Complex supply chains, distribution channels, and efforts to obscure questionable business practices highlight the need for in-depth research and regional expertise to ensure that firms are not engaging—however indirectly—with entities that use forced labor or engage in mass surveillance or other undesirable practices. A recent New York Times review of government procurement documents shows that DNA sequencers, test kits, and other products made by US firms Thermo Fisher and Promega are being sold to Xinjiang, where advanced biometric technologies are used to target Uyghur and ethnic-Turkic Muslim minorities. Although Thermo Fisher promised to stop selling its products to Xinjiang in 2019 and had designed a preventative, multi-level purchasing processes with which its authorized distributors must comply, security services there are still obtaining these tools.
- Based on Thermo Fisher’s public response to the controversy, asserting that the company’s purchasing process was designed to prevent its products ending up in the hands of Xinjiang’s security services, the company appears to have missed a third-party partner or another entity along its supply chain that is reselling its technology to Xinjiang.
- Promega claims it does not have customers or distributors in Xinjiang. Taken at face value, the company’s denial indicates that products identified in the media report were purchased from resellers in other parts of China, and that Promega’s due diligence process failed to detect possible high-risk transactions downstream.
These possible supply chain gaps highlight the need for an objective, in-depth review of firms’ current due diligence processes and better insights into third-party partners. Companies that fail to appropriately evaluate and investigate their entire supply chain ecosystem are at risk for backlash and significant fines.
- In April, German tech company SAP SE agreed to pay more than $8 million to the Treasury, Justice, and Commerce Departments for violation of US sanctions and export control laws for selling US-origin software to users located in Iran between 2010 and 2017. Most of these violations involved 14 Iran-controlled front companies, about which SAP partners in Turkey, the UAE, Germany, and Malaysia had full knowledge. Failure to conduct sufficient due diligence on third-party partners was one of the main causes of the violations.
- In 2019, the Office of Foreign Assets Control (OFAC) fined e.l.f. Cosmetics almost $1 million for importing false eyelashes from North Korea. Because of its “non-existent or inadequate” compliance program, the company’s production review failed to identify that about 80 percent of the false eyelash kits from two Chinese suppliers contained materials from North Korea.
In addition to regulatory risks, companies that fail to identify and control their supply chains to prevent technologies, tools, and other US products from winding up in the hands of human rights violators or other malign actors, may suffer significant reputational damage. H&M in September 2020 ended its relationship with a Chinese yarn producer after revelations that it and other international brands sourced cotton from the Xinjiang region, where mostly Muslim Uyghur minorities are forced into manual labor, caused an international outrage.
Recommendations
Last year, the Departments of Commerce, Homeland Security, State, and Treasury published an advisory on the risks of supply chain exposure to forced labor and other human rights abuses in Xinjiang, specifically highlighting “heightened risks” related to biometric devices. Despite the repeated warnings and recommendations to closely examine the end-users and supply chains through which their products and services transit, some companies still find their products in the wrong hands.
- Firms face significant challenges when engaging with third parties in China and other high-risk jurisdictions and performing due diligence research, according to the Xinjiang Supply Chain Business Advisory. Harassment and imprisonment of third-party auditors, pervasive surveillance, and the use of government translators in China that may result in inaccurate information are just some of the obstacles that hinder human rights due diligence in China. However, half-measures and region-related excuses are unlikely to satisfy public expectations for companies operating in these locations or US and EU compliance requirements.
Companies that value their reputation and business in these high-risk jurisdictions must ensure they have a thorough understanding of their supply chain ecosystem. A risk-based approach to due diligence starts with a comprehensive assessment of the company’s vulnerabilities that require an understanding of the nature of its product or service and its uses, its customers, and the jurisdictions in which they operate, as well as where the products and services may end up.
- The nature of the product or service and its potential uses is critical to developing an understanding of its possible destination. Is the product or service digital or physical? Can it be used for mass surveillance or other human rights violations? How will it be delivered to end-users? Will third-parties or resellers redistribute it, and does it represent a “heightened risk” flagged by the government for winding up in the hands of malign actors?
- Questions about end-customers are particularly important when ensuring that US goods and services do not fall into the wrong hands. Who uses the product and how? Do members of law enforcement typically purchase the technology and how do they use it, and can it potentially be used to violate human rights by foreign security services?
- Knowledge of the jurisdictions in which a company’s goods and services are used is particularly important in Xinjiang and Myanmar, where the nation’s military overthrew its democratically elected government and suppressed, detained, and killed thousands of civilians. Knowing the risks of doing business in particular jurisdictions and with local partners will help companies avoid not just regulatory, but also reputational risk.
Due diligence research on third-party distributors and partners is particularly important, and list-based screening may not be sufficient to mitigate risk. Especially in high-risk jurisdictions, a partner’s customers, track record, and compliance practices—both during onboarding and through periodic monitoring—can provide insight into possible problems with end-users.
When doing due diligence research, firms should ask specific questions of their potential distributors and resellers that will provide detailed insight into the reseller’s business practices and prevent US products from landing in sanctioned jurisdictions, being used by entities under military- or nuclear-end-use restrictions, or being exploited by malign actors. Research using local government databases, research into the business activities of other entities owned or controlled by individuals linked to your business partners, and reviews of previous publicly listed contracts and public tenders should help provide insight into possible sanctions evasion.
- Who are the local distributor’s target customers?
- Is the local distributor a certified government or military supplier?
- Does the distributor or reseller have government, police and/or military end-customers?
- What are the reseller’s due diligence policies and procedures?
- Do the distributors or resellers sell to other resellers, and if so, what mechanisms do they use to ensure that the products do not fall into the hands of sanctioned individuals, human rights abusers, or other malign actors?
US companies should consider making compliance and due diligence on customers and distributors prerequisites for potential partnerships. A periodic review of business partners’ compliance practices can be included as a contractual obligation, and renewals should be contingent on a renewed attestation, compliance, and due diligence commitments. Continued violations of company compliance policies by business partners should result in the suspension of the business relationship. Vigilant monitoring and regular training to ensure local partners understand the risks and consequences of violations can help ensure continued compliance with company policies and reduce penalties should a company be found in violation of US sanctions.
- Monitor media coverage of potential business partners and distributors from high-risk jurisdictions, including social media, for mentions of potential sanctions, human rights, and other violations.
- Design and implement a clear policy to investigate, remediate, and identify the root cause of potential violations, and engage with experts in remediation—including voluntary self-disclosures to regulators—and analysis of potential other violations.
- If possible, develop internal mechanisms to prevent access to digital products in restricted jurisdictions, such as GeoIP blocking, and prohibiting VPN use. For physical products, companies should consider using a registration process for users to gain access to services and add-ons. Purchasing processes that require direct approval from the parent company prior to activation is another possible alternative.
Additional Jurisdictional Challenges
Companies that have a commercial presence in foreign countries and take steps to ensure responsible business practices in high-risk jurisdictions may risk backlash from local adversarial governments that implement new operational requirements and regulations in response to foreign restrictions or firms that abide by foreign sanctions.
- The recent law to counter foreign sanctions implemented in June by Beijing could result in penalties for companies that comply with western sanctions deemed “discriminatory” in China. The new law also allows Chinese companies to sue their foreign counterparts for complying with foreign restrictions, possibly forcing firms such as Thermo Fisher and Promega by law to continue transacting with sanctioned parties, such as the Xinjiang Public Security Department.
- Efforts to shun forced labor practices in supply chains led to Communist Party-fomented boycotts in China of brands such as Adidas, Converse, Nike, and H&M, with the companies’ online stores blocked and China deleting H&M stores from some digital map applications. Chinese e-commerce companies Alibaba and JD removed H&M from their online platforms, and Chinese celebrities terminated their contracts with the clothing retailer. In China, one could not even hail a cab to a physical H&M store using an app after the store expressed concern over the forced labor policies in Xinjiang.
Conclusion
US firms that continue to operate in risky jurisdictions must be prepared to have well-documented compliance policies and clearly communicate them to local affiliates and partners. A Thermo Fisher customer services staffer in China, for example, told a state media outlet that she was unaware of US restrictions or bans on sales of DNA sequencers or similar products to China, and that the company’s exports to China continued as usual.
Firms that have a presence in risky jurisdictions should also engage with regional experts to help them effectively navigate international and local requirements and remember that shareholders are increasingly demanding that companies factor environmental, social, and corporate governance (ESG) considerations into their business plans and will be less likely to accept profits in exchange for due diligence failures.
Click here for PDF.
FiveBy is a specialized risk intelligence services firm. We give you the insight you need to move faster and further with the confidence to transform your risks into opportunity. The opportunity to grow your profits, strengthen your brand, and exceed your customer expectations.
Our unique point of view brings together expertise spanning security, technology, data science, and business operations to connect your dots. By turning data into an enabler, FiveBy designs adaptable responses—whether to an ongoing incident or to implement preventive measures—tailored to your business needs and always with a human touch.