US Export Controls on AI and Semiconductors Compliance Guide

What are the recent BIS updates regarding advanced computing and semiconductor manufacturing?

The Bureau of Industry and Security (BIS) has implemented sweeping new controls that restrict the export of high-performance integrated circuits (chips) and the equipment used to manufacture them. These updates specifically target Artificial Intelligence (AI) capabilities and advanced logic or memory chip production that could support foreign military modernization.

The regulations center on three primary pillars of restriction:

• Performance Thresholds: Chips meeting specific technical parameters for total processing performance and interconnect speed are restricted from export to certain jurisdictions without a specific license.
• End-Use Controls: Even if a chip does not meet the performance threshold, it may be restricted if it is intended for use in a "supercomputer" or by a facility involved in advanced semiconductor fabrication.
• Entity List Additions: BIS frequently adds international technology firms to the "Entity List," which effectively bans US companies from exporting any items subject to the EAR to those specific organizations.

Businesses must monitor the Bureau of Industry and Security (BIS) website for frequent updates, as the "Advanced Computing" and "Semiconductor Manufacturing" rules are subject to rapid revisions based on technological breakthroughs and national security shifts.

What are the due diligence requirements for international distributors and end-users?

Due diligence in the tech sector requires a robust "Know Your Customer" (KYC) program to ensure that products do not end up in the hands of restricted parties or used for prohibited purposes. Tech firms must screen every participant in the supply chain-including distributors, resellers, and final end-users-against multiple US government watchlists.

An effective due diligence process should include these mandatory steps:

1. Screening: Check all parties against the Consolidated Screening List (CSL), which aggregates data from Commerce, State, and Treasury departments.
2. End-User Statements: Obtain signed certifications from customers detailing where the product will be used and confirming it will not be re-exported to sanctioned regions.
3. Red Flag Identification: Train sales and logistics teams to recognize suspicious behavior, such as a customer who is reluctant to provide end-use information or a distributor with no prior experience in the semiconductor industry.
4. Transaction Monitoring: Periodically audit high-value or high-volume accounts to ensure the volume of tech being purchased aligns with the customer's known business capacity.

How do tech firms manage the risks of 'deemed exports' in research and development?

A "deemed export" occurs when restricted technical data or source code is released to a foreign national within the United States, whether through visual inspection, oral briefing, or digital access. For AI and semiconductor firms, this means that hiring a foreign national or collaborating with international researchers can trigger the same licensing requirements as shipping hardware overseas.

To manage these risks, firms should implement the following strategies:

• Technology Control Plans (TCP): Create internal documents that outline how restricted data is protected, including physical and digital "firewalls" to prevent unauthorized foreign national employees from accessing specific projects.
• I-129 Certifications: When filing for H-1B or O-1 visas, employers must certify to the US government whether a "deemed export" license is required for that specific employee based on their job duties and nationality.
• Badge Access & IT Permissions: Use role-based access controls to ensure that only US citizens or permanent residents can access servers containing restricted semiconductor designs or AI training methodologies.

What are the penalties for non-compliance under EAR and OFAC regulations?

Penalties for violating US export controls are among the most severe in the regulatory world, encompassing both civil and criminal liabilities. The Office of Foreign Assets Control (OFAC) and the BIS work in tandem to punish firms that bypass sanctions or export restricted technology to prohibited destinations.

The consequences of a violation typically fall into three categories:

1. Civil Fines: Under the Export Control Reform Act (ECRA), civil penalties can exceed $360,000 per violation (adjusted for inflation) or twice the value of the transaction, whichever is greater.
2. Criminal Prosecution: For "willful" violations, individuals can face up to 20 years in federal prison and corporate fines of up to $1 million per violation.
3. Denial of Export Privileges: Perhaps the most damaging to tech firms, the government can revoke a company's ability to export any goods, effectively cutting them off from global markets and supply chains.

What are the strategies for securing export licenses for restricted jurisdictions?

Securing a license from the BIS or OFAC is a complex process that requires demonstrating that the export does not pose a threat to US national security or foreign policy interests. For advanced tech like AI and semiconductors, the government often operates under a "presumption of denial," meaning the burden of proof is on the company to justify the shipment.

To improve the chances of license approval, firms should follow these steps:

• Utilize SNAP-R: All license applications to the BIS must be submitted through the Simplified Network Application Process - Redesign (SNAP-R) portal.
• Detailed Technical Specifications: Provide exhaustive data sheets on the technology to help regulators determine if it truly meets the restricted performance thresholds.
• Aggressive End-Use Monitoring: Offer to implement "post-shipment verification" protocols where the company (or a third party) periodically checks the hardware at the customer's site to ensure it has not been moved or repurposed.
• Legal Nexus: Clearly articulate how the export supports US economic interests or serves a benign civilian purpose, such as medical research or climate modeling, rather than military or surveillance applications.

Common Misconceptions

"Our products are commercially available, so export controls don't apply."

Many tech leaders believe that because their chips or software are sold on the open market, they are exempt from EAR. This is false. The US government regulates "dual-use" items-commercial products that could have military applications. Even a consumer-grade GPU can be subject to restrictions if it is powerful enough to train large-scale AI models.

"We are a startup/small business, so the government isn't looking at us."

Enforcement agencies do not prioritize companies based on size. In fact, small firms are often viewed as "soft targets" for foreign intelligence services looking to acquire restricted tech. The penalties for a $50,000 startup are the same as those for a Fortune 500 corporation.

"If we use a third-party distributor, they carry all the legal risk."

Under the principle of strict liability, the original manufacturer or exporter remains responsible for the final destination of their goods. If a distributor illegally diverts your AI hardware to a sanctioned entity, your company can still be held liable for failing to perform adequate due diligence.

FAQs

How long does it take to get a BIS export license?

The typical processing time for a BIS license is 40 to 90 days. However, for "sensitive" technologies like high-end semiconductors going to high-risk regions, the process can take six months or longer due to inter-agency review by the Department of Defense and Department of State.

What is the difference between BIS and OFAC?

BIS (Department of Commerce) focuses on "what" is being shipped-controlling the export of specific goods and technologies. OFAC (Department of the Treasury) focuses on "who" is being dealt with-administering broad sanctions against specific countries, individuals, and entities regardless of the product involved.

Does a "License Exception" apply to AI software?

While some license exceptions (like the "TSPA" for publicly available software) exist, most advanced AI software and source code used for semiconductor design do not qualify for exceptions and require a formal license when exported to restricted jurisdictions.

When to Hire a Lawyer

Navigating US export controls is not a DIY task for tech firms. You should consult a specialized international trade attorney if:

• You are expanding sales into markets with complex geopolitical relationships (e.g., China, UAE, or the Middle East).
• You have identified a "red flag" in a pending transaction that your compliance team cannot resolve.
• You have discovered a past violation and need to prepare a Voluntary Self-Disclosure (VSD) to mitigate potential penalties.
• You are hiring foreign nationals for R&D roles that involve access to "controlled" technology.
• Your company is undergoing an audit by the BIS or OFAC.

Next Steps

1. Conduct a Jurisdiction/Classification (J/C) Audit: Determine the Export Control Classification Number (ECCN) for every product, software, and technology in your portfolio.
2. Draft or Update your Compliance Manual: Ensure you have written Internal Compliance Programs (ICP) that reflect the latest 2023 and 2024 BIS updates.
3. Implement Automated Screening: Move away from manual checks and integrate automated screening tools into your CRM and ERP systems to catch restricted parties in real-time.
4. Train Your Teams: Conduct mandatory export compliance training for sales, engineering, HR, and logistics departments to ensure everyone understands their role in preventing "deemed exports" and illegal diversions.