Of all the corporate responses so far from Russia’s invasion of Ukraine, one that looks heartening is the idea of companies “self-sanctioning” their products against Russia. Look closer, however, and there’s a lot more going on here that compliance officers need to consider.
By now you’ve probably seen early glimpses of self-sanctioning. Two examples are Boeing and Airbus, which both announced the other day that they have stopped providing parts and services to Russian airlines flying their planes, and ceased all operations in the country.
In theory, that could be a strong punch against Russia. Its airlines will start running out of spare parts within weeks. Flight technology and training are updated all the time, so its pilots will start falling out of step with the latest safety protocols. All of this will spook airport authorities around the world, which might prohibit Russian airlines from landing. That is just the sort of economic pressure the West should want to see, if the geopolitical goal is to isolate Russia from the modern global system.
The heartening part is that Boeing and Airbus didn’t necessarily need to put a full stop on all operations. So far the Biden Administration’s export control rules apply to technology used in military applications, not all services — but the rules are so sweeping that for many businesses, the safer move is simply to suspend all operations in Russia of your own accord.
That is self-sanctioning. Other businesses are doing it too, such as Oracle, Microsoft, numerous oil companies, and more. At first glance it looks like companies acting out of an abundance of caution that also neatly aligns with the moral and ethical sensibilities of the West. Good news so far, right?
When compliance officers look more deeply, however, nettlesome issues emerge that are going to need your attention.
Export Control Compliance Challenges
The Wall Street Journal had a good article today unpacking what some of those nettlesome issues will be. Compliance officers need to start thinking about retooling your policies and procedures to address those challenges, because sanctions against Russia are likely to stick around for a long while.
For example, many of the new export controls contain exemptions depending on who in Russia uses your product, and how. Consumer technologies such as phones and laptop computing devices can still be sold into Russia, so long as those goods only go to private Russian individuals or companies. In theory that exemption makes sense (why squeeze ordinary Russian people for the sins of Vladimir Putin and his cronies?), but in practice that means companies will need to sharpen their understanding of who their “end-use” customers are.
Worrying about end-use customers is nothing new for businesses that already sell dual-use technologies. The new Russia sanctions, however, will sweep many more Western businesses into that realm for the first time; or if you already sell some dual-use products, the sanctions might sweep many more product lines into that category for the first time.
This means many compliance officers will need to think about export compliance risks much more deeply. Do you have the right policies and procedures in place to identify end-use customers? Do you have the right program structure in place? (Namely, do you want operating units around the globe to run their own export compliance efforts, or do you want to handle it centrally for the whole enterprise?) Do you have sufficient due diligence capabilities, especially if you need to decipher Russian documents and screen against names that don’t use an English alphabet?
Another challenge: plenty of businesses use distributors to sell their products overseas.
The FCPA enthusiasts among us read that previous sentence and instinctively winced, because they already know how much risk distributors can bring in the anti-corruption realm. Now even more companies will need to consider how “distributor risk” could manifest as an export control issue.
That is, distributors might sell your goods into Russia, but if your goods typically aren’t sold to state-owned enterprises there, you might assume your corruption risk is relatively low. Export control risk, however, is different because it’s not just about who your customer is, but also how the customer might use your product.
So compliance officers will need to adjust their oversight of distributors to include that extra layer of complexity, before the distributors’ sloppy practices bite you on your export control rear end.
What’s the Enforcement Risk Here?
That’s a good question. As the Wall Street Journal article notes, the United States has a large and robust export control regime, but many other countries don’t — or at least, they haven’t until now, and suddenly they’re scrambling to develop one in response to Putin’s invasion.
That means lots of questions going unanswered, license applications going unreviewed, and enforcement cases taking far too long to resolve. Which pretty much describes the U.S. export control regime too, and we’re the ones who supposedly know what we’re doing the most.
That’s going to raise some interesting questions in the general counsel’s office or the boardroom, about whether so much attention is necessary for export control compliance when enforcement might be disjointed. (The FCPA compliance enthusiasts probably are probably experiencing another moment of déjà vu here.) Then again, does your board want to risk a headline someday saying, “Company caught selling high-powered goods and technology to Putin”?
Indeed, as Western governments add more sanctions against Russia every day, the compliance and reputation risks might become so unwieldy that some companies make a more strategic decision: “Let’s just stop doing business in Russia altogether.”