Last updated:
February 23, 2026

KYC & Due Diligence: 25 Questions for Export Compliance

BIS expanded its "Know Your Customer" red flags to 27 indicators in early 2025, then tacked on Red Flag 29 through the September 2025 Affiliates Rule (90 FR 47201). OFAC's maximum IEEPA civil penalty hit $377,700 per violation as of January 15, 2025 (31 CFR Part 501, Appendix A). Every one of those red flags creates an affirmative duty to investigate before goods ship. Not after. We compiled the 25 due diligence questions our compliance team gets asked most by mid-market exporters running 50–250 shipments a month, and answered each one the way we'd answer a peer across the table.

Key Takeaways:

  • BIS "Know Your Customer" guidance now lists 27+ red flags, with 8 added in early 2025 targeting opaque ownership and Entity List personnel overlap (BIS.gov, Supplement No. 3 to Part 732)
  • OFAC IEEPA civil penalty maximum reached $377,700 per violation or 2x the transaction value, effective January 15, 2025 (31 CFR Part 501, Appendix A)
  • The BIS Affiliates Rule (50% ownership threshold) was suspended November 10, 2025, but reimposition hits November 10, 2026, and screening obligations remain on the horizon (90 FR 50857)
  • Qualifying voluntary self-disclosures can reduce OFAC civil penalties by up to 50%, but only when backed by documented compliance procedures (OFAC Economic Sanctions Enforcement Guidelines, Treasury.gov)

Verifying Entities and Ownership

What's the difference between end-user and end-use verification?

End-user verification confirms the identity and legitimacy of whoever receives your goods. End-use verification is a different animal entirely — it confirms what they plan to do with the item once it arrives. BIS treats these as separate obligations under General Prohibition 10. A customer can be a perfectly legitimate entity buying your product for a prohibited application: enrichment, weapons development, surveillance in restricted destinations. We've seen companies nail the entity screen and get blindsided by an end-use problem they never bothered asking about.

How do I identify the ultimate beneficial owner (UBO) of a foreign buyer?

Start with corporate registries. UK Companies House gives you free ownership data. For jurisdictions with less transparency (UAE, Singapore, most of Southeast Asia), request ownership documentation from the buyer and cross-check against Bureau van Dijk or Dun & Bradstreet. OFAC's 50% Rule applies: any entity 50%+ owned by a blocked person inherits sanctions restrictions (Treasury.gov). BIS went further through the Affiliates Rule on September 29, 2025, applying Entity List restrictions to majority-owned affiliates across the board. That rule was suspended November 10, 2025, but reimposition lands November 10, 2026.

What if my customer refuses to disclose ownership information?

That refusal becomes a red flag on its own. BIS Red Flag 21 specifically targets transactions where ultimate ownership remains uncertain. If you cannot determine who owns the entity you're shipping to, you can't resolve the red flag, and BIS guidance says you don't proceed (Supplement No. 3 to Part 732). A buyer who won't tell you who owns them doesn't want you to know. Walk away.

How do I screen shell companies and multi-layered holding structures?

Layer by layer. Pull the first ownership level from corporate filings. For each entity in the chain, screen across OFAC SDN, BIS Entity List, plus the denied persons list. Then trace the next layer. Stop when you hit a natural person or a publicly traded company with transparent reporting obligations. We've spent 4–6 hours on a single structure in places like BVI or the Channel Islands, and that's not unusual for complex offshore chains. The shortcut that breaks: trusting a single ownership certificate without independent verification.
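The layer-by-layer trace above, together with the 50% Rule from the UBO answer, as an added example (not code from the original article or from Lenzo). It walks a constructed ownership graph, stops at natural persons and listed public companies as the text describes, aggregates the stake held by blocked parties at each level (OFAC's published framing: 50% or more held in aggregate by one or more blocked persons, directly or through entities that are themselves blocked), and reports "unresolved" when any owner in the chain has no ownership record, which is the refusal-to-disclose red flag from the next answer. All entity names, the registry and the blocked-party set are constructed placeholders.

```python
"""Ownership-chain trace with 50% aggregation (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Entity:
    name: str
    kind: str                                   # "company", "person" or "public" (listed, transparent reporting)
    owners: dict[str, float] = field(default_factory=dict)   # owner name -> ownership fraction (0.0 to 1.0)


# Constructed sample registry: hypothetical names, not real parties.
REGISTRY = {e.name: e for e in [
    Entity("Buyer Trading FZE", "company", {"Holdco One Ltd": 0.60, "Founder Person": 0.40}),
    Entity("Holdco One Ltd", "company", {"Offshore Nominee Co": 0.50, "Listed Group PLC": 0.50}),
    Entity("Offshore Nominee Co", "company",
           {"BLOCKED PERSON A": 0.30, "BLOCKED PERSON B": 0.25, "Quiet Investor": 0.45}),
    Entity("Clean Machines GmbH", "company", {"Founder Person": 0.70, "Listed Group PLC": 0.30}),
    Entity("Silent Buyer LLC", "company", {"Opaque Holdings SA": 1.0}),
    Entity("Opaque Holdings SA", "company", {"Undisclosed Owner": 1.0}),   # owner absent from every registry
    Entity("Listed Group PLC", "public"),
    Entity("Founder Person", "person"),
    Entity("Quiet Investor", "person"),
    Entity("BLOCKED PERSON A", "person"),
    Entity("BLOCKED PERSON B", "person"),
]}

# Constructed stand-in for a consolidated blocked-party list (SDN / Entity List hits).
BLOCKED = {"BLOCKED PERSON A", "BLOCKED PERSON B"}
THRESHOLD = 0.50


def trace(name: str, path: list[str] | None = None, notes: list[str] | None = None):
    """Return (status, notes); status is 'blocked', 'clear' or 'unresolved'.

    notes accumulates one line per node so the file shows what was checked
    and what was found at every layer of the chain.
    """
    path = [] if path is None else path
    notes = [] if notes is None else notes
    if name in path:                             # cross-holding loop: cannot resolve mechanically
        notes.append(f"{name}: circular ownership, needs manual review")
        return "unresolved", notes
    if name in BLOCKED:                          # list hit at any layer ends the trace for that branch
        notes.append(f"{name}: on blocked-party list")
        return "blocked", notes
    ent = REGISTRY.get(name)
    if ent is None:                              # no record: the red flag for uncertain ownership
        notes.append(f"{name}: no ownership record available")
        return "unresolved", notes
    if ent.kind in ("person", "public"):         # stop rule from the article
        notes.append(f"{name}: terminal {ent.kind}, not listed")
        return "clear", notes

    blocked_frac, any_unresolved = 0.0, False
    for owner, frac in ent.owners.items():
        status, _ = trace(owner, path + [name], notes)
        if status == "blocked":
            blocked_frac += frac                 # aggregate across all blocked owners
        elif status == "unresolved":
            any_unresolved = True
    if blocked_frac >= THRESHOLD:
        notes.append(f"{name}: {blocked_frac:.0%} held by blocked parties, blocked under the 50% rule")
        return "blocked", notes
    if any_unresolved:
        notes.append(f"{name}: {blocked_frac:.0%} blocked, remaining ownership unresolved")
        return "unresolved", notes
    notes.append(f"{name}: {blocked_frac:.0%} blocked, below threshold")
    return "clear", notes


if __name__ == "__main__":
    for buyer in ("Buyer Trading FZE", "Clean Machines GmbH", "Silent Buyer LLC"):
        status, log = trace(buyer)
        print(f"{buyer}: {status}")
        for line in log:
            print("   ", line)
```

In the sample, Buyer Trading FZE clears every direct list check yet comes back blocked: two blocked persons together hold 55% of a nominee company two layers down, that nominee holds exactly 50% of the holding company, and the holding company holds 60% of the buyer. Silent Buyer LLC comes back unresolved rather than clear because one owner has no record, which matches the guidance that an unresolved ownership flag is not a green light.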

Do I need to screen freight forwarders and logistics intermediaries?

Yes. BIS red flag guidance covers all parties in a transaction, not just the end-user. A freight forwarder routing shipments through a Dubai free trade zone or transshipment hub in Malaysia can introduce diversion risk you won't catch from the buyer alone. The forwarder your customer nominates may have connections that only show up when you screen independently.

Should I screen banks and financial institutions in the payment chain?

If a sanctioned bank processes the payment, you have an OFAC problem regardless of how clean the buyer looks. The enforcement record backs this up: OFAC has penalized exporters for transactions routed through sanctioned institutions even when the exporter had zero direct relationship with the bank. Screen the payment path (correspondent banks, intermediaries, the buyer's primary institution) for any transaction touching Iran, Russia, North Korea, Myanmar, or Syria.

Screening Operations and Red Flags

How often do I need to re-screen existing customers?

No regulation prescribes a cadence. Industry standard runs from continuous monitoring down to quarterly batch runs, scaled by risk tier. At bare minimum: re-screen before every controlled-item shipment to a high-risk destination, when transaction patterns shift and after OFAC or BIS publishes relevant list updates. The gap that kills programs: onboarding a customer with a clean screen in Q1 and shipping to them in Q4 without rechecking. Designations happen between those two dates.

What are the most common red flags for potential diversion?

BIS publishes 27+ red flags in Supplement No. 3 to Part 732. The ones that surface most in mid-market enforcement: a customer declining installation when it is included in the price, a delivery address that's a residential building for industrial equipment, payment from a third party with no connection to the deal, and orders inconsistent with the buyer's line of business. Red Flag 24, added in early 2025, targets new customers whose senior management overlaps with Entity List entities.

How do I document due diligence so it survives an audit?

Every customer file needs to answer three questions: what did you check, what did you find, and what did you decide? Minimum contents: screening results with timestamps, ownership records, end-use statements, red flags with resolution notes, and the name of whoever approved the transaction. Retain for 5 years under EAR recordkeeping (15 CFR 762.6). The Tri-Seal Compliance Notes from BIS, OFAC and DOJ reinforced that documented processes carry weight in enforcement. The file often determines whether you get a warning letter or a six-figure penalty.

What's the difference between restricted party screening and customer due diligence?

Screening tells you whether a name appears on a government list. That's it. Due diligence goes deeper and tells you whether you should actually do business with the entity behind that name. A company can clear every restricted party list and still present serious diversion risk. Picture the trading company in Malaysia ordering $2M in signal analyzers from a one-room office with three employees. Screen comes back clean, but nothing about this passes the smell test. Screening takes minutes. Due diligence takes judgment.

Can I rely on my customer's self-certification for end-use?

Absent red flags, yes. BIS guidance explicitly permits reliance on customer representations when no suspicious circumstances exist (Supplement No. 3 to Part 732). Once a red flag surfaces, that self-certification won't cut it. BIS has stated that proceeding on a buyer's word after receiving contradictory information can establish "knowledge" of a violation. If a buyer certifies civilian end-use but their website shows military contracts, the certificate isn't worth the paper.

How do I handle customers with partial name matches on sanctions lists?

Partial matches eat more compliance hours than almost anything else. Compare all identifiers: full legal name, aliases, date of birth for individuals, registration numbers, addresses, nationalities. OFAC's SDN list carries 15–20 aliases per entry in some cases, generating far more false positives than EU or UK lists. If you can't rule out a match using secondary identifiers, contact OFAC's hotline at (800) 540-6322 or submit an inquiry through BIS. Document every investigation, including false positives.
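The partial-match workflow above, as an added example (not code from the original article or from Lenzo): normalize names so that diacritics, punctuation and corporate suffixes don't hide a match, score the subject against every alias on a list entry, then let the secondary identifiers decide. A contradicting identifier (different registration number, different date of birth) rules the match out and is recorded as a false positive; an agreeing identifier confirms it; a name hit with nothing to compare against is escalated, which is the point at which the article says to contact OFAC or BIS. The list entries, aliases and subjects are constructed placeholders, and the token-overlap score and 0.6 threshold are assumptions of this example, not a regulatory standard.

```python
"""Partial-match resolution with secondary identifiers (added example, constructed data)."""
from __future__ import annotations
import re
import unicodedata
from dataclasses import dataclass


@dataclass
class ListEntry:
    names: list[str]                 # primary name followed by aliases
    dob: str | None = None           # individuals
    reg_no: str | None = None        # entities
    nationality: str | None = None


@dataclass
class Subject:
    name: str
    dob: str | None = None
    reg_no: str | None = None
    nationality: str | None = None


# Corporate suffixes carry no identifying weight, so they are dropped before comparison.
SUFFIXES = {"ltd", "limited", "llc", "co", "company", "inc", "corp", "corporation", "gmbh", "sa", "the"}
SECONDARY_FIELDS = ("dob", "reg_no", "nationality")
# Higher value wins when one subject hits several entries.
SEVERITY = {"no_hit": 0, "false_positive": 1, "escalate": 2, "true_match": 3}


def normalize(name: str) -> set[str]:
    """Strip accents and punctuation, lowercase, tokenize, drop suffixes."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return {t for t in re.findall(r"[a-z0-9]+", ascii_name.lower()) if t not in SUFFIXES}


def name_score(a: str, b: str) -> float:
    """Jaccard overlap of name tokens: 1.0 is identical after normalization."""
    ta, tb = normalize(a), normalize(b)
    return len(ta & tb) / len(ta | tb) if ta and tb else 0.0


def resolve(subject: Subject, entry: ListEntry, threshold: float = 0.6) -> tuple[str, float]:
    """Classify one subject against one list entry using all of its aliases."""
    best = max(name_score(subject.name, alias) for alias in entry.names)
    if best < threshold:
        return "no_hit", best
    conflicts, confirmations = [], []
    for f in SECONDARY_FIELDS:
        mine, theirs = getattr(subject, f), getattr(entry, f)
        if mine is None or theirs is None:       # nothing to compare on this field
            continue
        (confirmations if mine.strip().lower() == theirs.strip().lower() else conflicts).append(f)
    if conflicts:                                 # a hard contradiction rules the match out
        return "false_positive", best
    if confirmations:
        return "true_match", best
    return "escalate", best                       # name hit, nothing to rule it out: human follow-up


def screen(subject: Subject, entries: list[ListEntry]) -> tuple[str, float, str | None]:
    """Worst-case outcome across the list, with the entry that produced it."""
    worst = ("no_hit", 0.0, None)
    for entry in entries:
        status, score = resolve(subject, entry)
        if SEVERITY[status] > SEVERITY[worst[0]] or (status == worst[0] and score > worst[1]):
            worst = (status, score, entry.names[0])
    return worst


# Constructed sample list with the alias-heavy entries the article describes.
SAMPLE_ENTRIES = [
    ListEntry(["Global Tech Trading Co.", "GTT Co", "Global Technology Trading Company"],
              reg_no="REG-0001", nationality="XX"),
    ListEntry(["Ivan Example", "Ivan Exampleov", "I. Example"], dob="1970-01-01", nationality="XX"),
]

if __name__ == "__main__":
    for s in (Subject("Global Technology Trading Ltd", reg_no="REG-9999"),
              Subject("Global Tech Trading LLC"),
              Subject("Global Technology Trading", reg_no="REG-0001"),
              Subject("Ivan Example", dob="1985-05-05"),
              Subject("Northern Widgets GmbH")):
        print(f"{s.name:35} -> {screen(s, SAMPLE_ENTRIES)}")
```

Every outcome, including each false positive, is a record the audit file should keep: the status, the score, the entry it hit and which identifier resolved it. The escalate path is deliberately conservative; a name hit with no identifier to compare on never resolves itself.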

What due diligence applies to distributors vs. direct end-users?

Higher scrutiny for distributors. Their business involves reselling to parties you can't see. BIS expects you to understand who the distributor's downstream customers are, especially for controlled items. Ask for customer lists, or at least the categories and jurisdictions of their buyers. For more context, see our guide on BIS Red Flags: All 29 KYC Indicators for Export Compliance. A distributor in Turkey who describes clients as "various industrial companies" and can't get specific presents a red flag. Direct end-users give you a shorter ownership chain, but diligence depth still scales with risk.

Do I need to verify the physical address of every foreign buyer?

Not every buyer. But for every new buyer in a high-risk jurisdiction and every transaction involving controlled items, yes. A Google Maps check takes five minutes and catches obvious problems: a vacant lot, a residential building supposedly housing a semiconductor manufacturer, a mail forwarding service. D&B provides registered-address verification.

Certificates, Country Risk and Special Scenarios

What's an end-use certificate and when do I need one?

An end-use certificate (EUC) states who receives the exported item and what they'll use it for. Some destinations require government-issued EUCs as import conditions. Under the EAR, BIS may require one as a license condition for items controlled under Country Column 1 or 2 reasons. Even when not required, collecting an EUC creates a written record that strengthens your audit file.

How do I assess country risk as part of customer due diligence?

Country risk isn't binary. BIS and OFAC maintain separate restrictions. For BIS: review Country Groups in Supplement No. 1 to Part 740, especially Groups D and E. For OFAC: sanctioned countries include Iran, North Korea, Syria, Cuba and the Crimea/Donetsk/Luhansk regions. Beyond sanctions, the UAE, Turkey, Hong Kong, Malaysia and Central Asian states appear repeatedly in enforcement actions as transshipment points. Country risk adjusts your diligence depth. It doesn't replace entity-level screening.

What due diligence obligations exist for deemed export scenarios?

Deemed exports don't involve shipping anything. Under EAR § 734.13(b), releasing controlled technology or source code to a foreign national inside the United States counts as an export to that person's home country. Diligence means screening the individual (not just their employer) and checking whether their nationality triggers a license requirement. Many companies screen customers carefully and forget to screen their own employees or visiting engineers. Deemed export violations show up frequently in BIS enforcement against universities and R&D firms.

How do I evaluate a new customer in a high-risk jurisdiction (UAE, Turkey, Hong Kong)?

More diligence, not less. For UAE: confirm physical presence, request trade license copies, verify through the relevant emirate's economic development department. Free zones (Jebel Ali, DAFZA, RAK) maintain separate registries. For Turkey: check the Turkish Trade Registry Gazette against submitted documentation. For Hong Kong: Companies Registry online search plus BIS Entity List screening, which added dozens of Hong Kong entities through 2025. Across all three, if the stated business doesn't match the equipment order, that mismatch tells you everything.

What role does negative media screening play in export due diligence?

It fills the gap that list-based screening misses. An entity can be knee-deep in sanctions evasion or weapons procurement without appearing on any government list yet. Running the buyer's name through news databases and enforcement press releases often turns up connections that screening hasn't caught. We've found BIS administrative orders and DOJ indictments that name entities months before those entities hit a consolidated list. Not an EAR requirement. But enforcement agencies evaluate available information, and a news article you should have found counts against you.

How do I handle due diligence for government and military end-users?

BIS maintains the Military End-User (MEU) List in Supplement No. 7 to Part 744. Transactions with listed MEUs require a license for items in § 744.21, and the September 2025 Affiliates Rule extended this to entities 50%+ owned by listed MEUs. Beyond the MEU List: determine whether the government entity's function involves military, intelligence, or security activities. A civilian health ministry ordering medical imaging has a different profile than a defense institute ordering the same equipment. Document the distinction.

Making Decisions and Building Process

When should I walk away from a deal?

If a red flag can't be resolved through reasonable inquiry and the customer won't cooperate, don't ship. OFAC penalties reach $377,700 per violation or 2x the transaction value. One shipment to one unverified end-user can exceed the deal value in fines. The flags that get rationalized under revenue pressure: a distributor suddenly tripling volume for controlled items, a buyer requesting a different delivery address "just this once," payment through a third country with no visible connection.

What's the difference between OFAC due diligence and BIS due diligence requirements?

OFAC centers on sanctioned persons, countries and programs. It applies to all U.S. persons regardless of the item. BIS has a different lens: controlled items, end-uses and end-users under the EAR. A transaction can pass OFAC and violate the EAR, or the reverse. The failure we see most: one screening workflow covering both, when in reality OFAC's SDN List and BIS's Entity List contain different entries with entirely different legal consequences.

How do I build a risk-tiered due diligence process for different customer categories?

Segment customers into three tiers. Low risk: established buyers in allied countries ordering EAR99 items, re-screened quarterly. Medium risk: buyers in countries with diversion history, controlled items, or unfamiliar intermediaries, enhanced diligence at onboarding and monthly re-screening. High risk: embargoed jurisdictions, Entity List-adjacent entities, or advanced technology (3A090, 4A003-equivalent), full UBO trace, negative media screening, address verification, re-screening before every shipment. The tier determines depth. It doesn't eliminate screening for anyone.

What technology tools actually help with KYC and due diligence for exporters?

Three categories matter. First, restricted party screening tools that aggregate lists from OFAC, BIS, EU, UK, UN and local regimes into a single check (Descartes, SAP GTS, Lenzo and others operate in this space). Second, corporate registry and ownership databases like Bureau van Dijk, OpenCorporates, or local registry APIs that let you verify entity identity and trace UBO chains. Third, negative media and adverse screening services (Dow Jones Risk & Compliance, Refinitiv World-Check) that catch entities not yet on government lists. What doesn't work: bolting a sanctions screening API onto your ERP and calling it a compliance program. Screening without investigation behind it fails the first time BIS asks what you did after a partial match came back.

What's the single biggest due diligence mistake mid-market exporters make?

Treating screening as the finish line instead of the starting point. A clean result means the name didn't match a government list on that day, using that database. It doesn't tell you who owns the buyer, whether the stated end-use makes sense, or whether the delivery address belongs to a real operating facility. The companies that end up in enforcement releases almost always had a screening program. What they lacked was an investigation process behind it.


The trajectory on due diligence hasn't reversed once since the Russia sanctions expansion. BIS added red flags, pushed the Affiliates Rule and ramped up coordination with OFAC and DOJ. All of it points one direction: know your customer deeper than the screen shows, document everything, don't ship when something looks wrong. The mid-market exporters who get caught aren't doing zero diligence. They're doing enough to feel comfortable but not enough to survive an audit. That gap between "we screened them" and "we actually know who they are" is where enforcement lives.