Seagate Fined $300M on Sanctions Failures
Some strong tea today for export control professionals: U.S. authorities have fined Seagate Technology Corp. $300 million for selling computer hardware to Chinese telecom giant Huawei Technologies, even after Huawei came under severe U.S. export control restrictions in 2020.
The fine, announced by the Bureau of Industry and Security on Wednesday, is the largest that BIS has ever imposed. Seagate also needs to hire an independent compliance consultant to perform an audit of the company’s export compliance program, and then perform two more internal audits for several years after that. BIS officials framed the enforcement action as a stern warning for U.S. companies to take export control rules seriously, or suffer the consequences.
“This settlement is a clarion call about the need for companies to comply rigorously with BIS export rules, as our enforcement team works to ensure both our national security and a level playing field,” Matthew Axelrod, the Commerce Department’s assistant secretary for export enforcement, said in a statement.
Seagate published its own statement, draped in the usual corporate-speak. The company believes it never made any compliance violations, CEO David Mosely said, but “we determined that engaging with BIS and settling this matter was the best course of action.”
Whatever you need to tell yourself, Seagate. The rest of the compliance community should give this case a close look. Earlier this year deputy attorney general Lisa Monaco warned the corporate world that more rigorous enforcement of export control violations is coming, and expressly said, “Sanctions are the new FCPA.”
Now this case lands in our laps. Yes, it’s only a civil enforcement action from the Commerce Department, but we can still extract numerous useful lessons here. Let’s get to it.
Under Scrutiny: Sales to Huawei
As described in the charging letter filed by BIS, Seagate’s problems began in August 2020. That’s when the Trump Administration imposed severe restrictions on exporting goods to Huawei, amid suspicions that China exploits Huawei telecom equipment to spy on other countries.
Within days of those export restrictions going into effect, two of Seagate’s top competitors announced that they would cease doing business with Huawei. Seagate, however, hugged Huawei even closer. In September 2020 the CFO of its U.S. subsidiary said at a conference, “from what I have seen until now, I don’t see any particular restriction for us in terms of being able to continue to keep [doing business with] Huawei or any other customers in China.”
Even if we want to dismiss that statement as a one-off blunder, it gets worse. In December 2020, Seagate signed a three-year “strategic cooperation agreement” to be Huawei’s primary supplier of hard drives. So Seagate’s legal team had ample time to correct the CFO’s mistake — and that didn’t happen.
Throughout most of 2021, Seagate and its subsidiaries then sent more than 7.4 million hard drives to Huawei in violation of export control rules, with a total value of $1.1 billion. The sales team was thrilled: “This is great!!!” one U.S. manager declared in an email after receiving the Huawei purchase order). The finance team extended lines of credit to Huawei three times, approved by Seagate U.S. executives.
The Huawei relationship finally ended in September 2021, for reasons not disclosed in the BIS settlement order. It’s also unclear whether Seagate might face criminal charges from the Justice Department or more civil charges from the Securities and Exchange Commission. (Seagate made $11.6 billion in revenue in 2022, so that $1.1 billion of goods shipped to Huawei does seem material.)
Points to Ponder
The most obvious question is why Seagate believed it could still sell to Huawei even as its competitors dropped the company like a hot potato. Its two direct rivals dropped Huawei immediately, and many other tech companies swiftly, publicly followed suit.
Perhaps we should recall here the Justice Department’s guidelines on effective compliance programs. Those guidelines stress that a company should pay attention to events happening in its industry, and when performing risk assessments the company should incorporate “lessons learned … from other companies operating in the same industry and/or geographical region.”
Now, that warning is primarily about the compliance violations that other companies have suffered, so that your own company can avoid a similar fate — but I see no reason why the inverse can’t be true, too. Look at what other companies are doing to avoid a compliance failure, and then do that too so you won’t encounter a failure yourself.
Second issue: Seagate’s poor understanding of U.S. export control law, and specifically the Foreign-Produced Direct Product Rule. That rule says that a company cannot export products to sanctioned entities (such as Huawei), even if those products are built outside the United States, if those foreign products are based on U.S. technologies.
Or, as BIS put it, Seagate “incorrectly interpreted the FDP Rule to require evaluation of only the last stage of its manufacturing process, rather than the entire process.”
Obviously Seagate’s failure to understand the FDP Rule led to that wrong conclusion that it could keep shipping goods to Huawei. It’s a reminder that sanctions compliance is difficult under the best of circumstances, and even large, sophisticated companies can make serious misjudgments.
Given the trade tensions between the United States and China these days, where the Biden Administration is using the FDP Rule to compel foreign tech companies to cease selling advanced technology to China — none of this challenge is going away any time soon. It’s more important than ever to understand what sanctions rules do or don’t apply to your company.
Third issue: it’s striking that so many in Seagate were perfectly happy to keep doing business with Huawei: the sales team thrilled at the deal, the finance team extending lines of credit, and even the U.S. CFO proclaiming that everything would continue as normal. That sounds like an enterprise operating separately from its sanctions compliance team, as if the sanctions team was stuck in some silo away from the business.
Contrast that idea to the sanctions enforcement action announced against Microsoft earlier this month. That settlement included a detailed description of how Microsoft has implemented a Three Lines of Defense model for sanctions compliance, with every part of the enterprise playing at least some role in staying on the right side of the law.
Something tells me a lot of companies will need to get a lot closer to the Microsoft model in years to come.