Executive Summary

The US government is taking a more hardline posture to enforce sanctions and export controls, which almost certainly will result in increased financial and criminal penalties for violators. Since Russia began its invasion of Ukraine in February 2022, US regulators have significantly expanded sanctions and other restrictions against Moscow and widened the scope of export controls to prevent Russia from obtaining the critical goods and technologies it needs to continue its war.

We judge that the increased focus on enforcement of existing sanctions and export controls will substantially impact banking and financial services, technology companies, and manufacturers of defense materiel. Applying a heightened, risk-based approach to supply-chain and end-user research will become more critical to avoiding regulatory penalties and possible criminal prosecution.

Enhanced Global Efforts Against Evasion

The Justice and Commerce departments on February 16, 2023 launched the Disruptive Technology Strike Force that will investigate and prosecute violations of export controls. The strike force is part of an increased enforcement focus that could result in financial and criminal penalties for noncompliant companies. Its priorities include preventing authoritarian governments, such as China, Iran, Russia, and North Korea from acquiring equipment that supports their military and mass surveillance operations. Agencies such as the Bureau of Industry and Security (BIS), FBI, and Homeland Security Investigations will work to protect sensitive US-origin technologies “related to supercomputing and exascale computing, artificial intelligence, advanced manufacturing equipment and materials, quantum computing, and biosciences.”

But the United States is not alone.

• Germany plans to crack down on companies that help Russia evade sanctions and export controls, including threatening criminal prosecution for false export declarations. Companies will have to provide transparent “end-use statements,” guaranteeing their goods will not be sent to Russia.

• The European Bank for Reconstruction and Development in February began investigating a sharp increase in Russian imports from its neighbors, coinciding with a drop in western imports due to tighter restrictions. These neighboring countries are probably an evasion route for Russia to gain access to critical technologies and other goods.

• The G7 nations are creating a new tool to coordinate enforcement of existing sanctions against Russia in an effort to improve compliance. The “Enforcement Coordination Mechanism” will improve information sharing, including about countries and firms suspected of aiding Russia’s war in Ukraine by facilitating sanctions evasion or helping Russia access prohibited tools and technologies.

• The EU plans to ask third countries that have seen a surge in imports from the EU of advanced technologies and other goods that could be used for military purposes by Russia to enhance trade monitoring. The EU’s foreign policy chief Josep Borrell recently highlighted that the bloc will begin punishing third countries and third parties for helping Russia evade financial and export restrictions.

Recognizing the Risks

Russia’s military is highly dependent on western technology, lacking domestically produced analogues. As western export controls and sanctions enforcement efforts become more stringent, Russian individuals, entities, and their facilitators have increased efforts to develop more sophisticated evasion techniques that will allow them to acquire restricted products.

Despite Russia’s long history of sanctions and export-control evasion, many western companies had insufficient compliance measures in place even before last year’s invasion of Ukraine. However, stopping Russia’s aggression became a major US foreign policy objective last year, and increased enforcement almost certainly makes these companies vulnerable to regulatory penalties, criminal charges, and reputational risk.

A Tri-Seal Compliance Note released by the Commerce, Treasury, and Justice Departments this month highlights the increased risks of evasion and export control violations. The note calls for companies to “include controls tailored to the risks the business faces, such as diversion by third-party intermediaries.”

The joint Financial Crime Enforcement Network (FinCEN) and BIS alert released last year similarly outlines red flags indicating Russian sanctions and export control evasion, many of which are complex and require nuanced expertise to detect. To limit their exposure, companies must conduct comprehensive investigations into current and potential customers and business partners, adapt to the changing regulatory environment quickly, and develop a comprehensive understanding of the risks particular to its business.

Recent incidents examined by FiveBy Solutions show the importance of enhanced and tailored due diligence approaches that require more extensive research and understanding of supply chains, Russia’s business environment, and contract terminology, as well as sanctions, export controls, and other restrictions imposed against Russia after its invasion.

The nature of a customer’s underlying business (specifically military or government-related work), type of service(s) or product(s) offered, and geographical presence pose additional export control evasion risks by Russian and Belarussian entities. Inadequate Know Your Customer (KYC) measures can lead to product diversion—a critical threat to a company’s reputation and bottom line.

Last year, a Reuters investigation found that the publicly traded US company Extreme Networks provided Russian missile manufacturer MMZ Avangard with more than $500,000 in “computer networking equipment for its office IT systems.” MMZ Avangard possibly obtained the equipment through a surrogate buyer, “a seemingly innocuous corporation near Moscow.” Extreme Networks’ management also dismissed compliance concerns about the sales raised by multiple employees. Management commitment, which is one of the pillars of an effective sanctions compliance program, would have helped the company avoid the resulting adverse media, reputational damage, and possible regulatory penalties.

• Although Extreme Networks’ equipment was provided to MMZ Avangard through an intermediary, the company’s lack of concern about the end-user of its equipment undermined a major US foreign policy objective, damaged the company’s reputation, and possibly exposed it to fines or criminal prosecution. A more sophisticated analysis of the intermediary beyond a surface-level list check, including analysis of the company’s contracts and end-users, could have helped prevent these transactions.

The media this month reported that Haas Automation has sold machinery and components to Russian holding company Abamet, which is selling US technologies to Russian military entities. Although Abamet is not currently included on OFAC’s Specially Designated Nationals (SDN) list or the Entity List, it almost certainly will wind up restricted after being highlighted in media reports.

• Haas denied the allegations, claiming that it stopped doing business with Russia in March 2022. But Haas also admitted that its components and machinery could have changed ownership without its knowledge, highlighting the importance of identifying the end-users of products and considering possible reputational damage should they wind up in restricted hands.

Transactions involving entities whose website or business registration states the entities work on “special purpose projects.”

Russian companies rarely list “special purpose projects” as their primary business activity, and this is a red flag that indicates an entity’s possible involvement in military/security activities. These entities often list other, seemingly innocuous activities as their lines of business on their websites, and some entities do not have a web presence at all—another red flag. Linguistic expertise and knowledge and understanding of Russian business culture can be critical in determining the level of risk these companies represent.

Aiburg JSC has minimal web presence, but an in-depth investigation by FiveBy found that the entity develops systems for drones and manned aircraft. These activities on their own might not necessitate evasion of export controls, and Aiburg is not included on the Entity List or the SDN list. These, however, are dual-use technologies, and additional research found that the entity has worked on testing and documenting software for military unmanned aerial systems (UAS) control systems. An entity such as Aiburg JSC needs to be treated with extra caution and the end-users for US-origin technologies sold to Aiburg JSC need to be closely examined to avoid the risk of running afoul of export control restrictions.

Transactions involving companies that are physically co-located with or have shared ownership with an entity on the BIS Entity List or the Treasury Department’s SDN List.

Russia-based PNPPK-Kvantek LLC is not on the BIS Entity List or subject to OFAC sanctions, but it is registered at same address as its largest shareholder, BIS-listed Perm Scientific-Industrial Instrument-Making Company PJSC. PNPPK-Kvantek LLC’s main “official” activity is production of communication devices and manufacture of electronics and software. Its BIS-listed parent produces navigation, meteorological, geodetic, geophysical, and similar instruments, apparatus, and instruments for Russian military and intelligence agencies.

• PNPPK-Kvantek presented Perm products at Army-2019, Russia’s high-profile, annual military expo demonstrating new military technology developments. Although PNPPK-Kvantek does not appear on any sanctions lists, expert analysis indicates that the company is directly linked with its parent and could potentially divert US origin technologies to the restricted shareholder with which it shares an address.

Conclusion

Russia’s resolve to continue fighting in Ukraine and its dependence on western technologies for its military hardware indicates that Russian entities will continue developing new and more complex methodologies to evade export controls and financial restrictions. US firms must enhance their compliance measures, given regulators’ more aggressive approach to sanctions and export control violations aimed at preventing Russia from gaining access to prohibited US-origin technologies. Inadequate compliance programs will almost certainly result in severe fines, criminal charges, and negative media exposure.

FiveBy’s expert, certified analysts can help companies navigate the increasingly complex regulatory and evasion environment as Russia’s war in Ukraine rages on. In-depth analysis can help mitigate the increased risks for both US and non-US companies, and jurisdictional expertise will almost certainly help expose higher-risk customers and business partners, examine complex supply chains, and help strengthen controls.