AI Analytics

Technical writing

Not All Lists Are Sanctions: A Field Guide to US Restriction Regimes

· 9 min read· AI Analytics
OFACBISSanctionsExport ControlsOpen Data

“The company is on a US list.” The sentence sounds decisive, and it is almost useless. The United States restricts foreign companies through at least five separate regimes, run by four different agencies, with five different legal effects. Calling all of them “sanctions” is not just sloppy — it can be defamatory, and it misstates what a company can and cannot do. This is a field guide to the five.

The five regimes

  • Sanctions — asset freeze (OFAC, SDN List). The heaviest tool: all property and interests in property are blocked, and US persons generally cannot deal with the party at all. This is what “sanctioned” properly means. See OFAC SDN integration.
  • Export controls (BIS, Entity List). Not a freeze. It imposes a license requirement — usually with a presumption of denial — on exports and reexports of items subject to US jurisdiction. The company can still operate; it just can't easily receive controlled US technology. See BIS export enforcement.
  • Securities investment ban (OFAC, NS-CMIC List). Narrow and specific: US persons may not buy or sell the publicly traded securities of designated Chinese military-industrial-complex companies. It is not an asset freeze and not an export rule.
  • Import ban — forced labor (CBP, UFLPA Entity List). A rebuttable presumption that goods made by the listed entity are barred from import into the US. It governs goods coming in, the mirror image of export controls. See the UFLPA Entity List.
  • Equipment authorization bar (FCC, Covered List). Bars new equipment authorizations for national-security reasons. It does not freeze assets or ban all US sales of existing products — a frequently misreported distinction.

Same agency, different tools

Note that two of the five are both run by OFAC — the SDN asset freeze and the NS-CMIC securities ban — and they are still not the same thing. Each OFAC action also carries a program code (RUSSIA-EO14024, CMIC-EO13959, SDGT and so on) that pins it to a specific legal authority. The sanctions-programs reference decodes those codes; the point here is that even within one agency, the code tells you which authority — and therefore which effect — applies.

# The five regimes have DIFFERENT issuing agencies, lists, and legal effects.
# Resolving "is company X restricted?" means checking the right list for the
# right kind of restriction — a single yes/no flag is wrong.

REGIMES = [
  # name                       agency   list                       effect
  ("Sanctions (asset freeze)", "OFAC",  "SDN List",                "block all property & US-person dealings"),
  ("Export controls",          "BIS",   "Entity List",             "deny export/reexport licenses (presumption of denial)"),
  ("Securities investment",    "OFAC",  "NS-CMIC List",            "ban US-person purchase/sale of the issuer's securities"),
  ("Import ban (forced labor)","CBP",   "UFLPA Entity List",       "rebuttable presumption goods are barred from import"),
  ("Equipment authorization",  "FCC",   "Covered List",            "bar new equipment authorizations (not an asset freeze)"),
]

# A company can appear on SEVERAL at once, on NONE, or move between them over time.
# Always pair the listing with the ISSUING AUTHORITY before describing its effect.

Why the distinction is not pedantry

  • Legal accuracy. Saying a company is “sanctioned” when it is merely on the Entity List overstates the restriction and can be actionable. The verb has to match the regime.
  • Different remedies. Getting off the SDN List, the Entity List, and the UFLPA list are different processes before different agencies. The path out depends on which list you are on.
  • Multiple, simultaneous, and changing. A single company can sit on several lists at once, on none, or move between them as actions are added or rescinded — so a one-bit “restricted?” flag loses the information that matters.
  • Different data feeds. Each regime publishes its own list with its own schema; there is no single master file, which is exactly why due diligence has to query all five deliberately.

This taxonomy is the backbone of SpyLedger, which labels every designation with its issuing authority and legal type precisely so an export-control listing is never rendered as a flat “sanction.” Get the regime right and a government “list” becomes a precise statement; get it wrong and it becomes a liability.

Related writing: When a Breach Happens — the same fragmentation in cyber-incident disclosure: one event, three federal regimes, no shared key.

Related writing: Trade, Sanctions, and Export Controls — the broader synthesis joining these rules to the goods and entities that move under them.

See also: The Recall Web — another case where one question (“what's restricted?”) fragments across multiple agencies with no shared key.