8 August 2025

Latest DOJ Export Control Enforcement Action Highlights China Risks

WilmerHale

Contributor

WilmerHale provides legal representation across a comprehensive range of practice areas critical to the success of its clients. With a staunch commitment to public service, the firm is a leader in pro bono representation. WilmerHale is 1,000 lawyers strong with 12 offices in the United States, Europe and Asia.

The Department of Justice (DOJ) and the Department of Commerce recently announced a $140 million resolution of criminal and civil charges against Cadence Design Systems (Cadence) for admitted export control violations relating to transfers of semiconductor design hardware and software tools to a restricted Chinese university.

This resolution signals that the US government is continuing to focus on national security risks arising from transfers of sensitive technologies to adversary nations. As the first corporate criminal plea following DOJ's March 2024 revised NSD Enforcement Policy for Business Organizations (NSD Enforcement Policy), the case demonstrates that companies involved with US technology transfers to certain countries, particularly China, should be prepared to navigate an aggressive regulatory enforcement environment.

Cadence's Conduct and Settlement

On July 28, DOJ's National Security Division (NSD) and the US Attorney for the Northern District of California announced that Cadence had agreed to plead guilty to export control violations relating to semiconductor design hardware and software tools transferred to a restricted Chinese university. At the same time, the Department of Commerce's Bureau of Industry and Security (BIS) announced a parallel civil enforcement action for the same conduct. The combined criminal and civil penalties, after negotiated credits, totaled more than $140 million.

In the plea agreement, Cadence admitted to engaging in transactions with China's National University of Defense Technology (NUDT), directly and through affiliates, between 2015 and 2020 involving items valued at more than $45 million. NUDT has been restricted under the BIS's Entity List since February 2015 due to the US government's findings that NUDT used US components to produce semiconductors that support China's nuclear weapons program and other military uses.

The plea agreement highlighted aggravating factors in the matter, such as the sensitive nature of the items and technologies at issue and knowledge of the violative conduct by Cadence through its subsidiaries. The agreement also identified mitigating factors, such as the company's implementation of remedial measures, including adding export control compliance personnel, improving internal compliance programs, formalizing its export compliance training program, and enhancing export control compliance screening procedures.

Notably, in addition to three years of ongoing reporting to DOJ regarding remediation steps and prospective compliance program implementation, the plea agreement specifies the following central compliance program elements and standards for the company's export compliance program:

  • Obtaining high-level commitment from directors and senior management to provide support to the compliance program
  • Developing and promulgating clear and visible policies and procedures addressing specific categories such as customer onboarding, know your customer and due diligence procedures, and periodic customer reviews for export and sanctions risk, among other requirements
  • Conducting periodic risk-based reviews of the compliance programs and the compliance policies and procedures, annually
  • Assigning senior corporate executives to oversee the compliance program
  • Implementing periodic training and certification of completion of training requirements
  • Implementing internal reporting (whistleblowing) and investigation procedures
  • Establishing enforcement mechanisms and internal disciplinary measures for violations
  • Conducting risk-based due diligence reviews for mergers and acquisitions
  • Periodically benchmarking and testing compliance practices against evolving industry standards

These requirements elaborate upon the general compliance program guidelines, which contemplate a risk-based approach subject to discretion in implementation to reflect the entity's size, sophistication and business practices. The agreement thus helps clarify the government's expectations for companies of similar size, sophistication and industry sensitivity, although further general lessons can be drawn from the Cadence enforcement action, as discussed below.

Implications

This case underscores the government's resolve to investigate and prosecute companies that pose risks to US national security by violating export control laws and regulations designed to prevent the flow of sensitive technology to adversary nations. The steep penalties, together with prospective compliance program requirements, are a clear signal that DOJ and Commerce remain committed to continuing their joint efforts to hold accountable those companies that commit national security-related export violations.

Export control remains an area of significant bipartisan consensus in Congress, and the Trump Administration appears prepared to continue its efforts to limit Chinese access to sensitive technologies, such as semiconductors and advanced computing technologies suited for artificial intelligence, which appear likely to remain priority areas for enforcement. Companies operating within these sectors should take a heightened posture of risk mitigation and compliance operations. Specifically, companies should consider:

  • Strong risk-based compliance programs. A strong compliance program is multi-pronged and relies on policies and procedures that are tested, audited and reviewed on a periodic basis to ensure that the program works and evolves with restrictions that are promulgated. A parent company's policies and procedures should also extend to its foreign subsidiaries or delineate when the policies and procedures may differ for a foreign subsidiary, and what such differences may be.
  • Enhanced screening measures. Screening and due diligence should be conducted at all levels of business operations, including screening customers, suppliers and users. Screening should be conducted against all relevant restricted lists, including the Office of Foreign Assets Control and BIS lists, the Uyghur Forced Labor Prevention Act (UFLPA) list, and others. Additionally, screening a name alone may not be enough. In some instances, regulators match to restricted parties by physical or IP address, which creates new due diligence burdens. The burden of the "reasonable due diligence" standard is likely to continue shifting.
  • Voluntary self-disclosure and cooperation. As discussed in our prior Client Alert, the existence (or absence) of a timely voluntary self-disclosure (VSD) mechanism is likely to be a key element and factor for consideration in any regulator enforcement action. Government agencies are also growing increasingly communicative across agencies; so if one regulator is aware of a matter, there is a high likelihood that other regulators are also aware of the issue. Preemptively addressing potentially violative conduct—or even engaging in an internal investigation to determine whether a violation has occurred before considering VSD—will be a key factor in mitigating any potential enforcement action if a violation is ultimately found.
  • Contract provisions that address export control risks. To a certain extent, some risk can be mitigated through appropriate contractual provisions that address export control risks through required due diligence or through representations of compliance with applicable law. Companies can require that counterparties in their business operations (whether as a customer, supplier or user) engage in a certain level of due diligence, such as for third-party vendors, to reduce the likelihood of inadvertent violative conduct. Furthermore, if a relationship is deemed a higher risk, a company should consider seeking attestations, representations or warranties to mitigate that risk.

A strong risk-based compliance program will help companies prevent inadvertent or intentional actions by employees from causing national security regulatory violations and provide a solid foundation for an appropriate internal investigation and a possible VSD if a potential violation is discovered. Now is the time to promote a robust export control compliance program.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
