9 October 2025

Enforcement risks increase under BIS’s new 50-percent ownership rule for Entity List, MEU, and SDN affiliates

Written by:Nathaniel Edmonds Christian Ford David Stier Lindsey Dieselman Aurélie Ercoli Jana del-Cerro Nicholas Klein Michael Walsh

The US Commerce Department’s Bureau of Industry and Security (BIS) published an interim final rule (IFR) on September 30, 2025, extending export restrictions to entities or affiliates that are 50-percent or more directly or indirectly owned by parties on the Entity List, Military End User List (MEU), or that are designated as Specially Designated Nationals (SDNs) or blocked persons under certain US sanctions programs (together, Listed Parties).[1]

This alert provides an overview of the current enforcement landscape and what companies can expect going forward with the release of the new IFR.

Background

As discussed in a prior DLA Piper alert, the IFR established a 50-percent or more “Affiliates rule” under the Export Administration Regulations (EAR), mandating the application of the most restrictive license requirement, exception eligibility, and license review policy where multiple Listed Parties account for 50 percent or more of ownership. With this change, lists such as the Consolidated Screening List (CSL) will no longer provide a complete list of foreign entities subject to Entity List or MEU license requirements. While this new IFR may result in an increase in companies’ compliance spending, BIS stated: “The private sector should already be undertaking this analysis as part of a risk-based approach under OFAC prohibitions.”

Recent policy pronouncements and interagency coordination point toward an increase in risk for companies whose due diligence and screening fail to account for ownership by Listed Parties. Commerce Secretary Howard Lutnick has publicly signaled a “dramatic increase” in BIS enforcement and fines and described BIS as the “frontline” of a “reemerging great power conflict,” with priorities centered on China, Iran, Russia; diversion through China and Hong Kong; and sensitive technologies including semiconductors, defense articles, artificial intelligence, and quantum computing. Those remarks align with the Trump Administration’s directives, including the February 4, 2025 National Security Presidential Memorandum (NSPM-2) to close perceived loopholes and align US national security objectives via a “robust and continuous export control enforcement campaign.” As described below, recent enforcement actions reflect this focus.

In addition to Secretary Lutnick’s statements and the new IFR, the recent creation of a multi-agency Trade Fraud Task Force, and coordinated export enforcement actions involving BIS and the US Department of Justice (DOJ), companies can anticipate an increase in government investigations into violations of US export control laws and steeper penalties.

Civil enforcement risks and BIS exposure

Under the IFR, civil exposure for violations of export control laws expands because, as detailed in our prior alert, Entity List, MEU, and certain SDN-related license requirements now automatically extend to foreign entities owned – directly or indirectly and in the aggregate – 50 percent or more by Listed Parties, with the most restrictive license requirement, license exception eligibility, and license review policy applying if an entity is owned by multiple Listed Parties. The IFR imposes an additional affirmative obligation to determine ownership whereby if there is an Entity List individual or company anywhere in the ownership structure, but the percentage of ownership is unknown or undetermined, a license or applicable exception is now required before export, reexport, or transfer.

As a practical matter, similar to conducting risk-based Office of Foreign Assets Control (OFAC) compliance procedures, companies are encouraged to undertake “flow-down” ownership analyses and take seriously any scenario where they are not able to determine ownership, regardless of whether they have identified owners on the Entity List. As part of these changes, BIS has warned that the CSL is not exhaustive, because many newly covered affiliates of Listed Parties will not appear by name, thus increasing the risk that routine screening based only on the CSL will miss a prohibited end user under the new rule. Violations remain subject to strict civil liability, and lack of knowledge is not a defense (although knowledge can affect penalty calculations).

As a result, any company that knowingly or unknowingly exports, reexports, or transfers items subject to the EAR to any party that is 50-percent or more owned by a Listed Party can face potential civil penalties of up to $374,474 and $377,700 for any violation of the Export Controls Act of 2018 and any violation of the International Emergency Economic Powers Act (IEEPA), respectively, in addition to potential license suspension or revocation, audit, and/or additional compliance requirements.

In this environment, the BIS Office of Export Enforcement (OEE) can be expected to prioritize investigations and enforcement actions for violations of these new requirements where US national security interests are implicated – particularly those involving end users with ownership ties to Listed Parties or those presenting diversion risks to China, Russia, or Iran. OEE will also prioritize sensitive technologies and unlawful exports involving non-US companies. Companies with ongoing investigations or pending subpoenas should also be prepared for BIS to expand its scope to examine whether the same companies are meeting this newly established “affirmative duty” to conduct due diligence. In certain industries, especially those involving distributors, resellers, and channel partners, companies may need to significantly re-evaluate and enhance their compliance resources and procedures.

Criminal enforcement risks and DOJ coordination

Criminal enforcement risk for export control violations under this new rule is elevated, and cases will be overseen and closely coordinated by DOJ’s National Security Division (NSD). Criminal exposure could arise when an exporter, reexporter, or transferor takes any of the following actions:

Exports items subject to the EAR to end users, knowing that the end users are 50-percent or more owned by a Listed Party or where there is evidence that the exporter, reexporter, or transferor was willfully blind to or should have known these facts,

Conceals information about an end user’s affiliation with a Listed Party,

Knowingly or willfully fails to conduct adequate due diligence or identify the ownership of the respective end user, or

Intentionally fails to implement a risk-based compliance program that satisfies the affirmative compliance obligations of the IFR to identify ownership structures for foreign entities.

Like BIS, priority investigations and enforcement actions into criminal violations of export controls will involve exports of sensitive technology to US adversaries and diversion via aliases and front companies. DOJ is also likely to pursue diverters and front companies and coordinate closely with BIS on high priority investigations.

Similar to the recent enforcement action against Cadence Design Systems Inc., DOJ can leverage fact patterns demonstrating affiliations between end users and Listed Parties – such as shared personnel, co-location, and communications referencing or alluding to the Listed Party – to show reckless or willful failures to investigate or escalate red flags as required under the new rule. Intentional or willful failure to affirmatively determine ownership when there is a violation will also increase criminal exposure.

Criminal violations of the EAR or US sanctions regulations carry potential fines of up to $1 million per violation and up to 20 years of imprisonment. Criminal resolutions with DOJ for violations of export control laws also frequently require compliance enhancements and reporting, with NSD’s March 2024 Enforcement Policy for Business Organizations outlining incentives for timely self-disclosures, remediation, and cooperation. Importantly, criminal penalties can be layered on top of any civil penalties imposed by BIS. Thus, companies navigating dual civil and criminal enforcement actions for violations of export control laws can face even more significant monetary penalties, reputational risk, and business disruption.

Anticipated enforcement trends and practical implications

While the October 1, 2025 federal shutdown may temporarily slow some enforcement and investigative activity, national security investigations should be expected to continue. Even if there are interruptions or temporary pauses, companies are encouraged to remain mindful of the five-year statute of limitations for violations of the Export Control Reform Act (and, relatedly, that the statute of limitations is 10 years for violations of sanctions established under IEEPA or the Trading with the Enemy Act, going back to April 24, 2019). The following provisions of the IFR and broader trends point to heightened short- and long-term enforcement risk:

First, ownership opacity in higher-risk jurisdictions will collide with the new affirmative duty to determine ownership where percentage ownership by a Listed Party cannot be determined. Companies proceeding without clarity on the ownership of an entity that is a party to a transaction involving the export, reexport, or transfer of an item subject to the EAR are vulnerable to violating the IFR and resulting strict liability civil enforcement actions. Willful failure to satisfy that affirmative duty also carries criminal enforcement risk.

Second, the “most restrictive owner controls” rule in cases where multiple Listed Parties hold ownership interest in an entity increases the likelihood that a presumption of denial applies to a contemplated export, reexport, or transfer.

Third, expansion of Entity List Foreign Direct Product (FDP) and Russia/Belarus MEU FDP rules will draw additional items subject to the EAR and expand license requirements.

Fourth, BIS has increased interagency and multilateral coordination, including with DOJ, to pursue diversion networks, aliases, and procurement fronts. Companies can thus find themselves navigating requests and inquiries from multiple regulators and facing differing investigation timelines.

Finally, BIS has stated that companies can no longer rely on CSL-based screening alone for exports because it will no longer provide an exhaustive list of foreign entities subject to Entity List license requirements. Thus, a company’s failure to implement ownership diligence tools, escalate red flags, pause transactions pending resolution, or seek licenses where percentage ownership by a Listed Party cannot be determined could be viewed by BIS as aggravating factors when determining penalties for violations.

In practical terms, the application of the new rule will be particularly challenging when a party to an export, reexport, or transfer is a joint venture, distributor, or reseller in which Listed Parties hold 50-percent or more aggregate ownership. Companies may also face challenges when dealing with entities holding opaque beneficial ownership structures, when arrangements appear to involve aliases or front companies for Listed Parties, or where end users are not cooperative in providing information about their beneficial owners. Companies are encouraged to promptly assess and close program gaps to meet the IFR’s ownership and licensing requirements and ensure that, when they encounter red flags, appropriate diligence and follow-up are performed. As BIS guidance explains, “[i]f … ‘red flags’ cannot be explained or justified and you proceed, you run the risk of having had “knowledge” that would make your action a violation of the EAR.” (Supplement No. 3 to Part 732 – BIS's “Know Your Customer” Guidance and Red Flags).

Next steps for companies

The following steps are encouraged to mitigate compliance risks:

Conduct privileged risk assessment of ongoing compliance with the new IFR for highest risk jurisdictions,

Train deal, sales, and business development teams and gatekeepers; revisit and, if necessary, update red flag escalation protocols,

Update ownership due diligence procedures to identify direct and indirect, aggregate ownership by Listed Parties; document negative findings,

Maintain records required by the EAR for a minimum of five years,

Escalate and pause transactions when ownership cannot be verified; seek BIS licenses where required or in gray areas,

Strengthen contract clauses (information rights, audit, end user certifications),

Revisit voluntary self-disclosure decision criteria given elevated penalty exposure, and

Brief senior leadership on enforcement risk and potential need for conservative “go/no-go” decisions about existing and future business relationships.

Conclusion

In light of Secretary Lutnick’s stated intention to dramatically increase BIS enforcement and penalties, the Trump Administration’s priority of an “America First” enforcement strategy, and DOJ’s demonstrated readiness to coordinate parallel criminal actions, companies should evaluate their current risks and how to effectively respond to the IFR. Given the risks of enforcement, companies are encouraged to seek licenses as required (or even in gray zones), strengthen diversion monitoring and subsidiary oversight, and thoughtfully evaluate the risks and benefits of voluntary self-disclosure when potential violations are identified. DLA Piper’s lawyers focusing on Investigations and White Collar Defense and National Security and Global Trade work as an integrated team on these complex trade issues and enforcement defense strategies.

For additional information, please contact the authors.

[1] On September 30, 2025, House Foreign Affairs Europe Subcommittee Chairman Keith Self also introduced a corresponding bill – the Suppressing Tactics of Prohibited (STOP) Shells Act – intended to codify this IFR.