Supply Chain & Forced Labor: 25 Compliance Questions for SMBs

CBP stopped 7,325 shipments under uflpa in fiscal year 2025 — a 51% jump over the prior year (CBP.gov, 2025). FCPA penalties topped $1.5 billion in the most recent full enforcement cycle (DOJ/SEC enforcement data, 2025). And the EU Forced Labour Regulation will ban forced labor-tainted products from EU markets entirely once it takes effect (EU Forced Labour Regulation). If your compliance program still treats supply chain due diligence, anti-corruption, and export controls as separate buckets, the gaps are already showing. Our team put together answers to the 25 questions we hear most from mid-market exporters dealing with this convergence.

Key Takeaways:

• CBP denial rates for China-origin UFLPA shipments reached 77% in FY 2025, up from roughly 60% the prior year (CBP UFLPA Dashboard, 2025)
• Anti-boycott civil penalties hit $374,474 per violation as of January 2025; criminal violations carry up to $1 million and 20 years (BIS.gov, 2025)
• DHS added steel, copper, lithium, caustic soda, and red dates as UFLPA high-priority sectors in August 2025 (DHS.gov, 2025)
• The EU Forced Labour Regulation covers both imports into and exports from the EU, a scope that catches most exporters off guard (EU Forced Labour Regulation)
• Full multi-tier supply chain audits for forced labor compliance typically run $15,000-50,000 per supply chain and take 3-6 months (industry benchmarks, 2025)

1. What is the UFLPA and how does it affect my supply chain?

The Uyghur Forced Labor Prevention Act creates a rebuttable presumption that goods produced wholly or in part in China's Xinjiang region involve forced labor and cannot enter the United States (19 U.S.C. § 1307, as amended by UFLPA). As of August 2025, CBP has stopped over 16,700 shipments valued at $3.7 billion (DHS.gov, 2025). That same month, DHS expanded high-priority enforcement sectors to include steel, copper, lithium, caustic soda, plus red dates. Your tier-2 or tier-3 supplier may source these materials from Xinjiang without your knowledge, and that exposure belongs to you, not them.

2. How do I prove my products aren't made with forced labor from Xinjiang?

Burden falls entirely on the importer. The evidentiary standard, "clear and convincing evidence", sits near the top of the scale in U.S. law, and CBP denial rates for China-origin shipments reached 77% in FY 2025 (CBP UFLPA Dashboard, 2025). Generic supplier declarations don't survive review anymore. What works: tier-by-tier invoices, bank transfer records, bills of lading and factory production logs with input/output material reconciliation. Build the evidentiary package before a detention hits. We've watched companies burn 30-60 days scrambling for documentation after the fact, and still get denied.

3. What are the anti-boycott rules under EAR Part 760 and when do they trigger?

Part 760 prohibits U.S. persons from furthering or supporting an unsanctioned foreign boycott, primarily, the Arab League boycott of Israel (15 CFR Part 760). Civil penalties run up to $374,474 per violation or twice the transaction value, whichever tops the other (BIS.gov, January 2025). Criminal violations carry up to $1 million and 20 years imprisonment under the Anti-Boycott Act. A letter of credit from a Gulf bank requiring certification that goods didn't originate in Israel? That's a boycott request. A Saudi purchase order asking you to confirm no Israeli suppliers? Reportable. Most exporters have no idea these triggers exist until they trip over one.

4. How do I recognize and report a boycott request?

Boycott requests hide in shipping documents, L/C clauses, as well as supplier questionnaires. Report to BIS's Office of Antiboycott Compliance by the last day of the month following the calendar quarter of receipt (15 CFR § 760.5). The obligation exists regardless of whether you actually complied. Miss the deadline? Category C violation. Comply with the request itself? Potentially Category A, the most serious classification under BIS penalty guidelines.

5. How does the FCPA intersect with export compliance?

The overlap gets real when foreign officials control import permits, customs clearances, or end-user certificates in your destination markets. A local agent who "facilitates" license approval through an irregular payment triggers both FCPA anti-bribery provisions (up to $2 million per violation for corporations) and potential export control violations on the underlying shipment. The February 2025 FCPA enforcement pause and subsequent June 2025 DOJ guidelines shifted priority toward cartel and transnational criminal organization cases, but the core anti-bribery framework hasn't gone anywhere.

6. What's the UK Bribery Act and how does it differ from FCPA?

Three material differences. The Bribery Act criminalizes bribing private individuals, not just government officials. It creates strict corporate liability for failing to prevent bribery unless the company proves "adequate procedures." And it covers both giving and receiving. Under FCPA, your compliance program quality affects sentencing after a violation. Under the Bribery Act, proving adequate procedures beforehand can prevent liability entirely. Proactive spend in the UK context directly reduces legal exposure; in the U.S., it mainly softens the blow.

7. How does the EU Corporate Sustainability Due Diligence Directive affect exporters?

After the Omnibus I package narrowed its scope in December 2025, the CSDDD applies to companies with 5,000+ employees and €1.5 billion+ turnover (CSDDD), as amended by Directive EU 2025/794). Below those thresholds? Still affected. Covered companies must conduct due diligence on their business partners, meaning your EU customers will shove CSDDD requirements downstream through procurement terms. We're already seeing this, large European manufacturers tacking human rights questionnaires onto supplier qualification right now, well ahead of enforcement dates.

8. What are conflict minerals reporting obligations under Dodd-Frank Section 1502?

SEC-reporting companies must determine whether products contain tin, tantalum, tungsten, or gold (3TG) from the DRC or adjoining countries (SEC Rule 13p-1). Even non-filers get pulled in: your SEC-reporting customers will demand Conflict Minerals Reporting Templates from you. Incomplete CMRTs within a buyer's 30-day window can flat-out cost you the account. We've seen it happen to mid-market suppliers who couldn't pull the sourcing data together fast enough.

9. How do I screen a multi-tier supply chain for forced labor risk?

Single-tier screening misses most of the risk. Start with material-level mapping, not supplier-level. Identify which raw materials carry high Xinjiang exposure (polysilicon, cotton, aluminum, PVC, plus now steel, copper, lithium per the August 2025 DHS priority sector update) then work backward to figure out which finished components contain them. Faster and far cheaper than full multi-tier supplier audits, which typically run $15,000-50,000 per supply chain and eat three to six months.

10. What documentation does CBP require to rebut a UFLPA detention?

Transaction-level documentation proving complete chain of custody: commercial invoices linking each production tier, payment records (actual bank transfers, not just invoices), shipping documents tracking physical movement and factory production logs with material balance reconciliation (CBP UFLPA Operational Guidance, 2025). Here's where companies get tripped up: if a factory sources 60% of its aluminum from Xinjiang and 40% from Australia, a statement saying "your order used Australian aluminum" won't fly. You need batch-level production records tying specific material lots to specific production runs. Anything less and CBP sends it back.

11. How deep into my supply chain do anti-boycott reporting obligations go?

As deep as the boycott request travels. If your freight forwarder receives a boycott clause in shipping instructions and forwards it to you, both parties carry independent reporting obligations (15 CFR § 760.5). An L/C boycott clause from a Middle Eastern bank hits everyone in the documentary chain, you, your bank, your forwarder, your insurer.

12. What's the penalty for failing to report a boycott request?

Category C violation, up to $374,474 per occurrence (BIS.gov, 2025). Non-willful first-time failures often resolve through warning letters. For more context, see our guide on Trade Compliance FAQ: 25 Questions SMB Exporters Get Wrong. But unreported requests pile up into a pattern problem: when BIS audits, multiple quarters of missing reports signal either ignorance (which triggers a broader compliance review) or deliberate evasion (which pushes into Category A territory with the full statutory penalty on the table).

13. How do anti-corruption risks manifest in freight, customs brokerage, as well as logistics?

Logistics sits in the blind spot of most anti-corruption programs. Your customs broker in Lagos paying an "expediting fee." Your freight forwarder in Jakarta arranging "port handling" payments to dodge inspection delays. Your warehousing partner in Ho Chi Minh City making "administrative contributions" to local officials. Each scenario creates FCPA and UK Bribery Act exposure for your company. DOJ enforcement guidance holds companies responsible for corrupt acts by their agents, including parties several steps removed in the logistics chain.

14. What human rights due diligence do EU regulations now require from exporters?

The EU has built a layered system. The CSDDD sets broad corporate due diligence obligations across value chains. The EU Forced Labour Regulation creates a product-level ban on forced-labor goods. The EU Conflict Minerals Regulation covers 3TG importers. What matters for you right now: your EU buyers are writing these due diligence requirements into procurement contracts today, well ahead of their own enforcement timelines. No documentation from your side, no commercial relationship. That's the practical reality already hitting mid-market suppliers.

15. How does the EU Forced Labour Regulation differ from UFLPA?

Three critical differences. UFLPA targets a specific geography (Xinjiang). The EU regulation applies globally (no geographic limitation whatsoever. Second, UFLPA operates at the border through CBP detentions The EU regulation empowers authorities to pull products already circulating on the market. Third) and this catches exporters off guard, the EU regulation covers exports from the EU, not just imports. Manufacturing in the EU with forced-labor-tainted components and shipping them out? That's a violation under the regulation once enforcement begins (EU Forced Labour Regulation, Article 3).

16. What supply chain mapping tools actually work for forced labor compliance?

Honest answer from our team: no single tool handles end-to-end forced labor supply chain mapping. Not one. Sourcemap and Altana AI offer supply chain visibility using trade data and corporate registries for tier-2 and tier-3 connections, useful for initial risk assessment. What consistently fails: supplier self-declaration questionnaires as your primary mapping method. Suppliers rarely disclose Xinjiang connections voluntarily. Many genuinely don't know their own upstream sourcing beyond tier-1.

17. How do I handle a supplier operating in both Xinjiang and other Chinese provinces?

Some companies refuse to source from any supplier with Xinjiang operations. Period. Others keep the relationship but require dedicated production lines, third-party audits, plus material-level traceability, typically at 10-25% higher per-unit cost. The dedicated-line approach still depends on the supplier's willingness to maintain separate material inventories, and our experience with that has been mixed at best. No cheap answer exists here.

18. What's the relationship between export controls and AML obligations?

Both target the same evasion networks. Sanctioned entities using shell companies to procure controlled goods trip both export control regulations and AML statutes (Bank Secrecy Act, 31 U.S.C. § 5311 et seq.). Practical headache: your bank may flag a transaction your compliance team already cleared, because financial institutions screen wire transfers against OFAC List independently Mismatches mean delayed payments, frozen accounts and Suspicious Activity Reports nobody wanted. Align your screening lists and update cadences between both functions.

19. How does the Corporate Transparency Act affect my export compliance obligations?

CTA enforcement remains in flux, Treasury announced in March 2025 it would not enforce penalties under existing deadlines and proposed narrowing the rule to foreign companies (Treasury.gov, 2025). But the underlying need hasn't budged: beneficial ownership data overlaps directly with "know your customer" screening for export compliance. Screening a counterparty without knowing the UBOs behind it means screening the shell without seeing who's inside.

20. What are the reporting requirements when I discover corruption in my supply chain?

Under U.S. law, there's no general obligation to self-report, but voluntary disclosure under the DOJ Corporate Enforcement Policy typically cuts penalties 50-75% (DOJ Criminal Division, CEP, 2025). The UK Bribery Act creates different math: the "adequate procedures" defense effectively requires reporting and remediation as evidence your program actually functions. Get legal counsel before deciding whether and where to disclose. The sequence (which authority first, with what level of detail) materially changes your exposure across jurisdictions.

21. How do I conduct due diligence on foreign agents and intermediaries for anti-corruption?

Risk-tiered approach: basic screening for low-risk jurisdictions, enhanced checks for high-risk countries and government-connected intermediaries. Minimum baseline: verify legal registration, screen against OFAC/EU/UK sanctions lists, check for politically exposed persons among owners and directors. One thing that fails consistently in practice: relying on the agent's self-certification. We've seen intermediaries return flawless due diligence questionnaires who turned out to be fronts for government officials Trust documentation and independent verification. Not the paperwork they hand you.

22. What's the practical overlap between sanctions compliance and anti-corruption compliance?

Both boil down to knowing who you're actually doing business with. sanctions screening checks entity names and aliases. Anti-corruption due diligence digs into UBOs, PEPs, as well as relationship networks. When you combine both datasets for a single counterparty, the risk picture gets materially sharper. Companies running these programs in separate silos (different teams, different tools, different databases) are duplicating work while still missing the connections between them.

23. How does ESG reporting intersect with trade compliance obligations?

The CSDDD and CSRD sustainability disclosures require supply chain information that directly overlaps with forced labor and anti-corruption compliance data. Here's the question nobody wants to answer in most organizations: who owns this data? ESG reporting typically lives with sustainability or investor relations. Trade compliance sits under legal or operations. Same supply chain data, collected twice, from the same suppliers, by different consultants charging different rates. Expensive redundancy that fixes itself when someone finally puts both programs under one roof.

24. What insurance coverage exists for supply chain compliance violations?

Standard commercial liability policies don't cover regulatory fines, full stop. Specialty products exist: detention and seizure coverage (typically $50,000-500,000 per event for UFLPA holds), trade disruption insurance, plus D&O policies that may extend to regulatory investigations. What's universally excluded: actual fines from OFAC, BIS, or DOJ enforcement. Most policies also require evidence of a functioning compliance program as a coverage condition, so you can't skip the compliance work and lean on insurance instead.

25. How do I build an integrated compliance program covering sanctions, export controls, forced labor and anti-corruption?

Map your regulatory touchpoints by transaction. For every export shipment, identify which obligations apply, sanctions screening, export classification, anti-boycott, UFLPA if importing components, FCPA if using foreign agents, CSDDD if selling to EU buyers. This exercise typically reveals 4-6 overlapping requirements per transaction that most companies handle sequentially through separate teams. Platforms like Lenzo consolidate screening and classification data across regulatory frameworks, cutting the number of systems your team touches per transaction. But the tooling matters less than the org structure: someone has to own the integrated view and report the full compliance picture to leadership, not just one silo talking to itself.