Over- and under-compliance in export controls and sanctions law
TCM workshop

Over- and under-compliance in export controls and sanctions law

We’ve polled industry insiders and consulted with experts on seven questions relating to over- and under-compliance in export controls.

Grappling with the effects of over- and under-compliance

In June 2022, a UN special rapporteur drew attention to human rights violations caused by over-compliance during checks against financial sanctions. In this context, the rapporteur published a public guidance note on over-compliance with unilateral sanctions and its harmful impact on human rights. It highlights how banks and other financial service providers over-comply when freezing accounts and banning the provision of economic and financial resources.

The link between over-compliance and human rights violations is not unique to the financial sector. It’s also a critical issue in the business sector when companies engage in excessive risk avoidance in the area of sanctions law and export controls. Such over-regulation often stems from uncertainties about how to cope with statutory provisions. Businesses that don’t properly understand the legal requirements are unable to implement appropriate organizational measures tailored to their specific business activities. 

For companies that generally act more pessimistically, this often results in over-complying out of an abundance of caution as cited by the UN special rapporteur. It is not uncommon to see over-regulation accompanied by considerable under-regulation. That’s because when too much time is spent over-complying in one area, other areas come up short, leading to under-compliance that in a worst-case scenario can even result in penal consequences.

Business examples: workshop on over- and under-compliance

Olga Pramberger and I channeled our observations from working with businesses to offer a session on this topic at the AEB event Get Connected 2022. The 60-minute workshop generated quite a buzz and drew a big crowd of over 150 attendees. The aim was for participants to collaborate in answering specific questions and identifying cases of under- and over-compliance in the implementation of statutory provisions for EU and US export controls and sanctions laws.

We kicked off the discussion by selecting seven short real-world examples of procedures or statements from our customers relating to goods classification, sanctions list screening, and US re-export controls, then surveying participants on their opinions. We fact-checked the results and discussed them with the group. The results showed us that we had indeed asked the right questions, uncovering various examples of under- or over-regulation.

This article presents the questions, survey results, and solutions from our workshop on over- and under-compliance. We hope it will leave you more confident in how to comply with export controls and sanctions regulations.

Question 1: Goods classification (dual-use items)

A satirical news show that aired on April 5 of this year looked at the EU’s foreign policy vis-à-vis Russia following the invasion of Ukraine. The show zeroed in on a few key terms in export controls, referring to dual-use items as “things that can be used for both civilian and military purposes, such as uranium or ... guns.”

We examined this statement and asked:

Is it true that dual-use items are “things that can be used for both civilian and military purposes, such as uranium or ... guns”?

Survey results
  • 83% of those present answered yes, saying that the defining attribute for classifying goods as dual-use is their potential use for civilian and military purposes.
  • 17% answered no, disagreeing with this definition of dual-use goods.
Correct answer

Dual-use goods are civilian goods listed in Annex I of the EU Dual-Use Regulation 2021/821 with reference to their technical attributes. It follows that the classification of a product must be based on its technical parameters. The decisive factor is whether or not it is included in the EU Dual-Use Goods List. If so, the product must be classified under the appropriate dual-use item number. The actual use of an item has no bearing on its classification.


Question 1 was answered incorrectly by the majority of all workshop participants. This makes it clear that in practice the procedure for classifying goods is often not in sync with the requirements of the EU Dual-Use Regulation 2021/821. This wrong approach can lead businesses to both under- and over-compliance.

Question 2: Goods classification (munitions)

Munitions are subject to stricter export controls than civilian goods. Companies that are conscientious in their internal organization need to understand the criteria distinguishing civilian goods from military equipment in order to properly identify and flag the latter in their product master.

We examined this situation and asked:

Is it true that a standard rotary swaging machine is classified as munitions if sold to the Mexican military and the company is aware of its use to manufacture rifle barrels in Mexico?

Survey results
  • 43% of the workshop participants answered yes, sharing the view that under these conditions a standard rotary swaging machine is classified as munitions.
  • 57% answered no, believing that the military use did not classify the machine as munitions.
Correct answer

The use or user have no impact on the goods classification. The rotary swaging machine would only be classified as munitions if specifically designed or modified for military purposes. The rotary swaging machine would be a dual-use item if listed in Annex I of the EU Dual-Use Regulation with reference to its technical parameters.


Almost half of all workshop participants answered question 2 incorrectly. This reveals uncertainty about how to proceed with the classification of munitions. Companies that have not taken organizational measures to accommodate the presence of special design attributes from the military sector run the risk of unauthorized munitions exports and thus under-compliance.

Question 3: Goods classification with the TARIC database

Classifying your own product master according to the export control lists is the key prerequisite for subsequent checks of whether pending exports are prohibited, subject to a license, or license-free. Classification can be time-consuming, so a commonly used shortcut is to run the commodity code against the EU Customs Union’s TARIC database to check for an export control classification.

We examined the following situation:
An automotive supplier manufactures various products for civilian and military vehicles. Military specifications are taken into account during product development when the request comes from defense companies.

We asked those present:

Do you see a problem if the TARIC database is used to classify goods based on the commodity code?

Survey results
  • 85% of all participants answered yes, regarding the export control classification of goods using the TARIC database as inappropriate.
  • 15% said no, seeing no risk in using the TARIC database to classify goods based on commodity code.
Correct answer

The commodity code does not reflect “especially constructed or modified for military purposes” as a criterion for distinguishing between munitions and civilian goods. The TARIC database does not indicate the potential classification as munitions in the scenario outlined above. This increases the company’s risk of coming under the scrutiny of the public prosecutor for unauthorized arms exports and transfers. Only for civilian goods does the TARIC database offer the option of running a plausibility check for export control classification using the commodity code.


Question 3 was answered correctly by the overwhelming majority of all workshop participants. The example illustrates, however, that classifying goods for export controls using the TARIC database can in practice carry a considerable risk to businesses of under-compliance.

Question 4: Match handling during sanctions list screening

The satirical news show “extra3” from German broadcaster ARD examined the EU’s bans on the provision of economic and financial resources in its “Genuinely Crazy” segment of April 25, 2019. A family man with an Egyptian surname was cited as an example to illustrate how a 100% match in a sanctions list screening can affect someone’s everyday life. The reported match made it impossible for the man to obtain the official documents he needed for the construction of his home.

We examined this situation and asked:

Is it true that the business partner is sanctioned if the screening software reports a 100% match between the screened business partner and a list entry?

Survey results
  • Only one of the workshop participants answered yes to this question.
  • Everyone else felt that the level of the match detected by the software does not allow any conclusions to be drawn as to sanctioning.
Correct answer

The software simply runs a comparison between the name of the screened business partner and the names on the integrated sanctions lists. If a match is found, the software provides a percentage value of the similarity between the two names. Since sanctions are linked to a person and not to similar or identical names, the business partner is sanctioned only if the person is identical to the list entry. Software matches must always be manually checked to ensure that both names are one and the same person. This verification is referred to in practice as match handling.


Question 4 was answered correctly by the majority of participants and illustrates how match handling, when performed incorrectly or skipped altogether, can lead to over-compliance.


Automatically updated sanctions lists

AEB's Compliance Screening software runs automated business partner screening in the background of your transactions. Optional integration into your ERP/CRM systems such as SAP®, Salesforce, Microsoft Dynamics 365, and more. And with extended content from Dow Jones and Reguvis.

Question 5: Who should be screened?

Screening software can be used to automatically check a virtually unlimited number of business partners. It is often used to check not only the companies themselves but also the contact persons or even the banks associated with the business partners in the system.

We examined this topic and asked:

Is it true that a company reduces its risk of violating EU or US sanctions if it checks the commercial banks of its customers?

Survey results
  • 56% of participants answered yes, agreeing that screening the customer’s commercial bank reduces the risk of violating EU and US sanctions.
  • 44% said no, disagreeing that screening the customer’s commercial bank reduces their company’s risk.
Correct answer

The risk of violating EU and US sanctions can be minimized through sanctions list screening only if the company falls within the scope of the sanctions to which the lists refer. Without a business relationship, the necessary link is missing. As for the question about screening the banks of business partners: An EU-based supplier, for example, has no business relationship with the bank of its foreign customer. The supplier does not fall within the scope of possible EU or US sanctions against the bank of its foreign customer.


Question 5 was answered incorrectly by a slim majority of participants, illustrating how the selection of entities to be screened can lead to over-compliance.

Question 6: US re-export law – list selection

Not only can screening software be used to automatically check a virtually unlimited number of entities, it also lets you screen against various lists from countries around the world. It quickly becomes evident that increasing the number of screened lists also increases the number of matches and the time required to handle these matches.

There is a lot of uncertainty in deciding which of the various US lists to select. Many EU companies screen against as many US lists as possible, assuming that more is always better.

We examined this topic and asked:

Is it true that EU companies with no US products in their product master are advised to screen against the lists from the US Bureau of Industry and Security (BIS)?

Note: This refers specifically to the Entity List, Unverified List, Denied Persons List, and Military End User List from BIS.

Survey results
  • 62% of participants said yes, agreeing that it is advisable even for EU companies without US products in their product master to check the BIS lists.
  • 38% answered no, seeing no reduced trade compliance risk from screening against the lists issued by BIS.
Correct answer

EU businesses fall within the scope of the aforementioned BIS lists only when trading US products subject to the US Export Administration Regulations (US EAR). German companies with no US products in their material master are not affected by US re-export controls under the US EAR, so they are not affected by these lists either.

An important thing to remember here: US lists can be found not only in the export control provisions of the US EAR but also in US sanctions law, which is governed by the Office of Foreign Assets Control (OFAC). OFAC administers two lists, the Specially Designated Nationals List (SDN) and the Consolidated Sanctions List (CSL). These lists have different criteria than the BIS lists and include secondary sanctions, especially with regard to the various US sanctions regimes against Iran.


Most respondents answered question 6 incorrectly, illustrating that navigating the requirements of US export controls and sanctions law without a basic understanding of what’s involved can quickly lead to both over- and under-compliance.

Question 7: US re-export control law – US products (“de minimis” rule)

A prime example of superficial knowledge passing for fact in the realm of US re-export law is how the de minimis rule is applied. The de minimis rule governs whether products manufactured outside the US fall within the scope of US re-export control law under the EAR due to US products they incorporate.

We examined this topic and asked:

Is it true that for most destinations of EU products, the percentage of incorporated US components is irrelevant, so the de minimis calculation is an example of over-compliance?

Survey results
  • 52% of participants said yes, believing that most EU-manufactured products with US content do not require a de minimis calculation.
  • 48% of participants answered no, regarding a de minimis calculation as necessary for most EU-manufactured products.
Correct answer

The majority of US products in EU companies have an EAR99 classification or a US domestic ECCN with “9” as the third character (900 series, ZB9ZZ). These products require a license under the EAR only for Syria, Cuba, Iran, North Korea, Russia, and Belarus. For all other destinations, these US products are not generally controlled, so they are not subject to de minimis calculations when incorporated.


Question 7 was answered correctly by the majority of respondents, highlighting significant over-compliance if the de minimis calculation is made for all products with incorporated US products.


Secure and efficient export controls with AEB

Export Controls from AEB automatically checks all your relevant transactions for license requirements and embargo restrictions worldwide. Ad hoc, fully automated, or company-specific. In the cloud or integrated in your ERP.