A theme runs through every BIS and OFAC settlement worth reading. The company that got hit did not think the rule applied to them. Not because they were sloppy. Because export law has a long list of liabilities that attach to your business without you signing up for them, without you shipping today, and without you knowing they exist.
Here are five that an SMB exporter is already carrying right now.
OFAC strict liability. Intent is not required.
Most laws you grew up with require some form of intent. You meant to do the thing, or at minimum you should have known. OFAC sanctions do not work that way.
OFAC operates on strict civil liability. If a prohibited transaction touched your business (a wire to the wrong party, a sale that flowed downstream to a sanctioned end user, or a payment processor that routed through a designated bank), you are liable. "We did not know" is not a defense. It is a mitigating factor at most.
The OFAC statute of limitations was recently extended from five years to ten years. A questionable transaction from 2022 is live until 2032.
Reexport liability. U.S. goods stay U.S.-controlled.
When your product leaves your dock, U.S. export jurisdiction does not leave with it.
The EAR follows U.S.-origin items wherever they go. If your German distributor resells your part to a buyer in Iran, you can still be on the hook for not having reexport controls in your distribution agreement, for not having flow-down screening obligations, and for not auditing the channel.
The same logic applies to your foreign subsidiary, your overseas service center, and the contract manufacturer who finishes your parts in Mexico. U.S.-origin tech traveling through three sets of hands is still U.S.-controlled tech.
The de minimis rule. Your foreign partner's product can be your problem.
Here is the one almost nobody outside the regulated industries knows.
A product made in another country, by a company that is not yours, can still be subject to the EAR if it contains more than a threshold amount of U.S.-origin controlled content. The rule lives at 15 CFR 734.4. There are two thresholds and several "no de minimis allowed" carve-outs.
The 10 percent threshold applies worldwide, including the most restricted destinations. If a foreign-made item contains 10 percent or less U.S.-origin controlled content by value, the EAR does not reach it anywhere.
The 25 percent threshold applies everywhere except Country Groups E:1 and E:2, which today cover Cuba, Iran, North Korea, and Syria. For the rest of the world, a foreign-made item containing 25 percent or less U.S.-origin controlled content is outside the EAR.
For specific technologies and destinations, there is no de minimis level at all. Some advanced semiconductor and encryption items, certain 600-series and 9x515 items destined for Country Group D:5, and a handful of other categories at 15 CFR 734.4(a) carry no threshold. Any U.S. content puts the item under the EAR.
Practical version: if a foreign company is building something using your U.S.-origin component, software, or design, they are operating under U.S. export rules whether they realize it or not. And if they violate, you, the U.S. supplier who handed them the input, can find yourself in BIS's reading of the file.
Your insurance will not cover the fine.
Most owners assume their commercial general liability, professional liability, E&O, cyber, or umbrella policy covers regulatory exposure. They almost universally do not.
Standard policy language excludes fines and penalties imposed by a governmental authority. OFAC and BIS penalties are exactly that. Standard language also excludes intentional acts and acts in violation of law. Even strict-liability violations sometimes get reclassified into those exclusions by insurers looking for an out.
There are specialty trade-credit and export-compliance policies that can cover some of this, but they require disclosure, they require an existing compliance program, and they are not what most SMB shops are carrying. Before you assume your broker has you covered, ask them in writing. The answer will usually be no.
Personal liability. The corporate veil is thinner here.
In most commercial law, a properly maintained LLC or corporation shields the owner from individual liability. Export law is one of the places where that shield is weakest.
Officers, owners, and signatories can be individually fined under both IEEPA (the statute behind most OFAC actions) and ECRA (behind most BIS actions). For willful violations, criminal exposure under both statutes includes prison time of up to twenty years.
You do not have to be the CEO. The compliance person who signed the Shipper's Letter of Instruction can be named. The engineer who emailed the file can be named. In settled cases, BIS has imposed personal denial orders, meaning the individual cannot be involved in any U.S. export activity for years, for any employer.
The through-line. Recordkeeping is the only thing that scales across all five.
Every one of these liabilities has the same defense, and it is not "we have good people" or "we use a freight forwarder." It is 15 CFR 762, the EAR's recordkeeping rule, with the five-year retention at 15 CFR 762.6.
Five years of records. Every classification decision, every screening result, every license determination, every denied-party hit, with the name of the human who signed off and the regulation they cited. If an OFAC subpoena arrives in 2030 about a 2026 transaction, the question is not whether you remember the deal. It is whether you can produce the memo.
That is the part of compliance ExChek is built to make trivial. Every determination it walks you through produces an audit-ready, timestamped, citation-bearing memo with you as the reviewer. Run an item, screen a party, check a destination, and at the end of it the record exists. In five years it will still exist.
What to do this week
Ask your broker, in writing, whether your current policies cover OFAC and BIS regulatory penalties. Save the answer.
Pull one transaction from the last six months and ask: could I produce the recordkeeping file BIS would want?
Run one item through ExChek and see what the memo looks like at exchek.us. Free, no card.
Want a thirty-minute walkthrough for your team? Book a call.
You do not have to outrun export law. You just have to leave a paper trail it can read.
The ExChek Team
ExChek is software, not legal advice. Every determination is reviewed and approved by you. American-owned, built to help American SMBs navigate export compliance.