On March 7, 2017, the U.S. Department of Justice ("DOJ"), the Treasury Department's Office of Foreign Assets Control ("OFAC"), and the Commerce Department's Bureau of Industry and Security ("BIS") together levied the largest ever export and sanctions related penalty against Chinese telecommunications firm ZTE Corporation ("ZTE"). ZTE agreed to the combined $1.19 billion fine to settle a number of alleged violations of U.S. sanctions targeting Iran.

In particular, the agencies alleged a sophisticated, years-long effort by ZTE to evade U.S. sanctions in order to sell U.S.-origin telecom equipment into Iran. These alleged violations were taking place even as ZTE represented to the U.S. government and their own outside counsel—as suggested in the DOJ press release—that the company had ceased its Iran business. According to the information released by DOJ, OFAC, and BIS, ZTE engaged in a broad scheme of activities to conceal its Iran business from U.S. authorities, including, for example, removing ZTE logos from products destined for Iran and developing a system of codenames for customers and destinations in Iran.

For most companies—particularly a good corporate citizen with an appropriately risk-based compliance program—the ZTE case may not, on its face, seem to offer much more than interesting reading. However, while few companies may undertake the same willful and egregious tactics alleged in the DOJ, OFAC, and BIS releases, there are a number of lessons even a well-meaning organization can take from the ZTE case.

ZTE Tactic: Directing mitigation of "export compliance risks" (i.e., the risk of detection by relevant authorities) associated with the company's Iran business from the most senior levels, including the CEO.

ZTE's senior management appears to have had full knowledge of—and indeed directed and/or approved—the company's efforts to evade U.S. sanctions and illegally export U.S.-origin items to Iran. As part of the settlement, BIS agreed to lift the denial order it had placed on ZTE, but concurrently imposed a denial order on ZTE's CEO based on his involvement in the activities for which ZTE was fined.

Lesson Learned: Messaging from senior management should be unequivocal in directing employees to comply with applicable law.

Developing a culture of compliance starts at the top. It's vital that senior management sets the appropriate tone by periodically affirming the company's intent to comply with the laws applicable to its business, including export controls and economic sanctions. Such a statement should establish compliance as a corporate policy and should alert employees to the consequences of neglecting their export compliance responsibilities—specifically, severe penalties for the company and potential discipline for the employee. More than this, though, senior management must understand the risks and vulnerabilities associated with the company's export activities and commit to allocating the necessary resources to ensure compliance.

ZTE Tactic: Utilizing intermediaries to mask transactions.

ZTE is alleged to have established or utilized third party companies to serve as intermediaries between its U.S. business and its Iran business. The company would route transactions through these third parties in an attempt to mask the ultimate destination.

Lesson Learned: Ensure third parties in a transaction comply with applicable laws.

Especially when operating in high-risk jurisdictions, it's critical for manufacturers and exporters to ensure that third parties in the distribution chain comply with applicable laws. In many cases, this can be accomplished by doing appropriate due diligence on transaction parties and by obtaining contractual assurances that all parties will comply with U.S. sanctions. If the manufacturer or exporter will again become involved later in the transaction (e.g., through relationships with dealers at the point of sale or through providing warranty or aftersales services to the end users), companies should consider taking additional steps to maintain visibility into the distribution chain and obtaining even more robust compliance language, including the ability to walk away from a transaction or void a contract, if necessary, to avoid a sanctions violation.

ZTE Tactic: Requiring employees to sign NDAs affirming they would conceal ZTE's Iran business.

According to the DOJ, ZTE required certain of its employees to sign non-disclosure agreements in which the employees agreed not to disclose its Iran-related business outside the company.

Lesson Learned: Empower employees to report potential or suspected violations and establish a clear line of communication.

As a central component of any effective compliance program, companies should encourage employees to report any potential or suspected violations of law (including export controls or economic sanctions) or of company policies. Such explicit encouragement can be particularly useful in preventing violations before they occur and can also help companies detect and remedy violations or gaps in the compliance program. The compliance program should clearly outline procedures for reporting such potential or suspected violations and companies should, where possible, establish a mechanism for anonymous reporting, such as a hotline.

ZTE Tactic: Deleting data and records, as well as employee emails, relating to Iran.

According to the DOJ, ZTE formed a "contract data induction team" ("CDIT") to monitor the company's databases and remove any data related to the Iran sales. The company also went so far as to initiate a nightly auto-deletion of the emails of the 13 CDIT members.

Lesson Learned: Implement a strict recordkeeping policy that preserves all relevant types of records.

Recordkeeping is another key element of an effective compliance program. Such a policy should align, at the very least, with the relevant statute of limitations—five years for export or sanctions related transactions. The policy should specify the types of records required to be retained, including licenses, purchase orders, bills of lading, and other export documentation, and, if possible, should identify a central repository or person responsible for maintaining records. Additionally, the recordkeeping policy ought to identify procedures for implementing a hold on the destruction of any documents in the event of an unintentional violation.

The press releases and accompanying materials can be accessed here:

DOJ Press Release

OFAC Press Release

BIS Press Release and Settlement Agreement

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.