A theme runs through every BIS and OFAC settlement worth reading: the company that got hit didn't think the rule applied to them. Not because they were sloppy. Because export law has a long list of liabilities that attach to your business without you signing up for them, without you shipping today, and without you knowing they exist.

Here are five that an SMB exporter is already carrying right now.

1. OFAC strict liability — intent is not required

Most laws you grew up with require some form of intent: you meant to do the thing, or at minimum you should have known. OFAC sanctions don't work that way.

OFAC operates on strict civil liability. If a prohibited transaction touched your business — a wire to the wrong party, a sale that flowed downstream to a sanctioned end user, a payment processor that routed through a designated bank — you're liable. "We didn't know" is not a defense. It's a mitigating factor at most.

The lookback runs five years. A questionable transaction from 2022 is still live in 2027.

2. Reexport liability — U.S. goods stay U.S.-controlled

When your product leaves your dock, U.S. export jurisdiction does not leave with it.

The EAR follows U.S.-origin items wherever they go. If your German distributor resells your part to a buyer in Iran, you can still be on the hook — for not having reexport controls in your distribution agreement, for not having flow-down screening obligations, for not auditing the channel.

The same logic applies to your foreign subsidiary, your overseas service center, and the contract manufacturer who finishes your parts in Mexico. U.S.-origin tech traveling through three sets of hands is still U.S.-controlled tech.

3. The de minimis rule — your foreign partner's product can be your problem

Here's the one almost nobody outside the regulated industries knows.

A product made in another country, by a company that isn't yours, can still be subject to the EAR if it contains more than a threshold amount of U.S.-origin controlled content. The default threshold is 25% by value. For some destinations, it drops to 10%, and for some technologies it's 0% — no U.S. content allowed at all.

Practical version: if a foreign company is building something using your U.S.-origin component, software, or design, they are operating under U.S. export rules whether they realize it or not. And if they violate, you — the U.S. supplier who handed them the input — can find yourself in BIS's reading of the file.

4. Your insurance won't cover the fine

Most owners assume their commercial general liability, professional liability, E&O, cyber, or umbrella policy covers regulatory exposure. They almost universally do not.

Standard policy language excludes:

  • Fines and penalties imposed by a governmental authority. OFAC and BIS penalties are exactly that.

  • Intentional acts. Even strict-liability violations sometimes get reclassified into this exclusion by insurers looking for an out.

  • Acts in violation of law. Read: the very thing you'd want coverage for.

There are specialty trade-credit and export-compliance policies that can cover some of this, but they require disclosure, they require an existing compliance program, and they are not what most SMB shops are carrying. Before you assume your broker has you covered here, ask them in writing. The answer will usually be no.

5. Personal liability — the corporate veil is thinner here

In most commercial law, a properly maintained LLC or corporation shields the owner from individual liability. Export law is one of the places where that shield is weakest.

Officers, owners, and signatories can be individually fined under both the IEEPA (the statute behind most OFAC actions) and the ECRA (behind most BIS actions). For willful violations, criminal exposure includes prison time of up to 20 years.

You don't have to be the CEO. The compliance person who signed the Shipper's Letter of Instruction can be named. The engineer who emailed the file can be named. In settled cases, BIS has imposed personal denial orders — meaning the individual cannot be involved in any U.S. export activity for years, for any employer.

The through-line: recordkeeping is the only thing that scales across all five

Every one of these liabilities has the same defense, and it's not "we have good people" or "we use a freight forwarder." It's 15 CFR 762 — the EAR's recordkeeping rule — and its ITAR equivalent.

Five years of records. Every classification decision, every screening result, every license determination, every denied-party hit, with the name of the human who signed off and the regulation they cited. If an OFAC subpoena arrives in 2030 about a 2026 transaction, the question isn't whether you remember the deal. It's whether you can produce the memo.

That's the part of compliance ExChek is built to make trivial. Every determination it walks you through produces an audit-ready, timestamped, citation-bearing memo with you as the reviewer. Run an item, screen a party, check a destination — and at the end of it, the record exists. In five years it will still exist.

What to do this week

  • Ask your broker, in writing, whether your current policies cover OFAC/BIS regulatory penalties. Save the answer.

  • Pull one transaction from the last six months and ask: could I produce the recordkeeping file BIS would want?

  • Run one item through ExChek and see what the memo looks like: exchek.us — free, no card.

  • Want a 30-minute walkthrough for your team? Book a call

You don't have to outrun export law. You just have to leave a paper trail it can read.

— The ExChek Team

———————————————————————————

ExChek is software, not legal advice. Every determination is reviewed and approved by you. American-owned, built to help American SMBs navigate export compliance.
