DOJ, BIS, and OFAC Release Joint Guidance on Disclosing Potential Violations

July 27, 2023 – On July 26, 2023, the U.S. Department of Justice’s National Security Division (“NSD”), the Department of Commerce’s Bureau of Industry and Security (“BIS”), and the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published a joint "Tri-Seal Compliance Note" on policies encouraging voluntary self-disclosure (“VSD”) by private sector entities of violations of sanctions, export controls, and other national security laws. The compliance note also includes information on sanctions-related whistleblower incentives administered by the Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”).

Background

Historically, BIS, OFAC, and DOJ have maintained separate VSD policies applicable to administrative violations of export controls (in the case of BIS), administrative violations of sanctions (in the case of OFAC), and criminal violations of both regulatory regimes and other national security laws (in the case of NSD). However, since the Russian invasion of Ukraine in 2022, these agencies have placed increased emphasis on joint enforcement of sanctions and export control laws, for example via interagency initiatives such as Task Force Kleptocapture and the Disruptive Technology Strike Force and publishing joint guidance like a March 2023 compliance note on sanctions and export control evasion.

Over the past year, DOJ and BIS have also placed particular emphasis on the role of the private sector in promoting enforcement via VSDs. BIS issued a set of new policies in June 2022 and April 2023 to streamline the VSD review process and incentivize submissions. In March 2023, NSD updated its corporate enforcement policy to clarify its process for evaluating VSDs consistent with a September 2022 directive to all DOJ components. 

Separately, the Consolidated Appropriations Act, 2023 (“CAA”) established a sanctions-related whistleblower program administered to promote enforcement of sanctions, particularly targeting Russian oligarchs. (We previously reported on this program here). While the program introduced rewards to parties reporting sanctions violations, it did not extend similar rewards to reports of export control violations.

Content of the New Guidance

The new joint guidance does not itself contain new policy announcements, but rather highlights the key points of each agency’s VSD policies, including the following:

DOJ:

• Where a company voluntarily self-discloses potentially criminal violations, fully cooperates, and timely and appropriately remediates the violations, there will be a presumption that the company will receive a non-prosecution agreement. However, the presence of aggravating factors may overcome the presumption in favor of a non-prosecution agreement. In the March 2023 update to its corporate enforcement policy, NSD added that such aggravating factors include conduct that involves a “grave threat” to national security, and that as a practical matter willful (i.e., criminal) violations of sanctions and export control laws often involve “serious risks” to national security.
• A company must disclose to NSD within a “reasonably prompt time” after becoming aware of a potential criminal violation to benefit from NSD’s policy. In its March 2023 update, NSD added that disclosures made to regulatory agencies such as OFAC and BIS do not qualify under NSD’s policy, but that NSD will extend the policy to companies that make good faith disclosures to such agencies and the matter is transferred to NSD.
• A company must timely and appropriately remediate any violations to benefit from a disclosure. NSD will evaluate the effectiveness and resources of the company’s compliance program in assessing any disclosure.

BIS:

• BIS’s June 2022 policy changes introduced a “dual-track” system to handle VSDs, under which minor or technical violations are resolved on a “fast track” with the issuance of a warning or no-action letter within 60 days of submission. BIS will dedicate more time and resources to assessing VSDs indicating potentially more serious violations, but still adhere to the principle that voluntary disclosures deserve significant credit.
• BIS’s April 2023 policy changes established that deliberate non-disclosure of a “significant possible violation” of export controls will be considered an aggravating factor under BIS’s penalty guidelines. In addition, a party that tips BIS off to potential export control violations by another party will receive mitigation credit under BIS’s penalty guidelines if the first party becomes subject to an enforcement action (even if unrelated) in the future.
• BIS will assess a company’s compliance program, including its success at self-identifying and rectifying compliance gaps, in assessing violations. 

OFAC:

• OFAC will treat VSDs as a mitigating factor in determining proper enforcement actions, and where a civil monetary penalty is warranted, a qualifying VSD can result in a 50 percent reduction in the base amount of a proposed civil penalty. A party’s compliance program at the time of an apparent violation and corrective actions taken in response to an apparent violation also enter into OFAC’s assessment of a VSD.
• Qualifying VSDs must occur prior to or simultaneously with the discovery of an apparent violation by OFAC or another government agency, and a disclosure will not qualify as a VSD if a third party is required to and does notify OFAC of the apparent violation because the transaction was blocked or rejected by the third party.

The compliance note concludes with a summary of the whistleblower rewards issued by FinCEN, including under the recently established sanctions-related whistleblower program. The compliance note observes that, “in certain circumstances”, whistleblowers providing information leading to export control enforcement actions could qualify for rewards. This statement appears to reference situations in which a whistleblower provides information that leads to a sanctions enforcement action as well as to a related export control enforcement action.

Takeaways

The new compliance note illustrates how U.S. law enforcement agencies have significantly stepped up cooperation in sanctions, export control, and related national security matters since 2022. It also illustrates that parties whose operations implicate sanctions and export controls must maintain robust compliance programs to satisfy regulatory and law enforcement agency expectations in case of enforcement actions. In addition, to benefit from these agencies’ VSD policies, private sector entities must establish compliance programs that detect and address potential violations early and that provide them an opportunity to self-report in a timely manner. Such programs must also develop a culture of compliance and internal reporting across an entity’s operations that can contend with the incentives now available to whistleblowers, particularly with respect to sanctions violations.