Lost at Sea: Lack of BIS Guidance on New Russia/Belarus FDP Rule Creates Compliance Chaos | Torres Trade Law, PLLC | #itsecurity | #infosec


On March 2, 2022, as part of a string of sanctions and export controls, the Russia/Belarus Foreign Direct Product (“FDP”) Rule and Russia/Belarus-Military End User (“MEU”) FDP Rule took effect.1 These rules, generally, restrict the sale to Russia and Belarus of foreign-produced items produced with certain controlled U.S.-origin software or technology.

While the political aim of the Russia/Belarus FDP rules was to punish Russia for its invasion of Ukraine and punish Belarus for enabling Russia to do so, the practical outcomes and effects of the new FDP rules are unclear. Without guidance from the Bureau of Industry and Security (“BIS”), legal and compliance practitioners – as well as their clients operating in the global marketplace – are left to form their own interpretations of these already complex rules at the expense of their and their client’s reputations and businesses.

Previous FDP Rules

Under General Prohibition Three, BIS requires a license for the export from abroad, reexport, or transfer (in-country) of foreign-“direct products” subject to the Export Administration Regulations (“EAR”).2 The new FDP rules join the ranks of the National Security FDP Rule, the 9×515 FDP Rule, the “600 series” FDP Rule, and the Entity List FDP Rule.3

The Entity List FDP Rule, passed in May 2020, restricts the export of foreign-produced items that are the direct product of U.S.-origin software or technology controlled under an Export Control Classification Number (“ECCN”) in Categories 3 (Electronics Design Development and Production), 4 (Computers), and 5 (Telecommunications and Information Security) of the Commerce Control List (“CCL”) when there is knowledge that the foreign-produced item will be incorporated into any equipment by a “footnote 1” entity or that a “footnote 1” entity is a party to the transaction.4 This restriction includes items produced by plants outside the United States that are a direct product of Category 3 through 5 U.S.-origin software or technology.

The Entity List FDP Rule extends the jurisdiction of U.S. export controls to foreign-produced products that would normally not be subject to the EAR, requiring a license for their export from abroad, reexport, or transfer (in-country). Footnote 1 entities include certain non-U.S. affiliates of Chinese telecommunications giant Huawei, such as HiSilicon, the largest domestic designer of integrated circuits in China. The goal of the Entity List FDP Rule was to restrict Huawei’s supply chains and limit their ability to procure semiconductors and related components made from U.S.-origin software or technology that the company could incorporate into their products and telecommunications infrastructures across the globe. Under the Entity List FDP Rule, U.S. and non-U.S. companies could be liable for exporting or transferring equipment produced with controlled technology to Huawei or its listed affiliates, potentially facing civil penalties or denial of export privileges.

The Entity List FDP Rule came suddenly and took effect immediately to “prevent Huawei’s attempts to circumvent U.S. export controls to obtain electronic components developed or produced using U.S. technology.”5 As a result, there was no chance for public comment on the rule. Often, when a U.S. agency is contemplating issuing a regulation, it will issue an Advanced Notice of Proposed Rulemaking, a “formal invitation to participate in shaping the proposed rule [that] starts the notice-and-comment process,” or a Notice of Proposed Rulemaking, an “official document that announces and explains the agency’s plan to address a problem or accomplish a goal.”6 These commentary periods create a collaborative process between regulators and stakeholders, allowing for more certainty and stability in the wake of the implementation of the regulation.

However, given the national security stakes, there was no such prior notice in advance of the Final Rule that implemented the Entity List FDP Rule, meaning no opportunity for public commentary (advanced notice would give the targeted entities an opportunity to stockpile parts and components produced with U.S.-origin software or technology, defeating the purpose of the rule).

The comments in response to the Final Rule are illustrative of the public’s frustration with the means by which the Entity List FDP Rule was implemented as well as with the content of the Rule. SEMI, a semiconductor trade organization, responded that “this rule and others recently issued by BIS without the opportunity for industry comments have the potential to impact a large portion of this complex and fiercely competitive global industry without an opportunity for industry to engage policymakers on key details and potential ramifications.”7 The Semiconductor Industry of America (“SIA”) argued that the Entity List FDP Rule creates an almost impossible compliance burden for those not involved in the development or production of affected items. It stated in its comment that “it is extraordinarily difficult, if not impossible, to determine the origin status of the software or hardware that was used to produce the item they are exporting, particularly due to the typical multi-step supply chains.”8

These comments demonstrate that major U.S. industry organizations felt the practical ramifications of the change in the law, and found it difficult to comply with the law in the absence of BIS guidance. It should be noted that BIS did issue guidance, in the form of FAQs, over a year later.9 However, these FAQs did not address how to guarantee that a company’s supply chain is fully compliant – such as ensuring your foreign suppliers are not designing or manufacturing products using controlled U.S.-origin technology. For companies in the global semiconductor industry, the FAQs may have been too little, too late.

As of the publishing of this article, there have not been any enforcement actions made public by BIS regarding violations of the Entity List FDP Rule. Perhaps this is simply because investigations and legal proceedings take time, but without precedent of enforcement, it is virtually impossible to tell how BIS will enforce the Entity List (or any other) FDP Rule.

The Russia/Belarus FDP Rules

Fast forward to February 24, 2022, when BIS again implemented a Final Rule without an Advanced Notice of Proposed Rulemaking in response to global security issues. This time it implemented two FDP rules in response to the Russian invasion of Ukraine. The Final Rule was amended in early March to also subject Belarus to the rule for its assistance to Russia in the invasion.

The first new rule, the Russia/Belarus FDP Rule, targets Russia and Belarus as destinations. It restricts the export from abroad, reexport, and transfer (in-country) of foreign-produced items that are not EAR99 (a broad classification for most items, generally not requiring a license) and are a direct product of U.S.-origin technology or software (or a plant that is itself the direct product of U.S.-origin technology) subject to the EAR and classified in Categories 3 through 9 of the CCL, when there is knowledge that the item is destined to Russia or Belarus or will be incorporated into any non-EAR99 item produced in or destined to Russia or Belarus.10

The Russia/Belarus-MEU FDP Rule restricts the export from abroad, reexport, and transfer (in-country) of foreign-produced items that are the direct product of U.S.-origin technology or software (or a product of a plant or major component of a plant outside the United States that itself is a direct product of U.S.-origin technology or software) subject to the EAR and specified in any ECCN (meaning not EAR99), when there is knowledge that the foreign-produced item will be incorporated into any equipment by a “footnote 3” entity or that a “footnote 3” entity is a party to the transaction.11

These rules function similarly to the Entity List FDP Rule, but are generally broader in their product scope (they cover direct products of Categories 3 through 9 software or technology for the Russia/Belarus FDP Rule, and any non-EAR99 software or technology for the Russia/Belarus MEU FDP Rule). What’s more, the Russia/Belarus MEU FDP fairly closely tracks the language of the Entity List FDP Rule and applies it to footnote 3 entities (which are Russian and Belarussian military entities) instead of footnote 1 entities.

Ramifications of the Russia/Belarus FDP rules

As a show of its intent with the new FDP Rules, Commerce has stated that it will go after any Chinese companies that send semiconductors produced with U.S. software or technology to Russia.12 Because of the gravity of the new FDP Rules and the political circumstances that resulted in their implementation, companies would be wise to comply to protect their businesses and their reputations.

However, given the similarity in both the passage and operation of the Entity List and Russia/Belarus FDP rules, it is unsurprising that the public is left to fend for itself when it comes to compliance with the new FDP rules. But how is a company to comply with the Russia/Belarus FDP rules in the absence of clear guidance from BIS?

One option – the conservative option – has been taken by many large, multinational companies (either because of potential Russia/Belarus FDP Rule implications or as a form of corporate censure of Russia and solidarity with Ukraine): to suspend all sales to Russia. If you are a non-U.S. company and are not certain that your foreign-produced items are not the product of U.S.-controlled software or technology, it is safer simply to not sell them to Russia or Belarus.

One such company taking this route is Taiwan Semiconductor Manufacturing Company (“TSMC”), the global computer chip producer which manufactures, among other things, the Elbrus chip incorporated in computer systems used by Russia’s military and security services.13 As a result of Taiwan joining the international sanctions movement, and also, it is likely, because of the Russia/Belarus FDP Rule, TSMC suspended all sales to Russia and third parties known to supply products to Russia. TSMC stated it is “fully committed to complying with the new export control rules announced.”14 It comes as no shock that TSMC has decided to cut off Russia from its products, some of which are produced with U.S.-origin chipmaking equipment,15 after the company was caught in the crossfire of the Entity List FDP Rule, which imposed strict licensing requirements with a policy of denial, for the sale of TSMC chips to Huawei.

Of course, this extreme option cuts off what could be a major revenue source for some companies. But when weighed against the risk of exposure to enforcement under U.S. sanctions and export controls – including civil or criminal penalties, denial of export privileges, freezing of assets, or placement on a restricted parties list – this loss of revenue may simply be a cost that companies have to eat if they wish to remain compliant as long as the sanctions remain in place.

Another option is to conduct as thorough of an audit as possible of the supply chains of both a company and its business partners to determine whether its items are produced with U.S.-origin software or technology. It may be relatively easy for some non-U.S. businesses that are vertically integrated or have insight into their supply chains to determine this. For example, for a factory in Germany producing computer widgets to be sold to Russia, the question is whether their manufacturing machines were designed with controlled U.S.-origin technology or software, or were they wholly German? If wholly German, then, barring other U.S.-jurisdictional hooks, their products would not be subject to the EAR by means of the Russia/Belarus FDP Rule.

For companies whose supply chains are inextricably global, as argued by SEMI and SIA, or involve input on the origin of certain production-related software or technology from less transparent countries, it may be more difficult to determine whether their products are subject to the EAR under the Russia/Belarus FDP rules. In that case, it may be necessary to secure statements or letters from suppliers certifying that there are no U.S.-origin software or technology inputs in the parts or components. This is not a perfect solution, and may require taking suppliers’ words at face value. However, in the absence of any other insight into business partners’ supply chains, it is one possible piece of evidence documenting due diligence in compliance with applicable laws and regulations. In enforcement actions, BIS would likely consider such due diligence as a mitigating factor that could affect Administrative Sanctions and enforcement actions.16

Because there have not been any enforcement actions or settlements made public regarding either the Entity List FDP Rule or Russia/Belarus FDP Rules, it is difficult to say how much consideration will be given to supply chain due diligence as a factor affecting a settlement. However, having a robust compliance program in place is always a good recommendation when it comes to dealing with BIS export regulations.

Conclusion

Uncertainty abounds with respect to the new Russia/Belarus FDP rules. The consequences for violating the new rules – as they are for violating existing export control regulations – could be dire and costly. As such, non-U.S. companies that deal in items that may be subject to the EAR under the new FDP Rules should:

  • Examine all transactions in Russia and Belarus to determine if any items exported to those countries were produced with U.S.-controlled software or technology;

  • Audit supply chains to the extent possible to identify any U.S.-origin inputs in the production of items;

  • Obtain confirmation from their suppliers regarding the origin of parts and components, and document such confirmation; and

  • If necessary, suspend all sales to Russia and Belarus, at least until BIS provides further guidance.

 



Original Source link

Leave a Reply

Your email address will not be published.

33 + = thirty seven