulations,” he said.

Axelrod said banks may have compliance procedures they believe are “more effective” than the recommendations described in the BIS guidance. In those cases, “they should document what they're doing and why they think what they've crafted is more effective and better,” he said. The recommendations in the guidance aren’t “the only way to avoid violating our rules, but [they are] some concrete, best-practice tips that we thought we could give banks on a broad scale.”

The guidance was partially an effort by BIS to spread awareness of the Export Administration Regulations’ General Prohibition 10, which restricts companies from financing or servicing any item subject to the EAR if they have knowledge an EAR violation has occurred, is about to occur or is intended to occur. If, for example, a bank’s customer commits an export violation and there were “red flags all over the place that you didn't do anything about or pay attention to, then you have potential liability under our rules,” Axelrod said. “We want people to be aware that that legal liability exists.”

One portion of the guidance recommends that banks, during the onboarding process for certain new customers, should screen those customers’ customers against lists of parties believed to have shipped controlled items to Russia (see 2407100027 and 2406060041). Axelrod stressed that BIS doesn’t think banks need to carry out that level of screening on a “real-time” basis, and it’s recommending banks do that only for customers exporting sensitive items on the BIS Common High Priority List.

“I know that's unusual for financial institutions, and I get why it caught attention,” he said.

“If your customer is selling Common High Priority List items abroad, that's when it's appropriate to see whether their customers are known diverters of these items to Russia.”

Dane Shelly, who leads Kharon's work in Asia and previously held compliance roles with Citibank and other financial firms, said banks can follow this recommendation by asking new customers whether they export those common high priority items. If they do, the bank can request a list of their top customers and “counterparties” before screening that list for risky suppliers.

Shelly added that some of Kharon’s clients also screen transactions after they have been processed, because sometimes banks can glean more information post-transaction than before onboarding a customer.

“A customer might not necessarily know who their customers will be at the time when they're opening the account, and their customer base will shift over time,” Shelly said. “And so we've had [clients] that have done that post-transactional review and been very successful in finding activity that's concerning.”

Axelrod said BIS decided to publish this guidance after hearing from banks that were unsure about the level of due diligence they needed to undertake. He said he spoke at a recent American Bankers Association conference, as well as other financial industry events, and heard from banks that “export controls are different and more complicated to deal with at scale and at high volumes” than sanctions programs administered by the Office of Foreign Assets Control.

OFAC sanctions are mostly “binary,” Axelrod said -- they prohibit most transactions with a sanctioned party. “But the Commerce rules don't work that way,” he said, noting the various licensing requirements BIS has in place depending on the item, the end-user, the end-use and other factors.

“We're asking more of banks,” Axelrod said. The guidance is “an attempt to provide some concrete recommendations of best practices and to put some specifics around where we want you to do more to make sure that you're not participating or facilitating violations of our rules.”

Part of that effort has included asking banks to file suspicious activity reports (SARs) with the Treasury Department’s Financial Crimes Enforcement Network about transactions that banks suspect are connected to an export control violation (see 2311060055, 2212160027, 2207130014 and 2309110049). Axlerod said BIS has been able to "action" about 13% of the total reports it has reviewed so far, meaning that those reports have contributed to new leads for new or existing export investigations, Entity List packages and other enforcement efforts (see 2409270040).

Axelrod said banks can help BIS more efficiently review those suspicious activity reports by:

• including a summary at the beginning of the report with the names of the person and/or the company of concern.
• including details about the transaction in an attachment to the report and “not in the narrative section,” Axelrod said, which can interfere with the report’s formatting and make it “much harder for our analysts to use them."
• making sure there’s an “obvious” U.S. nexus to the transaction. Axelrod said BIS hasn’t been able to use many reports that deal with a “purely foreign” transaction.
• making sure the transaction involves “recent activity,” he said. “Anything beyond five years we're generally not able to do anything with. So the more recent, the better.”
• making sure the report “points us to the actual source of the derogatory information,” he said, instead of, for example, a link to a home page of a company’s website that doesn’t show any obviously concerning information.
• highlighting the foreign parties’ links to the country or other foreign party of concern. Axelrod said reports should show “why the foreign party is one that caused the bank to file” the suspicious activity report.

“When the SARs have had one or more of those six characteristics,” he said, “it's been way more likely that we've been able to action them on our end.”