PwC perspectives on the newest risks drawing investigator scrutiny

Forensics Today

 A new era of export controls compliance for financial institutions

  • Financial institutions face increased regulatory scrutiny of how they manage export control risks, both related to customer activity and their own internal tech development.

  • Federal guidance has raised expectations for managing these risks in customer transactions, third-party relationships, and personnel hiring without setting clear boundaries, leaving firms struggling to understand their role and how to implement effective controls.

  • Firms that embed export compliance into business operations, as opposed to treating it as an ancillary risk, can be better equipped to manage rising expectations and respond effectively when trade compliance issues arise.

In October 2024, the Bureau of Industry and Security (BIS) issued guidance suggesting that financial institutions should incorporate export control screening into customer onboarding and consider assessing transactions for export control risks. Of note, a transaction involving items subject to the Export Administration Regulations (EAR) may trigger a need for additional awareness and controls—even when no US person or entity is directly involved. This underscores the need to manage and oversee these transactions carefully to help mitigate compliance risks.

Export controls aren’t new, but they haven’t historically been part of financial institutions’ core risk responsibilities. That’s changing. Export controls are becoming central to how financial institutions manage risk as these firms expand into domains traditionally occupied by tech companies. Two key trends are driving this shift:

  • Customer monitoring. Financial firms are expected to take a more active role in understanding not just who their customers are, but what they’re doing, funding, facilitating, or transmitting, and whether that activity could violate US export control requirements and expectations.

  • Tech development and tools. Some firms are increasingly becoming tech developers. As they build and deploy apps, software, AI tools, and encryption-based platforms, these may become subject to EAR requirements. Firms should assess export controls risks across their organization and product lifecycles, including risks related to personnel hiring and onboarding, customer transactions, internal tech development and engagement of non-US person support, and cloud storage across multiple jurisdictions. And, when marketing their services abroad, they should consider both US and local regulations, as appropriate (e.g., preventing a banking application from being downloaded in an embargoed country).

In practice, this has raised new compliance questions and revealed real operational issues.

Ryan Murphy

Partner, Global Investigations & Forensics Leader, PwC US
