Export Without License: Penalty Ranges by Violation

BIS assessed a civil penalty of $374,474 against a British Virgin Islands company in September 2025 for a single unlicensed aircraft reexport to Russia (BIS.gov, 2025). That figure represents the current maximum administrative penalty per violation under the Export Administration Regulations — and the floor is far higher when the transaction value exceeds roughly $187,000 or when multiple shipments are involved.

Key Takeaways

• EAR civil penalties reach $374,474 per violation or twice the transaction value, whichever is greater (BIS.gov, January 2025)
• ITAR violations carry maximum civil penalties of $1,271,078 per violation or twice the transaction value (State Department, January 2025)
• OFAC maximum civil penalty under IEEPA stands at $377,700 per violation or twice the transaction amount (Treasury.gov, January 2025)
• Criminal penalties across all regimes can reach $1,000,000 and 20 years imprisonment per violation
• Denial of export privileges effectively kills a company's ability to participate in international trade

How EAR Penalties Break Down

The Bureau of Industry and Security enforces the Export Administration Regulations against dual-use items — technology, software, and commodities that have both commercial and military applications. When a company ships controlled items without the required license, BIS has two penalty tracks available.

The administrative track operates on something close to strict liability. BIS does not need to prove the exporter intended to violate the law. A 200-person electronics distributor that miscalculated its ECCN classification or failed to screen a customer against the Entity List faces the same maximum penalty as a company that deliberately circumvented controls. We have seen this play out repeatedly: Luminultra Technologies paid $685,051 in September 2025 for exporting EAR99 items to Iran through a Dubai freight forwarder, even though the items themselves carried no specific export control classification (BIS.gov, 2025).

The criminal track requires willfulness — proof that the exporter knew the conduct was illegal or proceeded with reckless disregard. Criminal penalties jump to $1,000,000 per violation and up to 20 years imprisonment. Nikolay Goltsev received 40 months in January 2025 after coordinating over 300 shipments valued at $7 million to Russian military end-users on the Entity List (Federal Register, December 2025). BIS issued a 10-year denial order against him on December 17, 2025. Cannot touch any EAR-controlled transaction until 2035. His wife Kristina Puzyreva got 24 months in July 2024 for laundering the proceeds — the scheme was a family business.

The proposed legislation from Representatives Self and McCaul in October 2025 would push civil penalties to $1.2 million or four times the transaction value. That bill has not passed as of Q4 2025, but the trajectory is clear.

ITAR Penalties Hit Differently

Defense articles and technical data fall under the International Traffic in Arms Regulations, administered by the State Department's Directorate of Defense Trade Controls. The penalty structure reflects the national security sensitivity of military technology.

Current ITAR civil penalties max out at $1,271,078 per violation or twice the transaction value — roughly three times the EAR equivalent. The RTX Corporation consent agreement in August 2024 demonstrates the scale: 750 alleged violations resulted in a $200 million settlement, with $100 million suspended for compliance remediation (State Department, August 30, 2024). That works out to approximately $266,667 per violation if you run the math straight, though the actual calculation considers aggravating and mitigating factors. Most violations originated from Rockwell Collins misclassifying items as EAR-controlled when they were actually ITAR — the kind of jurisdiction error that cascades into dozens of downstream violations.

Each unauthorized transfer counts separately. One file. One email. One drawing. A 150-person defense contractor that exports technical drawings to an overseas subsidiary without authorization is not committing one violation — each drawing represents a discrete violation. The Keysight Technologies consent agreement in August 2021 covered 24 violations arising from software exports during a commodity jurisdiction review, resulting in a $6.6 million fine with $2.5 million suspended (DDTC, 2021). Keysight got credit for cooperation, but the agency noted they'd continued exporting while the classification was still under review. DDTC treated that as aggravating.

Statutory debarment follows automatically upon criminal conviction. That is a mandatory three-year prohibition on any ITAR activity. Administrative debarment — discretionary action by DDTC for civil violations — achieves the same practical effect: the company cannot export, manufacture, or service any defense article.

OFAC Violations Operate Under Strict Liability

The Office of Foreign Assets Control administers sanctions programs against targeted countries, entities, and individuals. Shipping to a sanctioned party without authorization triggers potential liability regardless of intent or knowledge.

The IEEPA maximum civil penalty hit $377,700 per violation as of January 15, 2025 (90 FR 3688). OFAC's calculation method differs from BIS: the base penalty equals the applicable statutory maximum or the transaction value for non-egregious cases, then adjusts based on aggravating and mitigating factors detailed in the Economic Sanctions Enforcement Guidelines (31 CFR Part 501, Appendix A). The Guidelines run 23 pages. Worth reading before your first VSD.

A Q4 2025 settlement with an individual who served as fiduciary for a sanctioned Russian oligarch's trust illustrates the exposure. The base calculation totaled $6,245,136 across multiple apparent violations. The settlement amount of $1,092,000 reflected OFAC's determination of non-egregious conduct plus credit for cooperation — still over a million dollars for a single individual's trust management activities (OFAC, 2025).

Asset freezing compounds the financial impact. OFAC can block accounts, real estate, and other property connected to the sanctions violation. The property remains frozen indefinitely while the underlying violation is adjudicated.

What Actually Determines the Penalty Amount

Enforcement agencies maintain broad discretion within the statutory maximums. The factors that move the needle:

Voluntary self-disclosure provides the most reliable penalty reduction. BIS's September 2024 final rule formalized the dual-track VSD process: minor or technical violations follow a simplified procedure, while significant violations require full narrative reports. The Cadence Design Systems resolution in July 2025 — $140.6 million combined penalties for 61 EAR violations involving exports to Chinese military end-users including the National University of Defense Technology — included credit for remediation despite the severity of the underlying conduct (DOJ/BIS, July 28, 2025). Cadence China employees knew NUDT was Entity Listed. They kept shipping anyway through front companies.

Aggravating factors that push penalties upward include: exports to proscribed destinations (China, Russia, Iran); involvement of Significant Military Equipment; exports pending commodity jurisdiction determination; pattern of repeated violations; and statements during investigation that prove inconsistent with evidence.

The Honeywell consent agreement in May 2021 hit $13 million ($5 million suspended) partly because the violations involved F-35, F-22, and B-1B aircraft technical data exported to China — aggravating on multiple dimensions simultaneously (DDTC, 2021). Recurrence of similar violations previously disclosed also counted against Honeywell. They'd made the same mistake twice.

Mitigating factors work in the opposite direction: strong compliance programs in place before the violation; immediate remedial action upon discovery; full cooperation with investigation; low harm to national security from the specific items involved.

The Penalty That Matters Most Isn't Monetary

Denial of export privileges destroys export capability entirely. BIS Temporary Denial Orders take effect immediately to prevent imminent violations and can be renewed for up to one year. Section 1760(e) of the Export Control Reform Act authorizes denial periods up to 10 years following criminal conviction.

A company under denial order cannot participate in any transaction subject to the EAR — not as exporter, freight forwarder, financing source, or in any supporting role. Other companies become prohibited from dealing with the denied party. For a mid-market exporter doing $50 million annually in controlled shipments, a denial order is a death sentence regardless of whether accompanying fines reach six or seven figures.

DDTC administrative debarment operates similarly for ITAR purposes. VTA Telecom Corporation's 2023 consent agreement included debarment but no monetary fine — DDTC apparently viewed permanent exclusion from defense trade as sufficient punishment for unauthorized exports to Vietnam (DDTC, 2023). That outcome is worse than any fine for a company whose business model depends on defense-related work.

Per-Violation Multiplication Creates Catastrophic Exposure

Each shipment, each item, each unauthorized transfer counts as a separate violation. A compliance failure affecting a recurring route or high-volume product line generates exposure that compounds rapidly.

Consider a 175-person medical device manufacturer exporting reagent kits to Singapore. If the kits require an EAR license that the company failed to obtain, each kit in each shipment constitutes a distinct violation. Twenty monthly shipments of 50 kits over two years yields 24,000 potential violations at $374,474 each — theoretical exposure exceeding $8 billion before any negotiation begins.

The practical outcome rarely reaches theoretical maximum. RTX's $200 million settlement for 750 violations averaged roughly $267,000 per violation. Cadence's $140.6 million combined resolution covered 61 admitted EAR violations plus the DOJ criminal charges — $95 million to BIS, $118 million in criminal penalties with offsets for double-counting. Still enough to bankrupt a mid-market exporter three times over. The multiplication effect matters: it gives enforcement agencies enormous bargaining power in settlement negotiations.

What Doesn't Work

Relying on classification ambiguity as a defense fails consistently. Keysight continued exporting software as EAR99 while a commodity jurisdiction request was pending with DDTC. When DDTC determined the software was ITAR-controlled under Category XI(d), those exports became violations — and DDTC treated the continued exports during the review period as an aggravating factor. The charging letter specifically noted that DDTC had warned Keysight about misclassification concerns before the CJ was even filed.

Assuming EAR99 items require no controls also fails when destination or end-user triggers license requirements. Luminultra's items carried EAR99 classification, yet section 746.7(e) of the EAR required authorization for export to Iran regardless of classification. The Iranian buyer asked for a discount due to "sanctions and critical economic conditions." That's a red flag. Luminultra shipped anyway. The $685,051 penalty followed in September 2025 (BIS.gov, 2025).

Screening customers at onboarding but not at transaction time creates gaps. Entity List additions occur without advance notice. A customer cleared in January may appear on the April designation. OFAC published 2,847 designation changes in 2024 alone (Treasury.gov, 2025). Quarterly or annual rescreening leaves exposure windows measured in months. The Tuesday-Thursday designation cluster is predictable. The Friday afternoon drops are not.

Using freight forwarders or intermediaries to obscure destinations shifts liability but does not eliminate it. Luminultra routed items through Dubai; the penalty attached to Luminultra regardless. The EAR's knowledge standard includes "reason to know" — red flags that a reasonable person would recognize. When your Iranian customer explicitly mentions sanctions in their discount request, you've met the threshold.

The Compliance Calculation

Manual license determination takes 15-45 minutes per SKU for an experienced trade compliance specialist. At 200 distinct products, that represents 50-150 hours of specialist time before considering destination-specific requirements, end-user screening, or license exception analysis. Most mid-market exporters don't have 150 hours of compliance specialist time available per product cycle.

The economics favor automation when export volume exceeds roughly 10 shipments monthly. Screening latency — the delay between designation publication and database update — runs 4-14 days for commercial screening providers (Lenzo data, Q4 2025). OFAC drops designations on Friday afternoons; a shipment cleared Friday morning may involve a party designated Friday afternoon. The Goltsev network exploited exactly this gap — they knew OFAC and BIS couldn't move faster than their shipping schedules.

The penalty math runs one direction. A $374,474 minimum penalty per EAR violation covers the annual cost of any compliance platform on the market — including enterprise solutions from Descartes or SAP GTS that run $200,000+ yearly. The question is not whether compliance investment makes financial sense, but whether the specific approach catches the violations that generate seven-figure exposure. Batch screening once a week misses the Tuesday designation that affects your Thursday shipment. Real-time screening catches it. That difference is worth calculating.

FAQ

Can a company face penalties from multiple agencies for the same shipment?

Yes. A single unauthorized export can trigger parallel enforcement by BIS, DDTC, and OFAC if the item is controlled under EAR, potentially covered by ITAR, and destined to a sanctioned party. The agencies coordinate but pursue separate penalty authority. Cadence resolved DOJ criminal charges and BIS civil penalties simultaneously in July 2025.

Does voluntary disclosure guarantee a no-action outcome?

Disclosure provides significant penalty mitigation but does not guarantee avoidance of penalties. BIS's September 2024 final rule treats failure to disclose significant violations as an aggravating factor, but voluntary disclosure alone does not preclude enforcement action for serious violations. RTX voluntarily disclosed all 750 alleged violations yet still paid $200 million.

How long do enforcement agencies have to pursue violations?

Statutes of limitation vary by regime and violation type. OFAC issued guidance in recent years on extension of limitations periods. Many enforcement cases involve conduct occurring years before resolution — the RTX consent agreement in August 2024 covered violations occurring over extended periods. Companies may face exposure for historical conduct that current screening would catch.

What triggers license requirements for EAR99 items?

Classification alone does not determine license requirements. EAR99 items — those not listed on the Commerce Control List — require licenses when: destined to embargoed countries (Part 746); intended for prohibited end-uses (Part 744); involving denied parties (Part 764); or meeting end-user controls. The Luminultra case involved EAR99 items that required authorization solely due to Iranian destination.

Are individuals personally liable for corporate violations?

Criminal penalties apply to natural persons directly — Nikolay Goltsev received 40 months imprisonment as an individual. OFAC's Q4 2025 settlement with a trust fiduciary imposed $1,092,000 on an individual. Corporate officers who direct or knowingly participate in violations face personal exposure beyond their company's liability.