Key Takeaways
- Interim policy openings do not equal deregulation. The quarter's most visible example is Iran: OFAC has created a time-limited pathway for specified Iranian-origin petroleum transactions, but that pathway is narrow, temporary and subject to transaction-specific conditions.
- Enforcement has not paused. OFAC, BIS and DOJ continue to use civil penalties, criminal enforcement tools and voluntary self-disclosure incentives to shape market behavior, particularly where national security risk is embedded in commodities flows, professional services, advanced technology, and global supply chains.
- National security regulation is moving from entity screening to relationship mapping. Regulators are focusing not only on named counterparties, but also on ultimate beneficiaries, payment flows, intermediaries, data access, ownership, governance rights, technology transfer, supply-chain inputs and government-contracting relationships.
- Congress is expanding the perimeter of regulation. Outbound investment, biotechnology, Chinese military companies, defense procurement, and foreign ownership, control or influence ("FOCI") are all receiving sustained congressional attention, with statutory deadlines and procurement restrictions becoming increasingly important compliance triggers.
- Deadlines matter. Temporary general licenses, divestiture orders, procurement prohibitions, proposed-rule comment periods and mitigation requirements all require active monitoring. Missed deadlines can shift control from the parties to the government, courts or monitors.
Iran Sanctions: A Temporary Opening, Not a Sanctions Reset
The most visible sanctions development this quarter was the reported U.S.-Iran Memorandum of Understanding announced in June 2026, followed by OFAC General License X. The reported MOU has not been published by the U.S. Government and should not be treated as an operative legal instrument. The binding legal development is GL X.
GL X authorizes, through August 21, 2026, transactions that are ordinarily incident and necessary to the production, sale, delivery or offloading of Iranian-origin crude oil, petroleum products and petrochemical products. The authorization also extends to certain related services, including banking, insurance, transportation, vessel management, classification, flagging, crewing, bunkering and related activities. Importantly, GL X also authorizes U.S. dollar payments and importation into the United States where otherwise within the scope of the license.
That said, GL X is not a general lifting of Iran sanctions. It is temporary, conditional and program-specific. It does not authorize transactions involving persons located or organized under the laws of North Korea, Cuba, Crimea, the covered regions of Ukraine, or other excluded persons identified in the license. It also does not authorize transactions otherwise prohibited by sanctions authorities not covered by the license.
The practical point for clients is that there may now be commercially meaningful activity that is legally permissible for a limited period, but reliance on GL X should be supported by transaction-specific analysis. Parties should diligence counterparties, vessels, cargo origin, payment routing, insurers, banks, intermediaries, ports, title transfer, and any non-Iran sanctions nexus. Contracts should address license expiration, snapback risk, force majeure, termination rights, representations, audit rights and documentation retention. Banks and insurers may move more slowly than the legal authorization permits, and that commercial friction should be built into transaction planning.
OFAC Enforcement: Red Flags, Intermediaries and the Limits of Paper Comfort
Adani Enterprises — $275 Million Settlement
On May 18, 2026, OFAC announced a $275 million settlement with Adani Enterprises Limited, an India-based diversified conglomerate, for apparent violations of the Iranian Transactions and Sanctions Regulations. OFAC alleged that, between November 2023 and June 2025, Adani purchased liquefied petroleum gas through a Dubai-based trader that purported to supply non-Iranian LPG, while red flags indicated an Iranian-origin nexus.
The case is a helpful compliance marker because OFAC did not focus only on denied-party screening. The issue was whether the company responded adequately to red flags beyond face-valid shipping documents and supplier assurances. Relevant indicators included vessel behavior, origin documentation, pricing anomalies, payment issues and other information inconsistent with the stated commercial narrative.
For commodities, shipping, energy, infrastructure and financial-sector clients, the lesson is direct: sanctions compliance cannot stop at counterparty screening. Where cargo origin, vessel history, routing, intermediaries or pricing raise questions, companies should escalate to enhanced diligence and document the basis for proceeding. Supplier representations are helpful but not dispositive.
FTI Consulting — $1.05 Million Settlement
On June 1, 2026, OFAC announced a $1.05 million settlement with FTI Consulting for apparent violations of Russia-related sectoral sanctions. OFAC alleged that FTI indirectly dealt in prohibited debt of VTB Bank OAO through a law-firm intermediary on six occasions.
The core message is that intermediary structures do not cure a prohibited sanctions nexus where the U.S. person knows the sanctioned-sectoral target and payment flow. Professional services firms, experts, consultants, law firms, asset managers and financial institutions should screen not only direct clients, but also ultimate beneficiaries, funding sources and payment mechanics. Engagement letters and intake procedures should require escalation where services are for, paid by, or materially benefit a sanctions-restricted party.
Outbound Investment: COINS, China and the Biotechnology Question
The U.S. outbound investment regime remains in force and should no longer be viewed as a narrow pilot program. The existing Outbound Investment Security Program became effective in January 2025, and Congress has since codified and expanded the framework through the Comprehensive Outbound Investment National Security Act of 2025.
The most important development this quarter is not a change in the current rule, but the direction of travel. On May 21, 2026, the House Select Committee on China urged Treasury to designate biotechnology as a prohibited technology sector in implementing regulations under the COINS Act. The letter focused on U.S.-China pharmaceutical licensing, co-development, clinical R&D, drug discovery platforms, biologics manufacturing know-how and the role of Chinese military-linked institutions in clinical trials.
Whether Treasury adopts that recommendation remains uncertain. But the signal is important. Outbound investment controls are likely to remain dynamic, and technology categories may expand as Congress identifies new areas where capital, know-how, data, governance rights or commercial collaboration may advance PRC national-security capabilities.
For asset managers, sovereign wealth funds, private equity sponsors and life-sciences companies, the practical diligence questions should now include: Does the transaction involve a covered foreign person? Does it provide governance rights, board or observer rights, veto rights, material nonpublic technical information, IP access, data access, co-development rights or operational collaboration? Does the investment structure include options, follow-on rights, side letters, contractual collaboration, or other features that may matter under current or future rules? Even where a transaction is not prohibited or notifiable today, the record should show that these issues were considered.
CFIUS: Review Backlog, Enforcement and Process Reform Move in Parallel
CFIUS practice has been affected by the partial government shutdown tied to the lapse in funding for the Department of Homeland Security, a CFIUS member agency. During the shutdown, CFIUS statutory deadlines were tolled, and review clocks for new filings were not initiated. Although the shutdown ended on April 30, 2026 and CFIUS has resumed operations, the practical effect is likely to be uneven: draft filing comments, acceptance of formal filings, declaration outcomes, mitigation discussions and final clearances may take longer than parties experienced before the shutdown.
For deal parties, the point is not that statutory timelines have changed. They have not. The point is that the operational cadence of CFIUS review may remain less predictable while the Committee works through delayed filings and re-engages on pending matters. Parties should review outside dates, financing commitments, interim operating covenants, regulatory-efforts provisions, reverse termination fee triggers and closing conditions to ensure they remain workable across an extended CFIUS timeline. Where a filing has not yet been made, parties should reassess whether a declaration or full notice best fits the transaction’s risk profile, timing needs and likelihood of receiving a conclusive declaration outcome.
CFIUS enforcement remains a live risk for transactions that close without clearance. The Suirui/Jupiter Systems matter is the clearest current example. Suirui International acquired Jupiter Systems in 2020. CFIUS later identified national security concerns involving Jupiter's products and customers, and the President ordered divestiture in July 2025. After Jupiter missed critical deadlines, DOJ filed suit in February 2026 to enforce the order. On May 26, 2026, the U.S. District Court for the District of Columbia granted the government’s motion for a preliminary injunction.
The practical lesson is that CFIUS risk does not expire at closing. If CFIUS has jurisdiction and the parties do not obtain clearance, the transaction can remain exposed to post-closing review and potential divestiture. Once a presidential order or mitigation agreement is in place, compliance deadlines should be treated as litigation-grade obligations. Missed milestones may result in court involvement, government-supervised divestiture, monitors, receivers or loss of control over the process.
At the same time, CFIUS process reform remains worth monitoring. Treasury is developing a Known Investor Program intended to collect information from certain repeat foreign investors in advance of a formal filing, with the goal of enabling more efficient review. Our prior coverage of these efforts is available here. For repeat institutional investors, including sovereign wealth funds and other frequent filers from allied jurisdictions, the program may become a useful process tool. It should not, however, be viewed as a safe harbor or pre-clearance mechanism. Treasury has made clear that participation alone would not guarantee any particular CFIUS outcome, and that verifying distance and independence from foreign adversaries or threat actors will remain central to the Committee’s risk analysis.
AML/CFT: Effectiveness Over Check-the-Box Compliance
On April 7, 2026, FinCEN issued a proposed rule to reform AML/CFT program requirements under the Bank Secrecy Act. The comment period closed on June 9, 2026. The proposed rule reflects Treasury's stated effort to move AML/CFT compliance away from technical checklist adherence and toward risk-based effectiveness.
Key elements include a mandatory formal risk assessment; explicit incorporation of FinCEN’s national AML/CFT priorities; governance expectations; a requirement that the AML/CFT compliance officer be based in the United States and accessible to regulators; and a mechanism requiring certain regulators to consult with FinCEN before significant AML/CFT supervisory or enforcement action.
For financial institutions, investment advisers, funds, banks, broker-dealers, money services businesses and fintech platforms, the significance is practical. Regulators are likely to ask whether the AML/CFT program is actually calibrated to the institution’s products, services, customers, geographies, distribution channels and illicit-finance risk. Policies that look mature on paper but are disconnected from onboarding, transaction monitoring, sanctions screening, escalation and audit may receive less credit.
Export Controls: Huawei Enforcement and Advanced Computing Guidance
Robert Bosch GmbH — $36 Million BIS Penalty and DOJ Declination
On June 17, 2026, BIS announced a $36 million settlement with Robert Bosch GmbH involving exports to Huawei Technologies Co. Ltd. and affiliates without required BIS authorization. The matter involved foreign-produced items subject to the EAR under the foreign direct product rule. Bosch voluntarily disclosed, cooperated and remediated, and DOJ’s National Security Division declined prosecution under the department-wide corporate enforcement policy.
The case has two important lessons. First, export-control compliance is product-specific and fact-specific. It is not enough to ask whether an item was manufactured outside the United States or whether a direct counterparty has been screened. Companies must analyze classification, U.S.-origin technology and software, foreign direct product rule applicability, end users, end uses, and Entity List licensing requirements.
Second, voluntary self-disclosure can materially affect enforcement outcomes. Bosch still paid a substantial civil penalty, but the DOJ declination is a meaningful precedent for companies assessing whether to disclose potential national-security violations. The case should be read together with DOJ’s broader corporate enforcement policy: prompt disclosure, full cooperation and timely remediation can change the enforcement posture even in significant matters.
BIS Advanced Computing Guidance
On May 31, 2026, BIS issued guidance clarifying advanced computing license requirements for entities headquartered in Country Group D:5 or Macau, or whose ultimate parent is headquartered there. The guidance addresses a market concern that advanced AI chips could be supplied to overseas subsidiaries or third-country data centers associated with China-headquartered groups without triggering licensing requirements.
The practical point is that destination is no longer the only relevant question. Exporters, cloud providers, data-center operators, lenders, investors and counterparties should diligence the headquarters and ultimate parent of the recipient, as well as the role of resellers, leasing companies, anchor tenants and end users. For GPU financing and data-center transactions, this is now a core diligence item.
Defense Procurement, Section 1260H and FOCI: Ownership Risk Moves into the Supply Chain
Section 1260H and Related Procurement Restrictions
In June 2026, DoD published an updated Section 1260H list of Chinese military companies operating directly or indirectly in the United States, including entity-specific justifications. Section 1260H itself is principally an identification and disclosure mechanism, not a blocking sanctions program. But designation has significant commercial consequences because other authorities and procurement restrictions rely on or respond to the list.
Two June 30, 2026 deadlines are particularly important. First, DoD procurement restrictions under Section 805 of the FY 2024 NDAA prohibit certain DoD contracting with 1260H-listed entities and controlled entities. Second, Section 851 restricts DoD from contracting with companies that retain lobbyists advocating on behalf of 1260H-listed entities, subject to statutory exceptions and implementation questions. Further indirect supply-chain restrictions become relevant in 2027.
Companies that sell to DoD, supply DoD contractors, receive defense-related funding, or participate in sensitive technology supply chains should screen the updated list against counterparties, vendors, customers, affiliates, lobbying relationships and supply-chain inputs. Recent litigation challenging particular designations should be monitored, but absent judicial relief or agency action, companies should not assume that litigation suspends compliance obligations.
Expansion of FOCI Reviews and Mitigation to Uncleared Defense Contractors
On May 6, 2026, the DoD issued a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement Section 847 of the FY 2020 and Section 819 of the FY 2021 NDAA. (Our prior coverage of the proposed rule can be found here.) The proposal expands FOCI reviews—and potentially mitigation—beyond traditional “cleared” contractors (i.e., contractors holding security clearances to perform on classified contracts) under the National Industrial Security Program to uncleared contractors and subcontractors performing (or that may perform) DoD work on unclassified contracts exceeding $5 million. Although contracts for commercial products and services are generally excluded, DoD would retain discretion to apply the requirements where it determines there is “risk or potential risk to national security” due to sensitive data, systems, or processes. This DFARS amendment is indicative of the heightened U.S. Government concern about FOCI risk throughout the defense supply chain even without classified contract requirements.
The expansion of FOCI reviews and mitigation is particularly relevant to uncleared defense contractors but should also be monitored by private equity investors and businesses with foreign investors and limited partners. This is because the U.S. Government’s FOCI analyses are largely based on expanded disclosure requirements regarding relationships that such contractors have with foreign companies or persons, including ultimate beneficial ownership and controllers, contracts or other arrangements with foreign entities or individuals, foreign employees, etc.
Anti-Corruption and Corporate Enforcement: Voluntary Disclosure as a Strategic Decision
Although this quarter’s most prominent national-security enforcement developments arose in sanctions and export controls, anti-corruption risk remains part of the same integrated enforcement environment. The DOJ’s department-wide corporate enforcement policy and the Bosch declination underscore a broader point: voluntary self-disclosure, cooperation and remediation are now strategic decisions across national-security and white-collar matters, not merely procedural choices.
For FCPA and anti-corruption risk, enforcement has not disappeared. Rather, enforcement in the near-term is expected to be more selective, focused on individual accountability, and closely tied to U.S. economic, national-security and geopolitical priorities. Companies operating in strategic sectors, emerging markets, defense procurement, infrastructure, energy, life sciences and advanced technology should continue to treat anti-corruption controls as part of national-security risk management.
Conclusion
This quarter's developments point in the same direction: national security regulation is becoming more integrated, more deadline-driven and more focused on real-world control over capital, technology, data, infrastructure and supply chains. Temporary licenses, enforcement declinations and process reforms create opportunities, but they do not remove the need for disciplined legal analysis.
For institutional investors, sovereign wealth funds, financial institutions and multinational companies, the practical response is not to build separate compliance silos for CFIUS, outbound investment, export controls, sanctions, AML/CFT, FOCI and anti-corruption. The better approach is integrated diligence: who owns or controls the relevant party; where the money comes from; what technology, data or know-how is being transferred; who the end users are; whether government contracts or defense supply chains are implicated; and what contractual rights could create influence, access or control.
Dechert's National Security Group advises clients across CFIUS, outbound investment, export controls, sanctions, AML/CFT, FOCI mitigation, government contracts and white-collar enforcement. We work with institutional investors, financial institutions and multinational businesses to provide advice that is legally grounded, commercially practical and sensitive to regulatory, geopolitical and reputational risk.
Contributors
The authors would like to thank Erin Bruce, National Security Advisor, for her contributions to this OnPoint.