US Congress Extends Statute of Limitations for Sanctions and Export Controls

On April 24, 2024, President Biden signed into law H.R. 815, the National Security Supplemental (the “Act”).¹ While much of the focus centered on the foreign aid package for Israel, Ukraine, and the Indo-Pacific, the bill contains a highly consequential provision that extends the statute of limitations under the International Emergency Economic Powers Act (“IEEPA”) and the Trading with the Enemy Act (“TWEA”). IEEPA is the statutory authority underpinning the US sanctions regime and grants authority to the US Department of Treasury’s Office of Foreign Assets Control (“OFAC”) and the US Department of Commerce’s Bureau of Industry and Security (“BIS”) to administer and enforce US sanctions programs, while TWEA grants authority for the OFAC Cuba sanctions program.

In addition, the Act impacts programs administered by the Department of Commerce that are authorized under IEEPA, including the Information and Communications Technology and Services (“ICTS”) program overseen by BIS.² The ICTS program has broad authority to prohibit or impose mitigation measures on any ICTS transaction subject to US jurisdiction that poses undue or unacceptable risks to the United States. The ICTS program also includes regulations that are in the rulemaking process stage, including proposed regulations that would require US Infrastructure as a Service (“IaaS”) providers to verify the identity of their foreign customers as well as authorize special measures to deter foreign malicious cyber actors' use of US IaaS products.³

Effective April 24, 2024, the Act doubles the statute of limitations under both Section 206 of IEEPA⁴ and Section 16 of TWEA,⁵ increasing it from five years to 10 years from the latest date of the violation, impacting those engaged in activities controlled under US sanctions and export controls as well as other programs authorized under IEEPA. The Act does not address how the extension of the statute of limitations will be applied for investigations initiated prior to its enactment.

Key Takeaways

The Act will impact businesses required to comply with US sanctions and export control laws in a number of ways.

• First, this change increases company exposure to liability as regulatory enforcement agencies now have twice the time in which to identify potential violations and issue penalties. As a result, lookbacks in internal investigations for violations of sanctions or other regulations based on IEEPA authority will need to expand their scope from five to 10 years.
• Second, businesses will need to reassess their recordkeeping policies and procedures to ensure adequate retention of records and documentation, considering the new 10-year limitations under the Act.
• Finally, in the context of acquisitions, businesses can expect expansion of the scope of M&A due diligence with respect to sanctions compliance given the increased successor liability exposure resulting from a longer statute of limitations. This will also result in updates to standard historical compliance representations to reflect the extended statutory period.

---

¹ National Security Supplemental, H.R. 815, 118th Cong. Sec. 3111.

² Office of Information and Communications Technology and Services (OICTS), U.S. Department of Commerce, https://www.bis.doc.gov/index.php/oicts.

³ 89 Fed. Reg. 5698 (Jan. 29, 2024), https://www.federalregister.gov/documents/2024/01/29/2024-01580/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious. For additional information, please see our Legal Update on the IaaS proposed rulemaking.

⁴ Penalties. 50 U.S.C. 1705.

⁵ Offenses; punishment; forfeitures of property. 50 U.S.C. 4315.