Export Controls and the Illusion of Control
There are few topics less likely to provoke an excited flutter in the corporate heart than export controls. Until recently, the subject was comfortably ignored by most compliance teams, particularly in Europe, where it was filed somewhere between archiving policy and rules on stapler procurement. Russia’s invasion of Ukraine changed the calculus.
Since then, export controls, alongside economic sanctions, have gone from a dusty footnote to a headline act. Suddenly, the subject is on the lips of every boardroom, in every C-suite, and on every pitch document from law firms breathlessly claiming long-standing expertise in a field they were Googling 18 months ago.
Predictably, with new attention came new confusion. And while confusion is rarely fatal in compliance (it’s practically the national language), in this case, it’s costing businesses actual money.
Easy Talk
Since the war began, the European Union alone has rolled out 17 sanctions and export control packages. A striking feat of legislative productivity.
These actions are invariably trumpeted as powerful statements of political will. But what they rarely come with is any clear guidance to businesses on what is expected, and more crucially, how to operationalise it. The regulatory equivalent of tossing someone a manual for flying a plane mid-air, with the polite encouragement: “Best of luck.”
Predictably, companies have responded in one of three ways: a few have managed it. Some have given up and exited markets entirely. And many have implemented something resembling compliance, only to discover that half-measures are just new liabilities in disguise.
Risk? Yes. But Not Like That.
Now, let’s talk about us — compliance professionals. Our risk-aversion is a point of pride. We live in the hedging of bets and the art of caution. And we like to imagine export controls fit neatly into our favourite framework: risk appetite, risk tolerance, risk fatigue.
Except, they don’t. Export controls aren’t merely about risk; they’re about end-to-end business process that actually works. They demand workflows, systems, technical fluency, and more than a passing acquaintance with how your own business actually operates. This, naturally, is where the problems begin.
Risk assessment is a component, but in the same way that flour is a component of cake. Necessary, yes, but not even close to sufficient.
And if we’re honest, the process isn’t something most compliance departments do particularly well.
Simple to Explain. Fiendishly Hard to Do.
Export controls, on the surface, sound disarmingly simple. Don’t export certain goods or technologies to certain countries or parties. It’s the regulatory equivalent of “don’t feed the bears.” Just read the UK’s Russia (Sanctions) (EU Exit) Regulations 2019.
But try putting that into practice and you quickly realise the bear has a complex supply chain, dual nationality, and a US-origin microchip in its paw.
Step one is classification and working out whether a product is controlled. That means understanding how it was designed, where it was built, what materials were used, which country supplied which component, and whether any of it came from, say, the US, which would immediately add its own rules. That’s before we even start talking about the US EAR, numerous Executive Orders or the EU’s cheerful 2021/821 regulation. Perfect bedtime reading for insomniacs with a high pain threshold.
This is not something a lone compliance analyst can intuit over coffee. You’ll need engineers. R&D. Legal. And then someone with the patience of a saint to decipher the regulation itself, which makes Tolstoy’s War and Peace look like a holiday brochure.
And still, that’s just the starting point.
Welcome to the Maze
After classification comes control. And not just for physical exports (think “deemed exports”), and not just based on one country’s rules, but potentially all of them. Design in Germany, raw materials from the US, manufacturing in Malaysia, shipping via Poland — congratulations, your product is now subject to the export laws of six jurisdictions and EU’s working group.
Try making that work in your ERP system.
Then there’s the matter of counterparties. Who’s buying? Where are they based? Are they really the end-user, or just a glorified mailbox? How will the goods be used? This is where end-user certifications, screening, ownership checks, and export control clauses like “No Russia/No Belarus Exports” start cropping up.
Assuming you’ve made it this far — and your hair is still the same colour — you now need to make sure all these controls are actually followed. In every cross-border transaction. In real time. At scale.
It’s at this point that even the most bullish compliance professional — perhaps fresh out of financial services, armed with an AML background and a can-do attitude — begins to understand just how far out of their depth they are. A few end-user declarations and a stern high-risk countries procedure won’t get the job done.
Why We Keep Falling Short
The unspoken reality is that most companies can’t do this well. Not because they’re ignorant, but because doing it properly requires operational capacity they simply don’t have. Unless your company produces three products and sells them to two countries, you’re going to need systems, technical fluency, integrated compliance checks, and people who genuinely know what they’re doing.
Export control is one of the most complex regulatory fields. Getting it wrong can land you in trouble with enforcement authorities, wreck relationships with regulators and business partners, or even result in losing your license to operate. For many companies, it’s simply easier — and safer — to walk away entirely.
Which brings us back to the core point: this isn’t about risk. It’s about capability. And, often, about humility — the humility to admit that as compliance professionals, we don’t always know enough. Export controls demand technical knowledge, regulatory precision, operational rigour, and cross-functional fluency. That’s a tall order, even on a good day.
The real compliance task here is less about saying “no” to risk and more about building something that works, and recognising when we need help doing it.
In Praise of the Experts
None of this is a rebuke. Twenty years ago, I was the know-it-all in-house lawyer staring down my first export control query with more confidence than clue. I’ve since run the full circuit — internal investigations, remediation plans, full program builds — and I still wouldn’t call myself an expert.
But I’ve had the good fortune to work alongside some who are. True specialists who understand not just the letter of the law, but the messy, operational reality of applying it. This piece is less a warning than a quiet thank you to those people and the vital work they do. For me: Pieter, Khalid, David, and now Pavlina.
They may not have the flashiest PowerPoints. But they’re the reason the rest of us stay out of trouble.
alimbay@comhla.co
If you find this article interesting or useful to advance on your compliance journey, visit Alimbay.me for more.
Breaking the Mould. Redefining Compliance Breaking the Mould (alimbay.me) is my newsletter dedicated to helping compliance professionals navigate the integrity and compliance landscape by highlighting key emerging risks and opportunities.
I aim to publish once every two weeks. The information provided in this newsletter is not intended to and does not render legal, accounting, tax, or other professional advice or services.