The U.S. Department of Justice has made several pronouncements regarding new enforcement priorities, increased staffing, and resources dedicated to investigating and prosecuting sanctions and export control violations and recently announced several criminal charges stemming from interagency initiatives. As a result, companies are at increased risk of incurring severe criminal and administrative penalties if found to be in violation of U.S. sanctions and export controls. This alert highlights several initiatives and describes six steps companies can take now to mitigate this risk and prepare for increased government scrutiny.

Over the past year, the U.S. government has strengthened its sanctions and export control enforcement mechanisms — both criminal and administrative. Historically, enforcement of U.S. sanctions and export controls has primarily been administrative, but recent government actions, including by the U.S. Department of Justice (DOJ), indicate we should expect a rise in criminal enforcement. Indeed, earlier this month at a conference in Washington, D.C., Assistant Attorney General for National Security Matthew Olsen said DOJ is “going to drop the hammer” on sanctions and export controls violators. This tone has permeated DOJ’s approach to sanctions and export controls since last year, when Deputy Attorney General Lisa Monaco (DAG Monaco) said, “We have turned a corner in our approach ... I’ve given notice of that sea change by describing sanctions as ‘the new FCPA,’ ”1 or Foreign Corrupt Practices Act.

As part of that sea change, DOJ has partnered with the Department of Commerce Bureau of Industry and Security (BIS) and the Department of the Treasury Office of Foreign Assets Control (OFAC) to issue joint compliance guidance — such as the March 2, 2023, Tri-Seal Compliance Note focused on cracking down on third-party intermediaries used to evade Russia-related sanctions and export controls2 — and establish a number of multiagency task forces focused on sanctions and export control enforcement. These joint efforts include an interagency law enforcement task force targeting alleged violations of U.S. sanctions and export control restrictions directed at Russia (Task Force KleptoCapture),3 the Multilateral Russian Oligarch Task Force with like-minded countries (Russian Elites, Proxies, and Oligarchs, or REPO, Task Force),4 and the Disruptive Technology Strike Force, which targets “illicit actors, strengthen[s] supply chains and protect[s] critical technological assets from being acquired or used by nation-state adversaries.”5 Notably, on May 16, 2023, BIS and DOJ announced several enforcement actions that are “part of the first wave of actions” undertaken by the Disruptive Technology Strike Force.6

To support this new enforcement priority and collaboration, these agencies are increasing staffing. Specifically, BIS recently announced “multiple” openings for criminal investigators,7 and DAG Monaco announced in March this year that the DOJ National Security Division, which has responsibility for the investigation and prosecution of criminal violations of sanctions and export controls, would be adding 25 new prosecutors.8

These joint efforts are likely to result in more outreach to industry, more information gathering and sharing among enforcement agencies, and more risk to companies with outdated or inadequate sanctions and export control compliance procedures. Companies should therefore assess their risk, compliance mechanisms, and existing policies to ensure they are as prepared as possible when law enforcement agents come knocking.

What does this new level of coordination and resourcing mean for your company?

Although the government focuses criminal enforcement actions on companies and individuals who act willfully, fraudulently, or with intent to evade U.S. sanctions and export controls — that is, those considered to be “bad actors” — well-meaning companies may still get caught up in ongoing or related investigations as a result of the new enforcement priorities, coordination, and resourcing. Companies cannot control or predict government actions, but here we highlight six key things companies can do to prepare.

1. Companies should expect increased outreach from the government.

Companies regularly receive routine information requests from such government agencies as BIS and OFAC. These requests can come in various forms: informal requests for information; document requests and administrative subpoenas; scheduled and unannounced visits by agents from the BIS Office of Export Enforcement (OEE), the Federal Bureau of Investigation, and other agencies with enforcement responsibility. In fact, OEE agents routinely collect information and are required to reach out to companies in their jurisdiction to provide materials and remind companies of their compliance obligations. With additional resources and a new enforcement posture, enforcement outreach will likely become more frequent.

However, companies should not assume that any such outreach is purely routine. Even if the agents indicate the contact is routine, companies should remember that these agents have law enforcement powers and any information provided could lead to further inquiries or even an investigation. In other words, if a company does not carefully consider any such communications, the next time government agents knock, it might be less friendly. While companies are required by law to maintain certain records and agencies may request such records at any time, it is important to seek the advice of in-house or external counsel before responding to any informal or formal requests.

2. Companies should assume that once they provide information to the government, that information is being shared with other agencies and, increasingly, other countries.

With increased government outreach and information gathering comes increased risk that that information will end up in the hands of DOJ prosecutors who every day assess whether to initiate new investigations. These prosecutors are now better resourced and therefore poised to evaluate all available data for potential criminal enforcement. This is true regardless of whether the initial focus of the information gathering is the company itself or a vendor, supplier, customer, or business partner.

Moreover, international cooperation in this space has expanded markedly, as evidenced by the launch of the Multilateral Russian Oligarch — or REPO — Task Force discussed earlier.9 As responsible government agencies become more accustomed to these new information-sharing avenues, companies may see a rise in cross-border enforcement activities. In other words, an investigation that begins in one country may prompt an investigation by another country, which adds to the importance of consulting with counsel before responding to information requests.

3. Companies cannot assume they are not (or will not become) targets of the government investigation.

When companies receive a government inquiry, the target of the investigation is not always clear. Government agents are unlikely to be forthcoming about their intentions, and even if they were inclined to be transparent, agents are often barred from providing details regarding an ongoing investigation. Even if a company is not the initial target of an investigation, providing documents or other evidence related to dealings with potential bad actors could, for example, expose gaps in the company’s own compliance or compliance program. This increases the risk of the company itself becoming the subject of a related enforcement action.

4. Companies should assess their sanctions and export control risk and compliance mechanisms.

Although a company cannot control when or how the government conducts its outreach or information gathering, companies can mitigate their sanctions and export control compliance risk by carefully reviewing their own business risk profile and their existing compliance policies and procedures for gaps, improper implementation, and other concerns. Notably, BIS, OFAC, and DOJ have all stated in numerous enforcement actions that a robust compliance program is a significant mitigating factor that often leads to reduced penalties.

Companies should also consider the frequency with which they review and update their compliance policies and procedures. Over the past year, the government has continuously — and often without warning — implemented novel sanctions and export controls. Because of the unprecedented pace of change in this arena, companies should ensure their policies are adequate to meet the challenges of the current enforcement environment.

5. Companies should have a plan in place to respond to government inquiries.

To avoid missteps, companies should ensure they have clear policies and procedures in place for responding to any government requests or outreach. These internal procedures should include an escalation process and awareness raising directed at all employees. Because the government does not always direct inquiries to a company’s legal department, employees should know whom to contact if they receive such an inquiry.

Moreover, because of increased information sharing, companies should carefully consider, with the assistance of counsel, any upcoming agency examinations or assessments, meetings with regulators, or other avenues through which the government may obtain information about the company’s business practices. This will ensure the company fulfills all legal obligations while considering all possible implications of the information provided.

6. Companies should remember that while criminal penalties can be severe, administrative penalties can also be material, and the cost of being involved in a government investigation can be substantial.

Several administrative enforcement actions this year have highlighted how significant administrative penalties can be for violations of U.S. sanctions and export controls, including several in the hundreds of millions of dollars. Criminal penalties can also vary in severity but, unlike administrative penalties, can include prison time and asset seizures. For example, the British American Tobacco case resulted in a joint fine of nearly $630 million, of which approximately $510 million was paid to OFAC in civil penalties.10 Civil penalties can also include denial of export privileges (which are usually temporary but can last several years) and debarment, that is, exclusion, from government contracts. These penalties can prove more damaging to a company’s business than a monetary fine alone. And even where no violations are found, the cost and disruption of being involved in an investigation can be significant for a company.