By George Canovas, Vice President Compliance, FD Associates
Over the past 35 years, FD Associates has seen just about every version of an export control failure.
Not every compliance failure looks the same. Some companies lack a real program altogether. Others have policies, training, and approvals in place, but still fail because they rely on information that is never independently verified.
What is becoming more visible is not just enforcement activity, but how predictable the underlying pattern has become, even inside organizations that consider themselves compliant.
A recent indcitment of three individuals revealed a significant diversion of advanced US AI enabled servers worth billons of US dollars to China involving the co-founder of the company, who was also a board member and Senior Vice President of Business Development, its office in Taiwan and a third party broker. The FBI described a familiar set of tactics, false documentation, layered intermediaries, and even staged audit environments designed to pass inspection.
What stands out is not how sophisticated the scheme was, but how closely it mirrors structures FD Associates has seen in compliance reviews and audits over the years. The details change, but the underlying mechanics often remain the same.
The Pattern Behind the Headlines
If you take a step back from the headlines and look at how this AI computer diversion unfolded, the structure becomes clear. In this case, a US manufacturer was selling high performance AI servers that required an export license from the Department of Commerce for export to China. Instead of shipping directly, orders were placed through a company in Southeast Asia that did not require an export license and that company was presented as the end user.
Those servers moved through legitimate channels and were delivered as expected. On paper, everything aligned. The destination was permissible, the documentation was in order, and internal approvals for the transaction were obtained.
However, it was from this point that the transaction changed.
The servers were repackaged and redirected. As it turns out, the end user on paper was really a false intermediary and the real end user was in China. The documentation that supported the transaction had been structured to pass internal review, not to reflect reality.
At the same time, when both internal and government inspections were expected, dummy servers were staged to create the appearance that the equipment remained in place. Meanwhile, the actual systems had already moved to their final destination.
Communication between the parties took place outside normal channels, i.e., outside of company emails in encrypted messaging apps and the illegal diversion structure became more aggressive over time, eventually moving significant volumes of controlled technology.
None of this is particularly complex. But clearly it is effective and it is repeatable. Step back from the specifics and the pattern becomes obvious. A legitimate destination is used as a front door. Intermediaries are layered in to create distance from the actual end user. Documentation tells a clean and consistent story, while the logistics chain operates outside the exporters visibility.
By the time anyone looks closely, or even looks at all, the product is already somewhere it was never supposed to be. As mentioned, these are pretty consistent diversion playbook moves, and ones we have seen play out many times in the past.
When dealing in a high risk area such as AI computers, heightened awareness should have prevailed among the C-Suite and functional department leads.
When Everything Looks Right on Paper
In many of these situations, the company involved does not believe it has a compliance issue, in fact, they indicate they have a robust compliance program. There are policies in place, training and there are approval processes that appear to function as intended.
The bottom line is that on paper, the system works. The problem is, and this is important to focus on, that these systems are designed to validate the information they receive. When that information is incomplete, structured, or intentionally misleading, the outcome still appears clean.
We have seen transactions where the stated consignee was not the real end user, where the destination country was technically correct but only temporary, and where intermediaries were involved but never fully understood. In each case, the documentation aligned because it was built to align.
The compliance program did not fail in a traditional sense, it operated on a version of reality that was not accurate.
Where Companies Consistently get Exposed
After enough of these reviews, the same pressure points start to surface.
Third country routing is often treated as low risk, particularly when the initial destination does not require a license. What happens after delivery is assumed rather than verified. Intermediaries are accepted based on familiarity or past dealings, without a clear understanding of who they represent or how they operate within the transaction.
Audits tend to focus on whether documentation is complete and consistent, rather than whether it reflects what actually occurred. Red flags are noticed, but not always escalated in a way that changes the outcome. And in many cases, compliance is brought in after the structure of the transaction has already been set, rather than at the point where decisions are being made.
None of these issues are unusual. That is what makes them so difficult to detect.
The Uncomfortable Part
What makes cases like this resonate is not how unusual they are, but how familiar the underlying patterns feel. Many organizations will recognize elements of this in their own operations, whether they acknowledge it or not. Not at the same scale or with the same intent; but, the structure is often there and structure is what determines outcome.
In most cases, no one thinks they are doing anything wrong. The transaction looks reasonable. The customer seems legitimate. The paperwork is complete. Each step, on its own, makes sense. That is exactly why it gets through.
The best diversions work the same way good magic trick works. They are not about hiding everything. They are about controlling where you look.
- Your attention is on the paperwork, so the paperwork is clean.
- Your attention is on the stated destination, so the destination appears compliant.
- Your attention is on the approval process, so the approvals are in place.
While that is happening, something else is moving just outside that line of sight. Like in all organizations, the process is a checks-and-balances approach where everything is being reviewed in pieces or in steps. Each document checks out, each approval is based on what is presented, and each person is looking at their part of the process. It all checks out.
But what is clear is that no one is seeing the full picture, and by the time someone does, the product has already moved. This is what makes these situations so difficult to catch in real time. Everything is happening at normal speed, and each step looks reasonable on its own.
It is only when you slow down what happened, like an instant replay in sports, that the details become visible. In real time, the play looks clean, not out of bounds. But when it is replayed frame by frame, you start to see what was missed, the slight shift, the extra movement, the moment where the catch occurred out of bounds – something does not line up.
The best diversion schemes work the same way. In real time, the transaction looks complete and consistent. Only when you step back and reconstruct the full sequence do the gaps begin to appear. By then, the outcome is already decided.
The risk is not always in one obvious place. It lives in the gaps between what is documented and what is actually happening, and those gaps are easy to miss when everything is moving as expected. Something that most compliance programs are not designed to catch and this is the reason these situations keep repeating. Not because they are hidden, but because they look normal.
What Actually Works
So, how are these types of issues addressed, you may be wondering. Well, using traditional compliance corrective measures will not address these issues. Again, compliance programs are structures to address company process failures. In these types of cases it’s not about adding more policies or expanding training programs.
What tends to make a difference is how information is validated and how decisions are challenged. That includes independently verifying end use and end user, understanding the full transaction chain rather than just the immediate counterparty, and testing transactions in a way that goes beyond document review.
It also requires a clear separation between commercial pressure and compliance decision making, along with escalation paths that do more than record concerns and actually influence outcomes.
This is less about building a larger compliance program and more about building one that can see what is actually happening.
Final Thought
If there is one consistent lesson across the cases that FD Associates has seen over the years, it is this:
The biggest risk is not what companies do not know (although this is obviously important), it is what they believe to be true, but have never independently verified.
In real time, everything looks right using our normal compliance program lens. The transaction moves forward, all the paperwork aligns and the approvals are in place. There is no obvious reason to stop.
It looks like a clean play.
But as we have discussed, the best diversion schemes work like a well executed play that only reveals itself on replay. At full speed, nothing stands out. It is only when you slow it down and look at the full sequence do the details start to show. By then, it is too late.
From our experience, this is where most compliance programs begin to break down. Not because there are no rules, and not because there is no process, but because there is a belief that what is being seen reflects what is actually happening. As we note here, and in many other cases, it does not. And that gap, between what appears to be true and what is actually happening, is where serious compliance failures live.
If these issues resonate, maybe it is time to take a closer look at your compliance process before you need the replay.