How to approach an export-control and dual-use risk review
An export-control and dual-use risk review. A practical, step-by-step view for in-house counsel. The Hong Kong angle in focus. Write to info@lockhartyip.com.
The moment a Hong Kong-registered trading entity, a BVI holdco with operational subsidiaries, or a Mainland-linked supply chain routes goods or technology through multiple jurisdictions, a question rises to the top of the in-house agenda: which export-control regimes apply, and what does a defensible risk review look like? That question has grown more pointed as enforcement posture has shifted globally and as the payment channel – the point at which a bank compliance desk can freeze a transaction or exit a relationship – has become the practical chokepoint for cross-border trade flows.
An export-control and dual-use risk review is a structured, sequenced analysis that maps the goods, technology or software against the applicable control lists, identifies the jurisdictions whose rules are engaged, assesses the end-user and end-use position, and produces a documented compliance file – all before the transaction settles or the payment clears. The governing instruments are national and international in character: Hong Kong implements United Nations sanctions and maintains its own import and export control regime under the Import and Export Ordinance, while the dual-use dimension is shaped by the international regimes to which the relevant supplier jurisdictions subscribe. A sound review is conducted in a defined order; the sequence is not administrative preference but legal logic.
This guide sets out the decision the reader faces, the steps in order, the gate at each stage, the common mistakes, and a short decision checklist. The cross-border interface – Hong Kong as the operational or holding hub, the Mainland or an offshore centre as the counterparty or asset base – is addressed at each step.
What decision does the review actually address?
The export-control and dual-use risk review addresses a single commercial question: can this transaction proceed, on what conditions, and through which channel? That framing matters because the review is not a compliance exercise in the abstract. It is the documented answer to a question that a bank compliance officer, a regulator, or a counterparty may eventually ask.
The decision has three branches. The first branch is classification: does the product, technology or software fall within a control list? The second is routing: does the transaction touch a jurisdiction whose rules create a licensing or notification obligation? The third is channel: does the payment route – and the entities in that route – add a further layer of risk that must be documented before the instruction is sent?
Many in-house teams approach the review as if it were the first branch only. That is the common starting error. Classification is necessary but not sufficient. A product that falls outside every control list may still generate a banking access problem if the end-user is on a designated list, if the transaction is structured in a way that raises a red flag in a correspondent bank's screening system, or if the documentation trail is thin. Our cross-border practice regularly sees transactions stalled at the payment stage precisely because the classification step was completed and the file stopped there.
The practical centre of gravity for any Hong Kong-routed trade transaction is the payment channel. Hong Kong banks implement United Nations sanctions and maintain their own correspondent-banking risk frameworks. A transaction that is clean on classification and licensing may still fail if the payment instruction cannot be processed without triggering a compliance hold. The review must therefore address the payment channel as a discrete step, not as an afterthought.
Step 1: Identify the goods, technology and software in scope
The first step is a precise description of what is being exported, transferred or re-exported – including any intangible technology transfers, software licences, and technical assistance that accompanies a physical shipment. This sounds obvious. In practice, it is where reviews most commonly begin on an incomplete basis.
The scope of "export" varies across regimes. A technology transfer by email, a cloud-hosted software access, or a verbal briefing to a foreign national in a Hong Kong office may constitute a deemed export under certain systems. The review must therefore start with a full inventory: physical goods, software, technical data, and any service that carries technology content.
For each item, the review captures the technical specifications that will drive classification. Generic product descriptions are insufficient. Control list entries are typically keyed to specific parameters – performance thresholds, material compositions, design characteristics – that require the actual specification sheet, not a commercial invoice description.
Where a product straddles the boundary between commercial and controlled categories, the classification decision should be documented with the reasoning, not just the conclusion. That document becomes part of the defensible file.
Step 2: Map the jurisdictions whose rules are engaged
The second step determines which legal regimes apply. This is a jurisdictional analysis, not a product analysis. It turns on four variables: the jurisdiction of the exporter or supplier; the jurisdiction through which the goods or technology transit; the jurisdiction of the end-user or end-destination; and the jurisdiction of the entities in the payment chain.
Hong Kong as a hub raises a specific set of considerations. The Import and Export Ordinance governs the strategic trade controls that apply to goods moving through Hong Kong, including re-exports. Hong Kong implements United Nations sanctions. It does not give domestic effect to unilateral measures of other states. That distinction matters for in-house counsel advising a group with suppliers or counterparties in multiple jurisdictions: the applicable obligations at the Hong Kong entity level are not identical to the obligations that may apply at the level of an affiliated entity incorporated elsewhere.
Where the supply chain involves a Mainland China entity – whether as supplier, buyer, or intermediate processor – the review must address the Mainland's own export administration rules, which operate independently of Hong Kong's regime. The two systems share a border but not a regulatory perimeter. Groups that treat the Mainland–HK interface as a single compliance environment create a gap in their file.
The jurisdictional map should be completed before classification is finalised. The reason is that the same product may be controlled in one exporting jurisdiction and not in another, or may require a licence for one destination but not for a second. Working backwards – classifying first, then checking jurisdictions – risks missing an obligation that only appears when the routing is fully drawn.
Step 3: Classify the product against the applicable control lists
Classification is the technical core of the review. Each applicable regime maintains a control list – a structured index of goods, software and technology entries, typically organised by category and defined by technical parameters. The process is to match the specification of each item against the list entries across every applicable regime identified in Step 2.
Dual-use goods and technology – items designed for commercial use but capable of military or proliferation application – are the hardest classification cases. The international export-control regimes that address dual-use items include the Wassenaar Arrangement (conventional arms and dual-use goods and technologies), the Nuclear Suppliers Group, the Australia Group (biological and chemical precursors), and the Missile Technology Control Regime. These are not treaties with direct domestic effect; they operate through national implementing legislation. The review must therefore work at the national-law level, tracing the applicable national list back to the relevant international instrument.
Where a product does not appear on a control list, the review does not end. Many regimes include a general technology note or a catch-all that can extend control to items not expressly listed where the exporter knows or has reason to know that the item is intended for a controlled end-use. Documenting the analysis – including the conclusion that an item is not controlled and the reasoning – is as important as documenting a positive classification.
For groups operating through Hong Kong, a useful internal discipline is to run the classification against the Hong Kong strategic goods list and then cross-check against the list of the principal supplying or receiving jurisdiction. Where the lists diverge, the more restrictive position governs the entity that is subject to it.
Step 4: Assess the end-user and end-use position
Classification tells you what the product is. The end-user and end-use assessment tells you where it is going and for what purpose. Both are gates in every major export-control regime, and both require documentary support.
The end-user assessment begins with the counterparty. Is the stated buyer or consignee the actual end-user, or is there a further downstream party? Does the transaction involve an intermediary or agent whose own compliance position is unknown? In our cross-border practice, the most common red-flag pattern is a chain of trading entities in which the end-user is obscured by one or two intermediate parties whose commercial rationale is not apparent.
End-use certificates and end-user statements are standard tools, but they are not sufficient on their own. The review must assess whether the stated end-use is plausible given the product, the quantity, the price, and the destination. Inconsistencies between any of these variables – for example, a quantity far in excess of the stated application, or a destination where the stated end-use is commercially implausible – are red flags that must be resolved before the transaction proceeds.
The end-user screening step overlaps with the counterparty screening analysis that governs the sanctions and AML layer of the review. For groups operating through Hong Kong, this means running the counterparty against the United Nations consolidated sanctions list and, where the group has affiliates in other jurisdictions, understanding what those affiliates' compliance frameworks require. Our guide on counterparty screening in Greater China supply chains addresses that layer in more detail.
Step 5: Identify the licensing and notification requirements
Having classified the product and assessed the end-user and end-use, the fifth step is to determine whether a licence or prior notification is required. This is a jurisdiction-specific analysis: the obligation to obtain a licence, notify an authority, or file a report depends on the combination of product classification, destination, end-user, and applicable legal regime.
Where a licence is required, the review must address the licence application process before the transaction is committed. Export licences typically carry lead times measured in weeks. Committing to a transaction – and particularly receiving payment or issuing a letter of credit – before a licence is obtained creates a legal risk that no retrospective filing can fully cure.
For transactions routed through Hong Kong, the relevant authority for strategic goods licensing is the Trade and Industry Department. The review should document the applicable licence category, the application requirements, and the expected processing period. Where an exemption or licence exception is available, the conditions for reliance on that exemption must be documented in the file with the same rigour as a positive licence application.
Groups that operate across the Mainland–HK interface face an additional consideration: a product may be licensable in the Mainland leg of the transaction and exempt in the Hong Kong leg, or vice versa. The file must address both legs separately. A single compliance sign-off that covers only one jurisdiction creates a gap that a correspondent bank compliance desk or a regulatory inquiry will identify.
Step 6: Address the payment channel as a discrete gate
The payment channel is the step most frequently underweighted in export-control reviews conducted by in-house teams without cross-border advisory support. It deserves its own gate because the bank that processes the payment is not simply a conduit: it applies its own compliance assessment, independently of the exporter's classification and licensing analysis.
Hong Kong banks implement United Nations sanctions through their transaction monitoring and customer due diligence systems. A payment instruction that names a sanctioned party, references a sanctioned destination, or is structured in a way that obscures the underlying transaction will be flagged or rejected regardless of whether the exporter holds a valid licence. The practical consequence is that a transaction that is legally permissible under the applicable export-control regime can still fail at the payment stage if the instruction does not carry the information that the bank's compliance system needs to process it.
The review should therefore address three payment-channel questions. First, are any of the entities in the payment chain – the remitting bank, the correspondent, the beneficiary bank – the subject of any United Nations sanction or restricted-party designation? Second, does the payment instruction carry sufficient information – including the nature of the goods, the applicable licence reference where relevant, and the identities of the actual parties – to support the bank's own compliance review? Third, is the payment structure itself consistent with the nature of the transaction, or does it raise a typology flag?
Where a payment channel is unavailable or operationally constrained, the review should document that constraint and the alternative routes assessed. That documentation is part of the defensible compliance file. Our broader analysis of beneficial ownership and KYC file management across offshore holding chains sets out how the ownership-transparency layer interacts with the payment-channel assessment.
The sequence above describes the standard position. Your matter turns on the specific product, the jurisdictions actually engaged, the counterparty profile, and the payment route – which is where the review is won or lost. For a structured assessment of your export-control and dual-use position across the relevant jurisdictions, write to us at info@lockhartyip.com.
The common mistake: treating the review as a one-time event
The single most consequential error in export-control compliance is treating the initial review as a permanent clearance. It is not. Control lists are updated. Designated-party lists change. End-users can be added to restricted lists after a transaction begins. The product's application can change as the counterparty's business evolves.
A defensible export-control and dual-use compliance position requires a periodic review cycle, not a single sign-off at the point of first shipment. The frequency of that cycle depends on the risk profile of the product, the counterparty, and the destination. For groups with high-volume, lower-risk commodity trade, an annual review of the classification and counterparty screening may be proportionate. For groups moving technology with dual-use potential to destinations where end-use is harder to verify, a transaction-level review is appropriate.
The periodic cycle should also address changes in the group's own structure. Where a holding entity is added, an affiliate is acquired, or the beneficial-ownership chain changes, the review framework must be updated to reflect the new jurisdictional footprint. A BVI entity that was not previously in the payment chain may become relevant if it is added as an intermediate party; a new Mainland operating subsidiary may introduce a Mainland export-administration obligation that did not previously apply to the group.
If an earlier review, filing, or transaction produced an adverse or stalled result, a second read can identify the strategic error and the routes still open. To discuss how a refreshed review applies to your cross-border position, contact info@lockhartyip.com.
Decision checklist for the in-house team
The following checklist maps the principal decision points in the sequence set out above. It is not a substitute for the full review; it is a triage tool for identifying which steps require external advisory input and which can be completed in-house.
- Scope confirmed: Physical goods, software, technical data, and technology-transfer components are all identified and described to specification level.
- Jurisdictions mapped: The exporting, transit, and destination jurisdictions are identified. The applicable legal regimes for each entity in the transaction are confirmed.
- Classification completed: Each item is matched against the control lists of each applicable regime. The reasoning for controlled and non-controlled conclusions is documented.
- End-user verified: The actual end-user is identified and documented. The end-use is assessed for plausibility against the product, quantity, and destination. Inconsistencies are resolved.
- Designated-party screening run: All counterparties, intermediaries, and entities in the payment chain are screened against the United Nations consolidated sanctions list and any other applicable list.
- Licence position confirmed: The licence requirement or applicable exemption is identified. Where a licence is required, the application is submitted before the transaction is committed.
- Payment channel assessed: The payment instruction is reviewed for completeness, counterparty risk, and consistency with the underlying transaction. Banking documentation is prepared to support the bank's own compliance review.
- File assembled: The classification analysis, end-user documentation, licence or exemption basis, and payment-channel assessment are compiled into a single, retrievable compliance file.
- Review cycle set: The next scheduled review date is recorded. Triggers for an interim review (counterparty change, control-list update, structural change) are documented.
For groups operating through Hong Kong and interfacing with the Mainland, the BVI, or other offshore holding centres, a cross-border view of the checklist – addressing each entity's obligations separately – is the minimum standard. Our Sanctions & AML practice covers the full range of cross-border compliance analysis that typically accompanies an export-control review.
Related practices
- Sanctions & AML – cross-border compliance, counterparty screening, and AML advisory across Greater China
- Holding Structures – review and structuring of offshore and Mainland-linked holding chains for regulatory compliance
Frequently asked questions
What documents are needed for an export-control and dual-use risk review?
What is the first step in an export-control and dual-use risk review?
Do I need a Hong Kong adviser for an export-control and dual-use risk review?
Speak with Lockhart & Yip
For a scoped view of your matter, contact info@lockhartyip.com. Discuss your matter →
Related
- Sanctions Aml
- Beneficial Ownership Kyc File Offshore Holding Chain Analysis
- Counterparty Screening Greater China Supply Chain Guide
This publication is general information and does not constitute legal advice. For advice on your situation, contact info@lockhartyip.com.