Three BIS Rules That Changed Export Compliance Forever

For decades, the compliance playbook was stable: classify exports under the Export Administration Regulations, check the Denied Persons List, screen against Entity and Unverified Lists, and clear shipments if no matches appeared. Since October 2022, the U.S. Department of Commerce’s Bureau of Industry and Security has issued three major rules rewriting the compliance standard. These rules do not abandon list screening; they add affirmative obligations requiring compliance teams to investigate whether unrestricted parties are secretly controlled by restricted entities, whether items are being diverted through transshipment networks, or whether cleared end-users are actually acquiring items for prohibited purposes. You cannot satisfy obligations by checking lists alone. You must affirmatively verify the legitimacy of trade relationships before transactions move forward. Compliance programs must shift from reactive list monitoring to proactive due diligence.

Rule 1: Advanced Semiconductor Manufacturing Controls

On October 7, 2022, BIS published the Advanced Computing and Semiconductor Manufacturing Equipment rules restricting exports of advanced semiconductors and equipment to China. The rule was extraordinary: it redesignated previously unrestricted items as controlled, retroactively extended licensing requirements, and imposed affirmative obligations on U.S. exporters to verify end-users and end-uses in Chinese territory. Subsequent rules in October 2023 and 2024 tightened performance thresholds and closed loopholes. Items below performance thresholds but destined for certain Chinese entities required licenses, even if the item itself was not restricted. Exporters had to know customers, map corporate ownership structures, and determine connections to restricted entities. BIS guidance made clear it would evaluate exporter knowledge broadly. If an exporter had reason to know a customer was acquiring items for restricted end-use, they could not rely on stated end-use if red flags suggested otherwise. The rules created an affirmative due diligence standard making list screening necessary but insufficient.

Rule 2: Russia Transshipment Red Flags

Following Russia’s invasion of Ukraine in 2022, BIS imposed sweeping export controls on Russia and Belarus. BIS defined a new duty: if an exporter has reason to know that items subject to the EAR will be transshipped through a third country to Russia or Belarus, the export is prohibited without a license. “Reason to know” was defined not as actual knowledge, but as red flags combined with failure to inquire. BIS published detailed Red Flag guidance identifying markers: new customers with no trading history, upfront cash payment, unusual shipping routes, reluctance to discuss end-use. For the first time, BIS made affirmative customer investigation a regulatory requirement. Exporters could not assume neutral third countries were legitimate end-use locations. If circumstances suggested otherwise, exporters had to ask questions and document results. Failure to inquire when red flags existed constituted knowledge of a violation. A joint DOJ, BIS, and OFAC enforcement advisory reinforced this with a case study describing an exporter who shipped to a third country intermediary, failed to investigate reluctance to discuss end-use, and was held liable when items reached Russia. The message is clear: list screening cannot substitute for questioning customers when circumstances warrant.

Rule 3: The Expanded “Knowledge” Standard

Underlying Rules 1 and 2 is a broader legal principle that BIS has consistently reinforced: the EAR’s definition of “knowledge” requires affirmative action when red flags are present. You “know” a violation is likely if you have actual knowledge or if red flags exist and you deliberately avoid confirming the truth. BIS has published successive “Know Your Customer” guidances spelling out this obligation, defining red flags as unusual payment terms, secrecy around end-use, sudden customer interest in unfamiliar items, and transactions structured to obscure ultimate recipients. When these flags appear, a compliance officer cannot simply run a list check and move forward. The officer must document red flags, make specific inquiries, evaluate responses, and decide whether to proceed. Compliance programs will be judged on whether they identified red flags and documented responses. A program relying exclusively on list screening-even comprehensive, automated systems-will be vulnerable in enforcement if the exporter failed to investigate when red flags existed.

What These Rules Require

The shift from list-based screening to affirmative due diligence creates concrete operational demands. First, compliance programs must perform entity resolution at scale. When a customer applies for a purchase order, the compliance team cannot simply check whether the entity’s name appears on a BIS list. The team must determine whether that entity is owned or controlled by a restricted party, whether it has restricted corporate affiliates, and whether it sits within a transshipment network including restricted destinations. This requires access to corporate registry data, beneficial ownership records, and trade transaction histories across jurisdictions.

Second, compliance programs must implement formal red flag assessment protocols. When transactions present unusual characteristics-atypical payment terms, vague end-use declarations, geographic routing not matching the customer’s stated business-the compliance team must document the red flags, make specific inquiries, document responses, and make explicit decisions about whether to proceed. BIS expects written policies, checklists, and decision logs.

Third, compliance programs must develop transshipment and trade flow analysis capabilities. Understanding whether customers have historically imported items from the United States, re-exported them through intermediaries, or shifted shipping routes requires access to historical trade data and pattern identification capabilities.

Finally, compliance programs must map corporate structures and beneficial ownership chains that control customers. An entity can be de-listed and yet remain under the control of a restricted party through complex ownership structures.

These three rules have rewritten the compliance standard. The new standard is not “Does the party appear on a list?” but “Do you actually know this customer, have you investigated their legitimacy, and can you affirmatively justify your decision to trade with them?”

List screening must remain the foundation, but it can no longer be the entire program. You need tools and data to perform entity resolution, investigate corporate ownership, identify transshipment risk, and document due diligence in ways that will withstand enforcement scrutiny.

Request a demo of Sayari’s Global Trade Compliance platform to see how integrated corporate records from 190+ countries, billions of international trade transactions, and entity resolution across billions of records can support your due diligence at scale.