Recent enforcement actions by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) highlight a clear and consistent message for companies engaged in global trade: export control compliance programs are no longer optional—they are foundational risk management requirements.

Three recent cases—two involving unlicensed exports to Entity List parties and one addressing antiboycott violations—underscore the breadth of BIS enforcement priorities and the recurring compliance failures that continue to trigger enforcement exposure.

A Pattern of Foundational Compliance Breakdowns

The Coastal PVA Technology enforcement action is particularly instructive. BIS imposed a $1.7 million civil penalty (fully suspended) for multiple unlicensed exports to Chinese Entity List parties. The violations spanned 18 separate transactions over a three-year period, involving EAR99 items exported without required authorization.

What makes this case especially significant is not the nature of the products—they were relatively low-tech, EAR99 items—but the failure to implement even basic export compliance controls. The company lacked a formal compliance program and did not recognize that exports to Entity List parties require a license regardless of classification.

Similarly, a separate BIS enforcement action imposed a $1.6 million civil penalty for unlicensed exports to restricted parties, reinforcing that this is not an isolated issue but part of a broader enforcement trend.

These cases collectively demonstrate a critical point:

Export control liability is driven less by product sophistication and more by counterparty risk and internal control failures.

Third-Party Risk and “Willful Blindness”

Another recurring theme is the misuse—or misunderstanding—of third-party distributors. In the Coastal matter, exports were often routed through intermediaries, yet the company knew the ultimate end users were restricted entities.

BIS has made clear that reliance on distributors does not insulate a company from liability. To the contrary, knowledge of the ultimate end user—even indirect knowledge—creates licensing obligations and enforcement risk.

This aligns with a broader enforcement posture:

• Companies must understand end use and end users, not just immediate counterparties
• Distributor relationships require heightened due diligence and monitoring
• “Indirect exports” are treated no differently than direct shipments when knowledge is present

Antiboycott Enforcement: Small Penalty, Significant Risk

The Thales Defense & Security case involved a relatively modest $44,750 penalty, but its compliance implications are substantial. The violations stemmed from providing prohibited boycott-related certifications and failing to report boycott requests.

This case highlights an often-overlooked area of export compliance—antiboycott regulations—which impose dual obligations:

• Prohibit compliance with certain foreign boycott requests
• Require affirmative reporting of such requests

Even routine commercial documentation—contracts, invoices, certifications—can trigger violations if not properly reviewed.

The takeaway is clear:

Low-dollar violations can still create high-impact reputational and regulatory consequences.

Compliance Program Failures: A Common Root Cause

Across these enforcement actions, the root causes are strikingly consistent:

• Absence of a formal export compliance program
• Failure to screen customers and counterparties
• Lack of training for employees involved in exports
• Inadequate review of transaction documentation
• Weak escalation procedures for high-risk transactions

These are not complex regulatory gaps—they are basic compliance failures.

Indeed, BIS often structures settlements to require:

• Mandatory training
• Internal audits
• Ongoing reporting obligations

In the Coastal case, the suspended penalty was conditioned on precisely these remediation steps—highlighting that BIS views compliance program implementation as central to enforcement resolution.

Key Lessons for Compliance Programs

These enforcement actions reinforce several critical priorities for companies:

1. Entity List Screening Is Non-Negotiable

Automated screening of customers, intermediaries, and end users must be embedded into every transaction workflow.

2. EAR99 Does Not Mean “No Risk”

Items classified as EAR99 still require licenses when exported to restricted parties. Misunderstanding this principle is a recurring enforcement trigger.

3. Third-Party Due Diligence Must Be Strengthened

Distributors, resellers, and agents present heightened risk and require ongoing monitoring—not one-time vetting.

4. Antiboycott Controls Must Be Operationalized

Companies should implement controls to:

• Identify boycott-related language
• Escalate and reject prohibited requests
• Ensure timely BIS reporting

5. Training and Culture Matter

Employees across sales, logistics, legal, and finance must understand export control obligations—not just compliance personnel.

The Bottom Line

BIS enforcement activity continues to focus on preventable compliance failures—not obscure regulatory interpretations or highly technical issues. These cases send a consistent message:

Companies that fail to implement basic export control compliance programs will face enforcement exposure—even where the underlying transactions appear routine or low-risk.

At the same time, BIS is signaling that remediation matters. Suspended penalties and negotiated settlements provide an opportunity for companies to correct deficiencies—but only after violations have already occurred.

The better approach is clear:
Invest upfront in a robust, risk-based export compliance program that integrates screening, training, documentation review, and audit controls.

In the current enforcement environment, this is not just a compliance function—it is a critical component of enterprise risk management.