Manual data entry error results in a half-million-dollar sanctions penalty

The US Department of Commerce’s Bureau of Industry and Security (BIS) has imposed a $500,000 civil penalty on GlobalFoundries US Inc. and its subsidiary, GlobalFoundries U.S. 2 LLC, for violating export regulations. Between February 2021 and October 2022, the company made 74 shipments of semiconductor wafers valued at approximately $17.1 million to SJ Semiconductor (SJS), a company on the BIS Entity List, without obtaining the necessary licence. This violation occurred despite GlobalFoundries being aware that such shipments required a BIS licence. The oversight resulted from a data entry error in the company’s transaction screening system, preventing proper screening of SJS.

GlobalFoundries said the company regrets “the inadvertent action, due to a data-entry error made prior to the entity listing.” This error resulted in an accidental shipment of legacy chips without a licence. “We strive to, and believe we have, a world-class trade compliance program that sets the standard for the foundry industry,” it added.

GlobalFoundries voluntarily disclosed the violations, cooperated with BIS’s investigation, and took remedial steps, leading to a substantial reduction in the original penalty. This reflects BIS’s policy that encourages voluntary self-disclosure and cooperation as a means of reducing potential sanctions. Assistant Secretary for Export Enforcement, Matthew S. Axelrod, emphasised the importance of U.S. companies maintaining stringent vigilance in their transactions with Chinese entities:

“We want U.S. companies to be hypervigilant when sending semiconductor materials to Chinese parties.”

The Bureau of Industry and Security’s Office of Export Enforcement Director John Sonderman said:

“GlobalFoundries’ voluntary self-disclosure (VSD) and extensive cooperation throughout the investigation resulted in a significant reduction in the monetary penalty, which is the main incentive of our VSD policies.”

The BIS case falls under the Export Administration Regulations (EAR), governed by the Export Control Reform Act of 2018. These regulations ensure U.S. dual-use technology exports do not compromise national security, and violations can result in severe criminal and administrative sanctions, including fines up to $364,992 per violation or twice the value of the transaction. The case was investigated by the OEE’s Boston Field Office.

The BIS’s approach underscores a broader message to US companies to exercise caution in dealings with Chinese entities. Meanwhile, other semiconductor giants, such as TSMC, have also faced scrutiny. TSMC recently halted shipments after discovering its chips were being used in devices from Huawei, another entity on the restricted list. This suggests heightened vigilance and self-reporting could be pivotal for manufacturers navigating complex export regulations amid U.S.-China tech tensions.

The risks of manual processes in supplier onboarding

Without automation, you’re relying on people to manage critical checks and balances. But people make mistakes, overlook details, and sometimes simply run out of time. The risks of manual onboarding are too great to ignore.

  • Missed due diligence: Key documents, such as bribery policies or sanctions checks, are often missed, exposing companies to fraud and severe legal penalties.
  • Inconsistent background checks: Supplier financial stability, criminal background, and connections to known fraud are easy to overlook manually, but costly to correct.
  • Modern slavery and human rights violations: Increasingly, authorities are holding companies responsible for their suppliers’ actions, including human rights abuses. If your business is linked to unethical practices, the consequences can be devastating.
  • Cybersecurity breaches: Your suppliers have access to sensitive data. Without automated controls, a supplier’s weak cybersecurity can become a direct risk to your company.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
