BIS Warning Letters: Response Protocol
BIS issued 89 warning letters in 2025, up 34% from the prior year (BIS.gov enforcement data). A warning letter isn't a fine. Not yet, anyway. But how you respond over the next 30–60 days determines whether this becomes a closed file or the opening chapter of a formal enforcement case. We've helped companies through both outcomes. The difference almost always comes down to the response.
Key Takeaways
- Warning letters require a written response within 30 days; failure to respond, or a weak response, can trigger formal investigation (15 CFR 766)
- BIS expects acknowledgment of the issue, explanation of root cause, and documented corrective actions—not denial or deflection
- Voluntary self-disclosure of additional violations discovered during internal review typically reduces eventual penalties by 50–75% (BIS enforcement guidelines)
- Companies treating warning letters as compliance improvement opportunities generally avoid escalation; those minimizing the issue often see follow-up enforcement
What a BIS Warning Letter Actually Means
A warning letter from the Bureau of Industry and Security signals that BIS spotted a potential Export Administration Regulations violation but decided—for now—not to pursue formal administrative action. Think of it as BIS saying: "We noticed. Fix it. Show us you fixed it."
The letter describes the apparent violation, cites relevant EAR sections, and requests a written response explaining what happened and what you're doing about it. No penalty amount. Warning letters aren't penalties. They're the step before penalties.
Here's what makes this different from an audit finding or internal compliance flag: BIS is already in the room. The government knows about your issue. Your response goes into a file that follows your company around. If similar issues pop up later—or if BIS decides your response was weak—that file gets reopened.
We've seen companies treat warning letters like parking tickets. Pay the fine, move on. Except there's no fine to pay, and "moving on" without proper response makes everything worse. Way worse. This is a conversation with your regulator. How you handle it shapes what comes next.
The 30-Day Response Window
BIS typically expects a written response within 30 days of the warning letter date. That isn't always stated explicitly, but it's the standard based on enforcement practice. If you need more time—and for anything complex, you probably do—request an extension in writing before the deadline passes. They'll usually grant it.
What happens if you don't respond at all? Nothing good. BIS reads silence as indifference or inability to address the problem. Either interpretation increases the odds of formal enforcement. We've watched companies ignore warning letters and then act shocked when a charging letter showed up six months later. Don't be that company.
The 30-day clock creates real pressure, especially for organizations that need to pull records, interview employees, and figure out scope before responding intelligently. Start the internal review immediately. You can always file a preliminary response acknowledging receipt and promising a full response soon.
What Your Response Must Include
BIS wants four things in your response. Leave any of them out and you've weakened your position.
Acknowledgment of the issue. Not admitting willful violation—but confirming you received the letter, understand the concern, take it seriously. Companies opening with "we disagree with your characterization" set an adversarial tone that helps nobody. Save the disagreement for after you've shown you understand the problem.
Explanation of what happened. Walk through the facts. How did this transaction occur? Who touched it? What processes existed, and why didn't they catch this? BIS isn't looking for excuses. They're assessing whether you actually understand your own compliance gaps. If you can't explain why the violation happened, you can't credibly claim you've fixed it.
Corrective actions taken. Specifics matter enormously here. "We've improved our compliance procedures" means nothing. Literally nothing. "We implemented automated screening against the Entity List for all new customers, retrained our export team on ECCN classification, and hired a dedicated compliance manager who reports to the CFO"—that means something. What changed? When? How do you know it's working?
Commitment to ongoing compliance. BIS wants assurance this was a one-time failure, not a pattern. Describe your compliance program structure, audit cadence, escalation procedures. If you didn't have a formal Export Compliance Program before, now's the time to build one. Actually, now's past the time. But better late than in front of an administrative law judge.
Running the Internal Investigation
Before you can respond intelligently, you need to understand what actually happened. That means an internal investigation—and it needs to happen fast given the 30-day window.
Pull the transaction records. The warning letter references specific shipments, parties, or items. Get complete documentation: commercial invoices, packing lists, screening records, classification determinations, license applications (if any), end-user statements, shipping records. Everything.
Interview the people involved. Who processed this transaction? Who approved it? Did anyone flag concerns that got overridden? You're looking for the immediate cause and the systemic failure underneath it. Usually there's both.
Check for similar issues. This is where companies get squirmy. BIS sent you a letter about one transaction—but if that transaction reflects a pattern, BIS will eventually find the pattern. Better to find it yourself, disclose voluntarily, and demonstrate proactive compliance. More on voluntary self-disclosure in a minute. But the internal investigation is where you figure out whether VSD makes sense.
Document everything. Investigation notes, interview summaries, records analysis—all of it becomes the foundation of your response. Also becomes critical if formal enforcement follows. Sloppy investigation now means problems later.
When to Consider Voluntary Self-Disclosure
Here's the nightmare scenario: you get a warning letter about Transaction A, start investigating, and discover Transactions B through M have the same problem. Now what?
Voluntary self-disclosure to BIS typically cuts penalties by 50–75% when violations do result in enforcement (BIS Enforcement Guidelines). The logic is simple: BIS rewards companies that find their own problems, come forward proactively, and show genuine compliance commitment. They hammer companies that hide issues until investigators dig them up.
VSD makes sense when:
- your internal investigation reveals additional violations beyond what BIS identified
- those violations are likely discoverable through records BIS could subpoena
- you've implemented genuine corrective actions and can prove improvement
- the math favors disclosure over hoping BIS doesn't find out
VSD doesn't make sense when:
- the additional issues are genuinely minor and unlikely to draw attention
- disclosure creates liability exposure way out of proportion to the underlying conduct
- you haven't actually fixed the problem yet (disclosing ongoing violations is worse than not disclosing)
Talk to export counsel before making the VSD call. The disclosure has specific format requirements and timing implications. Done right, it demonstrates good faith. Done wrong, it creates new problems.
Structuring Your Written Response
Format matters less than substance. But a well-organized response makes BIS's job easier—and you want to make their job easier right now.
Start with a clear reference to the warning letter: date, reference number, the transaction or issue identified. Confirm you received it and take it seriously.
Provide factual background. Your company, your export activities, your compliance structure. Give BIS context. A 50-person electronics distributor exporting to 30 countries presents different risk than a 500-person manufacturer shipping one product to three countries. Help them understand who you are.
Walk through what happened. Your explanation of the violation itself—factually, without minimizing or deflecting. If employee error was involved, say so. If a process gap existed, explain it. If you simply didn't know about a regulatory requirement, acknowledge that. Honesty matters more than spin.
Describe corrective actions in detail. This section should be the longest part of your response. What changed? When? Who owns the new procedures? How are you monitoring whether they work? BIS wants evidence you've addressed root cause, not just papered over the specific transaction.
Close with forward-looking commitment. Your ongoing compliance program, your commitment to EAR compliance. Keep it genuine. Effusive promises ring hollow.
What Not to Do
Don't ignore the letter. We keep saying this because companies keep doing it.
Don't open with denial. Even if you think BIS got it wrong, adversarial tone rarely helps. You can disagree on facts or legal interpretation—but do it respectfully, with evidence, after you've demonstrated you understand the concern.
Don't minimize. "This was just a paperwork error" or "the items weren't really controlled" signals you don't get how serious this is. BIS takes EAR violations seriously. So should you.
Don't promise fixes you haven't made. If you claim you've hired a compliance manager, BIS may ask for their contact info. If you say new screening procedures are in place, BIS may want documentation. Overpromising and underdelivering destroys credibility fast.
Don't submit without legal review. Export counsel can help frame the response, spot issues you missed, make sure you're not creating new liability through careless language. Worth the investment.
After the Response: What Happens Next
Most of the time, BIS reviews your response and closes the file. You get a letter acknowledging your response, indicating no further action planned. Keep that letter forever. It documents resolution.
Sometimes BIS comes back with follow-up questions. Answer them promptly and completely. Not the time to get defensive or cagey.
Occasionally, BIS decides the violation warrants formal action despite your response. Usually happens when the underlying conduct was egregious, the response was inadequate, or BIS found additional issues during their review. If formal enforcement proceeds, you're now dealing with potential civil or criminal penalties. Different ballgame entirely.
The response protocol doesn't end when you mail the letter. Monitor your compliance program. Verify corrective actions are actually working. Keep records. If BIS sends auditors in two years, you want to show the warning letter prompted real, sustained improvement—not a temporary scramble followed by business as usual.
FAQ
How quickly do we need to respond to a BIS warning letter?
The standard expectation is 30 days from the letter date, though that isn't always stated explicitly. Request an extension in writing if you need more time—BIS generally grants reasonable requests, especially for complex situations requiring thorough investigation.
Should we admit to the violation in our response?
Acknowledge the issue BIS raised without necessarily conceding willful violation. Focus on explaining what happened, what you learned, what you changed. Your response isn't a legal admission—it's demonstrating compliance commitment.
Does responding to a warning letter create legal exposure?
Your response becomes part of BIS's file and could theoretically be referenced in subsequent enforcement. But failing to respond—or responding poorly—creates much greater exposure. Work with export counsel to frame it right.
What if we find additional violations during our internal investigation?
That's the VSD decision point. Voluntary self-disclosure typically cuts penalties by 50–75% and demonstrates good faith. Talk to export counsel before disclosing—the process has specific requirements and timing matters.
Warning letters give you a shot at demonstrating your compliance program works—or building one that does. Companies that take the response seriously, invest in genuine corrective action, and maintain documentation typically see the matter closed. Platforms like Lenzo help maintain screening records, classification documentation, and audit trails that make both response and ongoing compliance substantially easier to manage.
