1. Foreign Software Company Blocked from Selling Products and Services to U.S. Persons
On June 20, the Department of Commerce’s Bureau of Industry and Security (BIS) for the first time banned a software and cybersecurity company using authority provided by June 2023’s “Protecting Americans’ Sensitive Data from Foreign Adversaries” final rule. Starting September 29, Kaspersky Lab Inc. and all of its affiliates, subsidiaries, and parent companies are prohibited from directly or indirectly providing antivirus software and cybersecurity products and services in the United States or to U.S. persons. The Commerce Department determined Kaspersky posed an undue national security risk to U.S. consumers due to its cooperation with Russian military and intelligence authorities. The Commerce Department encourages those using Kaspersky software to transition to new vendors as soon as possible to limit potential exposure of personal and sensitive data. Secretary of Commerce Gina Raimondo commented that this action “shows our adversaries we will not hesitate to act when … their technology poses a risk to [the] United States and its citizens,” indicating the prohibition of Kaspersky products may be the first in a series of similar determinations.
2. New Russia Sanctions and Export Controls Increase Risk for Financial Institutions and Information Technology, Software, and Cloud Service Companies
On June 12, the Departments of Commerce, State, and the Treasury implemented sweeping and aggressive new export controls and sanctions to intensify pressure on Russia to end its continued war against Ukraine. Through these actions, the Treasury Department’s Office of Foreign Assets Control (OFAC) and the Department of State designated over 300 new Russia-related individuals, entities, and vessels whose products and services enable Russia to sustain its war effort and evade sanctions. OFAC broadened the definition of Russia’s military-industrial base to include all persons blocked pursuant to Executive Order 14024, including designated Russian financial institutions. As a result, non-U.S. financial institutions risk secondary sanctions if they conduct or facilitate transactions involving any specially designated nationals and blocked persons. OFAC also implemented new restrictions, which will go into effect on September 12, prohibiting U.S. persons from providing (1) IT consultancy and design services, and (2) IT support services and cloud-based services for enterprise management software and design and manufacturing software to any person located in the Russian Federation.
3. New Export Controls for Products and Software Going to Russia and Belarus
BIS expanded its industry sector export controls, adding 522 more Harmonized Tariff Schedule (HTS) codes for products that now require a license for export or reexport to Russia or Belarus. Additionally, the following types of EAR99 software will require a license for export, reexport, or transfer to or within Russia or Belarus beginning September 16: enterprise resource planning (ERP); customer relationship management (CRM); business intelligence (BI); supply chain management (SCM); enterprise data warehouse (EDW); computerized maintenance management system (CMMS); project management software; product lifecycle management (PLM); building information modeling (BIM); computer-aided design (CAD); computer-aided manufacturing (CAM); and engineering to order (ETO). BIS also established a new structural framework to allow for including addresses on the Entity List. BIS found that while listed entities can easily dissolve and reorganize under a new name, many entities consistently use the same address, regardless of changes to company names. BIS can now include addresses related to high diversion risk activities, and any company that uses such a listed address will face a licensing requirement under the EAR. Along with this change, BIS added five entities and eight addresses to the Entity List. Companies operating in or selling to high-risk markets and/or markets involving high-risk products or services, especially financial institutions and software as a service (SAAS) companies, should review these changes and ensure that all compliance mechanisms and controls are in place to reduce risk of diversion and evasion.
4. BIS Revokes Export Privileges of U.S. Forwarder After It Continued to Violate EAR During Probationary Period
BIS imposed a three-year denial order against USGoBuy LLC, a package forwarding company, just days before the company completed a three-year probationary period for unlicensed exports of rifle scopes. BIS Office of Export Enforcement Director John Sonderman explained, “BIS will respond aggressively to companies that knowingly fail to comply with the EAR.” USGoBuy settled with BIS in 2021 over shipments of rifle scopes to customers in the United Arab Emirates and China without required export licenses. To resolve these allegations, USGoBuy entered into a three-year probation period and paid a $20,000 penalty. Just three days before the anniversary of the settlement deal, BIS determined that USGoBuy continued to violate the EAR and did not comply with its compliance obligations under the settlement agreement. As a result, BIS revoked the company’s export privileges.
5. Funding of 12 New Tech Hubs Across the United States
The Biden administration announced funding for 12 new Tech Hubs across the United States to scale up the production of critical technologies, create jobs in innovative industries, strengthen U.S. economic competitiveness and national security, and accelerate the growth of industries of the future in all parts of the United States. The hubs include:
- Elevate Quantum Tech Hub in Colorado and New Mexico for quantum information technology
- Headwaters Hub in Montana for smart photonic sensor systems
- Heartland BioWorks in Indiana for biomanufacturing
- iFAB Tech Hub in Illinois for precision fermentation and biomanufacturing
- Nevada Tech Hub in Nevada for lithium batteries and electric vehicle materials
- NY Smart 1-Corridor Tech Hub in New York for semiconductor manufacturing
- ReGen Valley Tech Hub in New Hampshire for biofabrication
- SC Nexus for Advanced Resilient Energy in South Carolina and Georgia for clean energy supply chain
- South Florida ClimateReady Tech Hub in Florida for sustainable and climate-resilient infrastructure
- Sustainable Polymers Tech Hub in Ohio for sustainable polymers
- Tulsa Hub for Equitable & Trustworthy Autonomy in Oklahoma for secure autonomous systems
- Wisconsin BioHealth Tech Hub in Wisconsin for personalized medicine
These 12 Tech Hubs join the 31 regional centers designated in 2023. More information on the program can be found on the U.S. Economic Development Administration’s website.
TRADE TIP OF THE MONTH:
SAAS companies should review the new EAR and OFAC restrictions on the provision of SAAS software and certain digital services to Russia to determine whether their products or services are affected. Such reviews should be completed well before September 2024 to give companies time to make adjustments to their business activities as needed to ensure compliance.