U.S. Department of Justice's Recent Export Control Enforcement Action Reveals Potential Threats from China
Cadence Design Systems Faces $140 Million Penalty for Export Control Violations
In a significant move, American semiconductor company Cadence Design Systems has agreed to pay a $140 million penalty for export control violations related to the transfer of sensitive semiconductor design hardware and software tools to a restricted Chinese university. This resolution, announced by the Department of Justice (DOJ) and the Department of Commerce, signals the US government's continued focus on national security risks from transfers of sensitive technologies to adversary nations.
The case against Cadence is the first corporate criminal plea following the DOJ's March 2024 revised NSD Enforcement Policy for Business Organizations. Artificial intelligence, semiconductors, and advanced computing technologies are priority areas for enforcement in limiting Chinese access to sensitive technologies.
The plea agreement highlights several aggravating factors such as the sensitive nature of the items and technologies at issue and knowledge of the violative conduct by Cadence through its subsidiaries. The National University of Defense Technology, the recipient of these transfers, has been restricted under the BIS's Entity List since February 2015 due to its use of US components to produce semiconductors that support China's nuclear weapons program and other military uses.
Cadence admitted to engaging in transactions with China's National University of Defense Technology, directly and through affiliates, between 2015 and 2020, involving items valued at more than $45 million. The plea agreement also specifies central compliance program elements and standards for Cadence's export compliance program.
A strong risk-based compliance program for companies operating in sectors with high national security risks, such as those demonstrated by the Cadence Design Systems case, includes the following key elements:
- Robust internal controls and monitoring: To detect and escalate red flags promptly, especially when employees attempt to disguise transactions or use euphemisms to hide dealings with restricted entities. Cadence failed here, as employees used Chinese characters and aliases to conceal transactions with the National University of Defense Technology (NUDT).
- Comprehensive export compliance policies: Clearly defining restrictions under regulations like the Export Administration Regulations (EAR) and ensuring all staff understand the importance of compliance and the risks of violations—especially regarding transfers to entities on the Entity List (e.g., NUDT).
- Employee training and awareness: Regular training tailored to the risks associated with high national security sectors, addressing how to recognize and respond to suspicious activities or indicia of illicit end users, including those with military associations.
- Effective supervision and escalation protocols: Ensuring that any suspicious transactions or red flags (e.g., shared personnel with prohibited entities, installation of equipment on restricted campuses, direct communications referencing such entities) are promptly escalated and investigated internally.
- Third-party audits and ongoing reviews: The settlement with Cadence includes mandatory third-party internal audits through 2028 with detailed reporting to authorities, highlighting the importance of continuous external oversight and assessment of compliance effectiveness.
- Prompt investigations and voluntary self-disclosures (VSDs): When potential violations are discovered, companies should conduct appropriate internal investigations and cooperatively engage with regulators, including considering voluntary self-disclosure to mitigate penalties and demonstrate commitment to compliance.
- Strong governance and accountability: Leadership involvement to promote a compliance culture and proactively address national security risks associated with technology exports, including clear accountability for compliance failures, as demonstrated by Cadence's criminal plea and heavy fines totaling over $140 million.
In addition, the plea agreement identifies mitigating factors such as Cadence's implementation of remedial measures including adding export control compliance personnel, improving internal compliance programs, formalizing its export compliance training program, and enhancing export control compliance screening procedures.
The resolution also includes provisions for Cadence to assign senior corporate executives to oversee the compliance program, develop and promulgate clear and visible policies and procedures addressing specific categories such as customer onboarding, know your customer and due diligence procedures, and periodic customer reviews for export and sanctions risk. Companies should consider strong risk-based compliance programs, enhanced screening measures, voluntary self-disclosure and cooperation, and contract provisions that address export control risks.
Moreover, the plea agreement requires Cadence to conduct risk-based reviews of its compliance program and its compliance policies and procedures annually. It also requires the company to establish internal reporting (whistleblowing) and investigation procedures, and to implement enforcement mechanisms and internal disciplinary measures for violations. Periodically benchmarking and testing compliance practices against evolving industry standards is also a requirement.
In conclusion, the Cadence Design Systems case serves as a stark reminder of the importance of robust risk-based compliance programs in high national-security risk sectors. Companies must integrate thorough risk assessment, employee training, internal controls, vigilant monitoring, clear escalation paths, external auditing, and active cooperation with authorities to prevent and address violations.
Technology exports are central to the Cadence Design Systems case, involving sensitive semiconductor design hardware and software tools that were transferred to China's National University of Defense Technology, a university restricted due to its use of US components to produce semiconductors supporting China's nuclear weapons program.
In the wake of this case, it's crucial for companies, especially those operating in sectors with high national security risks, to ensure strong risk-based compliance programs that prioritize robust internal controls and monitoring, comprehensive export compliance policies, employee training and awareness, effective supervision and escalation protocols, third-party audits and ongoing reviews, prompt investigations and voluntary self-disclosures, strong governance and accountability, and periodic risk-based reviews of compliance programs.