15 Red Flags That Trigger Export Compliance Scrutiny

Cadence Design Systems agreed to pay $140 million in combined BIS-DOJ penalties in July 2025 for export violations that started with a single missed connection: software downloads to an entity that had been on the Entity List since 2015 (DOJ Press Release, July 28, 2025). The company's screening caught the direct customer. It missed the end-user link to National University of Defense Technology, a Chinese military university developing supercomputers for nuclear weapons simulations. That gap cost them $95 million in BIS administrative penalties plus $45 million in DOJ criminal forfeitures. Red flags aren't theoretical compliance exercises—they're the specific behavioral patterns regulators use to determine whether your export compliance program actually works.

Key Takeaways

• BIS maximum administrative penalty reaches $374,474 per violation or twice the transaction value as of January 2025 (15 CFR 744, 2025 inflation adjustment)
• 340+ entities were added to the BIS Entity List in 2024, primarily from China, Russia, and Iran (BIS Enforcement Year in Review, January 2025)
• OFAC issued a $215.9 million civil penalty against GVA Capital in June 2025 for Russia sanctions violations combined with failure to comply with an OFAC subpoena (Treasury.gov, June 12, 2025)
• The September 2025 BIS affiliate rule extended Entity List restrictions to all entities 50% or more owned by listed parties—expanding the screening universe substantially (Federal Register, September 30, 2025)

What Exactly Are Export Compliance Red Flags?

Red flags are abnormal circumstances in a transaction indicating the export may be destined for an inappropriate end-use, end-user, or destination (BIS "Know Your Customer" Guidance, 15 CFR Part 732, Supplement No. 3). Unlike restricted party screening, which checks names against government watchlists, red flags address situations where something about the deal feels off even when no party appears on any list.

BIS guidance draws a clear line between the two. Restricted party screening tells you who you cannot deal with. Red flags tell you when to stop and investigate regardless of screening results. A customer can pass every sanctions list check and still exhibit behavior triggering a license requirement or outright prohibition.

Commerce Secretary Howard Lutnick announced at the March 2025 BIS Update Conference that enforcement would see a "dramatic increase in enforcement and fines for people who break the rules" (Department of Commerce, March 2025). He named China explicitly as an enforcement priority. The Disruptive Technology Strike Force expanded from 14 to 17 field office locations in 2024, adding cells in Texas, Georgia, and North Carolina (BIS Enforcement Year in Review). When enforcement resources grow, red flag recognition becomes the difference between a voluntary self-disclosure and a criminal investigation.

The 15 Red Flags That Trigger Regulator Attention

The following indicators come directly from BIS guidance, OFAC advisories, and enforcement action patterns from 2024–2025. Some appear in official documentation. Others emerge from analyzing recent penalty cases.

1. Customer Address Matches a Listed Party

The customer's address matches or closely resembles an address on the BIS Entity List, OFAC SDN list, or other restricted party lists (BIS Red Flag Indicators). Address matching goes beyond exact matches—BIS agents look for slight variations, P.O. boxes within the same postal zone, and buildings known to house multiple shell companies.

The October 2025 BIS rule adding 29 new entities included 19 address-only entries: 18 in China and one in Turkey (Federal Register, October 9, 2025). These address-only entries indicate BIS has identified locations used repeatedly for circumvention activity. No company name attached. Just the address itself is enough.

2. Reluctance to Provide End-Use Information

The customer or purchasing agent refuses to answer questions about the final application of the product. A buyer evasive about whether goods are for domestic use, export, or re-export raises immediate concerns (BIS Know Your Customer Guidance). In the Haas Automation settlement from January 2025, OFAC found the company failed to conduct sufficient due diligence regarding ownership structures of blocked entities—information the customers had been reluctant to provide (Treasury.gov, January 17, 2025).

3. Product Capabilities Exceed Stated Business Need

The product's specifications don't fit the buyer's line of business. BIS gives the example of sophisticated computers ordered by a small bakery (15 CFR Part 732, Supplement No. 3). The Cadence case involved semiconductor design software sold to entities whose stated business activities didn't require that level of computational capability—but whose actual work involved military supercomputer development.

4. Unusual Payment Methods or Terms

Cash payments for expensive items, payments from third parties unrelated to the transaction, or routing through banks in high-risk jurisdictions. OFAC's April 2025 maritime advisory specifically highlighted "opaque payment mechanisms" as indicators of sanctions evasion for Iranian oil transactions (Treasury.gov, April 2025).

The GVA Capital penalty—$215.9 million in June 2025, the largest OFAC enforcement action of the year—involved investment management through intermediaries designed to obscure Suleiman Kerimov's beneficial ownership. GVA knew Kerimov was sanctioned. They proceeded anyway, through his nephew. That's not a compliance failure. That's willful conduct. OFAC said so explicitly.

5. Shipping Route Makes No Commercial Sense

Goods routed through multiple countries when direct shipping would be cheaper and faster. CBP's July 2025 transshipment alert identified Vietnam, Malaysia, Thailand, Indonesia, and the UAE as primary focus regions for illegal transshipment schemes (CBP CTPAT Alert, July 16, 2025).

The August 7, 2025 implementation of a 40% penalty tariff on transshipped goods brought renewed attention to shipping pattern analysis. Indicators like abrupt volume increases post-tariff implementation and minimal port dwell times have become red flags for heightened scrutiny. No mitigation allowed. No remission. If CBP catches it, you pay.

6. Request to Omit Standard Documentation

The customer asks you to alter invoices, remove end-user information from shipping documents, or provide incomplete bills of lading. Any request to modify documentation typically required for the product type triggers a BIS red flag.

7. Decline of Installation, Training, or Support Services

Customer purchases complex technical equipment but refuses installation assistance and training that would normally accompany such a sale. This pattern appeared in multiple 2025 enforcement actions involving dual-use machinery shipped to entities in Turkey later found to be diverting items to Russia (Federal Register, September 12, 2025).

8. Freight Forwarder Listed as Final Customer

The freight forwarder or a trading company shows up as the final consignee rather than the actual end-user. BIS best practices explicitly warn against routed export transactions unless a long-standing relationship exists among all parties (BIS Transshipment Best Practices).

9. Customer Newly Formed with Limited Operating History

Newly formed companies placing substantial orders for controlled items warrant additional scrutiny. OFAC's April 2025 maritime advisory flagged "newly formed companies or intermediaries" as indicators of sanctions evasion networks. The September 2025 Entity List additions included multiple entities formed within the previous 18 months specifically to facilitate procurement for restricted end-users.

10. Order Inconsistent with Normal Commercial Quantities

Orders dramatically larger or smaller than typical commercial transactions for that product category. A one-off order for thousands of units from a customer who has never purchased before, combined with cash payment and unusual shipping instructions. That combination should stop anyone.

11. Destination or Intermediate Stop in Embargoed Country

Any transaction touching Iran, North Korea, Cuba, Syria, or the Crimea region of Ukraine requires enhanced scrutiny. The 29 entities added to the BIS Entity List in October 2025 were designated specifically for diverting U.S.-origin items to Iran, including drone components and chemical manufacturing equipment (Federal Register, October 9, 2025).

12. Customer Requests to Change Destination After Order

Requests to reroute shipments to different countries after purchase, particularly to known transshipment hubs. Hard stop.

13. Packaging Requirements Inconsistent with Product

"Fragile" markings or special handling requests inconsistent with the commodity description. Military or aerospace items sometimes get shipped with consumer electronics packaging to avoid detection—a pattern enforcement agents have learned to recognize.

14. Known Connection to Foreign Military, Government, or Intelligence

Any indication the end-user connects to foreign military programs, government defense ministries, or intelligence agencies. The February 2025 NSPM-2 national security memorandum specifically directed agencies to close perceived loopholes in exports to China, Russia, and Iran related to military end-use (White House, February 4, 2025).

15. Prior Relationship with Denied or Restricted Party

Evidence that the customer previously transacted with parties now on restricted lists. Self-blinding—intentionally avoiding information that might raise red flags—is not a defense. BIS explicitly states that willful ignorance does not protect against liability (15 CFR Part 732).

What a Red Flag Requires: Stop, Inquire, Resolve

When any red flag appears, BIS guidance mandates a specific response: stop the transaction, inquire about the suspicious circumstances, and resolve the concern before proceeding (BIS Know Your Customer Guidance). Proceeding without resolving a red flag eliminates the "innocent until proven guilty" protection that might otherwise apply.

The Cadence case demonstrated this principle in painful detail. According to DOJ, Cadence employees knew that items previously exported to one customer "had in fact been exported to NUDT in violation of U.S. export control laws." Internal communications documented the concern. The company assigned contracts to a new entity anyway. Those documented concerns, combined with the decision to proceed, transformed what might have been a negligent violation into conspiracy to commit export control violations—which carries criminal exposure up to 20 years imprisonment and $1 million per violation (50 USC §§ 4801-4852).

Documentation cuts both ways. A centralized audit trail showing screening logs, escalation notes, and the resolution of flagged items can reduce penalties significantly when voluntary self-disclosure occurs. The same documentation becomes evidence of willfulness when you flag a problem internally, then ignore it.

Why Manual Processes Miss Red Flags

Tracking red flags across 200+ shipments monthly with spreadsheets and email chains creates systematic gaps. A customer might order from your California office in January, your Texas distributor in March, and through an overseas subsidiary in June. Without consolidated visibility, the pattern never emerges.

The Cadence case exposed exactly this problem. BIS found that "certain system-level gaps" allowed terminated customers to continue downloading controlled software after they were added to the Entity List. The termination happened in one system. The download permissions lived in another. Nobody connected the dots until enforcement agents did.

Platforms that aggregate screening data across Entity List, SDN, and consolidated lists—whether Descartes, SAP GTS, or Lenzo—reduce the data fragmentation problem. But aggregated screening alone doesn't solve for behavioral red flags. The challenge is connecting transaction patterns across your sales, logistics, and finance systems before shipments clear customs.

FAQ

What is the penalty for ignoring an export compliance red flag?

BIS administrative penalties reach $374,474 per violation or twice the transaction value as of January 2025 (15 CFR, 2025 inflation adjustment). Criminal penalties for willful violations can reach $1 million and 20 years imprisonment per violation. The July 2025 combined BIS-DOJ action against Cadence Design Systems totaled $140 million for 61 EAR violations.

Does a red flag mean I cannot complete the transaction?

Not necessarily. A red flag requires you to stop, investigate the suspicious circumstances, and resolve the concern. If investigation establishes legitimate end-use and end-user, the transaction can proceed. Proceeding without investigation creates liability—potentially criminal liability if the red flag evidence later surfaces.

How often should we update our red flag training?

BIS recommends training at least annually, with updates whenever significant regulatory changes occur. The September 2025 affiliate rule, which extended Entity List restrictions to 50%+ owned subsidiaries, represents the type of change requiring immediate training updates.

Are red flags the same as restricted party screening hits?

No. Restricted party screening checks names against government lists. Red flags are behavioral indicators warranting investigation regardless of screening results. A customer can clear every watchlist and still exhibit red flag behavior requiring enhanced due diligence. The inverse also happens: a screening hit that turns out to be a false positive still requires documentation of how you resolved it.

What if we discover a past transaction had red flags we missed?

Consider voluntary self-disclosure to BIS and/or OFAC. VSD typically reduces penalties by 50–75% and demonstrates the compliance program improvement that regulators look for (OFAC Economic Sanctions Enforcement Guidelines). BIS hired its first Chief of Corporate Enforcement in 2024 specifically to facilitate resolution of corporate investigations involving self-disclosure. Cadence did not voluntarily self-disclose to DOJ's National Security Division. The plea agreement explicitly noted this as a factor in the penalty calculation.

The Cadence penalty came down to a question enforcement agents asked during interviews: did your people know, or should they have known, that something wasn't right? Internal emails answered that question. Documentation of concerns that were flagged, then ignored, transformed export violations into criminal conspiracy charges. Red flag recognition isn't about checking boxes—it determines whether your next enforcement encounter ends with a warning letter or a guilty plea.