Office of Foreign Assets Control Publishes Cyber-Related General License 1
U.S. Companies May Again Submit Encryption Approvals to Import Commercial Information Security Products and Software into the Russian Federation
The Department of the Treasury's Office of Foreign Assets Control (OFAC) published Cyber-Related General License 1 as part of the Cyber-Related Sanctions Regulations in Title 31 C.F.R. 758. The issuance of this General License is critical for U.S. companies that market computers, software, telecommunications devices and similar products in the Russian Federation, as it allows U.S. persons to submit encryption notification requests and import license applications to Russia’s Federal Security Service (a.k.a. FSB), which are required under Russian law, without violating the U.S. cyber-related sanctions on Russia.
As we reported previously, in December 2016, the Obama Administration implemented new cyber-related sanctions on Russia under Executive Order 13964 in response to Russia’s cyber activities that were intended to influence the U.S. presidential election. Eleven (11) Russian intelligence agencies, individual intelligence officers and companies were specifically sanctioned, including Russia’s Federal Security Service (Federalnaya Sluzhba Bezopasnosti or FSB). The sanctioned individuals and entities were added to OFAC’s Specially Designated Nationals (SDN) List—U.S. persons are prohibited from dealing with Specially Designated Nationals (SDNs), or any company that is owned or controlled by listed SDNs, without prior authorization from OFAC. In addition, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) added the FSB and others to the Entity List. U.S. persons are prohibited from exporting or reexporting goods, software and technology (or engaging in in-country transfers of items) that are subject to the Export Administration Regulations (EAR) to individuals or entities designated on the Entity List without prior authorization from the BIS.
The inclusion of the FSB on the SDN List in particular alarmed many U.S. companies because the FSB is the Russian government agency responsible for handling encryption import notifications and import licenses for products that are exported to and sold in Russia. Under Russian law, all products that contain certain cryptographic features (e.g., many commercial computers, software applications, telecommunications devices, mobile devices, servers, etc.) require prior formal approval from the FSB before they can be imported and distributed. The approval process is accomplished though the FSB’s formal notification and import licensing processes. It appeared that the new cyber-related sanctions on the FSB effectively prohibited U.S. companies from filing notification requests or import license applications with the FSB as such activities could be construed to be “services” that would require prior OFAC Specific License. In addition, under the sanctions, an FSB-issued import license could constitute “property” in which the FSB has an interest—U.S. persons were prohibited from dealing in such “property” without prior OFAC authorization. As a result, many exporters and industry organization began reaching out to OFAC, and both OFAC and the BIS commenced consultations with U.S. industry on the impact of the inclusion of the FSB in the sanctions on U.S. companies.
General License 1, which was issued today by OFAC, seeks to remedy the collateral impact caused by the sanctions imposed on the FSB. OFAC General Licenses are akin to license exceptions or exemptions, and U.S. companies may rely on them as the authorization for a proposed activity or transaction involving a sanctions target without first seeking a Specific License from OFAC.
Under the new General License 1, U.S. companies are authorized to:
Request, receive, utilize, pay for, or deal in licenses, permits, certifications, or notifications issued or registered by the FSB for the importation, distribution, or use of information technology products in the Russian Federation, provided that: (a) the export, reexport, or provision of any goods or technology that are subject to the Export Administration Regulations is licensed or authorized by the BIS; and, (b) the payment of any fees to the FSB for such licenses, permits, certifications, or notifications does not exceed $5,000 in any calendar year;
Comply with law enforcement or administrative actions or investigations involving the FSB; and,
Comply with rules and regulations administered by the FSB.
However, the General License does not authorize: (a) exports, reexports or the provision of goods or technology to the FSB; (b) exports, reexports or the provision of goods, technology or services to the Crimea region of the Ukraine; or, (c) dealing in any blocked property.