Beyond Sanctions and Export Controls: The Rise of Outbound Investment Rules
How OIR introduces a new dimension to financial-crime compliance
Most compliance professionals are familiar with two major national-security regimes: sanctions and export controls. But over the past year, a third regime has quietly entered the landscape, one that many in financial services are only beginning to encounter.
This third regime is Outbound Investment Rules (OIR).
So what is OIR?
Think of it this way: while sanctions tell you who you can deal with, and export controls tell you what technology you can send abroad, OIR is about where your money is allowed to go, especially if that capital could help a foreign company build capabilities in sensitive technologies. That means areas like advanced semiconductors, quantum tech, AI, and anything with a potential military or dual-use angle.
It’s less about stopping a transaction today, and more about preventing the development of capabilities tomorrow. And although OIR gets talked about in geopolitical circles, it’s increasingly becoming a very real part of day-to-day financial-crime compliance. Regulators already expect firms to show they’re gathering information, assessing the risk, and documenting how they arrived at their decisions.
A few days ago, I sat down with a lawyer and a compliance specialist who’ve been living and breathing OIR since the early drafts. What surprised me most is how early we still are as an industry. Plenty of smart, seasoned compliance professionals are just beginning to recognise the terminology, let alone the operational implications.
So here’s my attempt to share the essence of what we discussed, and some of the things I wish someone had explained to me when I first came across this topic.
Why does OIR exist in the first place?
To understand OIR, you need to zoom out a little. Governments are increasingly treating technology as national security infrastructure. With AI, quantum and semiconductor dominance becoming strategic priorities, countries are using everything from sanctions to tariffs to export controls to shape the playing field.
Outbound investment rules fit into that same toolkit. They’re meant to stop domestic capital from helping overseas players build sensitive capabilities. And once you see it from that angle, the rest makes a lot more sense.
It’s not sanctions, but it behaves like them
OIR technically governs investments rather than payments. But if you look at the workflow, anyone who works in sanctions will get déjà-vu very quickly:
You still need to figure out who you’re dealing with.
You still need to understand ownership and control.
You still need to map activities against restricted categories.
You still need to document your logic.
The processes all feel familiar, only applied to a different problem set.
The hardest part is figuring out who counts as a “covered foreign person”
All parties I’ve spoken to agree this is the most painful piece. Some of the challenges everyone is facing:
There’s no master list.
There’s no vendor tool you can rely on.
Corporate structures in these sectors are rarely straightforward.
And then you run into vague definitions like “controlled by” or “material contribution.”
In other words, compliance professionals will have to make judgment calls, and they’re going to need a methodology that they can defend to regulators later.
And yes, it overlaps with export controls
If a client is dealing in restricted technology, there’s a decent chance export controls already apply. OIR simply adds a new dimension: capital flows. And regulators increasingly expect institutions to consider these regimes together, not in isolation.
The “foreign person test” is trickier than it sounds
This isn’t just a standard nationality check. You need to think across multiple layers:
the person or entity itself,
who ultimately owns or controls it,
the jurisdiction influencing the activity,
and whether the underlying technology changes the risk profile.
That’s far more nuanced than traditional AML work.
So what does this mean for financial institutions?
In short: OIR is a due-diligence challenge disguised as a policy regime.
It requires asking questions we aren’t used to asking, like:
“What does this company actually do?”
“Is their R&D part of a sensitive area?”
“Who are they collaborating with upstream and downstream?”
And governance needs to start early. It’s far easier to build a framework now than to scramble when enforcement begins. A cross-functional group (AML, sanctions, legal, product, front office) is no longer optional.
Documentation also becomes critical. Regulators aren’t expecting perfection, but they are expecting reasonable, well-thought-out decisions: how you interpreted definitions, what sources you relied on, and why your classification landed where it did.
And since vendors don’t have an OIR “list” yet, and probably won’t for a while, firms are going to have to rely on analyst judgment, OSINT, and solid decision logs.
The open questions
And here’s the part no one has fully solved:
Where’s the line between “AI” and “advanced AI”?
What qualifies as “quantum-related”?
How much involvement counts as “material”?
Does a small minority stake matter if it comes with a board seat or special access rights?
And what do you do when US rules, EU consultations and China’s countermeasures don’t align?
Each to his own, and as reasonable as we all try to be, this is exactly where, and why, the audit log matters the most.
So how should firms prepare?
One key message I heard from the practitioners:
Treat OIR with the same seriousness as sanctions.
That means building internal expertise in geopolitics and technology, embedding OIR into onboarding and periodic reviews, setting up decision frameworks early, and aligning across regions where interpretations will inevitably diverge.
A closing thought
The more I look at this space, the more it reinforces a broader trend: financial-crime risk isn’t confined to traditional AML lanes anymore. Technology, geopolitics, capital flows and national security are colliding in ways we’ve never really had to deal with before.
Outbound Investment Rules might feel abstract right now, but the direction of travel is obvious. Capital itself is becoming a regulated vector of national security.
For compliance teams, this means we need to expand our fluency: not just in “who” and “what,” but increasingly in the “why.” And as with any emerging regime, the firms that start thinking about this early will be in a much better position when regulators start asking hard questions.
If you want to swap interpretations or compare how your firm is preparing, I’m always happy to chat. This is new territory for everyone and we’re all figuring it out together.
Thanks for reading,
Alexey