Trade Compliance FAQ: 25 Questions Every SMB Exporter Gets Wrong

OFAC's maximum civil penalty hit $377,700 per violation in January 2025 (Federal Register, Vol. 90, No. 9, January 15, 2025). BIS bumped its ECRA penalty cap to $374,474 the same month. The questions compliance teams ask haven't changed much over the years. They've just gotten a lot more expensive to answer wrong.

We pulled 25 questions that show up most in practitioner forums, BIS counselor inboxes, and trade compliance trainings. Not the textbook definitions — the operational answers. The kind that keep shipments moving and auditors from setting up camp in your conference room.

Key Takeaways:

• OFAC civil penalties max at $377,700 or twice the transaction value, whichever hits harder (31 CFR Part 501, 2025 inflation adjustment)
• BIS commodity classification requests through SNAP-R average 30-45 days; self-classification can happen in hours but the liability stays with you
• The SDN list alone won't keep you compliant — 8-12 lists minimum depending on where you ship
• Voluntary self-disclosure typically cuts OFAC penalties by 50-75%, but the window to disclose closes faster than most companies realize
• EU and OFAC sanctions overlap roughly 60% for Russia-related designations; the 40% gap bites people

Sanctions Screening: The Questions That Keep Compliance Officers Up

1. How often does the OFAC SDN list actually update?

No fixed schedule. That's the whole problem. OFAC publishes roughly 200 modifications per year, which shakes out to 3-4 per week on average (Treasury.gov, 2025). But "average" hides the spikes. Designations cluster Tuesday through Thursday, with a disproportionate chunk dropping Friday afternoons. If your screening cadence runs weekly — Monday morning batch, say — you've got structural exposure every single weekend. Sixty-two hours where your records show "cleared" for a potentially fresh designation.

2. Do I need to screen against both OFAC and EU sanctions lists?

If you have EU banking relationships, EU subsidiaries, or ship goods containing EU-origin components — yes. OFAC SDN and the EU Consolidated List overlap about 60% for Russia-related designations. That remaining 40% includes hundreds of EU-only entries invisible to OFAC-only screening. Works both ways, too. OFAC designates entities the EU hasn't touched. Running a single list and calling it done hasn't been defensible for years now.

3. What lists should an SMB exporter screen against?

Depends on where you ship, but here's the floor: OFAC SDN, OFAC Consolidated Non-SDN, BIS Entity List, BIS Denied Persons List, BIS Unverified List, EU Consolidated List, UK Sanctions List. Shipping to Australia or Canada? Add theirs. The U.S. government's own Consolidated Screening List (CSL) aggregates 13 federal screening lists — decent starting point, but it won't cover EU or UK obligations. Most mid-market exporters handling 100+ shipments per month end up running 8-12 lists. Nobody enjoys it.

4. What happens if I accidentally ship to a sanctioned party?

Accidentally or not, OFAC doesn't care about intent for civil penalties. Maximum civil penalty under IEEPA: $377,700 per violation or twice the transaction value, whichever number hurts more (31 CFR 501, 2025). Criminal penalties for willful violations can stack to $1 million and 20 years.

The practical bit that nobody covers at conferences. Settlement negotiations drag 18-36 months. During that entire stretch, your banking relationships get strained, your board wants updates every quarter, and your D&O insurance carrier starts asking questions you don't want to answer. Most first-time violators who self-disclose and cooperate settle for significantly less — the base penalty for a self-disclosed non-egregious violation caps at $188,850. But the distraction cost alone will make you wish you'd screened properly.

5. What's the difference between the SDN list and the Entity List?

Different agencies, different consequences, different screening requirements. Companies confuse them constantly. SDN list: OFAC (Treasury). Getting caught transacting with an SDN means asset blocking, civil and criminal penalties. Entity List: BIS (Commerce). Shipping to an Entity List party without a license triggers EAR violations, penalties up to $374,474 per violation under ECRA (2025 adjustment).

Some entities sit on both lists. Some on only one. You screen against both or you're guessing.

6. How do I handle false positives in sanctions screening?

This is the single biggest time drain in operational compliance. Easily. OFAC's SDN list carries thousands of entries with extensive alias data, and those aliases generate far more false hits than the EU Consolidated List does. A 200-shipment-per-month operation screening against 10+ lists? Expect 40-60 false positives weekly. Each one needs a documented record — not a "looks fine" email. A record showing why the hit got dismissed, who made the call, and when.

The mistake I see over and over: treating false positive resolution like a clerical task. Handing it to an intern or a logistics coordinator who doesn't understand the screening logic. It requires someone who knows the customer, knows the screening parameters, and can explain the distinguishing factors if an auditor asks two years from now. Automate triage. Keep the final determination human.

ECCN Classification: Where Most Export Mistakes Actually Start

7. What's an ECCN and why should I care?

Export Control Classification Number. Five-character alphanumeric code that determines whether your product needs a license before it crosses the border. The Commerce Control List (CCL) assigns ECCNs for export control purposes. Get this wrong and everything downstream breaks: license requirements, screening obligations, record-keeping. A misclassified ECCN that leads to an unlicensed export triggers BIS enforcement, and "we didn't know" has never worked as a defense. Not once.

8. How long does ECCN classification take?

Two paths. Self-classification can happen same-day if your technical team knows the product parameters and can read the CCL. Most companies with fewer than 50 SKUs can grind through classification in a week. But self-classification means the liability sits squarely on you.

Submitting a formal commodity classification request (CCATS) through BIS's SNAP-R system? Longer. BIS targets 30 days for straightforward items, but complex products — dual-use semiconductors, certain chemicals, precision instruments — routinely stretch to 45-60 days. And BIS will kick the request back if your technical parameter data has gaps. I've personally watched classification requests bounce three times because the submitter kept missing polymer percentage specs and tensile strength numbers.

9. What if my product is EAR99?

EAR99 means your item falls under BIS jurisdiction but doesn't match any specific ECCN on the Commerce Control List. Most commercial products land there. Doesn't mean "no restrictions." EAR99 items still need a license if you're shipping to an embargoed country, a denied party, or for a prohibited end-use. The mistake that never stops showing up: companies treat EAR99 as a blanket clearance and quit screening the transaction entirely. That's not how any of this works.

10. Does ECCN classification ever change?

Regularly. BIS publishes Entity List modifications and CCL updates through the Federal Register. The CCL gets revised when multilateral control regimes — Wassenaar Arrangement, MTCR, Australia Group — update their control lists. A product classified 3A001 two years ago might pick up additional controls or lose them depending on technology threshold changes. Annual classification reviews aren't paranoia. They're baseline hygiene for anyone shipping controlled items.

Export Licensing: The Paperwork That Stops Shipments

11. When do I actually need an export license?

After you know three things: your ECCN, your destination country, and your end-user/end-use. Cross-reference the ECCN's "Reasons for Control" against the Commerce Country Chart (Part 738 of the EAR). There's an "X" in the box where your reason for control meets your destination? You need a license unless a license exception applies. For EAR99 items, check for end-user and end-use red flags: Entity List presence, military end-use in certain countries, WMD-related activities.

12. How long does a BIS export license take?

BIS has a statutory mandate to process applications within 90 days. In practice, straightforward licenses — commercial items going to allied nations — typically clear in 30-45 days. Applications involving items controlled for national security or regional stability, especially headed to China, India, or UAE, often stretch to the full 90. Some hit the "referred to other agencies" stage and vanish for months.

True story: a license for semiconductor manufacturing equipment going to a Southeast Asian buyer took 127 days because it got caught between Commerce and Defense review. The client missed their delivery window, the buyer threatened to source from a European competitor, and by the time the license came through, the deal had shrunk by 40%.

Submit through SNAP-R with complete technical documentation the first time. Every BIS request for additional information restarts the clock.

13. What are license exceptions and can I rely on them?

License exceptions (Part 740 of the EAR) are pre-authorized waivers that eliminate the license requirement for specific situations. Most commonly used: TMP (temporary exports), RPL (servicing and replacement parts), GOV (government agencies), TSR (technology and software under restriction). But they're conditional. Each exception has specific requirements, record-keeping obligations, and destination limitations.

Treating a license exception as a free pass without verifying every condition? That's how companies end up in enforcement proceedings. BIS expects the same documentation rigor for exception use as for a licensed export.

Compliance Program Basics: What Auditors Actually Look For

14. Do I need a formal export compliance program?

Legally, no. No federal regulation mandates a written program for commercial exporters. Practically, not having one costs you in two places: penalty calculations and insurance claims. OFAC's enforcement guidelines explicitly weigh "the existence, nature and adequacy of a compliance program" when setting penalties. A company with documented procedures, regular training records, and screening protocols will consistently settle 40-60% lower than one winging it. That's not speculation — look at the enforcement action settlements on Treasury.gov and compare.

15. How often should I train my team on export compliance?

Annual minimum. But annual-only training misses regulatory changes that land mid-year — and in this environment, they land constantly. The standard among well-run mid-market compliance operations: annual comprehensive session plus quarterly briefings on regulatory updates. New hires complete compliance orientation before they process their first export order.

And keep records. "We trained everyone" without dates, attendees, and topic documentation satisfies exactly zero auditors.

16. What records do I need to keep and for how long?

Five years from the date of export, reexport, or transfer for EAR-related records (Part 762). OFAC doesn't specify a statutory retention period in most programs, but five years aligns with the general enforcement statute of limitations. Keep: signed end-use certificates, shipping documentation, screening results, license copies, classification records, and correspondence related to any compliance determination.

The companies that struggle in audits aren't missing exotic documents. They're missing the mundane ones. Screening logs get deleted when someone cleans out a shared drive. Email chains about classification decisions get buried in someone's inbox. A logistics coordinator leaves the company and the filing system walks out with them. Boring problems, real consequences.

Penalties & Enforcement: The Numbers That Matter

17. What are the actual penalty ranges for common violations?

As of January 2025:

OFAC (IEEPA violations): up to $377,700 per violation or twice the transaction value. Criminal penalties reach $1 million and 20 years (50 U.S.C. 1705).

BIS (ECRA violations): up to $374,474 per violation or twice the transaction value. Criminal penalties can hit $1 million and 20 years per count.

State Department (ITAR violations): up to $1,271,078 per violation or twice the transaction value. Same criminal ceiling — $1 million, 20 years.

To put scale on it: Raytheon's settlement for ITAR and anti-corruption violations landed around $950 million. That's the extreme end. But even a mid-market enforcement action with five or six violations can clear six figures before legal fees.

18. Does voluntary self-disclosure actually help?

More than almost anything else you can do after the fact. For OFAC, voluntary self-disclosure in a non-egregious case caps the base penalty at $188,850 per violation — half the statutory max. Without self-disclosure, the base amount jumps to the full applicable schedule amount. For transactions over $200,000, that means the statutory maximum. BIS follows a similar structure.

The catch: disclosure has to be timely, complete, and paired with remedial measures. Filing a self-disclosure after you learn OFAC already knows about the violation? That doesn't count. And "timely" means weeks, not months.

19. Can OFAC penalize individuals, not just companies?

Yes. And it happens. Individual liability applies under both IEEPA and TWEA. Compliance officers, logistics managers, even C-suite executives have faced personal penalties. OFAC doesn't require proving intent for civil penalties — negligence alone gets you there. Criminal prosecution requires willfulness, but courts have interpreted that threshold pretty broadly. Knew the rules and chose to ignore them? That qualifies. Chose not to learn the rules in the first place? Some prosecutors argue that qualifies too.

Industry-Specific Questions

20. I export to the UAE regularly. Any special considerations?

UAE sits at the intersection of several risk vectors and regulators know it. Multiple UAE-based entities appear on the BIS Entity List for diversion concerns — re-export to Iran and Russia being the primary worry. OFAC has designated UAE-based individuals and companies connected to sanctions evasion networks. The UAE's role as a transshipment hub means your end-use and end-user diligence needs to be tighter than for direct-to-consumer markets.

Practical minimum: screen every UAE transaction against both OFAC SDN and BIS Entity List, verify end-use certifications with extra scrutiny, and document your diligence thoroughly. If an auditor asks "why did you trust this end-user?" you need a better answer than "they seemed legit."

21. Are there different rules for software exports vs. physical goods?

Yes. This trips up tech companies constantly. Software and technology have their own ECCNs (product groups D and E on the CCL). "Deemed exports" apply when controlled technology or source code becomes accessible to a foreign national inside the United States — no physical border crossing required.

Think about what that means. A Chinese national on your Austin engineering team accessing proprietary semiconductor design software triggers EAR obligations identical to physically shipping that software overseas. The deemed export rule catches companies that assume export compliance only matters at the loading dock. HR and engineering need to be in the loop on this, not just your shipping department.

22. Does de minimis still apply for items with U.S. content?

The de minimis rule (Part 734.4 of the EAR) allows foreign-made items incorporating controlled U.S.-origin content to escape EAR jurisdiction if the U.S. content falls below a threshold — 25% for most destinations, 10% for embargoed and E:1/E:2 countries. But the calculation methodology trips people up.

It runs on fair market value of the controlled U.S.-origin content relative to fair market value of the foreign-made item. Getting the denominator wrong — using cost basis instead of fair market value, or missing embedded U.S.-origin technology in a subcomponent — has generated more BIS enforcement actions than most compliance teams realize. If you're relying on de minimis, get your calculation methodology reviewed. Preferably by someone who's done it before and gotten it wrong at least once.

Getting Started & Staying Current

23. Where do I find official, primary-source regulatory information?

Stop relying on secondhand summaries and LinkedIn posts. Treasury.gov for OFAC sanctions programs, enforcement actions, and SDN updates. BIS.gov for the Entity List, Commerce Control List, licensing guidance. The Federal Register for all regulatory changes — Entity List additions typically appear in the FR 4-6 weeks before commercial databases catch up. EUR-Lex for EU sanctions packages. Council of the EU for designation lists. The Consolidated Screening List at trade.gov as a starting point on U.S. government lists.

Bookmark those. Read them. The number of compliance professionals who rely on trade publication summaries instead of reading the actual Federal Register notice is... alarming.

24. How do I stay on top of regulatory changes without it becoming a full-time job?

It already is one. That's the uncomfortable truth for companies at 100+ shipments per month. Sign up for OFAC email alerts from Treasury.gov — free. Subscribe to the BIS Export Control Notification list. Monitor the Federal Register for your specific product categories. But monitoring isn't screening, and reading alerts isn't applying them to your active shipment pipeline.

Platforms that aggregate sanctions lists across jurisdictions and run automated monitoring — Descartes, SAP GTS, Lenzo — reduce the data collection load. The operational question isn't whether to monitor. It's whether your monitoring cadence matches your shipping cadence. If you're screening Monday mornings and shipping Thursday afternoons, Wednesday's designation sits in the gap.

25. At what point should an SMB hire a dedicated compliance person?

The rough threshold from what we've seen: once you hit 75-100 international shipments monthly across multiple destination countries, splitting compliance duties across operations, sales, and logistics stops working. Not because the work can't be done — it can — but because the documentation, screening, and training obligations eat 25-40 hours weekly. At that volume, coverage gaps appear and they show up in audits.

First hire doesn't need to be a $200K trade compliance attorney. A trained specialist at the operations level — someone who can run screening, maintain classification records, handle license applications — costs a fraction of a single OFAC penalty. And once they're in place, your COO stops fielding compliance questions at 6pm on a Friday.

The penalty caps keep ratcheting — OFAC's 2025 inflation adjustment pushed the IEEPA ceiling up 2.6% to $377,700 (Federal Register, January 15, 2025). BIS and State followed with their own bumps. For mid-market exporters processing 100-250 shipments monthly, the compliance surface expands every time a new sanctions package drops or the Entity List grows. Screening tools from providers like Lenzo, Descartes, and SAP GTS compress the monitoring workload. But no tool replaces knowing what you're screening for and why — which is the whole reason these 25 questions exist.