On June 12, the Office of Foreign Assets Control (OFAC) and Bureau of Industry and Security (BIS) released new sanctions and export controls intended to further target Russia and Belarus, as well as those who transact with sanctioned entities and create diversion risks for export-controlled items.

New restrictions on certain IT and software services, effective September 12

In addition to sanctioning over 300 individuals and entities, OFAC issued a determination that prohibits the export, reexport, sale, or supply, directly or indirectly, of the following services by a U.S. person or from the United States to any person in Russia:

  • IT consultancy services[1]
  • IT design and development services for applications[2]
  • IT support services[3] for enterprise management or design and manufacturing software (collectively, “Covered Software”)
  • Cloud-based services[4] for Covered Software

“Enterprise management software” includes:

  • Enterprise resource planning (ERP) software
  • Customer relationship management (CRM) software
  • Business intelligence (BI) software
  • Supply chain management (SCM) software
  • Enterprise data warehouse (EDW) software
  • Computerized maintenance management system (CMMS) software
  • Project management software
  • Product lifecycle management (PLM) software

“Design and manufacturing software” includes building information modelling (BIM), computer aided design (CAD), computer-aided manufacturing (CAM), and engineer to order (ETO) software.

The determination does not affect services:

  • To an entity in Russia that is directly or indirectly owned or controlled by a U.S. person
  • In connection with the wind down or divestment of an entity located in Russia that is not directly or indirectly owned or controlled by a Russian person
  • For software subject to the Export Administration Regulations (EAR) that is authorized by the Bureau of Industry and Security (BIS) for export, reexport, or transfer (in-country) to or within Russia
  • For software that is not subject to the EAR but would be eligible for a license exception or otherwise authorized for export, reexport, or transfer (in-country) to or within Russia by BIS if it was subject to the EAR

Expanded definition of Russia’s “military-industrial base” under Executive Order 14114

OFAC expanded the definition of Russia’s military-industrial base to include all persons sanctioned under Executive Order 14024. Consequently, foreign financial institutions that conduct or facilitate significant transactions with any person sanctioned under Executive Order 14024, including VTB Bank and Sberbank, now have a secondary sanctions risk.

OFAC concurrently published a Compliance Advisory for foreign financial institutions.

Russia-related amendments to the EAR

On June 18, BIS will publish a final rule in the Federal Register amending the EAR to:

  • Require a license (subject to certain exceptions) to export, reexport, or transfer (in-country) Covered Software subject to the EAR and classified as EAR99 to or within Russia or Belarus. The license requirement includes software updates and will go into effect 90 days after the notice is published. Exports, reexports, and transfers (in-country) to wholly owned U.S. subsidiaries or subsidiaries of companies headquartered in Country Group A:5 or A:6 will not require a license.
  • Consolidate the Russia and Belarus-related controls into one section (15 C.F.R. § 746.8).
  • Add 522 additional Harmonized Tariff Schedule (HTS)-6 codes to Supplement No. 4 to Part 746. These products will require a license to export, reexport, or transfer (in-country) to or within Russia or Belarus.
  • Add new controls on certain riot control agents.
  • Narrow the scope of the items eligible for export, reexport, or transfer (in-country) to or within Russia or Belarus under License Exception CCD (Consumer Communications Devices).

New address-only Entity List entries that apply to all entities using that address

BIS’s final rule will add a new provision to the EAR (15 C.F.R. § 744.16(f)) allowing BIS to identify addresses on the Entity List that present a high risk of diversion. These addresses can be added without a specific entity name and will be labelled “Address #.” (e.g., Address 1, Address 2).

Each entry will identify the specific license requirements, review policies, and license exception restrictions that apply to that address. The restrictions associated with that address will apply to any entity using that address (unless the entity has its own Entity List entry, in which case the more restrictive entry will control).

If an Entity List entry has a named entity and an address, a party to a transaction that uses that same address will still only be considered a potential “red flag.” The exporter, reexporter, or transferor should then undertake sufficient due diligence to verify the party to the transaction is not the, in fact, the Entity List entity or acting on behalf of the Entity List entity.

[1] “IT consultancy services” include “providing advice or expert opinion on technical matters related to the use of information technology, such as: (a) advice on matters such as hardware and software requirements and procurement; (b) systems integration; (c) systems security; and (d) provision of expert testimony on IT related issues.” U.S. Dept’ of the Treasury, Off. of Foreign Assets Control, FAQ 1187 (June 12, 2024), https://ofac.treasury.gov/faqs/1187.

[2] “IT design and development services for applications” include “services of designing the structure and/or writing the computer code necessary to create and/or implement a software application, such as: (a) designing the structure of a web page and/or writing the computer code necessary to create and implement a web page; (b) designing the structure and content of a database and/or writing the computer code necessary to create and implement a database; (c) designing the structure and writing the computer code necessary to design and develop a custom software application; (d) customization and integration, adapting (modifying, configuring, etc.) and installing an existing application so that it is functional within the clients’ information system environment.” Id.

[3] “IT support services” include providing technical expertise to solve (1) “problems for the client in using software, hardware, or an entire computer system, such as: (a) providing customer support in using or troubleshooting the software; (b) upgrading services and the provision of patches and updates; (c) providing customer support in using or troubleshooting the computer hardware, including testing and cleaning on a routine basis and repair of IT  equipment; (d) technical assistance in moving a client’s computer system to a new location; (e) providing customer support in using or troubleshooting the computer hardware and software in combination”; and (2) “specialized problems for the client in using a computer system, such as:  (a) auditing or assessing computer operations without providing advice or other follow-up action including auditing, assessing and documenting a server, network or process for components, capabilities, performance, or security; (b) data recovery services, i.e. retrieving a client’s data from a damaged or unstable hard drive or other storage medium, or providing standby computer equipment and duplicate software in a separate location to enable a client to relocate regular staff to resume and maintain routine computerized operations in event of a disaster such as a fire or flood; and (c) other IT technical support services not elsewhere classified.” Id.

[4] “Cloud-based services” include “the delivery of software via the internet or over the cloud, including through Software-as-a-Service (SaaS), or SaaS cloud services in relation to such software.” Id.