In what amounts to a material expansion of its existing sanctions program arising out of the conflict in the Democratic Republic of the Congo (“DRC”), on March 2, 2026, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced sanctions against the Rwanda Defence Force (“RDF”)—an organization described by OFAC as Rwanda’s military—along with four senior RDF officials. According to Treasury, the RDF has been “supporting, training, and fighting alongside” M23, an armed group already designated by both the United States and United Nations and operating in the eastern DRC. Treasury tied the action  to alleged violations of the “Washington Accords for Peace and Prosperity,” including a recent M23 offensive that resulted in the capture of the city of Uvira in eastern DRC.

Under this blocking action, all property and interests in property of the RDF and the designated officials that are in the United States, or in the possession or control of U.S. persons, are blocked and must be reported to OFAC. U.S. persons are generally prohibited from engaging in transactions or dealings with the designated parties unless authorized by OFAC.

OFAC’s “50 Percent Rule” also applies to entities owned, directly or indirectly, 50% or more– individually or in the aggregate– by one or more blocked persons, even if not separately identified on OFAC’s Specially Designated Nationals (“SDN”) List.  

Also on March, 2, 2026, OFAC issued Treasury’s General License No. 1 under the DRC Sanctions Regulations (31 CFR part 547). The General License authorizes transactions that are ordinarily incident and necessary to wind down pre-existing dealings involving the RDF, and any entity owned 50 percent or more by the RDF, through April 1, 2026.  The authorization is limited and it does not permit the initiation of new business, nor does it unfreeze blocked property.  Any payments involving a blocked person must be placed into a blocked account.  The General License also does not authorize transactions with any other persons blocked under the DRC program (or any other otherwise-prohibited conduct) unless separately authorized.

These actions build on Treasury’s February 20, 2025 designations of James Kabarebe and Lawrence Kanyuka Kingston, along with two associated companies registered in the United Kingdom and France. The March 2026 designations reflect a continued expansion of Treasury’s focus from individual actors to state-affiliated institutions alleged to be supporting destabilizing activities in the DRC.

Practically, companies with operations, counterparties, or financial flows connected to Rwanda, or the DRC region, particularly those with potential connections to regional military or defense sector or supply chains, should treat this development as an immediate compliance priority. In particular, businesses involved in regional logistics, extractive industries, commodities trading, defense-related activities or financial services should consider:

  • Conducting enhanced screening of counterparties and beneficial owners;
  • Reviewing existing contracts for potential RDF nexus;
  • Assessing whether wind-down activity is required before April 1, 2026; and
  • Confirming that any required blocking and reporting procedures are implemented.

Crowell & Moring will continue to monitor developments related to sanctions enforcement actions and their potential impact to industry.

On February 26, 2026, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) reached an administrative enforcement settlement with Teledyne FLIR LLC and its affiliates FLIR Optoelectronic Technology (Shanghai) Co. Ltd. and Teledyne FLIR Commercial Systems, Inc. d/b/a Teledyne FLIR OEM, (together, “Teledyne FLIR”), imposing a $1,000,000 civil penalty to resolve alleged violations of the Export Administration Regulations (“EAR”).

According to BIS, Teledyne FLIR voluntarily self-disclosed 19 alleged violations between 2017 and 2024 tied to exports, reexports, and related conduct involving thermal imaging cameras under export control classification numbers (“ECCN”) 6A003 and 6A993.a. The penalties broke into four types of violations:

  • Causation: BIS alleged that Teledyne FLIR caused nine exports from abroad of ECCN 6A003 thermal imaging cameras from a Swedish affiliate to China without required BIS authorization, based in part on incorrect calculations under the EAR’s de minimis rule in 15 C.F.R. Part 734.
  • Evasion: BIS alleged an evasion-related fact pattern involving a 2018 collaboration with a Chinese drone manufacturer concerning the Zenmuse XT2, a project involving the integration of a FLIR camera for use with civilian drones. This evasion scheme consisted of a pricing structure that BIS alleged was designed to keep U.S.-controlled content below the de minimis threshold and did not reflect the fair market value of the items.
  • Failure to Keep Records: BIS alleged failures to comply with license-condition recordkeeping requirements for certain demonstrations by the Shanghai affiliate.
  • Exports to Entity List Address: BIS alleged eight unlicensed exports of ECCN 6A993.a thermal cameras to company included on the Entity List for being an “address only” company (i.e., part of a shell company). Under EAR § 744.16, a license was required for exports of any items listed on the Commerce Control List.

This action is a useful reminder that conducting a “de minimis” analysis is not a box-checking exercise and can be more complicated that it seems. When you assess the valuation of the controlled U.S.-origin item, it should reflect the fair market value of that item when it was exported from the United States and account for items customarily included (and actually shipped) with the controlled U.S.-origin item. BIS can view any attempts to “engineer” pricing to fall below the applicable de minimis thresholds as an evasion violation.

The settlement also underscores that exporters should not rely solely on name-based denied-party screening; address-only Entity List entries require address-level controls and, often, manual review. Companies should be sure that their screening providers both screen for these address-only Entity List entries and that their algorithms and fuzzy logic appropriately capture those addresses.

Lastly, the settlement is a good reminder that companies should be mindful of all license requirements and have in place disciplined recordkeeping processes when authorizations are obtained. Without these controls, U.S. export violations can quickly multiply.

Crowell & Moring will continue to monitor developments related to export control enforcement actions and their potential impact to industry.

On February 9, 2026, the U.S. Department of the Treasury’s (Treasury) Office of Investment Security (OIS) published a request for information (RFI) seeking public comments on how the Committee on Foreign Investment in the United States (CFIUS) might streamline its foreign investment review process, including through the Known Investor Program (KIP). The RFI requests feedback on (1) proposed eligibility criteria and a draft questionnaire for the KIP, including certain defined terms, and (2) other ways that CFIUS and transaction parties can streamline aspects of the foreign investment review process. Written comments are due March 18, 2026.

Click here to continue reading the full version of this alert.

On February 6, 2026, the U.S. Department of Treasury’s Office of Foreign Assets Controls (OFAC) announced the launch of a new online Voluntary Self-Disclosure (VSD) Portal (the “New Portal”) intended to replace and reduce reliance on ad hoc submission methods with a more secure channel for reporting to OFAC potential sanctions violations. OFAC states that moving disclosures into the New Portal should improve process visibility for disclosing parties, including faster acknowledgment and clearer communication during OFAC’s review. Of note, “OFAC strongly encourages parties to begin submitting voluntary self-disclosures through” the New Portal.

From a submission mechanics standpoint, the New Portal’s form is designed to be completed in roughly 30 minutes and asks for core identifying information for the disclosing party and a primary correspondent (for example, if an entity or individual is represented by counsel), plus supporting documentation uploads.  The New Portal limits uploads to 15 files, restricts file size to no larger than 30 megabytes (MB), and accepts only certain common formats (.PDF, .DOC, .DOCX, .XLS, .XLSX, .JPEG, .JPG or .PNG). Previously, there was a 150 MB maximum, with a maximum of 50 MB per email, before OFAC required submitting through a large file transfer system. As before, the New Portal requires optical character recognition (OCR) on all PDFs prior to submission.

For extensive or document-intensive submissions, OFAC requests that submitters continue to use OFAC’s Production Submission Standards, which cover package organization, sequential pagination, Excel-compatible spreadsheets, and transmission protocols, including secure transfers with ID.me authentication. Compliance with these standards may factor into OFAC’s evaluation of cooperation.

The New Portal is a reminder that OFAC’s current Economic Sanctions Enforcement Guidelines (the “Guidelines”) explicitly note that a qualifying VSD is treated as a mitigating factor in any penalty assessment. In addition, where OFAC determines a civil monetary penalty is warranted, a qualifying VSD can result in a 50 percent reduction in the maximum possible penalty (with the precise calculation mechanics depending on whether OFAC treats the case as egregious or non-egregious), provided the VSD meets the criteria in the Guidelines. As we have previously noted, organizations that promptly report potential violations to OFAC may receive reduced penalties or even avoid enforcement altogether.

Crowell & Moring LLP regularly advises U.S. and foreign companies on VSDs to OFAC and related investigations. Please contact the authors regarding questions about VSDs or the New Portal.

On January 21, 2026, U.S. Customs and Border Protection (“CBP”) announced that its Forced Labor Portal is now live. This new online portal provides a single, centralized platform for importers to submit requests for review when their shipments are detained or excluded due to forced labor enforcement actions. By consolidating what was previously a patchwork of email and paper submission processes, the portal is intended to streamline communications and ensure that all forced labor-related documentation reaches the appropriate CBP officials for timely review.

Effective immediately, use of the Forced Labor Portal is mandatory for importers seeking to challenge or obtain exceptions for shipments held under U.S. forced labor laws. This includes filing admissibility review requests for goods detained under Withhold Release Orders (“WROs”) or forced labor findings, as well as review and exception requests related to the Uyghur Forced Labor Prevention Act (“UFLPA”) and other forced labor sanctions.

From a compliance and litigation standpoint, the Forced Labor Portal helps formalize CBP’s administrative record for forced labor enforcement actions. Information submitted through the portal is expected to form the basis of CBP’s admissibility determinations and may be relevant in subsequent administrative protests or judicial review before the U.S. Court of International Trade. As a result, the accuracy, timing, and completeness of portal submissions carry heightened legal significance.

Importers should be mindful of compressed administrative and statutory timelines, particularly for UFLPA detentions, which generally provide a shorter window to submit rebuttal evidence than traditional WRO cases. Companies should ensure that internal procedures and document retention practices are aligned with the portal’s submission requirements.

CBP has published a Quick Reference Guide and an instructional video on its website to assist users with the transition to the portal.

Crowell & Moring LLP continues to monitor developments in forced labor prevention enforcement, including CBP’s implementation of the Forced Labor Portal, and its impact on industry.

On January 29th, 2026 U.S. Customs and Border Protection announced a Withhold Release Order on all shipments of coffee harvested by Finca Monte Grande, a Mexican coffee farm in Chiapas, Mexico. Effectively immediately CBP will detain all shipments of coffee harvested by Finca Monte Grande at any U.S. Port of Entry for probable forced labor violations.

As a result of CBP investigation into the Finca Monte Grande plantation, evidence demonstrates that workers are subject to 6 of the 11 indicators of forced labor including:

  • Abusive Working and Living Conditions
  • Abuse of Vulnerability
  • Debt Bondage
  • Excessive Overtime
  • Retention of Identify Documents
  • Withholding of Wages

Under 19 U.S.C. § 1307, any good that is produced wholly or in part with forced labor is prohibited from entering the United States and if violations are found, goods are subject to detention and seizure at the time of importation. A 2024 US Department of Labor report found that multiple industries in Mexico engage in child labor and forced labor violations with the agricultural sector being the largest risk. These affected commodities include coffee, melons, sugarcane and other agricultural products.

This is the first issued WRO in 2026 and emphasizes the importance of supply chain tracing by importers to ensure compliance with US regulations, avoiding unnecessary disruptions and costly delays. For more information on implementing due diligence and supply chain management, please feel free to reach out to Crowell & Moring for assistance.

From Wednesday, 28 January 2026, the UK Sanctions List (“UKSL”), published by the Foreign, Commonwealth and Development Office, will act as the sole source of UK sanctions designations made under the Sanctions and Anti-Money Laundering Act 2018 (“SAMLA”). OFSI’s Consolidated List of Asset Freeze Targets (the “OFSI List”) and its search tool will not be updated beyond 28 January 2026.

The move to a single sanctions list is intended to simplify how businesses and individuals subject to sanction designations are identified, without altering sanctions scope or business obligations under UK law. The format of the UKSL will remain unchanged. This transition is a direct result of industry feedback received during a 2025 cross-government review, with an emphasis on removing the need to cross-reference multiple sources in hopes of reducing the risk of non-compliance.

Businesses should ensure that any internal systems which draw on the data from the OFSI List now draw from the UKSL. The UKSL will continue to be updated, and will be available in seven data formats.

In addition to these changes, any newly designated persons (DPs) subject to financial sanctions will no longer be assigned an OFSI Group ID; instead they will only have a Unique ID as an identifier. All UKSL formats will retain the historic OFSI Group ID data, meaning any historic Group IDs will continue to be valid for use.

On January 21, 2026, the U.S. Office of Foreign Assets Control (OFAC) announced the removal of Greek maritime company Altomare SA and its vessel, Kallista, from the Specially Designated Nationals and Blocked Persons Lists (SDN List).

OFAC originally designated Altomare SA and Kallista in November 2025 as part of a counter terrorism sanctions action targeting Iran’s “shadow fleet” and associated networks. OFAC alleged that Kallista had transported nearly four million barrels of Iranian oil on behalf of Sepehr Energy Jahan, a U.S.-sanctioned entity, between January and February 2025. Altomare SA publicly challenged OFAC’s allegations and sought review of the designation.

While OFAC never publicly comments on the reason for a delisting, Altomare SA stated that the company was the victim of maritime identity theft. It asserted that a U.S.-sanctioned vessel (Limas) posed as Kallista while trading to Iran, using fake AIS tracking signals and forged documents. OFAC did not confirm whether this information was the reason for OFAC’s decision to delist Altomare SA and Kallista.

This development underscores the increasing sophistication of sanctions evasion tactics, including spoofing and documentation fraud, particularly with respect to sanctioned vessels. Companies engaged in maritime trade should continue to closely monitor vessel activity (e.g., their AIS data, whether the timelines of their shipments make sense, whether the ports visited make sense), check for adverse information, and conduct due diligence screenings regularly. The delisting also highlights the value of prompt engagement and transparent communication with OFAC when parties believe they have been misidentified or otherwise designated based on inaccurate information.

Crowell & Moring will continue to monitor developments related to sanctions and their potential impact to industry.

On January 12, 2026, the U.S. House of Representatives overwhelming passed (369-22) the Remote Access Security Act, modernizing U.S. export controls to address foreign adversaries’ remote access to controlled technologies through cloud computing services.  

Currently, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) does not consider the provision of cloud computing services to be exports. If passed into law, the bill (H.R. 2683) would modify the Export Control Reform Act of 2018 to authorize BIS to regulate the remote access of items, in addition to the export, reexport, and transfer of items, as well as issue licenses and impose penalties related to remote access of export controlled items.

The bill, sponsored by Rep. Michael Lawler (R-NY-17), directly responds to concerns that Chinese entities have exploited cloud services to evade U.S. export controls on advanced semiconductors and AI technologies by accessing computing power remotely through offshore data centers. It would apply U.S. export control restrictions to remote access and cloud-based exposure of controlled items—including advanced AI chips and semiconductors. In addition, the bill could significantly disrupt cloud computing companies’ compliance operations, which have been based on the understanding that the provision of cloud computing power does not qualify as an export for nearly twenty years.

The Remote Access Security Act would not become law until passage in the Senate and signature by the President. Senators David McCormick (R-PA), Ron Wyden (D-OR), Tom Cotton (R-AR), and Chris Coons (D-DE) and the sponsors and cosponsors of the Senate version (S. 3519).

Key Takeaways

  • Companies should expect increased regulatory scrutiny of cloud service arrangements involving foreign users, particularly those with potential ties to China. Enhanced due diligence, customer verification, and transaction-level documentation procedures will be necessary for compliance.
  • The policy implications of this bill extend beyond traditional hardware manufacturers to cloud service providers, data center operators, and technology platforms offering remote computing capabilities.

On January 7, 2026, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) imposed a $1.5 million civil penalty on Exyte Management GmbH (“Exyte”), a Germany- headquartered engineering and procurement company, after its Shanghai affiliate Exyte Shanghai Ltd., (“Exyte China”) admitted to illegally causing the transfer of approximately $2.8 million in EAR-subject semiconductor equipment to Semiconductor Manufacturing International Corp. (“SMIC”), China’s largest chip manufacturer. BIS designated SMIC on the Entity List in 2020, resulting in the prohibition of the export, reexport, and transfer of all items subject to the Export Administration Regulations (EAR) to SMIC without specific authorization. Exyte must pay the penalty within 75 days to maintain its BIS export privileges.

The settlement continues an ongoing theme by BIS to enforce provisions of the EAR that prohibit activities other than exports, reexports, or transfers. Here, each of the violations were due to Exyte China “causing” another violation of the EAR, a penalty more akin to what is typical in a U.S. Department of the Treasury Office of Foreign Assets Control (“OFAC”) settlement. It also reflects a continued focus on transactions that involve companies that are listed on the Entity List and on transactions that involve sensitive technologies, including semiconductors.

Between March 2021 and March 2022, Exyte China facilitated 13 in-country transfers totaling 884 items, including voltage sag protectors, programmable logic controllers, flowmeters, and pressure transmitters from Chinese suppliers to SMIC. All items were classified as EAR99 and used in chip fabrication facilities. Despite knowing the items were destined for SMIC, Exyte failed to recognize that an export license was required.

BIS cited Exyte’s “inadequate corporate compliance controls” as the root cause, noting the company “did not appreciate” that EAR licensing requirements applied to in-country transfers from Chinese distributors to Entity List customers. Exyte’s voluntary self-disclosure after discovering the violations influenced the settlement outcome.

This action highlights a critical compliance gap: in-country transfers within China remain subject to the EAR when U.S.-controlled items are destined for Entity List parties, even absent cross-border movement. Companies using local affiliates or distributors in China must ensure their compliance programs capture downstream transfers to restricted end users as BIS continues expanding Entity List designations in the semiconductor sector.