BIS Red Flags: All 29 KYC Indicators for Export Compliance

Regarding BIS Red Flags: All 29 KYC, Supplement No. 3 to Part 732 of the EAR contained 13 numbered red flags from 1996 through 2022. Thirteen. For twenty-six years, that was the entire checklist. Then BIS rewrote the playbook. Red Flags 14-19 arrived October 25, 2023, targeting advanced computing and semiconductor manufacturing (88 FR 73488). Eight more followed on December 2, 2024, bringing the formal count to 27 (89 FR 96809). Red Flag 28 landed January 15, 2025, with the AI Diffusion Rule (90 FR 4557). And Red Flag 29 came September 29, 2025, through the Affiliates Rule (90 FR 47211), though BIS stayed it November 10 through November 9, 2026 (90 FR 50857).

We work with compliance teams that still limit denied party screening to the original 13 and call it a day. That gap between legacy checklists and current BIS expectations has real consequences For more context, see our guide on KYC & due diligence: 25 Questions for Export Compliance. The Cadence Design Systems case proved it.

The Original 13: Transactional Anomalies (1996-2014)

Anyone who has worked an export desk for more than six months has encountered most of these. BIS wrote them broadly on purpose. They cover every controlled item under the EAR regardless of ECCN. They've held up surprisingly well across three decades of enforcement.

Red Flag 1. The customer won't share end-use information. Oldest flag in the book, still the most common trigger we see in screening audits.

Red Flag 2. The product doesn't match the buyer's line of business. BIS used the example of a small bakery ordering sophisticated lasers back in 1996. That example still gets cited in enforcement proceedings.

Red Flag 3. The product exceeds the technical level of the destination country. Semiconductor manufacturing equipment shipped to a country with no electronics industry. Straightforward, but you'd be surprised how often this still happens with transshipment through intermediary countries.

Red Flag 4. The customer has little or no business background. Shell companies and recently formed trading entities trip this one constantly. If the company was incorporated six months ago and already ordering dual-use equipment, that should raise questions.

Red Flag 5. Cash payment for expensive items when the sale terms call for financing. This pattern shows up repeatedly in sanctions evasion cases, particularly through intermediaries in the Gulf and Southeast Asia.

Red Flag 6. The customer doesn't understand the product's performance characteristics but insists on buying it. Front companies almost never ask technical questions. Our team has noticed the same pattern across dozens of enforcement case studies: the buyer who can't explain why they need the specific configuration they're ordering.

Red Flag 7. The customer declines installation, training, or maintenance included in the sale price. If someone doesn't want you on-site, that's worth asking about.

Red Flag 8. Delivery dates are vague, or the destination feels off. BIS's original phrasing was "out-of-the-way destinations." Still applies.

Red Flag 9. A freight forwarder appears as the final destination. Legitimate freight forwarders move goods. They don't consume them.

Red Flag 10. The shipping route makes no sense. Routing controlled items through free trade zones or transshipment hubs when there's no commercial reason triggers this flag. We've seen Dubai, Hong Kong, Singapore, increasingly Istanbul show up as waypoints in diversion schemes.

Red Flag 11. Packaging doesn't match the shipment method or destination. Military-grade items repackaged in consumer-grade boxes. Or the reverse.

Red Flag 12. The buyer can't say whether the item will stay domestic, get exported, or get reexported. Evasiveness on final destination remains the single most litigated red flag in BIS enforcement history.

Red Flag 13. You receive an order for parts or components for a 9x515 or "600 series" end item, and the quantities make no sense. BIS gave a specific example: enough spares for a hundred systems when the destination country owns two. Added April 2013, revised May 2014 (78 FR 22706; 79 FR 27434).

Semiconductor and Advanced Computing: Red Flags 14-19 (October 2023)

The AC/S Interim Final Rule of October 25, 2023, marked the first time BIS tailored red flags to a specific technology sector (88 FR 73488). These six indicators exist because the October 2022 semiconductor export controls created new restrictions requiring due diligence that the original 13 never anticipated.

Red Flag 14. Facts suggest a 9x515 or "600 series" item may get reexported to a Country Group D:5 destination. An upgraded version of Red Flag 13, now explicitly naming China, Russia, other D:5 countries as destinations of concern.

Red Flag 15. The customer's website or marketing materials prior to October 7, 2022, advertised advanced-node IC production capability. BIS picked that date deliberately. It marks the original semiconductor export control rule. If a company was marketing fab capability before the controls dropped, they were probably already building it.

Red Flag 16. The customer claims the items won't touch advanced-node IC production, but the equipment has essentially no other use. This catches the "we're just doing mature-node work" excuse when someone orders tools exclusively designed for sub-14nm fabrication.

Red Flag 17. The customer produces items for companies in Macau or Country Group D:5 involved with supercomputers. An indirect supply chain indicator. Your buyer might be clean, but their customer isn't.

Red Flag 18. The exporter has knowledge that the customer intends to produce supercomputers or restricted ICs in the future. Forward-looking. Even if the customer isn't doing it yet, plans count.

Red Flag 19. The exporter knows production occurs at a facility making ICs with more than 50 billion transistors incorporating high-bandwidth memory, for a company headquartered in Macau or a D:5 country. Gets technical fast. BIS even included a technical note on how foundries should count transistors across chiplets in multi-die packages.

December 2024 Expansion: Red Flags 20-27

These eight indicators, effective December 2, 2024, were designed to close gaps that emerged after the October 2023 controls took effect (89 FR 96809, December 5, 2024). BIS watched Chinese companies restructure around Entity List designations and wrote these flags specifically to counter those tactics.

Red Flag 20. A non-advanced fabrication facility orders equipment designed for advanced-node IC production. Technology mismatch. If you're running a 90nm fab and ordering EUV lithography tools, that's a question BIS expects you to ask.

Red Flag 21. The ultimate owner or user of the items can't be determined. Semiconductor manufacturing equipment shipped to a distributor with no fab. That distributor will never operate the equipment, so the real end user stays unknown. Matters especially for customized tools that normally get installed on-site by the supplier.

Red Flag 22. license history for the item raises questions. If information suggests a required license was never obtained, or wouldn't have been approved given the end user's profile, that uncertainty itself becomes a red flag. BIS extended this obligation to servicing, upgrading, maintaining the item. Not just the original sale.

Red Flag 23. An item was modified after export by a third party for a more advanced end use requiring a license. Someone ships a tool for permitted use. A third party reconfigures it for restricted applications. The original exporter who then gets asked to service the modified equipment holds a red flag. An edge case that came up more than once in actual enforcement.

Red Flag 24. A new customer's senior management or technical leadership overlaps with an Entity List party. This catches the corporate restructuring play we keep seeing: Chinese companies spinning off operations under new legal entities while keeping the same engineers in charge. Name-and-address screening won't catch it. You need to know who runs the company, not just what it's called.

Red Flag 25. A new customer requests an item or service designed or modified for an existing or former customer now on the Entity List. Different company name, same program. The new entity inherited the restricted entity's operations.

Red Flag 26. A foreign-produced item described in a Category 3B ECCN contains at least one integrated circuit. This creates a presumption the item falls within the FDP rule's product scope for Footnote 5 entities. Purely technical, but it pushes the due diligence screening onto you to confirm whether the rule applies.

Red Flag 27. The end user's facility physically connects to a building where advanced-node IC production occurs. A bridge, tunnel, or walkway between buildings makes both a single facility under Section 744.23. The only way to resolve this: obtain an Advisory Opinion from BIS confirming the production technology node doesn't qualify as advanced. No other red flag in the entire Supplement requires direct agency engagement as the sole resolution path. We flagged this one internally when it first appeared because it essentially forces exporters to go to BIS before shipping, a significant procedural shift from the self-assessment model that governed red flag resolution for decades.

AI and Cloud: Red Flag 28 (January 2025)

Red Flag 28. An IaaS provider furnishes computing products or services to help train an AI model with weights classified under ECCN 4E091, for an entity headquartered (or whose ultimate parent sits) outside Supplement No. 5 to Part 740 countries (90 FR 4557, January 15, 2025). In practical terms: a Northern Virginia data center hosting training jobs for a U.S.-incorporated subsidiary of a Chinese parent company. BIS flagged the risk that trained model weights, being digital, easily cross borders. The provider must ask whether the customer plans to export the model and either apply for a license or inform the customer of their obligations.

Most compliance officers outside the tech sector won't encounter this one. But cloud infrastructure companies that never thought of themselves as "exporters" now sit squarely in BIS's enforcement scope.

The Affiliates Rule: Red Flag 29 (September 2025, Currently Stayed)

Red Flag 29. The exporter knows or has reason to know that a transaction party has owners on the Entity List or MEU List, or owners subject to EAR restrictions based on their ownership, but cannot determine the ownership percentage (90 FR 47211, September 30, 2025). Resolution requires one of three paths: confirm ownership falls below 50%, identify a license exception, or submit a license application.

BIS suspended the entire Affiliates Rule on November 10, 2025, for one year through November 9, 2026, as part of U.S.-China trade negotiations (90 FR 50857, November 12, 2025). Red Flag 29 went with it. But the suspension language makes clear this pause ends automatically. The rule snaps back without further BIS action.

Treating this year as free time would be a mistake. BIS explicitly stated it expects companies to prepare during the suspension period. When Red Flag 29 reactivates, exporters who haven't built ownership-tracing into their screening workflows face immediate gaps. The Consolidated Screening List, as BIS acknowledged in the Affiliates Rule preamble, "is no longer an exhaustive listing" of restricted entities. That sentence alone should change how compliance teams think about party screening.

What Doesn't Work Anymore

Supplement No. 3 paragraph (a) lays out a six-step process. Decide whether red flags exist. If they do, inquire. Don't self-blind. Make sure employees know how to escalate. Reevaluate after your inquiry. If concerns remain, walk away or file a license application.

The Cadence Design Systems enforcement action from July 2025 gave that framework teeth. BIS imposed a $95.3 million civil penalty for exports to Chinese military end users through front companies (BIS.gov, July 28, 2025). The case turned on the "reason to know, including awareness of a high probability" standard. First major corporate resolution where BIS treated unresolved red flags as constructive knowledge rather than requiring proof of actual intent.

Self-certifications don't cut it either. The Cadence settlement made clear that end-use certificates from customers are insufficient to overcome red flags absent independent due diligence. We've seen this mistake repeatedly with mid-market exporters: collecting a signed assurance letter, filing it away, and calling the red flag "resolved." Under the current enforcement posture, that paper trail actually works against you. It proves you identified a concern and then did nothing substantive about it.

Batch sanctions screening on a weekly cycle against the CSL was defensible when 13 generic indicators were all that existed. At least half the indicators added since October 2023 require understanding about customer leadership, facility connections, ownership chains, purchasing history. No party list contains that information.

FAQ

How many numbered red flags does BIS List as of early 2026?

Twenty-nine in Supplement No. 3 to Part 732, though Red Flag 29 remains stayed through November 9, 2026. Separately, BIS published 11 non-regulatory behavioral indicators for advanced computing ICs on May 13, 2025 (BIS.gov, May 2025).

What's the maximum penalty for proceeding despite a known red flag?

Administrative penalties reach $374,474 per violation or twice the transaction value, whichever proves greater, as of January 15, 2025 (BIS.gov, Enforcement Penalties). Criminal penalties for willful violations can hit $1 million and 20 years imprisonment per count.

Do I have a legal duty to investigate when a red flag appears?

Yes. Paragraph (a)(2) of Supplement No. 3 states that when red flags arise in information reaching your firm, you have a duty to inquire. Paragraph (a)(3) prohibits self-blinding, which BIS considers an aggravating factor in enforcement proceedings.

Can Consolidated Screening List checks alone satisfy red flag due diligence?

Not for the newer indicators. The CSL covers named parties but won't show you ownership structures, leadership overlap with Entity List entities, connected facilities, or historical purchasing anomalies. Ownership-tracing capability becomes mandatory when Red Flag 29 reactivates in November 2026.

The pace of red flag additions across the past two years signals a structural shift in what BIS considers adequate due diligence. Exporters running compliance programs built for 13 indicators now face 29 formal red flags plus 11 behavioral indicators with an ownership-tracing requirement on the horizon. We built Automated screening layer to surface exactly the kind of entity relationship data, ownership chain visibility, and facility connection intelligence that these newer red flags demand, because party-list matching alone stopped being enough the day Red Flag 24 took effect.

Platforms like Lenzo, Descartes, and SAP GTS offer consolidated screening and classification for SMB exporters.