Why you can’t trust the UFLPA entity list

by Josiah Ponnudurai

Compliance on issues from forced labor to energy use can no longer be fulfilled by comparing a list of your known suppliers to a government record like the UFLPA entity list. That’s partly because the UFLPA entity list isn’t the only human-rights list out there, but also because news media and watchdog organizations can uncover connections and violations unrelated to government lists.

The public doesn’t accept ignorance as an excuse, so companies are digging in now to proactively uncover problematic relationships ahead of media blowups. Government lists are a good starting point, but they are far from comprehensive.

Here’s what you need to know about government watch lists, their limitations, and how to protect your operation from forced labor and other human-rights risk.

UFLPA Entity List

Media investigators, NGOs, and other research teams investigating forced labor violations spurred the passage of the Uyghur Forced Labor Protection Act (UFLPA). This list was developed by the U.S. government to target companies that have produced goods in Xinjiang, China, using forced labor; have worked with Xinjiang government entities to use forced labor; have exported into the U.S. products made with forced labor; or have sourced materials from Xinjiang or entities working with Xinjiang.


There are 21 companies on the UFLPA Entity List, which implicates the supply chains of major brands including Apple, Nike, Coca Cola, Dell, and more. More than half of the listed companies have been tied to the metals, electronics, and retail industries. Any company sourcing electronic components is exposed to ESG violations as some of China’s largest copper, nickel, and lithium producers have been accused of utilizing forced labor in Xinjiang.

table showing percentage of various industries on the UFLPA entity list

Figure 1: The UFLPA entity list includes a high percentage of metals, clothing, and electronics industry companies (source: Everstream Analytics).

U.S. Customs led Q1 2023 with strong enforcement, with 3,327 shipments detained and 424 denied, and around 1,700 shipments still “pending.”

Key impacted sectors so far appear to be the apparel and pharma sectors, comprising 41% and 36% of detained shipments denied entry into the U.S. In Q1 the electronics sector had the most detained shipments at 1,627.

Interestingly, most of the shipments detained by the CBP under the UFLPA arrived from Malaysia (927) and Vietnam (664) – meaning that the Xinjiang link is often coming from a company’s sub-tiers, not from direct Chinese suppliers.

Customs and Border Protection List

The CBP list is formally named the U.S. Customs and Border Protection Withhold Release Orders and Findings List.

Companies land on this list when the agency has reasonable evidence on the use of forced labor from Xinjiang in the company’s supply chain. Customs will detain all products that can be tied to Xinjiang, not just the ones with identified ties to forced labor. To pass through the border, importers must prove the absence of forced labor in the product’s supply chain.

Currently there are 12 Chinese companies and 53 Withhold Release Orders on the list. The CBP adds a WRO each time they find “reasonable evidence” of the use of forced labor in a company’s supply chain. These WROs allow border officials to seize materials at the port of entry.

U.S. Customs and Border Protection has already begun seizing imported product and materials at the border in conjunction with this list. To date, CBP officials have seized $806 million worth of imports from China.

BIS Entity List

The U.S. Bureau of Industry and Security (BIS) Export Administration Regulations Entity List is by far the largest and most inclusive. The BIS Entity List modifies a set of rules called the Export Administration Regulations (EAR) to place additional licensing requirements on entities. There are 2362 global entities on the list currently. Of these, about 560 are Chinese companies, including a smaller subset of 67 on the list for human rights violations in Xinjiang.

Global companies are placed on the BIS list when suspected of being involved in activities sanctioned by the U.S. Department of State or are contrary to national security or foreign policy interests. U.S. companies seeking to export products to those on the entity list must apply for approval from the Commerce Department.

More than 190 entities from China were added to the list since January 2021 following a sharp rise in the usage of the EAR during the Trump administration. This indicates that the EAR list will likely remain one of the main tools used by the U.S. government to restrict Chinese companies of concern from accessing advanced chips and chipmaking technology.

The list imposes additional licensing requirements for exports to sanctioned companies. Sanctions have also been applied to several Chinese electronics companies for their connection to foreign missile weapons programs.

Why entity lists are limited

Although there are multiple entity lists available from the U.S. government, those lists are far from comprehensive because each organization has its own guidelines, and the lists are continually updated. Compared to the government’s lists, Everstream’s proprietary risk-analysis combination of human and artificial intelligence has identified and mapped over 182 total sub-tier suppliers directly linked to forced labor in Xinjiang. Expect the brand names who do business with those suppliers to surface in media coverage in the coming year.

table shows Everstream’s entity list is much larger than the official UFLPA entity list

Figure 2: Official government CBP, BIS, and UFLPA entity lists don’t capture the full extent of exposure to forced labor from Xinjiang (source: Everstream Analytics).

Forced labor isn’t the only issue. Watchdog groups investigate supply chain environmental, social, and governance (ESG) violations, including air and water pollution, heavy energy use, waste dumping, and labor conditions.

The risk of exposure will increase because more countries are adopting supply chain due diligence laws. Germany’s Supply Chain Due Diligence Act came into force in January 2023, the EU supply chain act is in process of becoming law, and Japan is the first major Asian nation to formally introduce guidelines on responsible supply chains.

Organizations can’t even by surveying your suppliers directly about ESG issues — they likely don’t have enough visibility to know the answers.

Technology goes beyond UFLPA lists

Any entity list is going to be dynamic, so to stay compliant companies will need to map their supply networks, and then continually monitor and assess their level of UFLPA risk.

Advanced analytics can help. Everstream’s UFLPA solution combines computerized machine-learning predictions, historical supplier data with expert human analysis to dynamically assess and predict supplier compliance risk, helping companies adapt and build responsible networks.

Managers can monitor ongoing supplier risk with Everstream’s proprietary UFLPA risk-scoring and get alerts when potential threats arise. Everstream’s UFLPA risk solution creates expert insights including:

  • Multi-tier network discovery that reveals and maps supplier relationships
  • Real-time updates from Everstream’s extensive UFLPA watch list
  • Ongoing supplier 24/7 incident monitoring
  • UFLPA-specific supplier risk assessments, scoring, and dashboards

Lawmakers, border patrol, and independent investigators are working hard to uncover links between high-profile brand names and their sub-tier suppliers that utilize forced labor in Xinjiang, China. Get the protection you need to make sure your company stays out of the news headlines.


Share this post