Third-Country Shipments: Hidden Sanctions Risk

BIS added nine Turkish companies to the Entity List in a single October 8, 2025 action—one of the most sweeping designations against intermediary networks supporting Iran ever recorded (Bureau of Industry and Security, Federal Register, Docket No. 250929-0163). That designation sent a clear message: routing goods through third countries offers no protection when the final destination is sanctioned territory.

Key Takeaways

• Third-country transshipment through UAE, Turkey, and Central Asia accounts for a significant portion of sanctions evasion schemes identified in DOJ indictments since 2022 (Department of Justice, Tri-Seal Compliance Note)
• Maximum civil penalties for BIS violations reached $374,474 per violation as of January 2025, with criminal fines up to $1 million and 20 years imprisonment (BIS Enforcement Guidelines)
• The "50% ownership rule" implemented September 29, 2025 requires exporters to determine whether Entity List parties hold aggregate ownership stakes—creating new due diligence burdens even for routine transactions
• SMB exporters face disproportionate exposure because sanctions evasion networks specifically target companies lacking dedicated compliance teams

Why Third-Country Routes Create Liability

The direct answer: US sanctions and export controls follow the goods, not the immediate buyer. An item shipped to Dubai or Istanbul that subsequently reaches Russia or Iran creates liability for the original US exporter—even without direct knowledge of the final destination.

This concept trips up exporters who believe their obligations end at the first foreign port. Under 15 CFR Part 732, exporters must conduct "Know Your Customer" due diligence that extends beyond the immediate transaction party. The regulations explicitly identify transshipment through certain jurisdictions as a red flag requiring additional scrutiny.

BIS's Russia/Belarus export controls resources identify specific transshipment concern jurisdictions: China (including Hong Kong and Macau), Armenia, Turkey, Kazakhstan, Kyrgyzstan, Tajikistan, Uzbekistan, and the UAE. The UK's Office of Financial Sanctions Implementation flagged UAE among the top jurisdictions involved in suspected Russian sanctions breaches—accounting for the largest share of suspected breaches reported in Q1 2024 according to OFSI's February 2025 Financial Services Threat Assessment.

For a 150-person industrial equipment distributor shipping $40M annually, a single transshipment violation could trigger penalties exceeding annual operating profit. That math concentrates the mind.

The Intermediary Problem

Shell companies and front operations have become disturbingly sophisticated. In criminal cases unsealed by DOJ, shell companies located in third countries served as purported end users—but investigators found some had no visible signage, with their "place of business" consisting of an empty room in a strip mall.

The math doesn't work in the exporter's favor. Sanctions evaders need only one successful route. Exporters must catch every diversion attempt, forever.

What complicates this further is the mismatch between buyer legitimacy signals and actual intent. A company may have real employees, real offices, genuine-looking purchase orders. It might even have legitimate business alongside diversionary operations. German firm Aiotec GmbH secretly diverted a $9.7 million decommissioned Australian polypropylene plant to Iran piece by piece between 2016 and 2019—activity that only surfaced when an anonymous tip reached the US broker in 2018, leading to OFAC's $14.55 million settlement announced December 3, 2024 (OFAC Enforcement Release).

Commerce Secretary Howard Lutnick signaled at the March 2025 BIS Update Conference that the administration would pursue a "dramatic increase" in enforcement and fines, with priorities centered on diversion through China, Hong Kong, and sensitive technologies including semiconductors and dual-use industrial equipment (Gibson Dunn BIS Conference Summary).

Red Flags That Trigger Scrutiny

BIS maintains a non-exhaustive list of warning signs at Supplement No. 3 to Part 732 of the EAR. The agency's guidance on advanced computing items adds specific indicators, but the core patterns apply broadly:

• Transaction structure anomalies: Requests to change the destination or end user after the order has been placed. Customers willing to pay significantly above market price—sometimes 30-40% premiums that make no commercial sense unless you're buying a compliance workaround. Last-minute payment from a third party not named on documentation.
• End-user inconsistencies: Technical specifications don't match the customer's stated business. The stated end-use doesn't require the quantity ordered. Customer cannot or will not provide end-user certification with detailed information.
• Geographic indicators: Delivery to a free trade zone with subsequent unspecified re-export. Customer address matches or sits near known restricted entities. Routing through jurisdictions with weak export control enforcement.
• One pattern rarely discussed in compliance materials: customers who demonstrate unusual expertise about license exception eligibility. Legitimate buyers typically don't know the difference between TMP and LVS exceptions. A procurement agent who argues persuasively about authorization pathways has likely been coached—or is reading from someone else's playbook.

The SMB Exposure Gap

Large corporations maintain dedicated sanctions teams. They budget six figures annually for screening software subscriptions, external counsel, and trade compliance specialists. A 300-person medtech manufacturer doesn't have that luxury—and the sanctions evaders know it.

Research from Macquarie University and the University of Technology Sydney examined how sanctions operate against smaller firms. The finding was blunt: SMB exporters "must interpret constantly shifting rules with limited staff," making them "especially vulnerable to inadvertent breaches or manipulation by intermediaries."

Consider the operational burden imposed by BIS's September 29, 2025 "50% ownership rule." The interim final rule now requires exporters to determine whether Entity List parties hold—directly or indirectly, in aggregate—50% or more ownership of a foreign entity. A company shipping to a seemingly legitimate distributor in Singapore must now trace ownership chains that may extend through multiple jurisdictions and corporate structures. BIS even added "Red Flag 29" specifying an affirmative duty to determine ownership percentage when the exporter has knowledge of Entity List ownership involvement.

Financial institutions use specialized beneficial ownership databases costing $50,000 to $100,000 annually. SMB exporters lack access to equivalent tools—yet face the same compliance expectations and penalty exposure.

What Doesn't Work

• Annual batch screening: Running customer lists against the SDN or Entity List once per quarter misses designations that occur between screening cycles. OFAC published designation changes nearly every week in 2025. A customer screened clean on Monday could appear on the SDN list by Thursday.
• Relying solely on customer certifications: End-user statements have value for demonstrating good faith, but they offer limited protection when the customer is actively deceiving you. BIS treats certifications as one data point, not a compliance program substitute. The Aiotec case proved this—the German company provided fraudulent end-user certificates claiming Turkish destination while shipping directly to Iran.
• Treating transshipment hubs like any other destination: A shipment to the Netherlands warrants different scrutiny than one to Kazakhstan. Risk-based screening means actually calibrating effort to risk—not running identical checks regardless of where the container is headed.
• Assuming your freight forwarder handles compliance: Freight forwarders facilitate logistics. They don't determine export classification, verify end-user legitimacy, or obtain licenses. That responsibility never leaves the exporter of record. Some exporters learn this the hard way when they find themselves named in a BIS Red Flag letter.

Screening Beyond the Direct Customer

The compliance community sometimes calls this "chasing down UBO chains," and it's accurate. Ultimate beneficial ownership screening has become non-negotiable for high-risk transactions.

The process requires identifying not just who signed the purchase order, but who ultimately controls the purchasing entity. Shell company networks use layered ownership structures specifically designed to obscure this information. A Dubai trading company owned by a Cayman holding company owned by a Maltese nominee structure owned by...eventually, someone on a sanctions list.

For items on the Common High Priority List—goods frequently diverted to Russia—BIS recommends screening against the Trade Integrity Project database. TIP identifies third-country suppliers with documented histories of shipping CHPL items to Russia since 2022. The screening tool is free, but requires manual search and documentation.

This is where the hits pile up. Each layer of due diligence adds screening volume. A mid-sized exporter with 200 active customers, each with an average of three ownership layers, now faces 600+ screening events just for beneficial ownership—plus the standard sanctions list checks. Most compliance teams weren't built for that volume, and it shows in enforcement statistics.

Regulatory Coordination Intensifies

The days of agencies operating in separate silos have ended. DOJ, BIS, OFAC, and FinCEN coordinate through mechanisms like the Tri-Seal Compliance Notes (now expanded to five agencies with the Quint-Seal format). These joint advisories signal shared enforcement priorities and aligned investigative resources.

The April 16, 2025 OFAC maritime advisory on Iranian oil sanctions evasion outlined how networks span multiple jurisdictions—targeting vessel operators in the Seychelles, oil brokers in Hong Kong, trading companies in Dubai. The guidance described shell company proliferation, AIS manipulation patterns, and insurance red flags that apply beyond petroleum to any high-value transshipment scenario.

For exporters, the practical implication is straightforward: a violation touching one agency's jurisdiction likely triggers scrutiny from others. A BIS export control case may surface parallel OFAC violations. DOJ criminal prosecution often layers multiple statutory violations from different regulatory frameworks. The June 2025 Unicat settlement showed how an acquiring company that discovered violations and promptly disclosed to BIS, OFAC, and DOJ still faced a combined $3.9 million civil settlement—even with cooperation credit.

Building a Defensible Process

The McKinsey-ISSA 2025 Sanctions Benchmark Survey found that as of March 2025, approximately 82,000 individuals and entities carry global sanctions designations—nearly five times the 2017 figure. While most securities services firms implement basic anticircumvention controls, "only a few adopt more advanced measures, such as circumvention-specific monitoring via network analytics."

Advanced measures may not fit every budget. But certain baseline practices scale to smaller operations:

• Document the decision trail. Internal investigations, decision memos, and escalation records now serve as evidence the government reviews when assessing good faith. If you evaluated red flags and concluded a transaction was legitimate, that written analysis becomes a mitigating factor. No documentation means you're flying blind into an enforcement proceeding.
• Screen at multiple checkpoints. Initial customer onboarding, order acceptance, and shipment booking represent distinct opportunities to catch changes in customer status or transaction profile.
• Build in geographic triggers. Shipments to identified transshipment hubs—UAE, Turkey, Central Asian states, Hong Kong—warrant additional scrutiny. This doesn't mean refusing all business with these destinations, but calibrating due diligence proportionally.
• Maintain end-use visibility. For sensitive items, collect documentation beyond the immediate transaction: installation sites, service contacts, technical representatives. Patterns that don't add up often reveal themselves in these details.
• Platforms like Lenzo consolidate screening across multiple sanctions lists and provide monitoring for regulatory changes affecting transshipment routes—an approach that reduces the manual burden of tracking updates from OFAC, BIS, EU, and UK authorities simultaneously.

FAQ

Can a US exporter be held liable if goods are diverted without their knowledge?

Strict liability applies to many OFAC violations, meaning the exporter can face civil penalties regardless of intent or knowledge. BIS violations under the EAR can involve civil penalties without proof of willfulness, though criminal prosecution requires demonstrating knowing conduct. The practical effect: ignorance of diversion doesn't prevent civil enforcement.

What due diligence is considered sufficient for third-country shipments?

No bright-line standard exists. BIS guidance indicates that risk-based programs should be "tailored to the risks that the business faces." For high-risk transactions—sensitive items, transshipment hub destinations, new customers—this means enhanced screening, beneficial ownership investigation, end-user verification, and documented analysis of red flags. The government evaluates sufficiency case-by-case, considering the resources available to the exporter and the risk profile of the transaction.

How do re-export controls apply to goods shipped to intermediary countries?

Items subject to the EAR that transit or are transshipped through a country to a new destination are deemed exports to that final destination. A widget shipped to Dubai for onward delivery to Iran requires authorization for Iran—not just UAE. The transshipment country doesn't provide insulation from destination-based restrictions.

Are free trade zones treated differently for sanctions purposes?

Free trade zones offer customs benefits but no sanctions exemption. Goods in a UAE free trade zone remain subject to US export controls if they originated from US-controlled items or incorporate US technology. The FTZ location may actually increase scrutiny given documented patterns of diversion through these facilities.

What triggers a BIS \

BIS issues Red Flag letters when it identifies customers who may have re-exported or transferred items in violation of the EAR. Receipt of such a letter creates an affirmative obligation to resolve the identified concerns before proceeding with additional transactions. Ignoring the letter and continuing shipments constitutes an aggravating factor in enforcement. There's no playing dumb after you've been warned.

The Enforcement Environment Ahead

The expansion shows no signs of slowing. The UK and EU doubled their designations between 2020 and 2023. Russia-related enforcement remains the dominant category, but Iran and China actions accelerate. For SMB exporters, the question isn't whether to invest in sanctions compliance, but how to do so efficiently. The compliance costs of catching a diversion attempt pale against the penalties for missing one.

The operational reality is that transshipment risk won't disappear because exporters find it inconvenient. Networks seeking controlled items adapt continuously. Due diligence must adapt faster.