Monthly Archives: December 2015

Revising U.S. Export Controls: ISIS Network Poses Challenges

As the year 2015 draws to a close, fifteen of the twenty-one categories on the U.S. Munitions List (USML) have been revised as part of the U.S Government’s Export Control Reform Initiative (ECR). For three others— Categories XII (Fire Control/Sensors/Night Vision), XIV (Toxicological Agents), and XVIII (Directed Energy Weapons)—public comments have been received on new Proposed Rules, but have not yet been acted on. The revisions for the remaining three categories—I (Firearms), II (Artillery), and III (Ammunition)—have not yet been published in proposed form. As was the case with previous changes, the new rules are expected to create positive lists for each category and transfer the export jurisdiction for some types of ammunition, ordnance, and other items from State to Commerce. As the State/DDTC web site explains, the ECR initiative “is designed to better protect America’s most sensitive defense technologies, while reducing unnecessary restrictions on exports of less sensitive items.”

Precisely when these last three categories will be revised, and what the changes will be, is not clear. Work on them continues, but the wait shouldn’t be too long, because State has indicated that its goal is to finalize this initial review and revision of the entire USML in 2016.

What are the actual effects of the revisions so far? That’s a natural question at this point, but measuring and assessing the contribution of ECR is complex and challenging.

The Commerce Department has just made that task a little easier, however. On November 2, the Department’s Office of Technology Evaluation (OTE) launched a new BIS Data Portal, which makes available to the public, for the first time, regularly updated aggregate information on the numbers and kinds of export licenses issued and current U.S. export trends. The new web portal offers a valuable analysis of controlled trade with select countries, charting the ongoing impact of ECR, and exporter compliance, with tables, graphs, and Defense Industrial Base studies that users can download in either PDF or Excel format. Among the encouraging data items posted by BIS are numbers showing a steady decrease in the average processing time for a license, despite a dramatic increase in the number of applications processed.

As for the effects of ECR to date, according to the OTE’s early analyses, the regulatory changes that have been made since the initial implementation went into effect in October 2013 are already speeding up the export process significantly and helping U.S. defense companies export more goods, during a period when the U.S. defense budget is being cut and military spending is declining, while military spending in other parts of the world—especially Asia, the Middle East, Eastern Europe, and Africa—on the rise.

At this stage, it is probably fair to say that the shifting of many controlled items from the USML to the less restrictive Commerce Control List (CCL) has made exporting considerably easier for many small and medium-sized U.S. companies. For large firms in the U.S. defense sector, however, the very welcome expansion of export opportunities has been accompanied by an unwelcome sharp increase in compliance expenditures (in the short term, at least) as they grapple with the complexities and uncertainties of adjusting to the ECR changes, reclassifying products and product lines, reevaluating risk profiles and projected compliance costs vs. anticipated sales revenue, and making sure that the continuing stream of new compliance and cybersecurity requirements “flows down” to their subcontractors.

Transitioning has proved to be somewhat more difficult than anticipated. In recognition of this, on October 3, 2015, the DDTC posted an Industry Notice with updated guidance extending the two-year time periods originally permitted to defense exporters for transitioning to BIS export authorizations.

The extent to which some of the other hoped-for benefits of ECR—such forestalling the offshore outsourcing of high-tech production capabilities and generating jobs for U.S. workers— have been realized is harder to assess at this point.

Meanwhile, on the world scene, an in-depth investigative news story entitled “ISIS: The Munitions Trail” by Erika Solomon and Ahmed Mhidi, published in the Financial Times on November 30, sheds considerable light on how and where the militant movement calling itself the Islamic State, or ISIS, gets its guns, artillery, and ammunition—the three categories of military equipment on the USML that are still awaiting revision. It also raises hair raising questions about the effectiveness of the U.S. export control system, and highlights the enormous and growing challenges it now faces after two years of changes under ECR.

According to the FT investigation, the terrorist group is awash in funds from the sale of oil on the black market and several other sources, and is abundantly furnished with captured light and heavy arms (including a great deal of U.S.-made military equipment). Its most urgent, ongoing need is for vast quantities of ammunition:

ISIS seized weapons worth hundreds of millions dollars when it captured Iraq’s second city, Mosul, in the summer of 2014. Since then, in every battle that it has won, it has acquired more material. Its arsenal includes US-made Abrams tanks, M16 rifles, MK-19 40mm grenade launchers (seized from the Iraqi army) and Russian M-46 130mm field guns (taken from Syrian forces).

“But dealers say despite this, there is one thing ISIS still needs: ammunition. Most in demand are rounds for Kalashnikov assault rifles, medium-calibre machine guns and 14.5mm and 12.5mm anti-aircraft guns. ISIS also buys rocket-propelled grenades and sniper bullets, but in smaller quantities.”

The details of the organization’s operations, as reported in the article, make it evident that any nation or coalition seeking to halt the flow of needed military supplies to ISIS— which (in addition to ammunition) include agricultural chemicals and mining materials that are used to manufacture explosives for the bombs that have made ISIS infamous, and common electronic devices that are made into bomb triggers—faces a nearly impossible task. With a complex, state-like infrastructure, a multinational network of black-market traders, and a sophisticated logistics operation capable of moving large supplies of munitions to its fighting men in many fields with remarkable speed, it would appear that the “world’s richest Jihadi group” is having no difficulty procuring whatever military supplies it requires.

“They buy like mad. They buy every day: morning, afternoon and night,” says Abu Ali, who, like others who have operated inside Isis territories, asked not to be identified by his real name. . . .

These materials come from all over the world, says one Iraqi official: “Just put your finger on a map, and they’ve got something from there.”

Historically, one major stated goal of U.S. defense export controls has always been to make it as difficult as possible for unscrupulous arms dealers, terrorist organizations, and proliferators of weapons of mass destruction to obtain goods that are militarily useful.

A closely related goal has been to deter human rights abuses and prevent the stoking of violent civil disorder in certain countries, or the inflaming of regional instability. For this reason, the State Department has long sought to block the sales of small arms (such as semiautomatic rifles), light weapons (such as artillery rockets), arms parts, artillery shells, and ammunition (i.e., the “less sensitive” defense items controlled by USML Categories I, II, and III), as well as communications and surveillance equipment, and certain other goods, to governments and other entities with a consistent record of committing atrocities.

Still another goal of defense export controls has been to combat illicit arms trafficking and prevent retransfers to transnational criminal organizations via black-market middlemen. Tracking U.S. small arms and other military equipment after export has often led to the apprehension and prosecution of criminals involved in the illicit trafficking of drugs, money, art, and human beings.

Other nations and international organizations are actively involved, along with the U. S., in these arms control, nonproliferation, and international crimefighting efforts.

If the description of the “munitions trail” to ISIS in the November 30 Financial Times report is accurate, however, it plainly casts doubt on the effectiveness of past and present U.S. export controls. It is hard to avoid the conclusion that, whatever measures were taken by the U.S. and other nations to stem the flow of weapons, munitions, and other military equipment to the Islamic State and similar terrorist groups, they have largely been ineffective.

Somehow, an elaborate system of export licensing, re-export and retransfer authorizations, end-user assurances, end-use monitoring, marking, and tracking, not to mention a U.N. arms embargo on ISIS, has failed to prevent the group from acquiring a massive arsenal of weapons and equipment—weapons it has used, and continues to use, to carry out indiscriminate attacks on civilian populations and commit multiple atrocities, posing a dire threat to millions of people in the Middle East region and beyond.

The DDTC has repeated stated that the initial review and revision of the twenty-one USML categories, now in its last phase, is not intended to be the end of reforms to the U.S. export control regime. State readily acknowledges that there is still work to do on ECR; ongoing review and further input from industry and the public is expected and encouraged.

The growing terror threat posed by the Islamic State group strongly underlines the need for a great deal of further thought and discussion of U.S. export controls on arms and munitions with a view to enhancing end-user/end-use controls, ensuring effective monitoring, verification, and enforcement, and minimizing diversion and re-export risks—especially for small arms, light weapons, and ammunition.

(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)

The Key Elements of an Effective OFAC Compliance Program

Question: What advice can you offer on how to set up and maintain a successful OFAC compliance program?

Because each company has different risks and different risk tolerances, there is no simple and clear formula for creating a successful OFAC compliance program. Nevertheless, the “Compliance Program Guidelines” issued by DDTC, the “Compliance Guidelines” issued by BIS, and the summary of “Regulations for Exporters and Importers” issued by OFAC identify certain elements that each agency considers essential for a program to be effective. The advice given by the three agencies has a great deal in common. Here are the key elements of any effective corporate export compliance program, with a few comments about each.

Management Commitment and a Strong Compliance Culture

In order for any compliance measures to be effective, the Board of Directors and senior management must buy into and commit to the success of the program. By clearly demonstrating their support and participation, the company’s leadership can set the tone for the entire staff and foster a culture of integrity—which includes transparency and compliance—throughout the organization. That means, among other things, a culture of self-reporting possible violations and inquiring to assess their scope and the extent of program exposure, instead of a culture of covering up and writing off penalties for violations as “a cost of doing business.”

A Qualified and Empowered Export Compliance Officer

Unless your company is very small, the appointment of a dedicated Export Compliance Officer (ECO) with a clear mandate to focus on this critical function is highly desirable. Consider that your ECO is charged with protecting you from risks where penalties can reach hundreds of millions of dollars. With a roster of laws and regulations that is continually changing, managerial staff in internal control roles today have a more challenging job than ever before, with ever-wider responsibilities.

Your company’s ECO should:

—     have a direct line of communication to the Board of Directors and senior management.

—     be knowledgeable concerning the ITAR, EAR, and OFAC regulations, and have a good working understanding of your company’s products, services, technologies, suppliers, and customer base. Don’t hire an inexperienced individual, unqualified for the role, and don’t skimp on his/her ongoing education and training.

—     have full authority to look into all compliance-related matters and put together a project team to address and resolve problems when they arise.

—     have sole responsibility for managing communications with regulatory agencies (such as Commerce/BIS, State/DDTC, and Treasury/OFAC) for all compliance-related issues.

—     be responsible for monitoring official announcements and press releases from DDTC, BIS, and OFAC daily for developments or enforcement actions that could impact your company’s line of business or its suppliers, and for communicating changes in regulations, policies, or procedures to company personnel by means of in-house e-mails, newsletters, announcements, or notices posted on the company intranet.

Thoughtful, Clearly Articulated Internal Policies, Procedures, and Controls

The level of sophistication of your internal compliance controls will naturally depend on the nature and scale of your business. What is essential is that policies, procedures, and controls be carefully thought out, clearly set down in writing, and effectively communicated to all employees, agents, and business partners. Individual compliance responsibilities should also be expressly included in job descriptions and performance evaluations of personnel, as appropriate.

You need to provide your employees with an easy way—such as an anonymous hotline or “help line”—to report potential violations of U.S. export laws and regulations or of the company’s export compliance policies without fear of reprisal; and you need to be consistent in investigating each report, and in implementing disciplinary procedures to address violations when they are encountered.

Effective Use of Information Technology

To avoid OFAC violations, it is crucial that companies have robust screening procedures in place that cover transactions, customers, suppliers, personnel, and business partners. This is a daunting task, because OFAC is concerned not only with a relatively small number of country sanctions (such as those found on BIS’s Commerce Country Chart and DDTC’s Country Policies and Embargoes chart), but also with many thousands of Specially Designated Nationals (SDNs), an ever-changing list of individuals, business entities, groups and organizations, banks, and even ships (or “vessels of concern,” as OFAC calls them). Nor is the SDN List the only list against which transactions should be screened. There are also the BIS’s Denied Persons List, Entity List, and Unverified List, the DDTC’s Debarred Parties List, the FBI’s Most Wanted Terrorist List, United Nations 1267 List, the European Union Sanction List, the HM Treasury Sanction List, and others as well.

Even if your company is small, reliance on manual screening and monitoring processes alone now carries an unacceptably high risk and should no longer be considered a viable option. Today it is imperative that U.S. exporters use information technology to the maximum extent feasible in seeking to implement the know-your-customer rule (KYC) and other due-diligence measures for preventing unlawful diversion and ensuring that their shipments will reach only authorized end-users for authorized end-uses. A reliable screening software solution that uploads changes to the list as close to real-time as possible is a critical element in any company’s compliance program.

Many “off-the-shelf” transaction monitoring systems—most of them web-based—are available, at a wide range of prices and with a range of features that include basic screening against multiple denied parties lists, batch screening, sophisticated search algorithms employing “fuzzy logic,” the ability to generate custom reports of all kinds, automated recordkeeping, and real-time monitoring with immediate notification of any changes. But even with the purchase of commercial software, developing and implementing a screening system that will protect your company effectively is going to require the investment of some time and effort to calibrate, configure, and fine-tune the screening algorithm to match your business’s specific needs. The failure to do so will render even the best screening software ineffective and leave your company at risk. Screening software also brings with it certain inevitable limitations, including the potential for false positives, even after the screening algorithm has been optimally configured for your company’s risk profile. In some cases, it will be necessary to follow up the screening with manual reviews of entities or persons.

In the course of performing compliance audits and risk assessments for exporters, both large and small, in the U.S. and overseas, our audit teams still encounter far too many companies who employ a manual transaction screening procedure that consists of logging on to a series of web sites, screening customers, vendors, personnel, and other entities of concern, one at a time, against a hodgepodge of lists, and then updating the results of the search on a tracking spreadsheet. Not only is this manual method time-consuming and limited in the number of lists you can reasonably screen against, but also it does not lend itself well to compliance records retention. Spreadsheet programs, such as Excel, were never meant to function as databases. They are not secure and are notoriously error-prone. They cannot handle attachments of documents, photos, licenses, verifications, and other evidence. While it is true that they are easy to use and convenient to update, because they lack the ability to track changes over a period of time and have no audit trails for data or formulas, they are an auditor’s nightmare. Even the most basic IT-based screening solution and monitoring is clearly preferable.

Ongoing, Relevant Employee Training

Regular employee training ensuring that all staff understand the applicable laws and regulations as well as the business’s policies, processes, and specific risk profile, has always been a key component of any corporate compliance program. But for OFAC compliance, training is even more critical than it is for ITAR and EAR compliance, due to the dynamic nature of U.S. trade embargoes and the speed with which some programs are announced and evolve. Even automated screening can go only so far in helping to detect sanctions violations. Consider that entities on the SDN List can open fake bank accounts, individuals can create false identities, and both can use proxies or agents to place orders on their behalf internationally. There is always some degree of risk that you are doing business with someone you shouldn’t and are violating OFAC’s rules. Alert trained employees will spot red flags and inconsistencies that software can’t.

For that reason, you need to identify your company’s frontline employees from a compliance perspective—those whose duties require an awareness of ITAR, EAR, and OFAC regulations—and train them to understand the sanctions vulnerabilities you face and how serious these are, spot potential problems quickly, and respond appropriately. Those men and women are your ultimate line of defense. Even when there is a strong commitment on the part of management and when sound internal processes are in place, a work force without proper training will leave your company exposed and at high risk. All the compliance policies, procedures, and “best practices” in the world are worthless unless they are known, correctly understood, and followed by your employees. Even worse, they may create a sense of false security.

Export compliance training needs to start right away, with new employee orientation. Regular retraining events should provide updates to internal polices, procedures, processes, and monitoring systems. In order for compliance awareness training to be fully effective, it needs to include realistic practical illustrations of potential violations and credible scenarios of suspicious activities with “red flags” that should put a transaction on hold and trigger a report to Compliance. For that reason, off-the-shelf employee training materials should never be simply purchased and deployed “out of the box”; they must first be tailored to the specifics of the company’s business. This is definitely not a situation where “one size fits all.”

The following are some of the most common weaknesses our teams have observed when assessing corporate training programs:

—     Employee training is not conducted regularly or frequently enough.

—     Deadlines for completing or renewing training are not enforced.

—     Training content is not being updated.

—     Training is deployed, but without any test or questionnaire to verify knowledge retention.

—     When employees were found to have breached either U.S. export regulations or the company’s stated compliance policy, additional employee training was not conducted to remedy the situation and prevent repetition.


“Every one of your employees has the ability to damage—or to protect
and enhance—the reputation of the company.”

Independent Reviews and Risk Assessments

Regular compliance reviews and assessments, conducted by experienced outside auditors, consultants, or other qualified independent parties, are really the only reliable way to verify that your OFAC compliance program is operating as effectively as possible and is fully compliant with the law. It is imperative that these assessments be performed by an individual or team not directly tied to or responsible to the Compliance Department. In very large corporations, they could be conducted by the Internal Audit Department, if one exists, but only if Internal Audit has proper specific export compliance expertise. Otherwise, the company should hire experienced external consultants.

The frequency of these reviews should be commensurate with your company’s risk profile. Every 12 to 18 months is typical. Ask the reviewers to report their findings directly to the Board and/or senior management—not only to the compliance officer or department. And it’s always a good idea to ask that an Executive Summary be included in the written report. The report should aim at giving management practical insight into the programmatic strengths and weaknesses. It should also suggest specific remedial actions to bring the company back into full compliance. Those suggestions should not be ignored.


“A single weak or missing element will undermine
your entire OFAC compliance program.”

(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)