How Cadence Paid $140M for Denied Party Screening Failures — And What SMBs Can Learn

In 2025, the Bureau of Industry and Security (BIS) and the Department of Justice (DOJ) levied a combined $140+ million penalty against Cadence Design Systems — one of the largest export control enforcement actions in U.S. history. The root cause wasn't a rogue employee or a deliberate sanctions-busting scheme. It was a systematic failure of denied party screening.

If you think this only happens to Fortune 500 companies, keep reading.

What Happened: The Cadence Case

Cadence Design Systems is a leading U.S. developer of Electronic Design Automation (EDA) software — the tools chipmakers use to design semiconductors. Between September 2015 and early 2021, Cadence committed 56 violations of the Export Administration Regulations (EAR).

Here's what went wrong:

They exported to a front company for a blacklisted Chinese military university. The National University of Defense Technology (NUDT) had been on BIS's Entity List — the export blacklist — since 2015. Rather than deal with Cadence directly, NUDT operated through an alias: Central South CAD Center (CSCC). Cadence shipped $45.3 million worth of EDA hardware, software, and semiconductor design technology to CSCC, knowing — or having clear reason to know — that NUDT was the real end-user.

They kept shipping after internal warnings. Internal Cadence communications showed that some employees knew CSCC was a front for NUDT. They exported anyway. Cadence also continued transfers to Phytium Technology, another Entity List company, until early 2021 — stopping only after an internal compliance review flagged the problem.

The penalty: BIS imposed a $95 million civil penalty. The DOJ followed with a criminal settlement totaling nearly $118 million, including $45 million in forfeitures. Total combined exposure: over $140 million. Mandatory compliance audits and enhanced oversight were also imposed.

"Cadence China employees installed EDA hardware on NUDT's campus … NUDT personnel downloaded EDA software and IP technology from Cadence's download portals while Cadence and Cadence China, through its employees, had knowledge that NUDT had been added to the Entity List." — U.S. Department of Justice

Why This Matters Beyond Big Tech

It's tempting to dismiss this as a large-company problem. Cadence had $550 million in China revenue in fiscal 2024. The violations involved sophisticated controlled technology — specialized semiconductor design software, ECCNs for semiconductors, EAR99 items.

But the underlying compliance failure is entirely ordinary: screening didn't catch a restricted party, and the business kept shipping.

That failure happens at companies of every size.

The U.S. Consolidated Screening List (CSL) contains over 25,000 entries across seven government-maintained lists:

• Specially Designated Nationals (SDN) — OFAC's list of sanctioned individuals and entities
• Entity List — BIS's blacklist of foreign parties requiring export licenses
• Denied Persons List (DPL) — companies and individuals denied U.S. export privileges
• Unverified List (UVL) — parties BIS couldn't verify in end-use checks
• Military End-User (MEU) List — parties subject to enhanced controls for military end-use
• Debarred Parties — State Department's ITAR debarment list
• Non-SDN Menus — Treasury's targeted sanctions lists

Any business that exports goods, shares technology, provides services, or processes international transactions is operating in this environment — whether they know it or not.

What the Regulations Actually Require

U.S. export control law doesn't require intent to violate — it requires reasonable care.

Under the EAR, businesses have an affirmative duty to check whether parties in a transaction appear on a restricted list. Ignorance is not a defense. The standard is whether you "knew or had reason to know" — which means red flags you saw and ignored count just as much as confirmed knowledge.

As of January 2025, the maximum administrative penalty is $374,474 per violation or twice the transaction value, whichever is greater. Criminal violations carry up to $1 million per violation and 20 years in prison.

Key obligations for U.S. businesses include:

Screen before every transaction — not just at onboarding. Lists change. NUDT was added to the Entity List in 2015; Cadence's violations started immediately after.

Screen all parties — not just your direct customer. End-users, intermediaries, freight forwarders, and beneficial owners all need to be checked.

Maintain an audit trail — BIS and OFAC expect documented evidence that screening occurred, who ran it, what was found, and what action was taken.

Act on red flags — a customer operating through an alias, unusually vague end-use representations, or a delivery address that doesn't match the stated business are all red flags that must be investigated.

BIS updated its Administrative Enforcement Guidelines in 2024 to explicitly link penalties to transaction value and the circumstances of each violation. Cooperation and compliance program quality directly affect outcomes — Cadence's cooperation reduced its penalty, but it didn't eliminate $140M in liability.

The SMB Risk Is Real

Small and mid-size businesses face the same legal framework as Cadence — with far fewer resources to absorb the consequences.

Consider common SMB scenarios:

• A manufacturer sells industrial equipment to a distributor in the UAE. The distributor's beneficial owner is on the SDN list.
• A software company offers trial downloads to international users. A user from a sanctioned country downloads without triggering any alert.
• A professional services firm engages a subcontractor overseas. The subcontractor is on the Unverified List.
• An e-commerce business ships products internationally without knowing that one product's ECCN requires a license for specific destinations.

None of these businesses set out to violate export controls. All of them could face BIS or OFAC enforcement if they haven't built denied party screening into their workflows.

The Cadence case is useful precisely because the failure mechanism was so simple: the entity was on a list, and the company shipped anyway. Automated screening against the current CSL would have flagged NUDT — or CSCC — before the first shipment.

What Good Denied Party Screening Looks Like

Effective denied party screening isn't complicated. It requires three things:

1. Comprehensive list coverage. Screen against all relevant government lists — not just OFAC's SDN list, which many businesses know, but also BIS's Entity List, Denied Persons List, Unverified List, and the other CSL components. The Cadence violations centered on the Entity List — a list many SMBs don't screen against at all.

2. Fuzzy matching. Restricted parties use aliases, alternate spellings, and transliterations. "Central South CAD Center" and "NUDT" don't match on a literal string search. Effective screening uses fuzzy name matching to surface close matches for human review — exactly the kind of check that would have caught the CSCC alias.

3. An audit trail. Every screen — clean or flagged — should be logged with a timestamp, the party screened, the lists checked, and the result. This documentation is your first line of defense in an enforcement inquiry.

BIS's new guidance for financial institutions, published in October 2024, calls out real-time screening as a best practice. The same logic applies to exporters: screening at transaction time, not just at onboarding, is what catches the NUDT problem before it becomes a $140M problem.

The Bottom Line

Cadence's $140M penalty is a landmark BIS enforcement action — but the compliance failure at its core is not exotic. They exported to parties on a U.S. government blacklist without adequate controls to stop it.

Every business that operates internationally faces some version of this risk. The lists are long. They update frequently. And the penalties for getting it wrong are severe, regardless of whether you're a $3 billion EDA company or a $3 million manufacturer.

Denied party screening doesn't require a compliance department or an enterprise software budget. It requires checking your counterparties against the right lists — every time — and keeping a record that you did.

ScreenShield provides denied party screening against the full U.S. Consolidated Screening List — including BIS's Entity List, Denied Persons List, and OFAC's SDN list. Screen a name in seconds and download your audit trail. Try it free at screenshield.dev.