Yesterday afternoon, the U.S. Department of State issued the first of two mandatory reports under the Hong Kong Autonomy Act (HKAA), identifying 10 Hong Kong and mainland China officials as materially contributing to the erosion of Hong Kong’s autonomy (the “Section 5(a) Report”).[1]  Because the same individuals were already designated on the List of Specially Designated and Blocked Persons (“SDN List”) maintained by the U.S. Department of the Treasury, Office of Foreign Assets Control (“OFAC”) on August 7, 2020,[2] the practical effect of the report is limited to setting a deadline of 30 to 60 days for the U.S. administration to issue the second required report under the HKAA identifying foreign financial institutions that knowingly conduct a “significant” transaction with the 10 individuals listed in yesterday’s Section 5(a) Report (the “Section 5(b) Report”).[3]  We discussed the reports required under the HKAA and the potential impact of those reports in our earlier blog post.[4]
Continue Reading State Department Releases Hong Kong Autonomy Act Persons Report, Starts the Clock for Foreign Financial Institutions Report

In the wake of one of the largest reported medical ransomware attacks in U.S. history,[1] the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) issued last week a pair of advisories to assist in efforts to combat the increasing threat of ransomware attacks and related sanctions and anti-money laundering (AML) compliance issues.[2]  Like our blog post last month on the same topic, the advisories highlight the importance of considering the legal risks relating to ransomware payments and confirm that OFAC may pursue enforcement actions against ransomware payments that violate U.S. sanctions.[3]
Continue Reading OFAC and FinCEN Issue Advisories on Cyber Ransom Payments

On September 18, 2020, the U.S. Department of Commerce (Commerce) released for public inspection substantively identical notices[1] specifying the transactions relating to mobile applications TikTok and WeChat to be prohibited pursuant to the executive orders related to both entities issued by President Trump on August 6, 2020 (the TikTok Notice and the WeChat Notice, respectively, and together, the Notices).[2]  Commerce withdrew both Notices before formal publication on September 22, presumably to address uncertainty regarding the effective dates in light of developments in both matters; the TikTok Notice has already been re-issued with revised timing, but negotiations over a possible partial sale of TikTok continue.[3]  The WeChat Notice has yet to be re-issued, possibly as a result of timing uncertainty regarding the preliminary injunction discussed below.[4]
Continue Reading Commerce Provides Clarity on the Potential Scope of the TikTok and WeChat Bans; All Else Remains Murky

On September 15, 2020, the U.S. Department of the Treasury published a final rule (the “Final Rule”) significantly changing the scope of the Committee on Foreign Investment in the United States (“CFIUS”) mandatory notification requirements for foreign investments in U.S. critical technology businesses and expanding it to investments in all industries.  The Final Rule, which

Last month, reports surfaced that fitness technology company Garmin may have made a multimillion dollar payment in response to a ransomware attack with reported links to Evil Corp, a Russian hacking group subject to U.S. sanctions.  This incident and other recent reports of ransomware attacks against large companies highlights that companies should consider potential civil and criminal liability under U.S. sanctions laws when responding to ransomware attacks.
Continue Reading Ransomware and Sanctions Compliance: Considerations for Responses to Attacks

The Court of Appeal confirmed[1] that a borrower under a Tier 2 facility agreement was excused from making payments because of the risk of U.S. secondary sanctions.

The court made it explicitly clear that whether or not non-performance may be excused will depend on the specific words of the affected contract and the wider context.  However, whilst fact sensitive, the decision also makes clear that the English court is likely to consider U.S. secondary sanctions as “mandatory” provisions of law.  
Continue Reading UK Court of Appeal Says Risk of U.S. Secondary Sanctions is a “Mandatory Provision of Law” Excusing Non-Payment

On August 20, 2020, the U.S. Department of Commerce, Bureau of Industry and Security (“BIS”) published a final rule[1] that further tightens restrictions under the Export Administration Regulations (“EAR”) on Huawei Technologies Co., Ltd. and its affiliates designated on the Entity List administered by BIS (“Huawei”) (the “Final Rule”).  The Final Rule: (i) expands the prohibition on providing items manufactured with controlled U.S. technology or software to Huawei to include all items transferred to Huawei or for a Huawei device, whether or not specifically designed by or for Huawei ; (ii) removes most of the Temporary General License (“TGL”) that permitted some transactions involving Huawei, including activities that support existing networks and equipment; and (iii) added 38 non-U.S. affiliates of Huawei to the Entity List.  The Final Rule was published in the Federal Register on August 20, but became effective upon being made available for public inspection on August 17.

In a contemporaneous final rule,[2] BIS clarified that license requirements for entities included on the Entity List apply regardless of the role that the listed entity has in the transaction (i.e., purchaser, intermediate consignee, ultimate consignee or end-user) (the “Entity List Final Rule”).  This clarification applies to all entities on the Entity List, not just Huawei.
Continue Reading BIS Further Tightens Export Restrictions on Huawei

Following completion of a review by the Committee on Foreign Investment in the United States (“CFIUS”), President Trump recently issued an Executive Order requiring ByteDance to, among other things, divest itself of assets and property that enable or support operation of the TikTok application in the United States within 90 days (the “CFIUS Order”).  This was not an unexpected outcome.  We previously reported on the unusual nature of CFIUS’s review here.  The week before, President Trump issued a different Executive Order authorizing the Commerce Department to prohibit transactions involving a U.S. person or within the jurisdiction of the United States with ByteDance (the “Commerce Order”), with details of the restrictions to come in 45 days.  We previously reported on the Commerce Order here.  According to press reports, negotiations for a possible acquisition of TikTok continue, and it remains to be seen whether those restrictions will come to fruition and on what timetable.
Continue Reading President Trump Orders TikTok Divestment; Sweeping Order Appears to Indicate a Broadening of CFIUS’s Jurisdiction

Last night, President Trump issued two Executive Orders establishing a framework for prohibiting transactions involving popular Chinese-owned communications apps WeChat and TikTok.[1]  Contrary to some press reports, the Executive Orders do not prohibit all transactions with their respective parent companies; they do not in fact set out the scope of the restrictions.  Rather, they give the Commerce Department authority to prohibit any transaction involving a U.S. person or within the jurisdiction of the United States involving the two services; each of the Executive Orders clearly states “45 days after the date of this order, the Secretary shall identify the transactions subject to subsection (a) of this section [which contains the broad authority to prohibit].”[2]  Furthermore, the scope of Commerce’s authority is subtly (and no doubt intentionally) different in the two Executive Orders: with respect to TikTok, the authority covers any transaction with ByteDance, TikTok’s parent; with respect to WeChat, the authority covers any transaction relating to WeChat involving its parent, Tencent Holding.  Commerce will, within 45 days, take further action specifying exactly which transactions will be prohibited; it is even possible, particularly with respect to TikTok if the mooted divestiture of U.S. operations occurs, that no restrictions will be imposed.[3]  Unless and until Commerce implements the Executive Orders, no restrictions are in place and their precise future scope is unknown.
Continue Reading President Trump Authorizes Restrictions on WeChat and TikTok; Details to Come

Initial press reports last November that the Committee on Foreign Investment in the United States (CFIUS) had commenced a review of ByteDance’s acquisition of Musical.ly, the service that was merged into ByteDance’s video-sharing site TikTok and helped fuel its expansion, were not particularly surprising to those familiar with CFIUS and its concerns.  However, recent departures from established CFIUS processes in the TikTok matter are striking and concerning for persons engaging in cross-border transactions involving the United States, calling into question the scope, apolitical nature, confidentiality, and security focus of the CFIUS process.
Continue Reading TikTok: Familiar Issues, Unfamiliar Responses