LenzoBlogRe-Export Compliance: US Parent Liability for Subsidiaries
Last updated:
January 21, 2026

Re-Export Compliance: US Parent Liability for Subsidiaries

Lenzo Compliance Team
Re-Export Controls
Export Compliance
Export Violations
De Minimis
BIS Entity List

A German subsidiary of a US aerospace company shipped controlled components to a UAE distributor in March 2023. The components never touched US soil. Manufacturing happened in Munich, shipping originated from Frankfurt. Eight months later, BIS issued a $3.2 million penalty — against the US parent in Texas (Bureau of Industry and Security enforcement releases, 2023).

The parent company's compliance team had zero visibility into the subsidiary's transaction. The subsidiary's export manager never picked up the phone to ask headquarters. None of that mattered to BIS.

We get calls about this exact scenario more than we'd like. US headquarters assumes foreign subsidiaries operate under local law. The subsidiaries assume the same thing. Everybody figures it out when the enforcement letter shows up.

When Does US Law Apply to Foreign Subsidiary Exports?

US export controls reach beyond US borders through three mechanisms. All three can drag a US parent into liability for what happens in Munich, Singapore, or São Paulo.

First mechanism: US-origin content. When a foreign subsidiary incorporates US-origin components, software, or technology into products they export, the EAR applies. The 25% de minimis rule offers some breathing room — items with less than 25% US-origin controlled content can ship to most destinations without a license. That threshold drops to 10% for Country Group E:1 destinations (Iran, Syria, North Korea, Cuba). For certain items, the threshold hits zero regardless of US content percentage.

Your German subsidiary builds a $2,000 assembly containing a $40 US microcontroller? That's 2% US content. Ships freely to most places. Same product headed to Russia with military end-use? The de minimis math stops mattering. License required no matter what.

Second mechanism: Foreign Direct Product Rule. Items manufactured abroad using US-origin technology or produced on US-origin equipment may need US authorization for re-export — even with zero US physical content in the box. The FDPR expansions through 2022 and 2023 broadened this dramatically for Russia and certain Chinese entities. A Taiwanese chip fabricated on Applied Materials equipment, designed with Synopsys software, shipped by your Singapore subsidiary to a Russian buyer — BIS has jurisdiction over that transaction.

Third mechanism: US person involvement. If US-citizen employees at the foreign subsidiary touch export decisions, or if anyone at US headquarters approves the deal, jurisdiction attaches through the people involved rather than the goods.

We reviewed a 2024 enforcement case where the US parent's only connection was a single email. A VP in Chicago approved a pricing exception for a subsidiary transaction. One email. That approval created sufficient US person involvement to establish jurisdiction. The penalty hit the subsidiary and the parent both.

What Creates Parent Company Liability?

BIS doesn't need the US parent to directly participate in the violation. The agency holds parent companies accountable for building compliance infrastructure at subsidiaries and actually monitoring what those subsidiaries ship.

The enforcement theory works like this: the US parent benefits economically from subsidiary operations. The parent has authority to direct subsidiary conduct. So the parent carries responsibility when subsidiaries violate US export law — law the parent should have made sure the subsidiary followed.

"Should have known" liability nails companies all the time. The US parent didn't approve the transaction. Had no idea it happened. But BIS argues the parent should have known — should have had systems flagging the shipment, should have trained subsidiary staff, should have required transaction screening.

Willful blindness gets treated as actual knowledge under EAR. A parent company that deliberately avoids learning what subsidiaries do — doesn't ask questions, doesn't review transaction data, doesn't require reporting — faces penalties like it knew everything.

We sat with a client in early 2024 whose Malaysian subsidiary had shipped to Entity List parties four separate times. The US parent never looked at subsidiary customer lists. Never required sanctions screening at the subsidiary level. When we asked the compliance director why not, the answer was "we trusted local management to handle it." BIS didn't buy that for a second.

The enforcement record repeats this pattern. OFAC and BIS both chase US parents for subsidiary conduct when:

  • The parent failed to push its compliance program down to subsidiaries
  • The parent had actual or constructive knowledge of what was happening
  • The parent made money from the subsidiary transactions
  • The parent exercised management authority over the subsidiary

What Compliance Obligations Extend to Foreign Subsidiaries?

The EAR doesn't technically mandate that US parents force compliance programs onto foreign subsidiaries. But the enforcement reality makes voluntary what's functionally mandatory.

Written compliance procedures need to cover subsidiary operations by name. Not some generic reference to "applicable export laws" — actual procedures spelling out how subsidiaries screen transactions, run de minimis calculations, flag re-export requirements, and escalate problems to headquarters.

Training extends to subsidiary personnel handling export-related work. The export coordinator in Munich needs the same foundational EAR training as the logistics manager in Houston. Documented training matters when you're negotiating penalty mitigation after something goes wrong.

Screening requirements cover subsidiary transactions involving US-origin content or FDPR-covered items. The subsidiary can run screening locally or route everything through headquarters. Either approach works as long as screening actually happens and someone keeps records.

Reporting channels need to run both directions. Subsidiaries report potential violations upward. Headquarters pushes regulatory changes downward. The February 2024 Russia FDPR expansion affected subsidiaries worldwide — those subsidiaries needed to know within days, not whenever someone got around to mentioning it.

Audit scope has to include subsidiary export operations. A compliance audit stopping at the US border misses exactly the transactions that blow up in your face.

We've reviewed compliance programs where the US parent had thirty pages of detailed procedures for domestic shipments. One paragraph for foreign subsidiaries: "comply with applicable laws." That gap turns into exhibit A when enforcement comes knocking.

How Does De Minimis Calculation Work for Subsidiary Products?

De minimis sounds simple enough. Calculate US-origin controlled content as a percentage, compare to threshold, figure out if you need a license. Actual practice trips up even people who've done this for years.

The numerator: US-origin controlled content only. Components, software, technology classified under an ECCN. EAR99 items — stuff subject to EAR but not on the Commerce Control List — don't count toward de minimis. Only controlled US-origin content goes in the calculation.

The denominator: fair market value of the finished product as exported. Not your manufacturing cost. Not the price you're charging if that's discounted or padded. Fair market value in an arm's-length deal.

A subsidiary builds equipment using $500 in US-origin controlled components. Fair market value of the finished unit runs $5,000. De minimis comes out to 10%. Clears the 25% threshold for most destinations. But if any component carries an ECCN requiring a license to that destination regardless of de minimis — certain encryption items, for instance — the whole calculation becomes irrelevant.

The 10% threshold for E:1 countries trips people up constantly. Iran, North Korea, Syria, Cuba, Crimea region — these destinations require a license for items exceeding 10% US-origin controlled content. That $500/$5,000 calculation passing at 25% fails at 10%.

Certain items have zero de minimis. Section 734.4 lists items requiring a license regardless of how little US content they contain — certain supercomputers, specific encryption items, anything headed for nuclear or missile end-uses. Your subsidiary's product might have 0.5% US-origin content and still need authorization.

Document every de minimis calculation you run. BIS wants to see the work — which components, what ECCN classifications, what values, what threshold applied, what conclusion you reached. "We figured it was probably under 25%" doesn't hold up when auditors start asking questions.

What Should Subsidiaries Report to US Headquarters?

At minimum, subsidiaries need to report:

  • Transactions involving known or suspected US-origin content. Not just deals definitely containing US parts — deals that might contain them. Let headquarters sort it out.
  • Transactions touching FDPR-risk supply chains. If the subsidiary's suppliers use US-origin manufacturing equipment or design software, headquarters needs that information.
  • Customers or destinations throwing red flags. End-users asking for unusual quantities, destinations with transshipment history, customers getting squirrelly about end-use documentation.
  • Any transaction involving Russia, Belarus, Iran, North Korea, Syria, Cuba, Venezuela, or Crimea. These destinations need license analysis regardless of what the de minimis math says.
  • New product lines or new markets before the first shipment goes out. Adding a controlled item or entering an elevated-risk destination triggers compliance review at the headquarters level.
  • Screening hits — even ones cleared as false positives. A pattern of near-misses means either problematic customers are targeting your subsidiary or your screening process has holes. Either way, headquarters should know.

We've worked with companies where subsidiaries ran their own screening but never reported results upward. A 2023 enforcement action documented 47 screening hits across eighteen months — every single one cleared locally as a false positive. Twelve of them weren't false positives. The US parent's exposure came from the violations themselves and from having zero reporting mechanism that would have caught the pattern.

Platforms centralizing compliance data across entities — Lenzo included — can pull subsidiary screening results into one place, flag elevated-risk transactions for headquarters review, and document the reporting trail auditors expect to find. That visibility gap between parent and subsidiary creates more enforcement exposure than most compliance teams have calculated.

Sources

More to explore

View all
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.

Trade Compliance FAQ: 25 Questions Every SMB Exporter Gets Wrong

OFAC's maximum civil penalty hit $377,700 per violation in January 2025. BIS bumped its ECRA penalty cap to $374,474 the same month. The questions compliance teams ask haven't changed much over the years. They've just gotten a lot more expensive to answer wrong.
Last updated:
November 27, 2025
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.

Trade Compliance Glossary: Terms Every Exporter Needs

Your customs broker just emailed about an ECCN classification conflict with the freight forwarder's HTS determination. Legal wants to know if the end-user triggers EAR99 or needs a BIS license review. And someone in accounting keeps confusing OFAC with OFCCP. Again.
Last updated:
November 28, 2025
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.

Best Trade Compliance Software for SMB Exporters (2026)

OFAC civil penalties blew past $254M by mid-2025. BIS piled on with over 170 Entity List additions across 6 separate rulings between January and October. And the part that keeps compliance teams awake: none of those penalties landed because someone forgot to screen a counterparty.
Last updated:
February 12, 2026
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.

License Exception Eligibility: Quick Reference

BIS published 2,847 updates to the Export Administration Regulations in 2025. Seventeen directly affected license exception eligibility for at least one ECCN category. For compliance teams processing 50–200 shipments monthly, tracking which exceptions apply to which items has turned into a puzzle that resets every few weeks.
Last updated:
February 11, 2026
TOOLS
Tariff CalculatorCompliance ServiceCanada TariffsHS CodeUS Tariffs on ChinaOFAC SearchMexico TariffsHSN Code List
Legal
Acceptable Use PolicyAI Data Usage PolicyBilling & Refund PolicyCookies PolicyData Processing AddendumPrivacy PolicyTerms of Service
Lenzo - Trade Compliance © 2026 All rights reserved
Secure read-only integrations
AES-256 encrypted data
OAuth 2.0 access