In their first call following President Trump’s inauguration, Presidents Trump and Putin reportedly spoke on Saturday, January 28, about the prospects for improving the U.S.-Russia relationship. Prior to the call, amid rumors that sanctions against Russia would be eased and statements by some congressional leaders that they would work to pass legislation to codify sanctions to prevent the president from terminating sanctions against Russia, Trump stated that it is “very early” to start discussions about lifting sanctions. Nonetheless, this call may be considered the first step in the possible rolling back of sanctions against Russia by Trump despite recently-introduced congressional legislation to prevent such action.

The most recent sanctions against Russia, which were announced at the end of December by President Obama pursuant to Executive Order 13757, listed, among others, the Federal Security Service (“FSB”) as a Specially Designated National (“SDN”), effectively banning any U.S. person from interaction with the FSB. The inclusion of the FSB on the SDN list has created obstacles for U.S. persons doing business in Russia.

Meanwhile, a new bill entitled “Countering Russian Hostilities Act of 2017” (S.94) has been introduced in the U.S. Senate which would codify existing sanctions relating to Ukraine and cyber-security and would significantly expand sanctions to target certain activities by any person, including non-U.S. persons, in Russia’s energy sector, privatizations and other areas.

New Cyber-Security Sanctions Targeting Russian Actors

The U.S. Government announced new sanctions against Russian individuals and entities on December 29, 2016, for their role in interfering in the presidential election. The new U.S. sanctions do not impose any broad territorial, governmental or sectoral restrictions regarding Russia – instead, they only limit transactions with specified individuals and entities determined to have been involved in Russian cyber-attacks against U.S. political institutions.

U.S. intelligence agencies have concluded that the Russian government interfered in November’s U.S. presidential election by organizing cyber-attacks against the Democratic National Committee and other political groups and selectively disclosing hacked information to influence the election’s outcome. In response, President Obama amended and reissued an executive order previously issued in April 2015 that authorized sanctions against persons involved in malicious “cyber-enabled activities” that harm or threaten the national security, foreign policy or economic health or financial stability of the United States. The amended order now also authorizes sanctions against persons determined to be responsible for tampering, altering or causing the misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.

Under this amended authority, five entities (Autonomous Noncommercial Organization of Professional Association of Designers of Data Processing Systems, Federal Security Service, Main Intelligence Directorate, Special Technology Center and Zorsecurity) and six individuals (Vladimir Alexseyev, Aleksey Belan, Evgeniy Bogachev, Sergey Gizunov, Igor Korobov and Igor Kostyukov) were added to the U.S. List of Specially Designated Nationals (“SDN List”). As a result, U.S. persons are prohibited from engaging in practically all transactions with such persons and are required to block any property or interests in property of such persons. The United States also expelled numerous Russian diplomats citing Russia’s interference in the election. Russia did not respond through counter-sanctions, choosing to wait out the remaining days of President Obama’s administration rather than retaliate.

Impact of Recent Cyber Sanctions on U.S. Business with Russia

Sanctioning of FSB Creates Impediment, Particularly in the Financial and IT Sectors

The sanctioning of the FSB poses – perhaps inadvertently – certain legal issues for U.S. companies operating in Russia. In particular, the FSB’s inclusion on the SDN List could hinder U.S. companies from complying with Russian regulations on the import of encryption technology, as they are unable to deal with the FSB to obtain prior approvals or licenses required to import and engage in other activities involving data encryption products and technology.

Since the U.S. sanctions in this case only cover U.S. “persons” (i.e., entities organized under the laws of the United States or any U.S. jurisdiction, foreign branches of such entities, U.S. citizens/legal permanent residents and any person physically located in the United States), independent activities of U.S. companies’ Russian subsidiaries would generally not be covered. However, the U.S. parent company and any other U.S. persons involved in the operations of the Russian subsidiary (including any directors or officers of the subsidiary who are U.S. citizens or permanent residents) are subject to these restrictions and cannot engage in, approve or otherwise facilitate prohibited transactions involving the FSB. Moreover, many U.S. companies take a conservative approach in applying sanctions compliance obligations on their wholly-owned subsidiaries and require such entities to act as if they are “U.S. persons” covered by U.S. sanctions laws.

The sanctioning of FSB will particularly impact operations in the U.S. financial services sector, such as those of banks, credit-card companies, brokerages, accounting firms and insurance companies, which utilize data encryption extensively for security. These U.S. financial services companies and their foreign branches – especially banks – generally would import encryption software. For example, without an FSB notification, a U.S. bank branch operating in Russia would be impeded from importing data storage devices or other hardware with software encryption functionality (e.g., the bank’s encryption keys).

U.S. information technology companies and their foreign branches are similarly affected by the sanctioning of FSB. Such IT companies that develop controlled technology outside of Russia may not be able to obtain the necessary notifications or permits to import it into Russia. Companies in other sectors may also be affected given the definition of encryption products under Russian law and the broad authority of the FSB.

The FSB’s Regulatory Role

Under Russian law, any person wishing to (1) import data encryption products into Russia or (2) engage in domestic activities concerning controlled encryption technology (e.g., providing encrypting services and technical maintenance services of encryption products, and developing, producing, distributing, marketing or modernizing/upgrading certain encryption products within Russia), must obtain the appropriate prior approval (e.g., a notification, permit and pre-authorization) or license(s) from the FSB.

Foreign manufacturers may obtain FSB notifications to import certain products, and foreign individuals may obtain FSB permits to do the same, but only Russian registered legal entities can obtain an FSB pre-authorization for importing or an FSB-issued license for certain domestic activities relating to encryption technology (e.g., developing, distributing, etc.). If a foreign manufacturer has obtained an FSB notification for an encryption product, the subsequent import of this encryption product (with the exact same encryption functionality) by another person would not require obtaining a separate FSB notification (all FSB notifications with the names and description of the encryption products are publicly available on the website of the Eurasian Economic Union).

An encryption product may require an FSB notification, permit or pre-authorization (as a prerequisite to obtain an import license from another Russian authority) for importation, depending on the level of encryption. An FSB notification is required for import of “light encryption products” (i.e., using symmetric algorithms with a key length less than 56 bits or asymmetric algorithms with a key length less than 512 bits). In practice, however, most commonly-used encryption protocols utilize “strong” encryption functionality (i.e., key lengths exceeding the above bit levels, such as AES 128, 1024 RSA and 1024 DH) and thus are subject to the FSB pre-authorization for import licensing, which can only be obtained by Russian legal entities.

The scope of products covered by the import controls is very broad and may include: laptops, smartphones, printers, copiers, fax machines, telecommunications equipment, internet access equipment, data storage devices, integrated electronics and remote control devices. Obtaining an FSB notification is required to import “encryption equipment that is specifically used for banking and financial transactions” into Russia. All hardware that has a VPN function requires a pre-authorization from FSB as well as an import license from the Russian Ministry of Industry and Trade, which cannot be obtained by a non-Russian entity. The import of encryption products that are custom-developed for internal corporate-wide use also are subject to FSB notification or pre-authorization requirements, depending on the level of encryption functionality.

Potential Legislative Sanctions Action

As discussed in our prior update, “U.S.-Russia Business Climate Likely to Change Under Trump Presidency”, President Trump has tremendous authority to re-shape U.S. foreign relations with Russia, including the removal or easing of sanctions at his discretion. While he may face resistance from Congress and potentially his own cabinet members, President Trump could proactively remove some or all of the executive sanctions against Russian and Ukrainian individuals and entities (e.g., those on the U.S. Treasury Department’s SDN List and Sectoral Sanctions Identification List, and the U.S. Commerce Department’s Entity List). Alternatively, President Trump could simply allow the Executive Orders authorizing the various Russian sanctions to expire without renewal. The principal Executive Order is set to expire in March unless the President renews it.

Some members of Congress have raised concerns that President Trump may weaken current sanctions against Russian and Ukrainian persons imposed by former President Obama related to Ukraine and the cyber-attacks.

The Countering Russian Hostilities Act of 2017 (“CRHA”), introduced by a bipartisan group of senators earlier this month, would codify current U.S. sanctions regarding Russia and Ukraine and require President Trump to certify that Russia has ceased engaging in the activities giving rise to the sanctions before such measures could be modified or revoked. Other U.S. congressmen reportedly are planning to introduce similar legislation restricting President Trump’s ability to potentially modify sanctions on his own.

Notably, the CRHA also would significantly expand sanctions against Russia by imposing a range of so-called “secondary” sanctions targeting persons that engage in certain activities with Russia – even if such activities are conducted by non-U.S. persons and have no U.S. nexus – including certain transactions involving:

  • Russian petroleum, natural gas, pipeline or civil nuclear projects;
  • Russian defense or intelligence sectors;
  • Privatized Russian state-owned assets; and
  • New Russian sovereign debt.

The proposed measures are similar to U.S. secondary sanctions targeting persons that engage in certain Iran-related activities, which largely have been suspended since early 2016 under the Joint Comprehensive Plan of Action. Persons engaging in the enumerated activities in Russia could be subject to a range of penalties, including potential asset freezes and exclusion from the U.S. financial system. The bill, however, does include typical provisions that would grant President Trump the authority to waive sanctions if doing so is in the U.S. national interest. Congress also may hesitate to push through legislative sanctions if doing so would mean contradicting President Trump’s foreign policy towards Russia. Moreover, President Trump would have veto power over any legislation.

In addition to the concerns raised by certain members of Congress, it also will be important to monitor developments in the European Union, which maintains sanctions against Russia similar to those imposed by the United States. While the EU measures recently were extended until July 2017, support reportedly varies significantly among EU member states. Some officials have called for EU sanctions against Russia to be lifted regardless of whether the United States maintains its sanctions. Other officials, including most recently the Italian foreign minister, have stressed that the European Union and United States should work together to decide if sanctions should be lifted and that the United States should not unilaterally decide to ease them.

We will continue to monitor relevant developments and issue updates as appropriate.