Cadence Pays $140M on China Exports
Radical Compliance had said we’d be on vacation this week, but sometimes an enforcement action comes along that’s just so fascinating we can’t help ourselves. So from our remote office in a Catskills farmhouse, let’s talk about the huge export controls case just filed against Cadence Design Systems.
Cadence, a Silicon Valley company that makes equipment to design advanced microchips, pleaded guilty on Monday to criminal and civil charges of allowing its Chinese subsidiary to sell hardware and software to a Chinese university with ties to that country’s military.
We’ll get into the details presently, but in brief: Cadence will pay more than $140 million in penalties; and be on corporate probation for the next three years; and make annual progress reports to the Justice Department on compliance program reforms during that three-year term. Cadence will not, however, need an independent compliance monitor; and its compliance officer will not need to certify the effectiveness of the compliance program at the end of probation.
So in some ways, the Cadence enforcement action is almost traditional, in the way the company had weak oversight of subsidiaries and how it will need to improve its compliance program from here forward. At the same time, it also gives us valuable insight into the types of corporate misconduct at the center of the Trump 2.0 Administration’s radar and how prosecutors will handle such cases.
U.S. attorney Craig Missakian, whose office prosecuted the case, issued a statement that captures the issues here: “Export controls safeguard America’s advanced technological know-how from falling into the wrong hands, which is particularly important in Silicon Valley as the epicenter of groundbreaking innovation… Cadence’s remedial measures are a positive step toward rectifying the company’s violations of export control laws and demonstrating corporate responsibility.”
What compliance professional wouldn’t enjoy talking about that on vacation?
Subsidiary Governance Trouble
First let’s look at the misconduct in question, as described in the statement of facts against Cadence. As we so often see, weak oversight of an overseas subsidiary is the root problem here.
The misconduct happened from 2015 into 2021. Cadence had a subsidiary in China where several employees sold advanced design equipment to a long-time customer called Central South CAD Center, or CSCC. That business, however, was simply a front for the National University of Defense Technology (NUDT), which was controlled by the Chinese military and on the U.S. export control list. The Cadence China employees knew that, and sold their equipment to CSCC anyway.
Specifically, certain Cadence China employees installed Cadence hardware on NUDT’s Changsha campus, and certain NUDT personnel downloaded software from Cadence’s download portals. The Cadence China employees didn’t tell any of this to managers back at headquarters in Silicon Valley, including Cadence’s export compliance personnel.
As a result, Cadence ended up sending unlawful exports to NUDT at least 56 times from 2015 until late 2020, when Cadence ceased doing business with CSCC.
Then came an epilogue! Cadence had stopped doing business with CSCC, and agreed to transfer its CSCC contracts to another Chinese tech company, Phytium Technology. Cadence did perform due diligence on Phytium and determined it was a legit business rather than another front for NUDT; but published reports had documented that Phytium was selling high-end processors to NUDT anyway. Cadence finally cut ties with Phytium in early 2021, and the U.S. Commerce Department added Phytium to its export controls list two months later.
The Justice Department found at least four Cadence employees involved in the scheme. Three were employees of Cadence China, all of them mid- to senior-level sales executives. The fourth was based in Singapore and vice president of sales for the Asia-Pacific market. The first three employees reported to him, and he reported to Cadence’s chief revenue officer back in the United States.
Weak Export Controls Compliance
One problem here seems to be that Cadence had a weak export controls compliance program. For example, for most of the period in question (2015 through 2019), Cadence employed one export control officer with responsibility over the company’s export control compliance program. Yes, that compliance officer did provide training to Cadence China, including the three (now former) China employees who sold goods to CSCC knowing it was a cut-out for National University — but what good are policies and training without mechanisms to enforce those messages?
For example, Cadence China employees emailed software license keys for CSCC’s contract to NUDT personnel at NUDT email addresses. Could Cadence have designed its email systems to monitor communications to problematic parties, such as Chinese businesses on U.S. watch lists? Could it have imposed a block on certain email addresses, such as those affiliated with NUDT?
For the record, I don’t know whether Cadence did or didn’t try to impose controls like that; and perhaps if it did, the Cadence China employees would’ve found a work-around to such controls anyway.
My larger point is that clearly the Trump Administration is cracking down on the sharing of sensitive information with China. That means technology companies, and technology products, will be under scrutiny — and therefore, U.S. companies will need to think more about how you can intercept the sharing of controlled technology.
So export control compliance teams will need to do more than the routine sanctions screening checks; you’ll need to work with your IT department on process-level controls (such as scanning and blocking email communications) that can identify and intercept technology sharing. You’ll need to work on documentation policies for who meets with whom, and alerting when required documentation isn’t submitted. You’ll need to do more.
Cadence Remediation Measures
Things started happening in 2020 when the Bureau of Industry and Security (the civil agency in the Commerce Department responsible for export controls) sent a subpoena to Cadence. The company launched an investigation and things mostly, but not entirely, went well from there.
First, this means Cadence didn’t receive any credit for voluntary self-disclosure, since regulators were the ones who informed Cadence of the issue. Cadence did then cooperate with the ensuing investigation, but only received partial cooperation credit because the company “failed proactively to obtain and disclose to the government relevant communications, and it failed proactively to facilitate interviews of certain China-based employees with information relevant to the offense conduct.”
As a result, Cadence only received a 20 percent discount off the maximum possible criminal penalty for a case like this — cutting the penalty from a possible $90.6 million to $72.5 million. Now imaging how much more Cadence might have saved if it had caught and self-reported its own issues earlier.
Now let’s look at the compliance program remediation steps Cadence took:
- Hired additional experienced export control compliance personnel;
- Expanded and improved its export control compliance program;
- Formalized its export control compliance training program; and
- Implemented enhanced export control compliance screenings of its databases and customers.
We don’t know much more about exactly what Cadence did along those lines, but the Justice Department said those steps constitute an effective compliance program reasonably designed and implemented to detect and prevent similar misconduct in the future.
This means Cadence will not receive an independent compliance monitor, although that’s no surprise since the Justice Department’s new policy is that it won’t assign a compliance monitor for just about any misconduct short of supporting woke ideology the president doesn’t like.
Cadence will, however, need to submit annual progress reports to the Justice Department about the state of its compliance program. That’s not news either; the department had been moving away from monitors in favor of regular progress reports since the tail end of the Biden Administration.
Lastly — yes, Cadence will need to certify at the end of its probation period that the company has an effective compliance program, but the chief compliance officer will not need to be one of the executives who signs it. Only the CEO will need to certify that declaration, “other duly authorized officer of the company.”
That’s interesting. Maybe this is just U.S. attorney Missakian ignoring Criminal Division policy for CCO and CEO certifications (U.S. attorneys love to ignore the Criminal Division, after all), or maybe it’s a sign of things to come.
As a certain president out there likes to say, we’ll see.