Legal Risks Under Supply Chain Restructuring – Understanding the Know Your Customer Guidance for U.S. Export Controls

2025/04/02

I. To Prevent U.S. AI Chips from Being Exported to China, the U.S. Department of Commerce Will Enforce Strongly and Recommends Related Companies Implement Know Your Customer (KYC) Due Diligence

In early 2025, just as he was about to leave office, U.S. President Biden proposed the latest AI chip export control plan, the “Interim Final Rule on Artificial Intelligence Diffusion.” The public will have 120 days to submit comments, and the industry will have one year after the new law’s implementation to adjust to meet new security standards. Under this latest AI chip export control rule, the U.S. divides AI chip exports into three tiers. The first tier, made up of key allies and partners, includes Australia, Belgium, Canada, Denmark, Finland, France, Germany, Ireland, Italy, Japan, the Netherlands, New Zealand, Norway, South Korea, Spain, Sweden, Taiwan, and the United Kingdom, which will not be subject to export controls. The third tier, as listed by the U.S., covers approximately 22 countries such as China (including Hong Kong and Macau), Russia, Iran, North Korea, Venezuela, Nicaragua, and Syria. Under second-tier controls, advanced AI chip purchases currently require prior permission, with a maximum of 320,000 advanced chips available over the next two years. Entities without verified status can also purchase, with a national cap of 50,000. This draft is still in the 120-day public comment period and has not been finalized.

However, in late January this year, during the Lunar New Year, mainland China’s launch of the open-source AI platform DeepSeek stunned everyone, claiming to achieve performance approaching OpenAI’s while using less chip computing power and energy. Many industry professionals and opinion leaders following AI development rushed to share user experiences and observations. Some U.S. industry professionals following AI development, however, do not seem to believe that DeepSeek could have achieved, out of nowhere, performance that surpasses U.S. AI technology. Some further suspect DeepSeek obtained large quantities of Nvidia chips through informal channels and secretly trained with them. Since Nvidia’s mid-to-high-end chips were already listed under export controls in 2023, and many Chinese manufacturers potentially purchasing high-end AI chips were added to the export control Entity List, the U.S. Department of Commerce’s Bureau of Industry and Security (hereinafter referred to as BIS) began a series of investigations and enforcement actions. Under U.S. pressure, Singapore and Malaysia, identified as transit points for exporting controlled AI chips to China, also began a series of enforcement actions. In early March, Singapore apprehended three men, including individuals with Chinese citizenship, suspected of violating export control regulations by illegally reselling Nvidia’s controlled high-end chips to Chinese AI startup DeepSeek. However, as this author understands, many Taiwanese companies have also been suspected by the U.S. Department of Commerce of assisting China in obtaining high-end AI chips and have been placed on observation and investigation lists.

According to instructions from U.S. Commerce Secretary Howard Lutnick at an internal BIS update meeting in the last week of March this year, to prevent illegal AI chip exports to China, enforcement intensity and fines will be significantly increased. The U.S. will convey to the world the message of “enforcement, enforcement, enforcement,” vigorously investigating and penalizing those who violate U.S. export control rules. At the same time, Lutnick stated, “Someone, for money, is transshipping our chips to China… Therefore, if companies don’t conduct Know Your Customer (KYC) due diligence, or even Know Your Customer’s Customer (KYCC), then companies will face significant risks of violating U.S. export control regulations.” This further highlights that under the current dramatic developments in geopolitical supply chain restructuring, Taiwanese manufacturers urgently need to understand and establish comprehensive customer due diligence systems to respond to U.S. export control laws. Below is an overview of BIS’s Know Your Customer Guidance for U.S. export controls.

II. U.S. Department of Commerce Regulations on Customer Due Diligence

According to specific provisions of the U.S. Department of Commerce’s “Export Administration Regulations” (EAR), if an exporter “knows” that an export that would otherwise be exempt from license verification requirements involves nuclear weapons, chemical and biological weapons (CBW), or related missile delivery systems, and the destination is one of the specific countries listed in the EAR, the exporter must submit an individual verification license application. To help exporters and other parties subject to U.S. export control laws determine their counterparties, the U.S. Department of Commerce BIS has issued the following guidance explaining and recommending how individuals and companies should act under such knowledge standards.

1. Decide whether there are “Red Flags”

For the latest Red Flag Indicators of U.S. export control law, see the author’s previously published article “Legal Risks Under Supply Chain Restructuring – Understanding Red Flags for U.S. Export Controls” (see note 1).

In transactions, consider any unusual circumstances that may indicate improper end-use, end-user, or destination for the export. Such unusual circumstances are called “Red Flags.” For example: ordered items don’t match the buyer’s needs; customers refuse installation and testing (even when such services are included in the sale price or would normally be required); ordered equipment specifications don’t match the claimed destination (e.g., a country with a standard voltage of 220 volts requiring 120-volt equipment), etc. Although the “Red Flags” published by BIS are not an exhaustive list of all possible situations, they can serve as reference indicators for parties to reasonably suspect and take further action. At the same time, these items also serve as primary reference indicators for Commerce Department enforcement personnel during case-by-case reviews. Additionally, parties should review U.S. government restricted lists to determine whether counterparties are prohibited or restricted from participating in U.S. export transactions, or whether counterparties or end-users have been placed on BIS’s “Unverified List” because BIS cannot confirm end-use checks or actual identity.

2. If there are “Red Flags”

If no “Red Flags” are discovered, parties may proceed with transactions based on obtained information. In other words, without Red Flags or explicit EAR requirements, parties need not actively investigate, verify, or otherwise “go behind” customer or counterparty statements. However, if U.S. enforcement personnel discover Red Flags, parties are responsible for further inquiring into suspicious circumstances and ensuring the transaction’s end-use, end-user, or destination country is appropriate.

Parties’ review obligations for “Red Flags” are not limited to transactions involving EAR provisions such as “know,” “reason to know,” or “is informed.” Parties participating in export transactions must obtain documentary evidence about transactions according to EAR; misrepresentation or concealment of material facts in license applications or all export control documents will be considered illegal. Without “Red Flags,” you can rely on customer statements and incorporate them into transaction documents, but if transaction-related arrangements do have “Red Flag” patterns, parties must take further verification measures.

3. Do not self-blind

Parties should not deliberately block potentially obtainable information in business operations. For example, do not instruct sales teams to ask potential customers to avoid discussing product end-use, end-users, or destinations. Do not turn a blind eye to relevant information, because intentionally avoiding “unfavorable” information will not exempt parties from liability. Conversely, this situation may be considered an aggravating factor in enforcement proceedings.

Parties’ employees should understand how to handle “Red Flags,” because information held by employees may be treated as knowledge of the company itself, making the company liable for violations. Therefore, companies should establish clear policies and effective compliance procedures ensuring transaction-related information can be evaluated by responsible Senior Officials. If parties fail to do so, it may be considered self-blinding.

4. Reevaluate all the information after the inquiry

The purpose of parties’ investigations and reevaluations is to determine whether “Red Flags” can be reasonably explained or whether they demonstrate counterparty integrity and transaction legality. If they can be reasonably explained, transactions may proceed; but if “Red Flags” cannot be reasonably clarified and a party chooses to continue the transaction, that party may be deemed to “have knowledge,” leading to risks of violating the EAR.

5. Refrain from the transaction, disclose the information to BIS and wait

If reasonable concerns remain after investigation, transactions should be suspended, and all relevant information should be submitted to BIS in the form of a verification license application or other BIS-designated manner.

Industry participants play an important role in preventing exports and re-exports that violate U.S. national security and foreign policy interests. BIS works with industry to ensure this line of defense operates effectively while minimizing BIS’s regulatory burden on exporters. When encountering questions about “Red Flags,” parties may consider contacting the BIS Export Enforcement Office or submitting anonymous reports using the Confidential Enforcement Lead/Tip Form.

III. Self-Examination Checklist Provided by the U.S. Department of Commerce for Parties

For extraterritoriality, administrative and criminal liability, and the latest Red Flag Indicators of U.S. export control laws, see the author’s previously published article “Legal Risks Under Supply Chain Restructuring – Understanding Red Flags for U.S. Export Controls.”

Additionally, because Red Flag indicators have reached 28 items and their individual pattern descriptions are quite complex, BIS provides the following 13-item self-review checklist to help parties improve customer due diligence and discover potential EAR violations. These 13 items summarize the aforementioned 27 Red Flag patterns and are intended to enable manufacturers in the U.S. and other countries that participate in exports of U.S.-controlled goods to make quick judgments to ensure EAR compliance.

  • The customer or its address is similar to one of the parties found on the Commerce Department’s [BIS’] list of denied persons.
  • The customer or purchasing agent is reluctant to offer information about the end-use of the item.
  • The product’s capabilities do not fit the buyer’s line of business, such as an order for sophisticated computers for a small bakery.
  • The item ordered is incompatible with the technical level of the country to which it is being shipped, such as semiconductor manufacturing equipment being shipped to a country that has no electronics industry.
  • The customer is willing to pay cash for a very expensive item when the terms of sale would normally call for financing.
  • The customer has little or no business background.
  • The customer is unfamiliar with the product’s performance characteristics but still wants the product.
  • Routine installation, training, or maintenance services are declined by the customer.
  • Delivery dates are vague, or deliveries are planned for out of the way destinations.
  • A freight forwarding firm is listed as the product’s final destination.
  • The shipping route is abnormal for the product and destination.
  • Packaging is inconsistent with the stated method of shipment or destination.
  • When questioned, the buyer is evasive and especially unclear about whether the purchased product is for domestic use, for export, or for reexport.

Due to industry structure, many Taiwanese manufacturing companies adopt B2B rather than B2C business models. In an era of changing geopolitical situations and high-intensity trade controls on sensitive technology products and technologies, many Taiwanese manufacturing companies or traders can no longer be satisfied with simply complying with Taiwan’s import-export control and customs laws for supply chain and customer management.

In particular, technology manufacturers, tool manufacturing or sales companies, and even those engaged in re-export or triangular trade should quickly establish a basic understanding of U.S. export control laws and implement due diligence for Know Your Customer (KYC) and Know Your Customer’s Customer (KYCC), along with related compliance policies and procedures, to avoid inadvertently violating U.S. export control laws and suffering U.S. government administrative sanctions, or even criminal fines and imprisonment.

Our firm has recently assisted clients in responding to inquiries from U.S. government representatives regarding compliance with U.S. export controls and provided consulting recommendations for establishing internal compliance policies. If you have any related questions, please feel free to contact our firm for further consultation.


References:

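  • “U.S. three-tier controls on AI chip exports: cracking down on ‘detour’ sales to mainland China! Taiwan, Japan, South Korea and the Netherlands unaffected, but Nvidia’s and TSMC’s annual revenue may take a hit,” January 14, 2025. Commercial Times (工商時報): https://www.ctee.com.tw/news/20250114700032-439901
  • “Singapore busts illegal resale of Nvidia chips to Chinese organization, will not tolerate circumvention of U.S. export controls,” March 2, 2025. TechNews Finance (財經新報): https://finance.technews.tw/2025/03/02/singapore-busts-illegal-resale-of-nvidia-chips-to-china/
  • “U.S. Commerce Secretary: To prevent illegal AI chip exports to China, enforcement and fines will be significantly increased,” March 28, 2025. Commercial Times (工商時報): https://www.ctee.com.tw/news/20250328701396-430801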
  • BIS Updates Red Flags Guidance: Eight New Indicators Added for Export Compliance, Jan. 17, 2025, Dentons (https://www.dentons.com/en/insights/alerts/2025/january/17/bis-updates-red-flags-guidance-eight-new-indicators-added-for-export-compliance)
  • Supplement No. 3 to Part 732—BIS’s “Know Your Customer” Guidance and Red Flags, CFR: Supplement No. 3 to Part 732, Title 15 (https://www.ecfr.gov/current/title-15/part-732/appendix-Supplement No. 3 to Part 732)
  • Know Your Customer Guidance, Bureau of Industry and Security, Department of Commerce (https://www.bis.doc.gov/index.php/all-articles/23-compliance-a-training/47-know-your-customer-guidance), last visited March 30, 2025.

  1. “Red Flags” is sometimes translated into Chinese as 「紅旗」 (literally “red flags”); here it is provisionally translated as 「紅色警訊」 (“red warning signals”).