Export Control Tracker First Edition: July & August 2021

Today we're launching the first edition of the Castellum.AI Export Control Tracker. We aim to inform those affected by export control policy, as well as those making it, by enriching the data, publishing the tracker regularly, and for the first time ever, presenting this data in a way that is accessible to the public. Our goal is not just to analyze ongoing actions, but to measure and predict their impact. The first edition focuses on July and August 2021.

What Are Export Controls?

Export controls are laws that regulate and restrict the release of critical technologies, information, and services to foreign nationals. Over 50 countries globally, from Argentina to Ukraine, have sophisticated export control regimes that focus on goods, technologies and locations. For example, carbon fiber from the United Kingdom cannot be exported to North Korea. But only the US and Japan have export watchlists that name individuals and entities, in addition to goods. Japan’s export control list, however, is very much driven by US listings, with over 65% overlap with US sanctions and export control lists; it also changes infrequently. For this reason, our export control tracker will initially focus only on US export control lists. Data from global map above, and the column chart below, highlight several trends:

• The US itself: The US government places export control restrictions on a lot of US citizens and organizations. While this initially seems strange, the goal of export controls is both to prevent foreign nationals from receiving certain goods, and to prevent Americans from exporting those goods. So the restrictions on individuals and entities inside the US are to prevent the designees from obtaining goods that are at high risk of abuse when exported. Ironically, if you dive deeper into the data, most of these addresses are at US jails, and include over 120 inmates. In other words, these folks won’t be exporting anything again for a while.

• Adversaries: China and Russia feature prominently, with over 400 designees each, as the US Department of Justice has issued countless indictments against Chinese and Russian nationals for thefts of US government technology and inventions. China and Russia’s presence on these watchlists is unsurprising, and will continue to grow.

• Commercial Hubs: The UAE, UK, Malaysia, Turkey, Germany and Ukraine are not US adversaries or enemies, but due to their prominent roles as regional commercial hubs, they host a fair number of companies engaged in reselling sensitive goods, often to Russia, China, Iran or North Korea. North Korea, for example, has for over a decade used Malaysia for commercial cover, and Iran has significant front company operations in the UAE and Turkey.

• Enemies: Iran does not have a significant presence in export control restrictions, while North Korea and Venezuela are completely absent. See why below the column graph.

Export Controls Are Generally Reactive, Not Proactive

The best evidence for the above statement are the 120 plus individuals who are incarcerated in US jails (generally for export control violations) and THEN watchlisted by the US Department of Commerce. This helps explain why there aren’t any export control listings in Venezuela and North Korea. Nobody from these countries has attempted to have sensitive technology imported directly to Caracas or Pyongyang because it would never be approved, and the person attempting to get the export would likely find themselves watchlisted. Instead - they use locations that are popular commercial intermediaries.

That the US government’s export control watchlisting is reactive and not proactive is not a critical statement, its almost impossible to do anything else. Even with Covid-19, in 2020 the US exported $1.43 trillion worth of goods, and so the US government approach to export control is to look for smoke, and where there’s smoke, there’s fire, followed by names being added to these watchlists. Taking a closer look at these restrictions, US export controls are run by two agencies, the U.S. Department of Commerce and the US Department of State.  Commerce’s Bureau of Industry and Security (BIS) maintains four lists, which are:

• Denied Persons List

• Entity List

• Military End User List

• Unverified List

Although all these lists have slightly different implications, the short of it is, you cannot export any sensitive items to individuals or entities on that list without authorization from the US government.

The Entity List is by far the most extensive, with over 1,600 designees in total. BIS first published the Entity List in 1997 as part of a campaign to inform the public regarding who is engaging in business that could result in export, reexport, or diversion of goods supporting weapons of mass destruction (WMD) programs. Since 1997, the Entity List has expanded to cover other sensitive items and weapons exports. Unlike some of the other BIS lists, being on the Entity List does not preclude receiving an export, but it means a certain license has to be granted.

Established in December 2020, the Military End User (MEU) List was designed to restrict the acquisition of certain US goods and technologies by those deemed ‘military end users.’ Specifically, the MEU List was designed to restrict exports to military end users in Russia, China, Myanmar, and Venezuela. While there are ‘reserved’ slots for both Myanmar and Venezuela, only Russian and Chinese designees are currently listed. 

BIS has made clear that the MEU List is not exhaustive, and that it is merely meant to assist exporters in their customer screening. Military end users in Venezuela and Myanmar, despite not being explicitly listed, are not necessarily exempt from the statutory prohibitions.

Those who are on the Denied Persons list have their Export Privileges denied by written order of the Department of Commerce. While these orders are often time limited and can be appealed, those listed are effectively “export radioactive” and will no longer be able to engage in any type of export oriented business involving US products.

The strangest of these lists, BIS Unverified is where the US government had concerns about an export, decided not to allow it, but also did not move to ban the parties in the transaction, (which would put them on the Entity or Denied Persons lists.

Unverified means that while the US government has “concerns” and cannot verify where the export is going, it is not ready to make the conclusion the export is illicit. Those named on this list are not subject to bans, instead US persons must conduct enhanced due diligence before dealing with the “unverified” even for items that do not require a license, and must now get a license for items which may normally have a license exception, in addition to other requirements.

A key part of dealing with the “unverified” is obtaining a “UVL Statement” from the named party, signed by the “unverified” where they state they will comply with US export control regulations and respond to US government queries.

What about The State Department?

The State Department maintains two lists, neither of which have any location information.

• US State Department DDTC Statutory Debarment

• US State Department DDTC Administrative Debarment

As such, there wasn’t any particularly relevant information for our first export control tracker, which focused primarily on geo-mapping these watchlists, but we’ll dive into these two lists for the next issue!

Methodology

Castellum.AI obtains global sanctions information from primary sources, and then proceeds to standardize, clean and enrich the data, extracting key information like IDs and addresses from text blobs. Castellum.AI enriches as many as fifteen separate items per entry. This analysis is based on the enriched primary source data that populates our database. The database consists of over 900 watchlists, covering over 200 countries and six different categories (sanctions, export control, law enforcement most wanted, contract debarment, politically exposed persons, regulatory enforcement, and elevated risk). Castellum.AI checks for watchlist updates every five minutes directly from issuing authorities.

The charts show the physical location of a designee, as provided by the US government. This information should be examined within the context of the entity’s legal registration within a respective country, which sometimes may actually be a branch of a multinational corporation that is headquartered elsewhere. For example, one these maps, the Costa Rica listing is not that of a Costa Rican company, instead it is the local branch of Huawei - a multinational Chinese corporation. Additionally, a small number of entries have addresses that cannot be with high confidence assigned to a specific country, and as such are left blank.  For reasons both geographic and political, all entries related to Hong Kong have been consolidated into China. Northern Mali has been recategorized as Mali due to the mapping provider not having an option for Northern Mali. State Department DDTC is not mapped in this issue because we are focusing on geographies, and the State Department DDTC lists do not have any location information.

Want to be ahead of the headlines?

We have you covered. Sign up to receive data alerts and original insights from Castellum.AI