BIS Voluntary Self-Disclosure: Penalty Reduction

Less than 3% of voluntary self-disclosures to BIS result in civil monetary penalties (BIS Penalty Guidelines, 2016; reaffirmed 2024). That statistic contradicts what most exporters assume about disclosure. After the September 2024 regulatory overhaul, the calculation shifted further in favor of companies that self-report—BIS now resolves minor violations within 60 days while treating deliberate non-disclosure as an aggravating factor that increases penalties for significant violations.

Key Takeaways

• BIS resolves minor or technical VSDs within 60 days via no-action or warning letter, with abbreviated narrative requirements (15 CFR § 764.5, effective September 16, 2024)
• Deliberate non-disclosure of significant violations is now a formal aggravating factor that increases penalties beyond what voluntary disclosure would have produced (BIS Penalty Guidelines, Supplement No. 1 to Part 766)
• The maximum civil penalty stands at $374,474 per violation or twice the transaction value, whichever is greater, as of January 15, 2025 (15 CFR Part 6, Commerce inflation adjustment)
• For egregious violations with VSD, base penalty caps at one-half of statutory maximum; without VSD, the full statutory maximum applies
• After announcing the aggravating-factor policy in April 2023, BIS reported an 80% increase in disclosures of potentially serious violations (Assistant Secretary Axelrod, January 2024)

What Changed in September 2024?

BIS formalized three years of policy memoranda into binding regulation on September 16, 2024. The final rule codified what enforcement officials had signaled since 2022: voluntary disclosure earns substantial mitigation, while deliberate concealment now carries quantifiable cost.

The dual-track system represents the operational shift. Track one handles minor or technical violations—the kind that don't involve aggravating factors like harm to national security or knowing violations. These get resolved in 60 days through either a no-action letter or a warning letter. We've seen companies bundle entire quarters of AES filing errors into single abbreviated VSDs and receive resolution within the timeframe BIS promised. No drama, no investigation, just administrative closure.

Track two addresses everything else. Significant violations trigger assignment of an OEE special agent and BIS Office of Chief Counsel attorney for full investigation. The process takes longer, but the disclosure still provides mitigation credit.

One operational detail matters more than the headlines suggest: BIS removed the percentage-based penalty reduction ranges that previously governed VSD credit. The old guidelines specified reductions—25% for first-time violations, for example—creating predictable calculations. Now, OEE exercises discretion based on timeliness, completeness, and cooperation quality. This introduces uncertainty, but it also removes the ceiling on potential mitigation. Companies that go above and beyond can potentially get more credit than the old formula allowed.

When Does Disclosure Actually Reduce Penalties?

The penalty reduction framework operates on a straightforward principle: disclosed violations receive a base penalty capped at one-half of statutory maximum, while undisclosed violations face the full maximum. For a violation with $1 million in transaction value, that's the difference between a $374,474 base penalty and a potential $2 million penalty.

The math gets more compelling when aggravating factors stack. Without disclosure, each aggravating factor—willful conduct, harm to national security, prior violations—compounds the penalty upward from an already-high base. With disclosure, mitigation factors can reduce the half-max base penalty down to full suspension in non-egregious cases.

We've tracked public BIS settlement orders since the September 2024 rule took effect. The pattern holds: companies that disclosed within 60 days of discovery and provided complete narratives in their initial submissions received measurably better outcomes than those that delayed or submitted incomplete initial notifications. Companies that bundled quarterly technical violations through the abbreviated process consistently received no-action determinations or warning letters. The fast-track pipeline works as advertised.

The non-monetary resolution option now codified in the regulations provides another path. For non-egregious conduct that rises above warning-letter territory but doesn't warrant civil monetary penalties, BIS can impose suspended denial orders with conditions—typically compliance training, audits, and reporting requirements. This option didn't formally exist before September 2024.

What Counts as a Minor or Technical Violation?

The regulatory text defines minor or technical violations through exclusion: they're violations where no aggravating factors are present. The BIS Penalty Guidelines enumerate what constitutes aggravating conduct, which tells you what minor violations aren't.

Aggravating factors include willful or reckless conduct, multiple violations over extended periods, violations that harm national security or foreign policy, prior administrative or criminal violations, and acting with knowledge that conduct was unlawful. If your violation doesn't touch any of these, it qualifies for the fast track.

Practical examples from recent BIS guidance include: immaterial Electronic Export Information filing errors where the correct information was otherwise available; inadvertent recordkeeping gaps that didn't affect screening or license determination; clerical errors in license applications where the underlying transaction was otherwise authorized; technical violations of License Exception conditions where the spirit of the exception was satisfied.

What disqualifies a violation from fast-track treatment? Exports to Entity List parties. Transactions with sanctioned destinations. Knowing circumvention of license requirements. Repeat violations within 24 months. Any pattern suggesting systemic compliance failure.

The subjective judgment happens at the boundary. We've seen OEE upgrade what companies submitted as minor violations to the standard track after investigation revealed additional facts. The initial classification isn't binding—BIS retains discretion to treat any VSD as potentially significant.

How Should Companies Structure Their VSD Process?

The operational framework for voluntary self-disclosure has specific procedural requirements that affect penalty outcomes. Timing matters most. The regulations contemplate initial notification followed by full disclosure within 180 days, but the September 2024 changes emphasize that timeliness itself affects mitigation credit.

Initial notification should happen within two weeks of discovering a potential violation. This doesn't require complete investigation—just enough information to identify the apparent violation, the parties involved, and the items or technology at issue. BIS uses the email address bis_vsd_intake@bis.doc.gov for all VSD submissions.

The full narrative comes later. For minor violations using the abbreviated process, the narrative can be summary-level: what happened, why, what corrective action was taken. For significant violations, the standard format requires exhaustive detail: transaction histories, involved parties, internal communications, root cause analysis, and remediation plans.

One procedural trap catches companies regularly. The regulations prohibit certain activities involving items that were part of violations—you can't dispose of, transfer, or store items without BIS authorization after disclosure. Companies that need to continue business operations with those items must separately request permission from the Office of Exporter Services, with a courtesy copy to OEE. The presumptive recommendation is approval, but the request must be made.

What Does Non-Disclosure Cost?

The September 2024 rule formalized what BIS had signaled in 2023: deliberate non-disclosure of significant violations is now an aggravating factor. This isn't theoretical—it changes the penalty calculation.

Before September 2024, companies that discovered violations and chose not to disclose faced whatever penalty the violation itself warranted. Now, if BIS discovers the violation through other means and determines the company knew about it, the non-disclosure itself increases the penalty. The company faces not only the undisclosed violation but also the aggravating factor of having deliberately concealed it.

The Haas Automation settlement from January 2025 illustrates the enforcement posture. BIS and OFAC jointly imposed $2.5 million in combined penalties for 41 violations involving CNC machine parts reaching Entity List parties in China and Russia through authorized distributors. The settlement order referenced failures to conduct sufficient due diligence over distribution networks and customer ownership structures. Critically, OFAC determined that while Haas reported the violations, "its submissions did not constitute a voluntary self-disclosure under the Enforcement Guidelines" (OFAC Enforcement Release, January 17, 2025). Reporting isn't the same as disclosing properly. The form matters.

Deliberate non-disclosure requires both knowledge and choice. A company that hasn't discovered a violation hasn't made a deliberate decision not to disclose. But companies that conduct internal investigations, identify potential violations, and then decline to submit VSDs—or submit incomplete reports that don't satisfy VSD requirements—face compounded exposure. The safe harbor for disclosure only exists when the disclosure meets regulatory standards.

Common Mistakes in VSD Preparation

The most frequent error we encounter isn't legal judgment—it's incomplete factual investigation before disclosure. Companies discover a potential violation, panic about exposure, and rush to submit initial notification before understanding the full scope. Then the 180-day clock starts running on a full narrative that requires information the company hasn't yet gathered. Rushed disclosure.

Better practice: conduct internal investigation sufficient to characterize the violation before initial notification. You don't need to know everything, but you need enough to determine whether you're dealing with a minor technical issue or something that involves aggravating factors. That characterization affects which track applies and how much detail the full narrative requires. Two weeks of investigation before initial notification beats six months of scrambling after.

The second common mistake involves over-disclosure. Some companies interpret the disclosure obligation as requiring confession of every possible compliance shortfall they've ever had. This creates legal exposure without corresponding mitigation benefit—you're handing BIS a roadmap to violations they wouldn't otherwise know about, without the targeting that makes VSD valuable.

Effective VSDs are precise. They cover the specific apparent violations discovered, with enough context to demonstrate thorough investigation and genuine remediation. They don't include speculation about what else might be wrong. They don't volunteer unrelated compliance concerns. They focus.

The third mistake involves timing of remediation. Some companies wait until after VSD resolution to implement corrective measures, assuming they need BIS guidance on what to fix. The regulations and enforcement practice suggest the opposite: companies that remediate promptly—before full disclosure, in parallel with investigation—receive better mitigation credit than those that wait for direction. BIS has explicitly stated that companies shouldn't expect credit for compliance program investments made after enforcement begins (BIS Penalty Guidelines, September 2024).

What Role Does Export Compliance Software Play?

Automated screening and classification tools affect VSD exposure at multiple points. They reduce violation frequency by catching problems before shipment. They create audit trails that support VSD narratives when violations do occur. They provide the kind of systematic compliance program that BIS considers a mitigating factor.

The September 2024 rules don't explicitly require technology—plenty of small exporters maintain adequate compliance through manual processes. But the enforcement statistics tell a story. Violations involving parties on the Entity List or SDN list almost universally involve screening failures. Violations involving ECCNs almost universally involve classification errors. Both categories respond to systematic technology solutions.

Platforms like Lenzo provide the data layer that supports both prevention and disclosure. When screening catches a hit, you don't ship and there's no violation to disclose. When screening misses because of an Entity List addition that occurred between your last batch and the shipment date, the audit trail shows what you knew when, which supports the narrative that disclosure was prompt once discovery occurred. The system logs become evidence of compliance program adequacy.

We're not suggesting technology eliminates VSD exposure. The Haas case involved a company that presumably had compliance processes but still faced violations through downstream distributor channels—their issue was insufficient due diligence on customer ownership structures, not the absence of screening. CNC machine parts classified EAR99 went to Entity List parties because the company didn't adequately monitor who its distributors were selling to. Technology shifts the violation profile from systemic failure to edge-case breakdown, and that categorization affects both the likelihood of minor-track treatment and the mitigation factors applicable to significant violations.

FAQ

Does submitting a VSD guarantee penalty reduction?

No guarantee exists, but the statistics strongly favor disclosure. Less than 3% of VSDs result in civil monetary penalties (BIS Penalty Guidelines, 2016; reaffirmed in September 2024 final rule). The remainder resolve through no-action letters, warning letters, or non-monetary resolutions. Even when penalties apply, the VSD caps base penalty at half of statutory maximum for egregious cases—non-disclosed violations face the full maximum.

Can I submit a VSD for violations I'm not certain occurred?

Yes, and BIS encourages disclosure when you believe a violation may have occurred. The regulatory language in 15 CFR § 764.5 uses "may have violated" rather than "definitely violated." Submitting based on reasonable belief, with appropriate caveats in the narrative, doesn't create additional exposure and provides the mitigation credit if BIS determines a violation did occur.

How long does BIS take to resolve a VSD?

Minor or technical violations processed through the abbreviated fast track should resolve within 60 days of final submission (15 CFR § 764.5(e)(1)). Significant violations take substantially longer—12 to 24 months is typical for complex cases. BIS assigns an OEE agent and Office of Chief Counsel attorney for significant matters but doesn't publish average resolution times for the standard track.

What happens if I discover additional violations after submitting initial notification?

Supplement the original VSD with the additional information. The 180-day deadline for full narrative applies to the original scope of disclosure, but supplemental violations discovered during investigation should be added promptly. BIS evaluates timeliness based on when you knew or should have known about each specific violation.

If my foreign subsidiary committed the violation, should the U.S. parent company file the VSD?

The VSD should come from the party that committed or is responsible for the violation. For violations by foreign subsidiaries of U.S. companies, the subsidiary typically files with the parent company's knowledge and involvement. The September 2024 amendments clarified that any person—not just the party that committed the violation—may notify OEE and request authorization to engage in corrective activities under General Prohibition 10.

The VSD framework rewards disclosure that is prompt, complete, and accompanied by genuine remediation. The September 2024 changes elevated both the benefits of disclosure and the costs of concealment, creating asymmetric outcomes that favor companies willing to acknowledge problems rather than hoping regulators never find them. For exporters with any regulatory exposure—which describes most companies shipping items subject to the EAR—building VSD-capable compliance processes isn't optional risk management. It's the difference between manageable incident response and potential seven-figure enforcement actions. The Haas settlement demonstrates what happens when reporting doesn't satisfy VSD requirements. Proper disclosure matters.