On June 12, 2024, ahead of the 2024 G7 Summit, the Biden administration introduced new export controls and sanctions on Russia and Belarus in an effort to limit Russia’s ability to continue its war efforts against Ukraine. The Department of Commerce’s Bureau of Industry and Security (BIS), the Department of Treasury’s Office of Foreign Assets Control (OFAC), and the U.S. Department of State issued coordinated measures that expand export controls and sanctions against Russia and Belarus. Most notably, BIS published a new final rule and OFAC published a new Determination pursuant to Executive Order (E.O.) 14071. Together these rules imposed new licensing requirements for certain software classified under EAR99, restricted the provision of IT support services and cloud-based services related to newly controlled software, expanded the existing list of EAR99 items that require licensing, narrowed the scope of License Exception Consumer Communications Devices (CCD), and restricted the provision of IT consultancy and design services. In addition, BIS amended its Entity List to include restricted addresses, independent of an entity name, which will require companies to ensure that their screening process catches address matches. Some of these changes are effective immediately, while others come into effect 90 days after publication.
These new controls will require companies to take the immediate step of assessing their screening processes to ensure that all addresses are screened against the Entity List for potential matches and ensuring that processes are instituted for evaluating red flags for address matches of listed Entities as well as address-only listings. In addition, companies will want to begin to review their EAR99 software as well as the services they provide to Russian customers before the new licensing requirements are triggered on September 12, 2024.
BIS
New licensing requirement for certain EAR99-designated “software” destined to or within Russia or Belarus: BIS added a license requirement for the export, reexport, or transfer (in-country) to Russia or Belarus of certain EAR99 software that will go into effect on September 12, 2024. A new paragraph added at §746.8(a)(8) of the Export Administration Regulations (EAR) specifies that a license is required for the following EAR99-designated software and updates for such software:
These new controls mirror restrictions implemented by the European Union earlier this year. One exception to the licensing requirement applies to exports to wholly owned subsidiaries of U.S. or U.S. allied country headquartered companies, similar to the carveout that is currently in effect for mass market encryption items. Another exception eliminates the license requirement for the EAR99 software that is “destined to entities engaged exclusively in the agricultural or medical industries.”
BIS Expanded List of Items Subject to Licensing Requirements for Russia and Belarus: BIS added additional EAR99 items, to the supplements found in the EAR that require a license for export, reexport, or transfer (in-country) to or within Russia or Belarus. These items primarily include various mineral products, metal products, equipment, arms and ammunition, certain machine parts, and riot control agents. BIS also clarified that fasteners are included within the scope of these controls. A full list of the codes added can be found here.
BIS Narrows Scope of License Exception CCD: The final rule also narrows the scope of commodities and software that are authorized for export, reexport, or transfer (in-country) to or within Russia or Belarus under License Exception CCD. The regulations restrict the use of CCD to only eight of the 18 enumerated sets of items that previously authorized exports to Cuba, Russia, and Belarus. Now, §740.19 of the EAR distinguishes between items that are eligible for export to Cuba and those eligible for export to Cuba, Russia, and Belarus.
Consolidation of Russia and Belarus sanctions into a single section: BIS has consolidated the Russia and Belarus sanctions of the EAR into one section, now §746.8, and reserved §746.5 and §746.10. This change was primarily nonsubstantive.
BIS Adds Addresses to the Entity List Requiring Additional Screening: In an attempt to stay ahead of bad actors changing entity names and using shell companies to evade the Entity List restrictions, BIS has included eight independent entries on the Entity List designated as “Addresses with High Diversion Risk.” The export, reexport, or transfer of items subject to the EAR to any entity located at the designated addresses will be subject to a license requirement regardless of the entity name associated with the transaction. Prior to this change, Entity List restrictions were tied to the identification of particular entities, as the name of the list would suggest. These licensing requirements take effect immediately.
Going forward, it will be important to screen both the name and address for every party involved in a transaction. As noted above, for address hits on the new “Addresses with High Diversion Risk” entries, license requirements will immediately attach to the export, regardless of the name of the entity associated with the transaction. For address hits that match addresses that are listed for entities on the Entity List, companies should conduct due diligence to verify that the transaction does not involve the listed entity or an agent of the listed entity prior to clearing the transaction. Clearing such a “red flag” might occur when a listed Entity is co-located with a non-related business that does not have any connection with the transaction at issue.
In addition, the rule added five entities (three Chinese, one Hong Kong, one Russian) to the Entity List, which now imposes a license requirement for these entities to export, reexport, or transfer items subject to the EAR.
OFAC
IT and Software-Related Services Prohibition: OFAC published a new Determination under E.O. 14071, which takes effect on September 12, 2024. The new Determination prohibits the export, reexport, sale, or supply, directly or indirectly, from the United States or by a U.S. person to any person in Russia of:
OFAC defines “cloud-based services” to include the delivery of software as a service (SaaS) that provides the functionality of the newly designated EAR99 software. Accordingly, SaaS providers should carefully review the categories of additional EAR99 software to assess whether they are providing the newly added EAR99 software (as a service) to its customers.
These new restrictions do not affect: 1) entities owned or controlled by U.S. persons; 2) transactions in connection with the wind down or divestiture of an entity that is not owned or controlled, directly or indirectly, by a Russian person; or 3) any service for software (whether or not subject to the EAR) that would be eligible for a license exception or otherwise authorized for export or reexport to Russia by BIS. General Licenses are in place that cover certain agricultural and medical activities (General License 6D) and certain telecommunications-related transactions and internet-based communications (General License 25D).
Secondary Sanctions and New SDN Designations: Over 300 individuals and entities, both in Russia and outside of its borders, have been added to the SDN List pursuant to E.O 14024. Additionally, changes to OFAC sanctions allow OFAC to sanction foreign financial institutions that, among other things, have conducted or facilitated any significant transaction or transactions, or provided any service, involving Russia’s military-industrial base. OFAC also has broadened the definition of Russia’s military-industrial base to include anyone blocked pursuant to E.O. 14024. Additional guidance provided in FAQ 1181, clarifies that Russia’s military-industrial base include individuals and entities that support the sale, supply, or transfer, directly or indirectly, of critical items (which includes certain manufacturing materials for semiconductors and related electronics) identified by OFAC’s Russia Critical Items Determination pursuant to E.O. 14024, Section 11(a)(ii). That said, OFAC also clarified in FAQ 1182 that foreign financial institutions may continue to rely on OFAC’s general licenses, and thus, activities that would be permitted by a U.S. entity also would not result in secondary sanctions.
Key Takeaways
We recommend that companies refresh their screening process to: 1) ensure that the newly listed entities under the Entity List and SDN List are reflected; and 2) address the new address field screening that will be needed to catch “address-only” entries on the Entity List. In addition, we recommend a close look at software (including SaaS) and other services to determine if any of the newly restricted categories capture company offerings. If you have any questions or require additional information on these new rules, please reach out to Josephine Aiello LeBeau, Anne Seymour, Jahna Hartwig, Navpreet Moonga, or another member of Wilson Sonsini’s national security practice.