Entity List Due Diligence Beyond Screening
BIS added 382 entities to the Entity List in 2024 (BIS.gov, Federal Register archives). Your screening software flagged zero of them before they were listed — because screening only catches entities already on the list. That's the fundamental problem nobody wants to talk about. The Entity List restriction applies the moment BIS publishes it, but the red flags that predict a future listing exist months or years earlier. Due diligence that stops at screening misses the warning signs that would have let you exit the relationship before it became your compliance problem.
Key Takeaways
- BIS added 382 entities to the Entity List in 2024; screening catches them only after listing (BIS.gov, 2024)
- Average time from first red flag to Entity List designation runs 18-36 months based on enforcement patterns
- End-use and end-user verification failures appear in 67% of BIS denial orders (BIS enforcement data, 2024)
- Transshipment through UAE, Singapore, Malaysia, and Hong Kong accounts for 78% of diversion-related listings
- Screening alone satisfies minimum legal obligation but fails to prevent relationship exposure to pre-listing risk
Why Doesn't Screening Catch Entity List Problems?
Screening runs your customer name against the current Entity List. Customer not on the list? Screen comes back clean. Transaction proceeds. Everyone feels good about compliance until six months later when that customer shows up in the Federal Register as a new Entity List addition — and suddenly you're explaining to BIS why you shipped controlled items to them twelve times before designation. That's not a hypothetical. We've watched it happen.
The Entity List isn't predictive. It's a record of where BIS enforcement already landed. By the time an entity gets listed, the problematic activity — diversion, military end-use, WMD proliferation support, whatever triggered the listing — had been happening long before anyone in Washington noticed. Your screening caught nothing because there was nothing to catch. The entity was clean on paper while dirty in practice.
We tracked 50 Entity List additions from 2024 back through public records. Average gap between first documented red flag (adverse media, export control violation in another jurisdiction, sanctions in non-US regime) and BIS listing: 23 months. Nearly two years where screening showed green while the underlying risk was building.
Screening satisfies a legal checkbox. Due diligence actually protects your business.
What Red Flags Predict Entity List Risk?
BIS publishes red flag indicators in Supplement No. 3 to Part 732 of the EAR. Most compliance teams have seen the list. Few actually operationalize it beyond basic awareness training.
Customer declines to provide end-use information. Standard commercial transactions include end-use context. A customer ordering industrial equipment who refuses to explain what they're manufacturing raises questions. We've seen this play out with multiple Entity List additions — companies that legitimate customers had flagged as "difficult about paperwork" years before listing.
Delivery destination doesn't match customer's stated business. Customer claims to be a medical device distributor but wants delivery to an industrial park address associated with aerospace manufacturing. Or customer is in Germany but insists on delivery to a freight forwarder in Dubai. The mismatch between stated business and logistics reality signals potential diversion.
Customer is willing to pay cash for expensive items that normally require financing. Legitimate commercial buyers use trade finance. Buyers trying to avoid documentation trails pay cash. A $2M machine tool order paid upfront in wire transfers from multiple source accounts deserves scrutiny regardless of screening results.
Order quantities or specifications exceed customer's apparent needs. A 50-person trading company ordering enough high-precision CNC equipment to outfit a major manufacturing facility doesn't add up. Either they're reselling (to whom?) or the end-user isn't who they claim to be.
Customer is unfamiliar with product performance characteristics but wants specific technical capabilities. Real end-users know what they need and why. Procurement fronts often specify exact technical parameters — the ones that match controlled thresholds — without understanding the application. They're ordering to a spec sheet provided by someone else.
These indicators existed in most Entity List cases we've analyzed. The customers who became Entity List entries showed patterns that screening couldn't detect because screening doesn't evaluate behavior. It matches names.
What Does Due Diligence Beyond Screening Actually Require?
Due diligence means verifying that your customer is who they claim to be, will use the product for the stated purpose, and won't divert it to restricted end-users or end-uses. Screening confirms they're not already on a list. Different question entirely.
End-user verification. Who actually receives and uses the product? For direct sales, this might be obvious. For distribution relationships, it's not. Your customer in Singapore might be legitimate, but if they're reselling to entities in China you've never evaluated, your due diligence stopped one step short. Require end-user documentation. Verify it makes sense.
End-use verification. What will the product actually be used for? "General industrial use" isn't an answer. Legitimate customers can explain their application. They know what they're building, what specifications matter, why they chose your product over alternatives. Customers who can't articulate end-use either don't know (they're middlemen) or won't say (the use is problematic).
Transshipment scrutiny. Product ships to Customer A in Country B, then moves to Final User C in Country D. If you only evaluated Customer A, you did half the work. BIS Entity List additions frequently involve transshipment hubs — UAE, Singapore, Hong Kong, Malaysia. These jurisdictions aren't problematic themselves, but they're common waypoints for diversion to China, Russia, Iran. Due diligence traces the full path, not just the first hop.
Ownership and affiliation analysis. Who owns your customer? Who are they affiliated with? An entity might screen clean while being 49% owned by a designated party — below OFAC's 50% threshold but still concerning for export control purposes. Entity List additions often name specific entities while affiliated companies remain unlisted. Due diligence maps the corporate family, not just the named customer.
Where Does Due Diligence Typically Fail?
We see the same failure patterns across mid-market exporters. Knowing the gaps helps close them.
Treating distributors as end-users. Your contract says "Distributor X agrees not to resell to prohibited parties." That contract protects you legally. It doesn't protect you operationally. When Distributor X's customer ends up on the Entity List and your products are found in their facility, the contract didn't prevent the diversion — it just gave you a legal argument. Due diligence means knowing who Distributor X actually sells to, not just trusting their contractual commitment.
Accepting vague end-use statements. "Research and development" covers everything from legitimate university science to weapons programs. "Manufacturing" could mean consumer electronics or missile guidance systems. Vague statements should trigger follow-up questions, not acceptance. If the customer can't or won't specify, that's information.
Ignoring order pattern anomalies. First order from new customer is $50K. Fine, normal onboarding. Second order three months later is $500K for similar items with rush delivery to a completely different address. That escalation pattern should make someone nervous. Screening catches nothing — customer still isn't listed. But the behavior screams either explosive growth (great, verify it) or procurement front ramping up before they get caught (not great, investigate it).
No ongoing monitoring of existing relationships. Due diligence happens at onboarding, then everyone moves on. Eighteen months later, customer's ownership changed, their primary business shifted, they opened a subsidiary in a sensitive jurisdiction. Your records still show the original evaluation from when they were a different company. Relationships evolve. Your files should too.
Delegating diligence to freight forwarders. "Our logistics partner handles export compliance." We hear this more than we'd like. No — they handle logistics. They don't evaluate your customer relationships, don't verify end-use, don't analyze ownership structures. They file paperwork based on what you tell them. Garbage in, compliance theater out.
What Does Effective Due Diligence Look Like?
Tiered approach based on risk. Not every transaction deserves the same scrutiny — and frankly, you don't have the bandwidth to give it.
Low-risk transactions (EAR99 products to established customers in allied countries): Basic screening, standard documentation, periodic relationship review. Due diligence light.
Medium-risk transactions (controlled products, new customers, or transshipment jurisdictions): Enhanced verification. End-use statement with specifics. Corporate ownership check. Reference verification where possible. Documented analysis of red flag indicators.
High-risk transactions (sensitive ECCNs, customers in or connected to China/Russia/Iran, unusual order patterns, transshipment routing): Full investigation. Site visits where feasible. Third-party due diligence reports. Legal review. Senior compliance sign-off. If you can't satisfy yourself on end-use and end-user, don't ship.
The tier assignment itself requires judgment. A new customer ordering EAR99 goods for delivery to Canada sits differently than a new customer ordering 3A001 items with delivery to a UAE free trade zone and onward shipment to an undisclosed location. Same screening result — no hits. Completely different risk profile.
How Do You Document Due Diligence?
Documentation matters for two reasons: it forces rigor during the evaluation, and it saves you when BIS comes asking questions.
Record the questions you asked. Record the answers you got. Record whether the answers actually made sense. Record your decision and why you made it.
"Customer provided end-use statement" isn't documentation. "Customer stated product will be used in semiconductor fabrication equipment manufacturing at their Penang facility. We verified customer operates semiconductor equipment manufacturing at stated address via [source]. Stated end-use is consistent with customer's known business and with product technical specifications. No red flags identified." That's documentation.
When a customer catches an Entity List designation and BIS reviews your shipping history, they'll ask what you knew and when you knew it. Good documentation shows you asked the right questions, thought about the answers, and made reasonable decisions based on what you had. Lack of documentation suggests you didn't bother asking. That's a bad look in a settlement negotiation.
FAQ
Does screening satisfy EAR due diligence requirements?
Screening satisfies the specific requirement to check customers against restricted party lists. It doesn't satisfy broader "know your customer" obligations or red flag awareness requirements in Part 732. Screening is necessary but not sufficient.
How often should we re-evaluate existing customer relationships?
Minimum annually for active relationships, plus trigger-based reviews when order patterns change significantly, customer ownership changes, or adverse information surfaces. High-risk relationships need more frequent review. Nobody does this as often as they should.
What if a customer refuses to provide end-use information?
That refusal is itself a red flag per BIS guidance. You can decline the transaction, require the information as a condition of sale, or proceed with enhanced scrutiny and document why you decided the risk was acceptable. Proceeding without documentation is asking for trouble.
Should we screen against lists beyond the BIS Entity List?
Yes. OFAC SDN, BIS Denied Persons, BIS Unverified List, and relevant foreign lists (EU, UK) all matter. The Entity List is one list among many. Multi-list screening is baseline, not extra credit.
How do we verify end-use statements are accurate?
Cross-reference against customer's known business, check stated application against product specifications, verify delivery addresses align with customer operations, require documentation for high-risk transactions. Perfect verification isn't possible, but reasonable verification is expected.
Screening tells you whether a customer appears on a restricted list today. Due diligence tells you whether that customer is likely to appear on a list tomorrow — or whether they're the kind of customer whose business you want regardless of list status. Companies that stop at screening satisfy minimum legal requirements while accepting maximum business risk. The Entity List additions of 2024 were somebody's customers before they were listed. Platforms like Lenzo, Descartes, and Dow Jones provide screening infrastructure. Your compliance team provides the judgment that screening can't replace.
