Due diligence efforts aim to take systematic and proportionate steps to identify compliance obligations and other risks related to a transaction or relationship. While companies must always be compliant with relevant laws, in reality, companies will make decisions on how to best match compliance resources available with the numerous, often competing, compliance tasks. Thus, this section addresses a variety of practices that capture the compliance process more broadly than what may be considered due diligence traditionally. While red flags do inform due diligence best practices, there are risk management strategies that are not expressly linked to red flag identification, such as entity screening. Through the implementation of strategies that identify new red flags and check against known ones, the two necessarily inform each other as nefarious actors develop new strategies that go undetected by current due diligence practices. Thus, due diligence strategies are always already being built upon and improved. It is worth noting that while this is aimed at compliance teams within the private sector, effective due diligence requires coordination between the government and industry to be most effective. For more information on what types of tools governments can provide, see the What States Should Do section in this guidance. This section has three primary categories organized around different aspects of compliance – the company/partner, the technology being traded, and considerations for the transaction itself. Additionally, there is a section highlighting specific concerns surrounding academic and research institutes which are tech innovation hotbeds but get frequently overlooked. Each subsection contains a list of actionable due diligence best practices pertaining to the topic area as well as country specific considerations that inform the application of said practices. While some methods may be more cogent depending on the country in question, the methods listed can be applicable in a variety of compliance situations and should be considered for use more broadly. That said, the country specific considerations will provide insight into some current conditions that inform due diligence in an era of strategic competition. As always, a general awareness to security risks and industry developments, much of which is outlined throughout the rest of this guidance, will be essential to employing these due diligence strategies successfully. Company/Partner The goal of company / partner due diligence is to identify legal, reputational, and associated risks of cooperation with the entity. This includes ensuring you are looking at the correct entity, understanding its structure, ownership and control status, identifying any past activity of potential concern (including relationships with entities or programs of concern), and identifying any red flags. Category Element Source Nature of the Company Is it a distributor? Is it sanctioned? Is it involved in strategic technologies such as nuclear arms or missile development? Is it an authorized procurement agent for programs of concern? A due diligence survey completed by the company or partner could surface some of these points. The other points in this table can also help to get at these points. Company Website Do they have a website? Not having a website is a potential red flag. Does the native language version of the site include a 'party' page or otherwise detail programs of concern. Does an image search of the company's domain reveal images or activities of concern? Company’s website identified through google or by company itself. Past Activity Does the company have a history of work implementing contracts for government or military entities? Does the website mention problematic activity to include government contracts; does the website have photos of military, equipment or imagery that indicates involvement in military-related projects; does the website mention links to government initiatives such as 5-year plans; Is there other information about past activity of concern (see the news and media section below too) Official data sources concerning governmental contracts. Many corporate due diligence services and websites can be used and are tooled for different regions of the world. Please reach out to CNS for reccomendations. Company’s website in English and original language (noting that original language websites often contain more information). Company’s website may mention past projects or awards. Ownership and Control Is the entity privately owned or controlled by a foreign government’s state-owned enterprise? Is the company owned or controlled by a sanctioned entity? Is the company a subsidiary of a state-owned entity? Company registration documents, relevant company registers (provincial registries in China, national registry in Russia), Third party services. Social Media Does the company have a presence on LinkedIn or equivalent regional social media sites? Does the company’s social media show involvement in strategic projects? For determining if a company exists, the existence of a credible profile is usually sufficient. Company logos are usually used on social media and will often depict a strategic item (missiles, nuclear etc.) if the company is involved in that sector. Conducting media searches (i.e., for photos) linked to the company’s account is a good way to identify past projects. News and Media Are there news stories of the entity in question being involved in illicit transfers Are there news stories of the entity developing weapons for the military? Is there news of the entity winning government contracts and awards? Use of advanced search engine techniques to search domains such as .cn or .ru using the name in Chinese or Russia characters. Use Google but also relevant national search engines (Yandex and Baidu) For more information on this, see Annex 3. Searching for the company name plus words like ‘defense’ or ‘military’ can also identify connections of concern. Location of the Company Is the entity or claimed end-user located in a non-European former Soviet republic or Hong Kong? Some former Soviet republics, particularly in the Caucuses and Central Asia are increasingly being used as transshipment points to Russia, including the Russian government. Is the entity co-located with an entity of concern? Use best judgement in determining who the end user is or could be. Age of the company, purpose, declared end use and other factors must be used in combination with geography. Geography is a risk factor, but not a determiner. Identification of co-locations of concern can be challenging. However, it is worth Googling the address to see if webpages mentioning the address come up and looking at the address in Google maps (or national equivalents such as Baidu) or Yandex maps. Each of these mapping services can show the names of businesses overlayed on the map. China Specific Considerations Entities within the PRC use several strategies to obfuscate the identity of the end user or end use. This is largely due to the MCF nature of their economy when it comes to strategic goods. When performing due diligence for transactions relating to China, mentions of ‘convergent technology’ or ‘special projects’ are strong indicators that the entity is involved in MCF activities, and the transaction could end up with a military end use. This is also a useful method to assess if the company has empirically been a recipient of government or military awards. One of the most effective means to mitigate against these forms of transactions will be to cross-reference the English version with the Chinese version of the websites. Many times, companies will try to obfuscate their links to military or government contracts on the English version of the website when attracting business but in turn herald their connections to the government for a domestic audience. Additionally, checking for official military procurement tender announcements in the PRC can help identify the recipients of both present and past contracts. To this end, one of the most effective measures a company can take towards its compliance efficacy is to have a member of the compliance team fluent in Mandarin or with enough working knowledge of the language to detect these discrepancies. It is also common for there to be many Chinese companies with similar names that can be confused for the entity engaging in the transaction. This is just one area where Chinese language skills on a compliance team could be essential in conducting effective due diligence. This said, it should also be noted that a lot can be achieved simply using Google translate. Additionally, Wikipedia is often a good source of an entity’s name in Chinese characters (which can be verified by inserting the name into google translate). Conducting searches using these Chinese names is often revealing. Some additional considerations when researching an entity that can help inform whether to pursue business with a Chinese entity include checking for references to the Thousand Talents Plan which has been used to recruit researchers in strategic fields. Lastly, because the PRC leverages its university system as part of general MCF strategic technology development, it is valuable to see if companies have connections to academic institutions which may, in turn, have connections to the government or military. Alternatively, it is useful to determine if the company is founded by former professors as much of the start-up space in China is tied to MCF and are commonly outputs from former university projects. Russia Specific Considerations Russian entities do relatively little to hide their links to military and dual use entities. The links to these institutions are often advertised on the home page of their website or can be identified through other corporate data widely available in Russia. Since Russia’s February 24th invasion of Ukraine, some Russian companies have blocked their websites to users outside of the Russian Federation. This is often a good indicator that a company is doing business with, or is itself, a sanctioned entity. When Russian entities do attempt to obfuscate their links to military or dual use institutions, they are often third party wholesalers of goods. An advanced web search of the entities name in Russian alongside relevant search parameters can be used to identify these links or auditing services as much of this information is public and available on the open web. This web search must be done in the Russian language or it will not pull the relevant results. Due to the customs union with Kazakhstan and Kyrgyzstan, procurement of dual use goods is reportedly increasingly happening through these channels. This creates complications as the data available is still small. Critical judgement and know-your-customer procedures such as why a newly formed corporation in Kyrgyzstan is ordering large amounts of electronics or milling machines can help companies avoid legal and reputational risks. More sophisticated operations mask their ownership in weakly regulated U.S. jurisdictions such as Delaware. In this same vein, services are increasingly being created that openly and actively advertise their intent to buy goods to evade sanctions. At least one site reviewed by CNS had a map on their website showing the countries they use to transport goods into Russia and around sanctions. Company ownership, age of the company, requests for goods in bulk and other basic due diligence procedures when reviewing business in Russian allied or partnered countries is just as relevant as if doing business with a company inside the Russian Federation. Nature of Technology Category Element Source General Technology Assess if the technology in question is dual-use or strategic in nature, even if it is not explicitly on a control list. This could include determining whether it is relevant to the types of strategic technology that Russia and China are seeking to indigenize. Technical datasheets, scientists and engineers with knowledge of the product Control Lists Identify of the technology being traded is controlled on a current control list. Identify both physical and digital components of the technology that may be subject to control. Technical datasheets, scientists and engineers with knowledge of the product Cybersecurity If there is a digital component of the technology, implement appropriate cyber-security standards both internally and when transferring the technology. Potentially useful standards: NIST 800 Nature of Technology Determine if the technology being purchased is used in the manufacturing of other strategic goods. China Specific Considerations For the PRC, strategic technology development is more than just a commercial endeavor but also part of the national strategy, outlined by various Five-Year Plans. As the name suggests, these policy doctrines are released every 5 years and outline the goals for the government. This has included for the last 10 years or more an intentional effort towards indigenization of strategic technologies. These are outlined further in the specific FYP on science and technology. These categories are captured in detail throughout the earlier sections of this guidance. For the purposes of this section, it is simply worth noting that the technology areas the PRC is most intent on developing for strategic purposes are by and large publicly noted. Especially for professionals working in compliance in one of these strategic industries, considerations on the nature of the technology within the broader scope of Chinese indigenization efforts is essential to effective due diligence. Because the end-goal of the Chinese national strategy is to be self-reliant, it is especially critical that technologies which are used to manufacture additional advanced strategic goods are subject to control. This report outlines specific ‘chokepoint technologies’ which are technologies which the PRC does not currently have indigenous capability for, but should they obtain said technology, would be able to produce advancements in areas beyond the specific technology itself. The best example of this, detailed further in the Computing section above, is the interconnect technology required to scale up the processing power of supercomputers. Not all these technologies will be on control lists as the sectors naturally progress faster than the lists do in many cases. Thus, it will be important for entities to use their technical expertise within the sector they operate to help define what these technologies are over time and limit the export of such strategic goods. Inter-industry coordination in this regard will be useful for creating future standards for due diligence. Lastly, many modern strategic goods have both digital and physical components. While historical export control best practices focus on the security of physical goods, companies must implement effective cyber security standards on digital elements of transactions, so they are not diverted towards nefarious end uses. Common areas where this is most impactful are machine learning and additive manufacturing where digital files and algorithms are just as essential to the operation of the technology as the physical component being exported. Russia Specific Considerations Russia has spent a great deal of time, effort and money to rebuild itself as a technological powerhouse. Much like the Chinese government, the Russian government has put forward several strategies to make Russia 'great again'. The core of this is development of a business-friendly space people want to live and create new innovations in. However, while Russia produces excellent programmers, mathematicians, physicists and scientists, it has trouble building things. As such, most of the technology supporting Russia’s cutting-edge technology advancements are reliant on Western goods and services. Russia is currently struggling to achieve its proposed aims as hundreds of thousands of highly skilled workers flee a situation inside Russia which they view as increasingly unsafe or untenable. Since February 24th, many Russian companies have relocated offices to Armenia either to protect the safety of their employees, avoid sanctions, or both. As such, the question of what constitutes a Russian company can be a grey area for due diligence officers. Goods relevant to various emerging technologies, such as those powering research on quantum computing or machine learning need to be critically analyzed. Two questions which are vital to ask are: why does this company need this product? And, is there risk of diversion of the good into the Russian Federation? There is no legal or moral reason to suspend all ties with Russian nationals or Russian nationals doing interesting research and development. But basic knowledge about potential business partners is vital to making informed decisions. On the less sophisticated scale, the Russian military has become very adept at importing goods that while technically are not on control lists or considered dual use, can be adapted to those purposes. Businesses must be aware of links between their partners and Russian military contractors who build weapons and communications devices. Even if a good is not controlled, one can incur severe reputational damage if even outdated technology is diverted for non-civilian purposes. Transaction This section identifies due diligence steps that should be taken in relation to each transaction. This section focuses on measures that should be taken over and above the company / partner due diligence as detailed above. Category Element Shipping Confirm that shipping practices are standard for the type of product and region. This includes shipping routes, end destinations, etc. Shipping Check that the shipping destination is not another transshipment hub. Shipping Confirm that the dimensions of the package (weight and size) are appropriate for the order when finalizing shipping preparations of sensitive technologies. Geography Is the purchasing entity in a country of concern? Third Country Diversion Risks Is it first being shipped to a known diversion hub? Finance Avoid cash payments for orders that are usually financed. Finance Confirm that the paying entity is the same as the one placing the order and receiving the shipment. Finance Confirm that the financing is not through a state or military grant. China Specific Considerations When assessing the transactional factors in a Chinese context, there are a couple of important considerations. First, when considering shipping and geography, there is primarily a need to be cautious of transactions that go through territories such as Hong Kong and Macau as these locations may not be the ultimate destination but frequently have less serious barriers to trade than with the mainland. Because of the number of Chinese entities with subsidiaries in these territories, one aspect of due diligence should be understanding the risk of a subsidiary company ordering an item into Hong Kong and then sending it to the main office in mainland China. Last, there are not too many unique concerns when it comes to financing. The main goal of due diligence in this regard is to confirm that the government or military is not the financing agent for the organization or the specific project. There are domestic databases in the PRC where these government contracts and tenders are sought and distributed. However, accessing these databases can be difficult when outside of the country due to the firewall and require mandarin language skills to navigate. Alternatively, many company websites will highlight the fact that they won this award. When checking the entity websites, it is important to note any mentions of grant or project-based work for the government or military as these are signs the organization engages in MCF behavior. Russia Specific Considerations Given Russia’s financial isolation, almost all financial transactions to Russia currently involve some sort of suspicious behavior such as the use of cryptocurrency or multiple banks. Likewise, the use of fronts, bank accounts in third countries and other behaviors traditionally associated with money laundering are increasingly required to acquire even non-export controlled goods for Russian companies engaging in legitimate transactions.[1] As such, it is extraordinarily difficult to identify suspicious transactions, and beneficial ownership when all transactions are suspicious. Likewise, Russians will use “sanctions” to refer to export controls, financial blocking and self-imposed restrictions by companies. The resulting confusion makes it difficult, if not impossible, to discern craftiness from illegality even for the people involved in the transactions themselves.[2] This is compounded by the unknown number of Russian companies opening fronts in countries like Turkey and in Central Asia and other locales for the purposes of getting around banking restrictions that are legal under the U.S. sanctions regime. The scope means that again, behaviors traditionally associated with evasion and money laundering are used for the purchase of non-controlled, non dual-use goods. The use of a front in Turkey or a former Soviet Republic to transact may be functionally required for doing legitimate business with Russian companies, but opens the participants up to enormous and unknown risks given the fluidity and opacity of the overall situation. There are acute financial risks as well that money could be stolen or not reach its intended destination given the number of new financial instruments to avoid sanctions that have emerged. Social media postings by the few remaining foreign expatriates in Russia indicate a wild-west atmosphere where money can go easily missing. A core part of doing effective due diligence in the Russian context is a proper team with professional fluency in the Russian language. Many of the connections between certain entities and the military or security services are obvious to those with the language skills and regional experience, but difficult, if not impossible to decipher without proper experience with Russian business culture and bureaucracy. Given the ongoing war and continued high-profile attacks on civilian targets by the Russian military, businesses entail extreme reputational damage and legal risks for doing business with Russian entities and getting it wrong. Dealing with Academic and Research Institutes The focus on emerging technologies in the context of great power competition brings into focus the role of universities and research institutes. While the popular image of a university is a place in which students are taught and theoretical research conducted, the reality in most countries is that universities and research institutes are closely tied into the country’s commercial sector and national technology science and technology plans. This is true as much in Russia and China as it is elsewhere. Given this, engagement with academic and research institutes is a key pathway through which technology transfer and proliferation can occur. There is a need for due diligence when dealing with Chinese and Russia universities and research institutes. Case studies 4 and 16 showcase two different ways the PRC has leveraged university collaboration. In the first case, a professor is recruited to do research abroad for the PRC at a foreign university. In the second case, university collaboration resulted in the transfer of dual-use goods to the PRC under the auspices of academic collaboration. Category Element Source Connections Identify any connections the entity may have to academic institutions (or their operators) in a country of concern. This can include staffed professors/researchers, joint research, start-ups with a connection to academic programs, etc. Use the university’s website to see if staff or professors in a department have a dual-hat with military or security-linked entities. Critically approach who funds research at which faculties and departments in the institution. Academic institutions are sprawling and often isolated from one another. A handful of professors in one science faculty being tied to a government entity or lab does not mean another faculty in the humanities cannot be engaged with for the purposes of humanitarian work or citizen diplomacy. Finance Confirm that the financing of the research, grant, or exchange, is not through a state or military grant. Due diligence information - ask the foreign partner. Intellectual property and the right to publish Restrictions on publication and data. If contractual conditions prevent publication, it is likely not basic scientific research as the client is paying for proprietary information. Review the contracts One helpful resource for identifying universities of possible concern is the ASPI university tracker. However, effective use of academic repository metadata sites such as Scopus, the Chinese site CNKI, and the Russian site e-library can also be used to identify universities undertaking military-related research. Footnotes [1] See Usmall.ru and the litany of other new businesses designed to get around “sanctions” https://usmall.ru/ [2] Interviews with Russian nationals attempting to flee Russia 4/2022 [3] Social media postings in closed Moscow expatriate help board.