Made Abroad Does Not Mean Outside U.S. Export Law: Lessons From the Bosch–Huawei Settlement

The United States’ recent enforcement action involving Robert Bosch GmbH demonstrates why that assumption can be wrong.

On June 17, 2026, the U.S. Department of Commerce’s Bureau of Industry and Security announced that Bosch had agreed to pay a civil penalty of approximately $36.2 million to resolve alleged violations involving foreign-produced sensors and automotive software supplied to Huawei and its affiliates.

According to BIS, two non-U.S. Bosch subsidiaries supplied approximately $72.4 million in micro-electromechanical systems sensor products and foreign-produced automotive software to Huawei-related entities between September 2020 and September 2024 without obtaining the required U.S. authorization.

The products were manufactured outside the United States.

The sellers were foreign subsidiaries.

The customer was outside the United States.

Nevertheless, the U.S. government determined that the items were subject to the Export Administration Regulations because of the Foreign Direct Product Rule.[1]

The Justice Department separately investigated the conduct but declined to prosecute Bosch after considering the company’s voluntary disclosure, cooperation, remediation, and the absence of aggravating circumstances. Bosch agreed to disgorge approximately $11.4 million in profits, with credit given for a portion of the Commerce Department payment.[2]

The case is significant for much more than Bosch or Huawei.

It demonstrates that U.S. export controls may follow American technology, software, production equipment, and technical know-how into foreign manufacturing operations.

For U.S. and international business owners, the central lesson is:

The location where a product was made is only the beginning of the export-control analysis.

A company may also need to determine:

  • Which technology was used to design the product;

  • Which software was used to develop or manufacture it;

  • Which equipment produced it;

  • Whether that equipment was derived from U.S. technology;

  • How the item is classified;

  • Who is purchasing it;

  • Who will ultimately use it;

  • Whether a restricted entity participates anywhere in the transaction; and

  • Whether the item will be incorporated into another controlled or restricted product.

Those questions must be answered before shipment, download, remote access, installation, or transfer—not after a government investigation begins.

What Happened in the Bosch Matter?

Bosch is headquartered in Germany and operates through hundreds of subsidiaries and affiliated businesses around the world.

The transactions at issue involved two German subsidiaries:

  • Bosch Sensortec GmbH; and

  • ETAS GmbH.

The subsidiaries supplied Huawei and Huawei-related entities with foreign-produced micro-electromechanical systems, commonly called MEMS sensors, and automotive software.

MEMS sensors can be used in products such as:

  • Smartphones;

  • Wearable technology;

  • Automobiles;

  • Navigation systems;

  • Consumer electronics;

  • Industrial equipment; and

  • Connected devices.

The fact that a product has a commercial or consumer application does not automatically place it outside export controls.

BIS determined that the products and software were subject to the EAR under the Entity List Foreign Direct Product Rule and that licenses or other authorizations were required before they could be supplied to Huawei.

Bosch filed a voluntary self-disclosure and cooperated with the government’s investigation.

The Justice Department’s declination letter states that Bosch’s internal investigation identified numerous errors in applying the Foreign Direct Product Rule. The government also identified continuing sales despite several occasions on which third parties raised the possible application of the rule to Bosch’s products or production equipment.

The Justice Department stated that Bosch’s compliance personnel were not adequately equipped to provide accurate guidance concerning the rule.

That point may be the most important practical lesson in the case.

The company was not accused merely of failing to run a customer’s name through a screening database.

The underlying problem involved the company’s inability to determine whether foreign-produced products were legally subject to U.S. regulations in the first place.

Restricted-party screening is necessary.

It is not enough.

What Are the Export Administration Regulations?

The Export Administration Regulations—commonly called the EAR—are administered primarily by BIS within the U.S. Department of Commerce.

The EAR regulate certain:

  • Commodities;

  • Software;

  • Technology;

  • Technical data and know-how;

  • Exports from the United States;

  • Reexports between foreign countries;

  • Transfers within a foreign country;

  • Foreign-produced products;

  • End users;

  • End uses; and

  • Activities involving specified U.S. persons.

The EAR cover many commercial and dual-use products, meaning items that may have ordinary civilian uses but also have military, intelligence, surveillance, aerospace, nuclear, semiconductor, cybersecurity, or other strategic applications.

An item subject to the EAR may be listed under an Export Control Classification Number on the Commerce Control List.

An item may also be designated EAR99, meaning it is subject to the EAR but not specifically described on the Commerce Control List.

EAR99 does not mean “not controlled.”

An EAR99 product may still require a license or be prohibited because of:

  • The destination;

  • The end user;

  • The end use;

  • A sanctions program;

  • The Entity List;

  • A military, intelligence, nuclear, missile, or other restricted activity;

  • A Foreign Direct Product Rule; or

  • Knowledge that the transaction would violate the EAR.

The correct inquiry is therefore not merely:

What is the product?

It is:

What is the product, where is it going, who is involved, what will it be used for, and how did it become subject to U.S. jurisdiction?

Export, Reexport and Transfer Are Different Events

Businesses frequently associate export controls only with a shipment leaving the United States.

The EAR also regulate certain later movements and disclosures.

Export

An export may occur when an item, software, or technology is sent from the United States to a foreign country.

Depending on the circumstances, an export may also occur when controlled technology or source code is released to a foreign person in the United States.

Reexport

A reexport generally involves sending or releasing an item subject to the EAR from one foreign country to another.

For example, a controlled item exported from the United States to Germany and later shipped from Germany to China may involve a reexport.

Transfer Within a Foreign Country

An in-country transfer may occur when possession, control, or use of an item subject to the EAR changes within the same foreign country.

For example, a product lawfully shipped to a distributor in China could require additional analysis before the distributor transfers it to a different Chinese end user.

The absence of a new international border crossing does not necessarily end the inquiry.

What Is the Foreign Direct Product Rule?

The Foreign Direct Product Rules are provisions within the EAR that can make certain foreign-produced items subject to U.S. export controls because of their connection to specified U.S.-origin technology, software, or production equipment.

There is not only one Foreign Direct Product Rule.

The EAR contain several versions directed at different items, destinations, end users, and national-security concerns.

Depending on the applicable rule, a foreign-produced item may become subject to the EAR if it is:

  • A direct product of specified technology or software subject to the EAR;

  • Produced by a complete plant that is itself the direct product of specified U.S.-origin technology or software;

  • Produced by a major component of a plant that is the direct product of specified U.S.-origin technology or software; or

  • In certain circumstances, contains a component produced through such a plant or major component.

The rule must then be connected to an applicable destination, end use, or end user.

In simplified terms, the analysis may ask:

  1. Was specified U.S.-controlled technology or software used to produce or develop the foreign item?

  2. Was the foreign item produced using a plant or important production equipment that was itself derived from specified U.S. technology or software?

  3. Is the item going to a covered destination, restricted activity, or designated entity?

  4. Does the company know, or have reason to know, that the covered destination, end user, or end use is involved?

If the applicable product scope and end-user, end-use, or destination scope are both satisfied, the foreign-produced item may become subject to the EAR.

A license analysis must then be completed.

Why the Rule Can Reach an Entirely Foreign Transaction

Consider a simplified example.

A German manufacturer produces a sensor in Germany.

The sensor itself is not physically imported from the United States.

But the sensor is produced using specialized equipment that was designed or manufactured using specified U.S.-origin technology or software.

The sensor is then sold from Germany to a listed Chinese technology company.

If the applicable Foreign Direct Product Rule’s product and end-user conditions are satisfied, the German-produced sensor may be subject to the EAR.

The German seller may therefore need a BIS license even though:

  • The seller is not a U.S. company;

  • The factory is not in the United States;

  • The product is not shipped from the United States;

  • The buyer is not in the United States; and

  • The payment does not pass through a U.S. bank.

This is one of the most expansive and frequently misunderstood features of U.S. export-control law.

The Rule Is Not Limited to American-Owned Foreign Companies

A foreign company does not need a U.S. parent to become subject to the Foreign Direct Product Rule.

The jurisdictional connection may arise from the technology, software, production equipment, destination, end user, or end use—not from corporate nationality.

The rule can potentially affect:

  • Foreign manufacturers;

  • Semiconductor foundries;

  • Electronics companies;

  • Automotive suppliers;

  • Software developers;

  • Telecommunications companies;

  • Cloud providers;

  • Equipment manufacturers;

  • Distributors;

  • Resellers;

  • Contract manufacturers;

  • Research organizations;

  • Logistics providers; and

  • Other participants in an international supply chain.

A foreign company may therefore have direct obligations under the EAR even when it has no U.S. subsidiary.

A U.S. company purchasing from or partnering with that foreign business may also face commercial, contractual, reputational, or enforcement exposure if the relationship is inadequately controlled.

U.S. Companies Must Understand Their Foreign Subsidiaries

A U.S. parent should not assume that foreign subsidiaries independently understand U.S. export controls.

The foreign subsidiary may view a transaction as an ordinary local or regional sale.

Local employees may believe that U.S. controls do not apply because:

  • The goods were made abroad;

  • The customer is in the same country;

  • The product is commercially available;

  • The sales contract is governed by foreign law;

  • No U.S. employee approved the transaction;

  • The product contains little or no physical U.S. content; or

  • The local government permits the sale.

Each of those assumptions may be incomplete.

A multinational compliance program should determine:

  • Which products are subject to the EAR;

  • Which foreign-produced products require Foreign Direct Product analysis;

  • Which subsidiaries may submit license applications;

  • Who has authority to stop a transaction;

  • Which customers require enhanced review;

  • Whether restricted-party screening is centralized;

  • How end-use information is verified;

  • How changes in production equipment are tracked;

  • Who monitors regulatory changes; and

  • How suspected violations are escalated.

A corporate policy stating “comply with all export laws” is not an operating procedure.

The Entity List Is Not Simply a List of Completely Prohibited Parties

The Entity List identifies foreign persons, companies, research organizations, governmental bodies, addresses, and other parties that the U.S. government has determined present specified national-security or foreign-policy concerns.

An Entity List designation generally creates additional license requirements.

But the exact consequence depends on the particular entry.

The Entity List specifies:

  • The listed name;

  • Known aliases;

  • Address information;

  • Applicable license requirements;

  • License review policy;

  • Relevant footnotes;

  • Available or unavailable license exceptions; and

  • Other entry-specific conditions.

The presence of a party on the Entity List does not always mean that every possible transaction with that party is prohibited under every legal regime.

It does mean the transaction requires careful, entry-specific analysis.

A company should not conclude either:

  • “They are listed, so all activity is automatically illegal”; or

  • “The item is commercial, so the listing does not matter.”

Both conclusions can be wrong.

Screening a Name Is Only the Beginning

Restricted-party screening is an essential component of export compliance.

The U.S. government’s Consolidated Screening List combines multiple lists maintained by the Departments of Commerce, State, and Treasury.

But screening software cannot independently determine:

  • Whether the product is subject to the EAR;

  • Whether a Foreign Direct Product Rule applies;

  • Whether an unlisted affiliate is acting for a listed party;

  • Whether the buyer is a front company;

  • Whether the address matches a high-risk listed address;

  • Whether the end use is restricted;

  • Whether a distributor will divert the item;

  • Whether the customer is using an alias;

  • Whether the transaction involves a prohibited party indirectly; or

  • Whether the screening information is incomplete or false.

A transaction may clear an automated name screen and still require a license.

Companies Must Identify All Material Transaction Parties

The purchaser shown on the purchase order is not necessarily the only party that matters.

A proper review may require identifying:

  • Purchaser;

  • Seller;

  • Exporter;

  • Reexporter;

  • Manufacturer;

  • Intermediate consignee;

  • Ultimate consignee;

  • End user;

  • Freight forwarder;

  • Bank;

  • Distributor;

  • Reseller;

  • Integrator;

  • Installer;

  • Service provider;

  • Beneficial owner;

  • Parent company;

  • Affiliates; and

  • Parties controlling the final use.

A customer may ask for goods to be shipped to an apparently unrelated logistics company or distributor.

The legal question remains: who ordered the item, who will receive it, who will use it, and for whose benefit is the transaction occurring?

Corporate Affiliates Require Careful Review

Large restricted companies often operate through numerous subsidiaries, affiliates, joint ventures, divisions, research centers, procurement entities, and regional offices.

A business should determine:

  • Whether the exact legal entity is listed;

  • Whether an entity operates under an alias;

  • Whether a listed party is the actual purchaser or end user;

  • Whether a transaction is being arranged for a listed party;

  • Whether an address is shared;

  • Whether personnel overlap;

  • Whether a customer’s website discloses an affiliation;

  • Whether corporate records identify common ownership or control; and

  • Whether the product will be incorporated into an item made for the listed party.

The analysis must follow the actual transaction—not merely the name placed on the invoice.

End Use Can Create a License Requirement Even When the Customer Is Not Listed

Some EAR restrictions depend on how an item will be used rather than solely on the identity of the customer.

Potentially restricted end uses include certain:

  • Nuclear activities;

  • Missile and rocket activities;

  • Chemical or biological weapons activities;

  • Military activities;

  • Military-intelligence activities;

  • Supercomputer and advanced-computing activities;

  • Semiconductor manufacturing;

  • Surveillance activities; and

  • Other designated national-security applications.

A transaction may therefore require a license even when no party appears on a screening list.

Companies should obtain enough information to understand:

  • The customer’s business;

  • The intended application;

  • The installation location;

  • The final product;

  • The customer’s customer;

  • The ultimate user;

  • The expected technical performance; and

  • Whether the product is being modified for a sensitive use.

A generic statement that goods are for “commercial use” may be insufficient.

Knowledge Includes More Than Actual Admission

The EAR’s concept of knowledge is broader than a written confession that the customer intends an unlawful diversion.

Depending on the provision, knowledge can include awareness of a high probability that a circumstance exists and deliberate avoidance of facts.

A company cannot always protect itself by refusing to ask obvious questions.

Potential red flags may include:

  • A customer reluctant to identify the end user;

  • A purchaser with no apparent need for the product;

  • A delivery address inconsistent with the customer;

  • Unusual routing;

  • Last-minute changes in consignee;

  • A vague end-use statement;

  • Payment from an unrelated company;

  • Technical requirements inconsistent with the stated purpose;

  • A freight forwarder selected by an unknown party;

  • Requests to omit information from documents;

  • A customer associated with a restricted entity;

  • Public reports linking the parties;

  • A reseller located in a known diversion hub;

  • An order far beyond the customer’s usual volume; or

  • A third party warning that the Foreign Direct Product Rule may apply.

The Bosch matter is particularly instructive because the Justice Department stated that third parties had identified possible applications of the rule, yet sales continued.

A warning should trigger documented escalation and legal review—not an informal assumption that the concern is probably mistaken.

Consumer and Commercial Products Are Not Automatically Exempt

Businesses sometimes assume that export controls apply only to weapons, military hardware, or highly classified technology.

The Bosch matter involved sensors and automotive software with broad commercial applications.

Modern consumer and industrial products may contain capabilities relevant to:

  • Navigation;

  • Motion detection;

  • Autonomous systems;

  • Robotics;

  • Communications;

  • Data collection;

  • Advanced computing;

  • Surveillance;

  • Aerospace;

  • Electronic warfare;

  • Industrial automation; and

  • Military systems.

The civilian nature of the company’s ordinary customer base does not answer how a particular product may be used by a particular end user.

Software and Remote Access Create Separate Risks

An export does not always involve a box moving through customs.

Software and technology may be transferred through:

  • Download links;

  • Cloud access;

  • Email;

  • Source-code repositories;

  • Remote maintenance;

  • Technical support;

  • System updates;

  • Application programming interfaces;

  • Shared drives;

  • Virtual meetings;

  • Screen sharing;

  • Remote logins; and

  • Employee access.

A foreign customer that lawfully received software may later request access for an employee, affiliate, contractor, or location that creates a separate license question.

Businesses should control:

  • Account creation;

  • User identity;

  • IP addresses;

  • Geographic access;

  • Downloads;

  • Administrative privileges;

  • Source-code access;

  • Technical-support requests;

  • Subscriptions;

  • Updates; and

  • Assignment of licenses.

Contractual restrictions should be supported by technical controls where feasible.

Manufacturers Must Understand Their Production Equipment

The Foreign Direct Product Rule can require a company to investigate not only what is inside the finished product but also how the product was made.

Relevant questions may include:

  • Which software designed the product?

  • Which electronic-design automation tools were used?

  • Which technology supports production?

  • Which machines fabricated or tested the item?

  • Where were those machines produced?

  • Were the machines direct products of U.S.-origin technology or software?

  • Does a foundry or contract manufacturer possess the necessary information?

  • Has the production line changed?

  • Is a major component of the plant within the applicable rule?

  • Are supplier certifications current and reliable?

Many businesses do not maintain this information in their sales or shipping systems.

The information may instead reside with:

  • Engineers;

  • Product developers;

  • Equipment suppliers;

  • Foundries;

  • Contract manufacturers;

  • Information-technology personnel;

  • Procurement teams;

  • Software licensors; or

  • Outside design firms.

Export compliance must therefore involve more than the logistics department.

Product Classification Must Be Coordinated With Engineering

A sales employee cannot reliably classify a complex sensor, semiconductor, encryption product, software platform, or technical service based only on a marketing description.

Accurate classification may require information concerning:

  • Technical performance;

  • Materials;

  • Encryption;

  • Frequency;

  • Accuracy;

  • Processing capability;

  • Memory;

  • Network functions;

  • End-use features;

  • Software functions;

  • Source code;

  • Design technology; and

  • Production methods.

The company may request an official commodity classification from BIS when appropriate.

But even an accurate ECCN does not complete the transaction analysis.

The business must still examine:

  • Destination;

  • End user;

  • End use;

  • Foreign Direct Product Rules;

  • License exceptions;

  • Entity List requirements;

  • Embargoes;

  • Sanctions; and

  • Other regulatory regimes.

Foreign Suppliers Should Be Contractually Required to Cooperate

A U.S. company may need information from a foreign manufacturer to determine whether a product is subject to the EAR.

That information may include:

  • Product classifications;

  • Technology used in development;

  • Software used in design;

  • Production equipment;

  • Facility locations;

  • Foundries;

  • Contract manufacturers;

  • U.S.-origin content;

  • End users;

  • Purchasers;

  • Reexport destinations; and

  • Changes in the supply chain.

The supply or manufacturing agreement should require cooperation.

Without a contractual obligation, a supplier may refuse to disclose its software, equipment, or production methods on the ground that the information is proprietary.

The contract should balance compliance needs with appropriate confidentiality protections.

Distributor Agreements Need Strong Reexport Controls

A foreign distributor may resell goods into countries or to customers that the original exporter did not approve.

The distribution agreement should address:

  • Approved territory;

  • Approved customer categories;

  • Restricted destinations;

  • Restricted parties;

  • Restricted end uses;

  • Resale and reexport;

  • In-country transfers;

  • End-user certifications;

  • Recordkeeping;

  • Screening procedures;

  • Audits;

  • Training;

  • Notice of suspicious orders;

  • Government inquiries;

  • Suspension;

  • Termination; and

  • Cooperation with license applications.

A contractual prohibition alone does not eliminate liability when the exporter knows or has reason to know that diversion is occurring.

The company must monitor performance and respond to red flags.

The Contract Questions Businesses Should Ask

1. Who Determines Whether the Item Is Subject to the EAR?

The agreement should identify which party is responsible for:

  • Classification;

  • U.S.-origin content analysis;

  • Foreign Direct Product analysis;

  • Destination review;

  • End-user review;

  • End-use review; and

  • License determination.

The party making the representation should have access to the necessary facts.

2. Who Obtains the License?

A contract should not simply state that the transaction is “subject to all required licenses.”

It should determine:

  • Who applies;

  • Who supplies supporting documents;

  • Who pays;

  • Whether production begins before approval;

  • Whether the buyer must wait;

  • What happens if the license is denied;

  • Whether license conditions affect the price;

  • Whether the license can be transferred; and

  • What happens if the rule changes.

3. May the Buyer Reexport or Transfer the Item?

The buyer’s rights should be clearly limited.

The agreement may require written approval before:

  • Reexport;

  • Resale;

  • Transfer within a country;

  • Change in end user;

  • Change in end use;

  • Relocation;

  • Integration into another product; or

  • Remote access from another jurisdiction.

4. What Information Must the Customer Provide?

The customer may be required to disclose:

  • Legal name;

  • Registration number;

  • Ownership;

  • Affiliates;

  • End user;

  • End use;

  • Installation site;

  • Intermediate consignees;

  • Final destination;

  • Integrators;

  • Customers; and

  • Changes after shipment.

The agreement should permit suspension if the information is incomplete or appears inaccurate.

5. Who Must Screen the Parties?

Each party may have its own legal obligations.

The agreement can require both parties to maintain reasonable screening procedures rather than shifting the entire obligation to one side.

6. What Happens When a Party Is Added to a Restricted List?

The contract should address:

  • Immediate suspension;

  • Goods in production;

  • Goods in transit;

  • Deposits;

  • Stored inventory;

  • License applications;

  • Refunds;

  • Alternative buyers;

  • Termination;

  • Return of technology;

  • Data deletion; and

  • Government reporting.

7. What Happens if the Law Changes?

Export controls can change quickly.

A change-in-law clause should establish:

  • Notice;

  • Suspension rights;

  • Cooperation;

  • Cost allocation;

  • License procedures;

  • Mitigation;

  • Alternative performance; and

  • Termination.

8. Who Bears the Consequences of Incorrect Information?

The agreement should address liability for:

  • False end-use statements;

  • Incorrect classification information;

  • Undisclosed affiliates;

  • Unauthorized reexports;

  • Diversion;

  • Penalties;

  • Seizure;

  • Storage;

  • Return freight;

  • Government investigations;

  • Legal fees; and

  • Customer claims.

Indemnification is not a substitute for the exporter’s independent due diligence.

A company cannot knowingly proceed with a prohibited transaction merely because the customer promised to reimburse any penalty.

Mergers and Acquisitions Require Export-Control Due Diligence

A buyer acquiring an international company may inherit significant export-control exposure.

Due diligence should examine:

  • Products and classifications;

  • Export destinations;

  • Foreign-produced items;

  • U.S.-origin technology and software;

  • Manufacturing equipment;

  • Restricted-party screening;

  • License history;

  • End-use certifications;

  • Foreign subsidiaries;

  • Distributors;

  • Cloud and software access;

  • Internal investigations;

  • Government subpoenas;

  • Voluntary disclosures;

  • Past warnings;

  • Compliance staffing; and

  • Remediation.

The Bosch matter illustrates why a general statement that the target “complies with applicable law” may be inadequate.

A buyer should determine whether the target actually understands the Foreign Direct Product Rules applicable to its products and production network.

Transaction documents may need:

  • Specific representations;

  • Disclosure schedules;

  • Indemnities;

  • Escrows;

  • Purchase-price adjustments;

  • Covenants;

  • Remediation conditions;

  • Government-notification obligations; and

  • Post-closing audits.

The Voluntary Disclosure Mattered—but Did Not Eliminate the Financial Consequences

Bosch voluntarily disclosed the matter to BIS and the Justice Department while its internal investigation was still underway.

The government credited:

  • Timely voluntary disclosure;

  • Full cooperation;

  • Preservation and production of documents;

  • Disclosure of relevant facts;

  • Prompt responses to government requests;

  • Remediation;

  • Organizational changes;

  • Increased compliance personnel;

  • Expansion of U.S. trade-compliance resources; and

  • Updates to internal policies and licensing procedures.

The Justice Department declined criminal prosecution.

That was a substantial benefit.

But Bosch still agreed to a civil penalty exceeding $36 million and disgorgement of profits.

Voluntary disclosure is therefore not the same as immunity.

It can materially affect the outcome, but the consequences depend on the conduct, timing, cooperation, remediation, harm, knowledge, aggravating circumstances, and applicable enforcement policies.

Bosch Added 66 Compliance Employees

The Justice Department specifically noted that Bosch added 66 employees to its trade-compliance organization and expanded its U.S. trade-control resources.

That fact demonstrates the scale of remediation the government considered relevant.

A company cannot necessarily correct a complex global problem by:

  • Issuing one policy;

  • Purchasing screening software;

  • Adding a checkbox to an order form; or

  • Providing a single annual training session.

An effective program may require:

  • Qualified personnel;

  • Clear authority;

  • Engineering participation;

  • Escalation procedures;

  • Audits;

  • Technology controls;

  • Supplier cooperation;

  • Distributor oversight;

  • Management support;

  • Recordkeeping;

  • Testing; and

  • Continuing updates.

The appropriate scale depends on the company’s products, markets, customers, technology, and risk profile.

A Voluntary Self-Disclosure Must Be Carefully Managed

When a company discovers a possible violation, it should promptly preserve relevant evidence and obtain qualified legal advice.

The initial questions may include:

  • Is the item subject to the EAR?

  • Which rule applies?

  • Was a license required?

  • Did an exception apply?

  • How many transactions are affected?

  • Is the conduct continuing?

  • Are goods in transit?

  • Are additional agencies involved?

  • Is there potential criminal exposure?

  • Must transactions be stopped?

  • Should customers or banks be notified?

  • Is a disclosure to BIS appropriate?

  • Is a separate disclosure to the Justice Department, OFAC, State Department, or another agency required?

  • What remediation should begin immediately?

An incomplete or inaccurate disclosure can create additional problems.

At the same time, a company should not delay necessary escalation merely because every fact has not yet been established.

BIS permits an initial submission followed by a fuller narrative and supporting documentation under the applicable procedures.

Corporate Declination Does Not Automatically Protect Individuals

The Justice Department’s Bosch declination letter expressly states that it does not protect individuals from prosecution.

That distinction is important.

A corporate resolution may not resolve the exposure of:

  • Executives;

  • Managers;

  • Compliance personnel;

  • Sales employees;

  • Engineers;

  • Export coordinators;

  • Freight forwarders;

  • Distributors; or

  • Other individuals involved in the conduct.

Companies conducting internal investigations should therefore consider:

  • Individual representation issues;

  • Privilege;

  • Document preservation;

  • Interview procedures;

  • Employment actions;

  • Government cooperation;

  • Accuracy of certifications; and

  • Potential conflicts of interest.

Eleven Steps International Businesses Should Take Now

1. Identify Foreign-Produced Goods With U.S. Technology Connections

Determine whether products manufactured abroad were designed or produced using U.S.-origin technology, software, plants, or major production equipment.

2. Classify Goods, Software and Technology

Confirm the applicable ECCN or EAR99 status and preserve the supporting analysis.

3. Map the Production Process

Identify design software, production equipment, foundries, test equipment, contract manufacturers, and relevant technology at each facility.

4. Screen Every Material Party

Screen purchasers, end users, consignees, distributors, banks, beneficial owners, affiliates, and known transaction addresses.

5. Investigate End Use

Obtain specific and credible information concerning what the item will do, where it will be installed, and who will ultimately benefit.

6. Escalate Red Flags

Create a documented process that prevents sales, logistics, or engineering employees from informally clearing high-risk transactions.

7. Review Foreign Subsidiaries

Confirm that local offices understand reexports, in-country transfers, Foreign Direct Product Rules, and the legal reach of the EAR.

8. Revise Contracts

Add classification, end-use, end-user, reexport, screening, audit, notice, suspension, licensing, and cooperation provisions.

9. Control Software and Remote Access

Use technical and contractual restrictions for downloads, user accounts, source code, updates, and remote support.

10. Test the Compliance Program

Conduct audits using actual orders, customers, products, and production facilities—not merely policy documents.

11. Prepare a Response Plan

Determine who will investigate, stop transactions, preserve evidence, contact counsel, evaluate disclosure, and communicate with regulators if a concern arises.

How TEIL Firms Can Help

The Foreign Direct Product Rule presents a particular challenge because the issue may arise far from the United States and several levels removed from the original U.S. technology.

A U.S. manufacturer may need to determine whether its foreign subsidiary can sell locally. A German, Asian, African, or Latin American company may need to know whether foreign-made goods are subject to the EAR. A business may need to screen an overseas distributor, investigate the ultimate end user, revise a technology license, or determine whether a customer’s requested use requires authorization.

An acquiring company may need to understand whether a target’s historical foreign sales create undisclosed liability.

The Evans International Law Firms, LLC—TEIL Firms—helps U.S. and international companies evaluate the export-control, contract, and international business issues that arise when technology and products move through global supply chains.

Our services include:

  • Export Administration Regulations issue spotting;

  • Foreign Direct Product Rule analysis;

  • Product, software, and technology classification coordination;

  • Restricted-party and beneficial-ownership reviews;

  • End-user and end-use due diligence;

  • Foreign-subsidiary compliance reviews;

  • International distributor and reseller agreements;

  • Manufacturing and technology-transfer agreements;

  • Export-control representations, warranties, and certifications;

  • Reexport and in-country transfer provisions;

  • License-responsibility and change-in-law clauses;

  • International software and cloud-access agreements;

  • Export-compliance policies and escalation procedures;

  • Mergers and acquisitions export-control due diligence;

  • Internal investigation and remediation planning;

  • Voluntary self-disclosure issue assessment; and

  • Cross-border transaction restructuring.

A targeted Foreign Direct Product and Export-Control Risk Review can help determine:

  • Whether foreign-produced products are subject to the EAR;

  • Which U.S. technology, software, or equipment creates the connection;

  • Whether a customer, affiliate, end user, or end use requires a license;

  • Whether foreign subsidiaries are applying the rules correctly;

  • Whether contracts restrict unauthorized reexports and transfers;

  • Whether screening procedures identify all relevant parties;

  • Whether prior transactions require investigation;

  • What remediation should begin; and

  • Whether a potential disclosure should be evaluated.

Businesses should conduct that review before entering a high-risk market, supplying an Entity List-related customer, transferring production abroad, acquiring a foreign technology company, or relying on the assumption that a foreign-made product is beyond U.S. jurisdiction.

Conclusion

The Bosch settlement provides a direct warning to companies participating in global manufacturing and technology markets.

A product does not escape U.S. export controls simply because it was manufactured outside the United States.

Foreign-produced items can become subject to the Export Administration Regulations because of:

  • U.S.-origin technology;

  • U.S.-origin software;

  • Production equipment derived from U.S. technology;

  • A covered destination;

  • A restricted end use;

  • A designated end user; or

  • A combination of those factors.

The case also demonstrates that restricted-party screening alone is insufficient.

Businesses must understand their products, production methods, customers, affiliates, end users, and the movement of goods and technology after the first sale.

Bosch’s voluntary disclosure, cooperation, and extensive remediation helped the company avoid criminal prosecution. They did not eliminate the civil penalty or disgorgement.

The best time to determine whether a foreign-made product is subject to U.S. export controls is before the company accepts the order.

The next best time is before the product ships.

Waiting until a customer, regulator, whistleblower, bank, supplier, or outside adviser identifies the problem can transform a licensing question into a multinational enforcement matter.

This article is provided for general informational purposes and does not constitute legal advice. Whether an item is subject to the EAR, whether a Foreign Direct Product Rule applies, and whether a license is required depend on the item, technology, software, production process, parties, destination, end use, and law in effect at the time of the transaction.

Agreement, Asia, BRICS, AGOA, Africa, ASEAN, Business, Business News, Business Operations, Business Structure, China, Compliance, Contract Law, Customs, Disclosure Controls, Due Diligence, Entreprenuership, Ethiopia, Europe, Export Controls, Foreign Trade, Foreign Policy, Ground Transportation, International Law, International Trade, International Business, Maritime Trade, Market, North America, Op-Ed, Outsourcing, Opinion Pieces, Politics, South America, Supply Chain Management, Tariffs, Trade Compliance, U.S. Politics, USMCA, Uganda, Valuation, ZambiaTEIL Firms, LLCBosch, Robert Bosch, Bosch settlement, Bosch export controls, Bosch Huawei, Huawei, Huawei Entity List, Bureau of Industry and Security, BIS, U.S. Department of Commerce, Department of Commerce, U.S. Department of Justice, DOJ, Export Administration Regulations, EAR, Foreign Direct Product Rule, FDPR, Entity List, Export Control Classification Number, ECCN, EAR99, Commerce Control List, CCL, export controls, export compliance, export law, U.S. export regulations, international trade law, international business law, global trade, cross-border trade, global supply chains, international manufacturing, international compliance, regulatory compliance, trade compliance, export licensing, export license, BIS license, voluntary self-disclosure, VSD, civil penalty, disgorgement, enforcement action, compliance program, compliance remediation, corporate compliance, corporate governance, trade controls, dual-use goods, dual-use technology, dual-use software, controlled technology, controlled software, technical data, technical know-how, U.S.-origin technology, U.S.-origin software, foreign-produced items, foreign-made products, overseas manufacturing, foreign subsidiaries, multinational corporations, multinational compliance, global operations, cross-border transactions, international subsidiaries, export jurisdiction, U.S. jurisdiction, extraterritorial application, foreign direct product analysis, semiconductor export controls, semiconductor manufacturing, semiconductor foundries, MEMS sensors, micro-electromechanical systems, automotive software, automotive technology, automotive suppliers, electronics manufacturing, consumer electronics, industrial equipment, connected devices, engineering software, production equipment, manufacturing equipment, design software, electronic design automation, EDA software, production technology, manufacturing technology, engineering teams, product classification, classification analysis, export classification, product classification review, software classification, technology classification, controlled commodities, commodities, software exports, technology transfers, exports, reexports, in-country transfers, deemed exports, cloud access, remote access, source code, source code repositories, software downloads, software licensing, cloud services, APIs, application programming interfaces, technical support, remote maintenance, technology licensing, technology transfer agreements, restricted parties, restricted-party screening, Consolidated Screening List, denied parties, sanctioned entities, sanctions compliance, Entity List screening, beneficial ownership, beneficial owner screening, end user, ultimate end user, end-use review, end-use controls, military end use, military intelligence, advanced computing, supercomputing, semiconductor manufacturing equipment, nuclear activities, missile technology, chemical weapons, biological weapons, surveillance technology, cybersecurity, national security, foreign policy controls, diversion risk, export diversion, diversion hubs, freight forwarders, intermediaries, distributors, resellers, logistics providers, contract manufacturers, OEM manufacturing, supply chain risk, supply chain security, supplier due diligence, customer due diligence, enhanced due diligence, compliance audits, internal investigations, document preservation, government investigations, whistleblower risk, regulatory enforcement, compliance staffing, compliance training, compliance policies, compliance procedures, escalation procedures, governance controls, risk assessment, enterprise risk management, trade risk, export risk assessment, licensing strategy, license exceptions, licensing obligations, denied transactions, prohibited transactions, change in law, contractual compliance, compliance clauses, export representations, warranties, indemnification, international contracts, manufacturing agreements, distributor agreements, reseller agreements, software agreements, technology agreements, reexport clauses, in-country transfer clauses, audit rights, customer certifications, end-user certifications, screening procedures, supplier cooperation, contract drafting, legal due diligence, mergers and acquisitions, M&A due diligence, acquisition risk, transaction due diligence, post-acquisition integration, compliance integration, international acquisitions, global expansion, foreign investment, global manufacturing strategy, cross-border restructuring, international distribution, supply chain management, technology supply chains, electronics supply chains, industrial automation, robotics, navigation systems, sensors, Internet of Things, IoT, connected technology, smart devices, commercial technology, commercial software, industrial software, manufacturing software, engineering compliance, export investigations, government enforcement, regulatory investigations, voluntary disclosure strategy, declination, criminal enforcement, civil enforcement, penalties, compliance failures, trade attorneys, export compliance attorneys, international trade attorneys, business compliance, legal risk management, international legal strategy, TEIL Firms, Evans International Law Firms, global business compliance, cross-border compliance, export compliance program, international risk management, foreign direct product compliance, global technology compliance, U.S. trade enforcement, export enforcement, international regulatory compliance, international commerce, business risk management, international operations, compliance best practices, export control audits, global compliance strategy, technology governance, cross-border technology transfers, international technology law, foreign market compliance, export compliance review, global legal compliance, U.S. trade law, international commercial law, international business strategy, supply chain due diligence, compliance consulting, export control strategy, global regulatory strategy, international manufacturing contracts, export licensing compliance, foreign technology transactions, restricted technology, export screening, global trade compliance, business continuity, risk mitigation, multinational risk managementComment