Deemed Export: Definition and Use in Compliance

What is Deemed Export?

A deemed export happens when controlled technology, software, or source code is released to a foreign national inside the United States. U.S. law treats that disclosure as an export to the person's country of nationality, subject to the same licensing requirements as a physical shipment. No goods need to move. The release itself triggers the obligation.

The rule appears in two frameworks. The Bureau of Industry and Security (BIS) administers the Export Administration Regulations (EAR) at 15 CFR § 734.13, covering commercial and dual-use goods listed on the Commerce Control List. The Directorate of Defense Trade Controls (DDTC) administers ITAR at 22 CFR § 120.17, covering defense articles and services on the U.S. Munitions List. Both define "release" to include visual inspection of controlled equipment, oral disclosure of technical data, written communication, and application of personal knowledge to a controlled process.

Nationality, not immigration status, determines exposure. A lawful permanent resident from a country subject to export restrictions may still require a validated export license before accessing certain controlled technology. The test is country of birth, not visa status.

Here's a concrete example. A U.S. aerospace firm employs a software engineer who is a national of a country with EAR license requirements for certain Export Control Classification Number (ECCN) categories. That engineer is given access to a code repository containing export-controlled source code. The company has made a deemed export. Without a license or a valid license exception, it's in violation, and any bank financing that firm's contracts carries latent risk.

Financial institutions encounter this most directly in trade finance review and trade-based money laundering investigations. A letter of credit funding a semiconductor sale to a company whose engineers access the controlled technology without licenses may require the bank to have asked about export control compliance. BIS assessed over $1.1 billion in civil penalties across export control violations between 2019 and 2023, with financial intermediaries named in several enforcement actions.

How is Deemed Export Used in Practice?

Trade finance compliance teams apply deemed export analysis at origination and during client refresh reviews.

At origination, the team checks whether the underlying goods carry an ECCN other than EAR99. EAR99 items are effectively uncontrolled and don't require a license for most destinations. Anything with a specific ECCN entry needs a license analysis: What controls apply? What license exceptions might cover the transaction? Does the end-user company employ foreign nationals who would access controlled technology without a license?

We've seen banks struggle most with the workforce dimension. A corporate borrower in the semiconductor or defense space may have a multinational engineering team. Screening the company name and senior officers against restricted party lists, without asking about technology access inside the organization, misses the core deemed export risk.

Periodic review compounds the problem. A client onboarded 18 months ago may have changed materially: new funding rounds, new defense agency contracts, 300 new hires from restricted countries. Calendar-based reviews don't catch it. Trigger-based cycles tied to material events are more effective.

Compliance teams integrate export control questions into Know Your Business (KYB) workflows. The core questions: Does this client produce or handle EAR- or ITAR-controlled goods? Who has access to controlled technology internally? Are export licenses in place and current?

For higher-risk clients, Enhanced Due Diligence (EDD) means reviewing export license copies, technology control plans, and internal training records on export compliance. Where the team identifies a client operating without required licenses, and the unlicensed access involved a sanctioned party, a Suspicious Activity Report (SAR) is appropriate. The SAR narrative should document the ECCN, the nationalities of individuals with access, and the nature of the controlled technology.

Deemed Export in Regulatory Context

Deemed export sits at the intersection of export control law and sanctions compliance. BIS and DDTC administer it. But enforcement consequences converge with financial crime frameworks, especially when a deemed export involves a sanctioned party.

The Export Administration Regulations derive their current statutory authority from the Export Control Reform Act (ECRA) of 2018, which replaced the lapsed Export Administration Act of 1979. ECRA strengthened controls over emerging and foundational technologies, a category BIS continues to expand to include advanced semiconductors, quantum information science, and certain AI applications. Companies in these spaces may find their products now require a license even without a formal ECCN assignment.

Where deemed export intersects with sanctions screening, the analysis sharpens. A foreign national on OFAC's Specially Designated Nationals list who receives access to controlled technology creates simultaneous violations under ITAR or EAR and under the applicable OFAC sanctions program. BIS and OFAC coordinate enforcement in these cases, and penalties from both agencies can apply to the same transaction.

The Financial Action Task Force (FATF) has explicitly connected export control evasion to proliferation financing risk. FATF Recommendation 7 requires countries to implement targeted financial sanctions related to weapons of mass destruction proliferation. The FATF's 2021 guidance on proliferation financing risk assessment and mitigation specifically identifies technology transfers that circumvent export controls as a typology financial institutions are expected to detect and report.

FinCEN and BIS formalized that connection in a joint advisory issued in October 2022, directing financial institutions to identify customers attempting to evade U.S. export controls and to consider filing suspicious activity reports when such indicators appear. Banks that treat export control compliance as separate from financial crime compliance are structurally exposed at exactly that boundary.

Common Challenges and How to Address Them

The hardest part of deemed export compliance isn't knowing the rule exists. It's operationalizing it across a client base where technology access is informal, workforces change quarterly, and the boundary between commercial and controlled technology keeps shifting.

Classification gaps are the most common starting point for enforcement failures. Many companies default to EAR99 because no one has done a formal commodity jurisdiction determination. Banks can't rely on that self-certification. A written ECCN classification opinion from export control counsel, or a formal commodity jurisdiction request to BIS, gives the compliance file something defensible in an exam or enforcement action.

Dynamic workforces create the second gap. A U.S. biotech or semiconductor firm may have 50% foreign national employees at any given time. A compliance team that reviewed the client 18 months ago may have a materially stale picture. Trigger-based refresh cycles tied to M&A activity, new defense agency contracts, or significant hiring from restricted countries are more reliable than annual reviews.

Digital access is the third problem. Deemed exports happen on GitHub, Slack, and shared cloud environments. Companies that don't segment technology access by employee nationality are exposed in ways that don't appear in physical inventory audits. When banks finance those companies, their audit trail should show they asked about logical access controls, not just physical site locations.

The intersection with secondary sanctions is where cases escalate fastest. A foreign national from a country covered by U.S. secondary sanctions who receives access to controlled technology creates layered exposure spanning export control law and OFAC programs. Enforcement in those situations involves multiple agencies, higher penalties, and heightened reputational consequences for any financial institution that processed the transaction.

Building deemed export questions directly into onboarding questionnaires for technology-sector clients is the practical fix. This adds friction at origination. Finding the problem in an exam or enforcement action is far worse.

Related Terms and Concepts

Deemed export is one piece of a larger framework that compliance teams in financial services increasingly need to understand, particularly as technology-intensive industries become central to lending portfolios and sanctions exposure.

Export Control is the parent framework. The EAR and ITAR together cover physical goods, software, and technical data. Deemed export extends that coverage to disclosures made within U.S. borders to foreign nationals, which is the mechanism most often missed in financial crime compliance programs.

Dual-Use Goods are the most common trigger. Semiconductors, encryption software, advanced materials, optical equipment, and certain biological agents all carry Commerce Control List entries because they have both commercial and military applications. When a client's core product falls in one of those categories, deemed export analysis is part of the standard compliance review.

Denied Party Screening and Restricted Party Screening (RPS) are operationally adjacent. Before releasing controlled technology, companies must screen recipients against the BIS Entity List, BIS Denied Persons List, OFAC SDN list, and the State Department Debarment List. For financial institutions, that same screening applies to trade finance counterparties and the companies' key technical staff.

Sanctions Evasion and deemed export violations frequently appear together in enforcement cases. In 2023, BIS and OFAC jointly resolved a case against a U.S.-based technology firm for unlicensed transfers of controlled semiconductors to Chinese state-owned entities. The financial institution that processed the payments was a named party in the settlement.

Proliferation Financing is where deemed export connects to the financial crime framework most directly. Banks that finance transactions enabling prohibited technology transfers to weapons programs face coordinated enforcement from BIS, OFAC, and FinCEN. Compliance programs that treat export control as entirely separate from financial crime compliance are structurally exposed at exactly that boundary. The better approach is a unified risk picture that treats technology transfer risks as financial crime risks when sanctioned parties or weapons programs are involved.