Calder & Vance International Sanctions & Compliance Counsel

Sanctions Risk & Compliance · BIS / EAR

Sanctions compliance programmes under BIS / EAR: compared

A freight-forwarding group based in Europe learns that a subsidiary in Singapore has been shipping dual-use components to a distributor whose parent company appears on the BIS Entity List (a list of foreign parties subject to specific licence requirements under the Export Administration Regulations, commonly called the EAR). The subsidiary had a compliance programme – but it was designed around financial sanctions, not export controls. The Entity List hit was never configured into its screening logic. Now the group faces a potential EAR violation, a BIS inquiry, and uncomfortable questions about whether a voluntary self-disclosure (a proactive report to BIS of an apparent violation) will help.

Sanctions compliance programmes under BIS / EAR explained: a well-constructed export-control compliance programme under the EAR must address classification, screening against both the Commerce Control List and the BIS denied-party lists, end-use controls, and a licence-determination workflow – capabilities that a pure financial-sanctions programme typically lacks. As of July 2026, BIS sets out its expectations in published compliance guidance that mirrors a five-element structure: management commitment, risk assessment, policies and procedures, training, and programme testing. Firms that fail to meet those elements cannot expect remediation credit in a penalty proceeding.

This analysis compares the BIS / EAR compliance programme standard with OFAC's equivalent expectations, examines how the EU and UK regimes align or diverge, and identifies where cross-border businesses operating under multiple programmes face the sharpest structural gaps.

What governs BIS / EAR compliance programme requirements?

The BIS / EAR compliance programme standard is grounded in the Export Control Reform Act and given practical shape through the EAR itself, BIS enforcement guidance, and the five-element compliance framework that BIS publishes for exporters, re-exporters, and transferors. BIS does not mandate a single programme format, but its enforcement division – the Office of Export Enforcement – consistently uses those five elements when assessing whether a company exercised due diligence before an apparent violation occurred.

The five elements are: management commitment and resources; risk assessment; internal controls (written policies and procedures); training; and ongoing testing and auditing. Each element maps to a question an enforcement reviewer asks: did leadership treat this seriously, did the company identify where its export transactions carry risk, were the resulting controls documented and followed, did staff understand them, and did the company check that its programme actually worked?

The BIS regime is wider than many businesses expect. The EAR reaches not just US-origin goods but also items manufactured outside the United States where US-content or US-technology thresholds are met – the so-called de minimis rules and the Foreign Direct Product Rule (FDPR). A Singapore subsidiary shipping European-made components can be within BIS's reach if the controlled US technology used to produce those components crosses the relevant threshold. That extraterritorial reach is why a programme built solely around domestic export procedures will leave a cross-border group exposed.

The position above covers the standard case. Your facts – the goods, the end-user, the jurisdiction of manufacture, the US content – change the analysis significantly.

For an assessment of your exposure under BIS / EAR and to discuss your programme's coverage of the FDPR and de minimis rules, contact Calder & Vance at info@caldervance.com.

How does BIS compare with OFAC on programme structure?

OFAC and BIS apply comparable five-element frameworks, but the underlying controls look quite different in practice – and a programme designed for one will contain material gaps for the other. OFAC's compliance guidance focuses on the SDN List (OFAC's list of Specially Designated Nationals and blocked persons), ownership-and-control analysis under the 50 percent rule (OFAC's rule treating entities owned 50 percent or more in aggregate by blocked persons as themselves blocked), and transaction blocking and reporting workflows. BIS focuses on item classification, Export Control Classification Numbers (ECCNs), licence-exception applicability, and end-use verification.

The gaps matter. OFAC screening targets persons and entities. BIS screening targets persons, entities, and items. A company that runs strong SDN screening but has never classified its product catalogue against the Commerce Control List (CCL – the list of items subject to export controls under the EAR) may be compliant with OFAC expectations while carrying significant BIS risk. Conversely, a manufacturer that classifies items precisely but has no ownership-and-control methodology will fail OFAC's ownership test whenever a distributor's parent is a blocked person.

The dual-screening obligation is the structural lesson. We regularly advise multinationals whose programmes have a mature OFAC layer and a thin or absent EAR layer – or vice versa. The two programmes need to be designed as a combined system, not maintained as separate silos. That integration work is, in our experience, one of the most common gaps we find during a cross-regime compliance review.

Where do the timelines differ? OFAC imposes a reporting obligation when a firm blocks or rejects a transaction: it must report within a short, defined statutory window – currently 10 business days for a blocked-transaction report and a separate window for rejected transactions. BIS operates a different model: there is no equivalent mandatory real-time blocking report for most EAR transactions. Instead, the emphasis is on licence compliance, end-use monitoring, and the voluntary self-disclosure mechanism when a violation is discovered. That difference in pace – real-time blocking versus periodic end-use monitoring – means the two programmes need distinct alert and escalation workflows.

See the OFAC compliance programme design analysis for a detailed treatment of OFAC's framework, including blocking and rejection reporting timelines and the OFAC aggravating and mitigating factors matrix.

Where do EU and UK export-control programmes diverge from the EAR standard?

The EU dual-use regime and the UK's Export Control Order establish their own compliance expectations – and neither maps cleanly onto the BIS / EAR structure. The EU's relevant Council Regulation on dual-use goods creates a licensing and end-use framework administered by member-state authorities, with the EU General Court available for designation and licensing challenges. UK export controls are administered by ECJU and enforced under the Export Control Order; OFSI handles financial sanctions separately under the Sanctions and Anti-Money Laundering Act (SAMLA). None of these instruments mirrors the FDPR extraterritorial structure of the EAR, though the EU has adopted its own targeted extraterritorial tools in specific programmes.

Practically, a multinational running a single global export-compliance programme faces three classification hierarchies: the CCL / ECCN system (BIS), the EU dual-use list, and the UK dual-use list. These lists overlap substantially but do not align perfectly. An item that is EAR99 (not listed on the CCL, and therefore generally not subject to licence requirements absent an end-user or destination restriction) may still be controlled under EU or UK rules. Conversely, some items controlled under the EAR attract an ECCN that has no equivalent control entry in the EU list.

Where the regimes align most closely is in the five-element compliance structure. The EU's compliance guidance for dual-use exporters, and ECJU's published guidance, both reference elements consistent with the BIS framework – risk assessment, internal controls, training, and auditing. That structural overlap allows a multinational to build a common governance framework and then populate regime-specific controls beneath it. That is the architecture we recommend: a shared governance spine with jurisdiction-specific modules.

The UK financial-sanctions regime adds a further layer. OFSI's enforcement guidance applies its own culpability and mitigation analysis when assessing penalty cases; that analysis references the quality of the firm's compliance programme in ways that differ from BIS's enforcement calculus. Businesses operating in the UK therefore run parallel obligations under ECJU (export controls) and OFSI (financial sanctions), and must ensure their programme addresses both.

What does an EAR programme actually require in practice?

An effective EAR compliance programme requires, at minimum, five operational components that go beyond general policy statements: a product-classification register mapping each item or technology to its ECCN (or confirming EAR99 status); a licence-determination matrix that pairs ECCN with destination and end-user to identify applicable licence exceptions or licence requirements; a screening workflow covering the Entity List, the Denied Persons List, the Unverified List, and the Military End-User list; an end-use statement process for controlled items; and a red-flag recognition procedure that trains transaction staff to identify warning signs and escalate before a shipment moves.

Red-flag recognition deserves particular attention. BIS publishes guidance listing indicators that a transaction may involve a prohibited end-use or end-user: unusual payment terms, reluctance to provide end-use certificates, requests to omit item specifications from documentation, shipping routes inconsistent with the declared destination. A programme that lacks a documented red-flag procedure – a step-by-step escalation path when a flag is identified – cannot demonstrate that management committed to preventing violations before they occurred.

Record-keeping is another area where businesses consistently underperform. The EAR requires exporters to retain export-control records for a defined period. BIS enforcement guidance treats record gaps as an aggravating factor in penalty proceedings, both because gaps prevent BIS from verifying compliance and because they suggest the programme lacked the operational rigour to maintain documentation. The record-keeping obligation extends to electronic records, licence copies, end-use certificates, and screening records.

In a recent matter, a manufacturing business in the industrial-equipment sector retained us to review its EAR programme after an acquisition of a US entity brought it within the full scope of BIS jurisdiction for the first time. We worked through classification of the acquired entity's product lines, identified several items that had been treated as EAR99 without formal classification analysis, and restructured the combined programme to address the screening gaps that the acquisition had created. The matter did not involve an enforcement action; the early review preserved options that would have narrowed had the business waited for a BIS inquiry.

What are the principal risk flags in a cross-border EAR programme?

Several programme failures recur consistently across the businesses we advise on BIS / EAR compliance. The first is assuming that a general financial-sanctions screening pass covers export-control obligations. It does not. SDN screening and Entity List screening are distinct operations: the SDN List is an OFAC instrument; the Entity List is a BIS instrument. Many screening tools offer both, but they require separate configuration, and a tool set up only for financial-sanctions screening will not flag Entity List or Denied Persons List hits.

The second persistent gap is the absence of a technology and software control procedure. The EAR controls not just physical goods but also technology and software. Businesses that treat their export-compliance programme as a shipping procedure frequently overlook the deemed-export rule – the principle that releasing controlled technology to a foreign national within the United States is deemed an export to that person's country of nationality, requiring the same licence analysis as a physical shipment. R&D facilities and engineering teams that hire internationally are within this obligation whether or not they ship anything.

The third gap is the FDPR. As discussed above, non-US companies producing items outside the United States may be subject to the EAR where their production involved US technology or software above the relevant thresholds. Businesses that treat BIS jurisdiction as limited to US exports will miss this entirely. Have you reviewed whether your non-US manufacturing processes involve US-origin controlled technology?

The fourth gap is the treatment of licence exceptions. The EAR provides several licence exceptions that permit otherwise-controlled exports without a specific licence. Those exceptions carry conditions – end-user eligibility, item-value limits, destination restrictions. A programme that records "licence exception used" without documenting the analysis of whether the conditions were met is building compliance records that will not withstand BIS scrutiny. The documentation of the exception analysis is as important as the exception itself.

If a transaction has already been flagged, or a filing has been refused, an early review can preserve options that narrow with time. For a confidential review of a potential BIS / EAR breach, contact Calder & Vance at info@caldervance.com.

Does stricter prohibition govern when regimes conflict?

Yes – and this principle is one of the most practically important points for a cross-border programme. When a business is subject to both the EAR and another regime (EU dual-use rules, UK controls, or the financial-sanctions rules of OFAC, OFSI, or the EU Council), the stricter prohibition governs. A transaction that is permissible under the EAR but prohibited under the applicable EU regulation must not proceed. The hierarchy does not run the other way: EAR compliance does not cure a violation of another regime's rules.

The practical implication is that a cross-border compliance programme must route each transaction through every applicable regime before clearance. A sequential clearance model – check BIS first, stop if prohibited, otherwise proceed – is dangerous. The correct model is parallel clearance: all applicable regimes checked simultaneously, transaction cleared only when all checks pass.

The interaction between the EAR and OFAC is a common example. A transaction might be EAR-licensed – BIS has issued a specific licence – but the counterparty is an SDN. The OFAC prohibition is independent of the BIS licence; a BIS licence does not authorise an OFAC-prohibited transaction, and vice versa. Programmes that treat a BIS licence as a general clearance document are wrong on this point. Each authorisation runs to the specific regime that issued it.

This is also where the EU Blocking Regulation creates tension for EU-based businesses. The Blocking Regulation, in certain circumstances, restricts EU operators from complying with specific US extraterritorial measures. The interaction between BIS FDPR obligations and the Blocking Regulation requires careful jurisdiction-specific analysis; businesses facing this tension should seek advice from counsel who can address both regimes simultaneously.

When should a cross-border business involve sanctions compliance counsel?

A business should involve counsel before a problem arises – specifically, at the point of designing or redesigning a compliance programme that is subject to more than one regime. The cost of getting the architecture right at the design stage is substantially lower than the cost of remediation after an enforcement inquiry. That is a statement about resource allocation, not a guarantee of any outcome.

There are also defined trigger points where counsel involvement is urgent. If a screening hit on the Entity List or a Denied Persons List is identified after a shipment has already moved, the question of whether to make a voluntary self-disclosure must be addressed promptly. BIS's guidelines treat a timely, complete VSD as a significant mitigating factor; delay or incomplete disclosure can reverse that credit. The decision requires legal advice because the scope of the disclosure – how far back to look, which transactions to include – has consequences that are not always obvious.

A second trigger is M&A activity that brings a non-US company within the scope of BIS jurisdiction for the first time. The FDPR, the deemed-export rule, and the acquired entity's existing classification records all require review. In our experience, post-acquisition compliance reviews regularly surface classification errors in the target's records that create retroactive exposure for the acquirer if not addressed promptly.

A third trigger is programme testing that reveals gaps. Testing is the element most consistently underweighted in compliance programmes. A test that surfaces a gap is, paradoxically, a good outcome – it identifies the problem before an enforcement action does. But once a gap is documented internally, the business has an obligation to address it. A documented gap that goes unremediated will be treated as a serious aggravating factor in any subsequent enforcement proceeding.

A common myth in this space is that an EAR compliance programme designed for a US exporter transfers cleanly to the non-US subsidiaries of a US group. It does not. Non-US subsidiaries face the full weight of FDPR obligations, deemed-export analysis may not apply in the same way, and the interaction with local export-control rules creates an overlay that a US-centric programme does not address. A programme fit for the whole group requires design from a cross-border starting point, not a US template with foreign additions appended.

Related practices

Frequently asked questions

Where do the regimes diverge on sanctions compliance programmes?
BIS / EAR focuses on item classification, licence-exception analysis, end-use screening, and the FDPR's extraterritorial reach – none of which are features of a pure financial-sanctions programme. OFAC centres on person screening, the 50 percent ownership rule, and transaction blocking and reporting. The EU and UK regimes share structural similarities with BIS but maintain separate classification lists and do not replicate the FDPR. Each divergence creates a category of risk that a single-regime programme will miss entirely.
Which regime is stricter on sanctions compliance programmes?
Strictness depends on the transaction type and the goods involved. For technology and software exports, the EAR's FDPR and deemed-export rules impose obligations that have no direct equivalent under EU or UK controls. For financial-sanctions screening, OFAC's 50 percent ownership test is more mechanical than the control-based tests under OFSI and the EU Council regulations. In practice, the strictest obligation in any given transaction is the one that governs – and where regimes overlap, the stricter prohibition governs in every case.
What should a cross-border business do about sanctions compliance programmes?
A cross-border business should map every regime to which it is subject – including the EAR's FDPR reach for non-US entities – and design a compliance programme that addresses each. The recommended architecture is a common governance framework with regime-specific modules beneath it. Programme gaps identified through testing must be remediated promptly; documented gaps left unaddressed are treated as aggravating factors in enforcement proceedings. Involving sanctions compliance counsel at the design stage, rather than after a hit, substantially reduces remediation cost and risk.

Talk to Caldervance

For a scoped view of your exposure, contact info@caldervance.com.

Discuss your matter

This publication is general information and does not constitute legal advice. For advice on your situation, contact info@caldervance.com.