EXPORT COMPLIANCE IN 11 WORDS
A Series on Export Compliance Essentials
(Part 8 of 12)
Failure to perform Restricted Party Screening was cited as either a root cause or a contributing cause in more than a few recent cases of export violations that resulted in severe penalties for U.S. companies. Protect your company by equipping your people with effective software tools for screening intermediaries and end-users in any potential export transaction.
In export control parlance, the process of checking and cross-referencing the entities involved in an export transaction against a variety of “black lists” prohibiting or curtailing trade with certain individuals, businesses, organizations, and nations is called Restricted Party Screening (RPS) or Denied Party Screening (DPS).
A number of such lists of “entities of concern” are maintained by the U.S. Government; similar lists are maintained by other governments (notably the UK, Canada, and Japan) and international bodies (notably the European Union and the United Nations). The “concerns” about the listed entities may be political or economic in nature (e.g., human rights violations, foreign policy and trade issues), security-related (e.g., terrorism, risk of diversion to WMD programs), or criminal law enforcement matters (e.g., narcotics trafficking, money laundering). All the lists are continually updated; names may be added or deleted at any time.
The U.S. Government takes the laws, regulations, treaties, and agreements that lie behind these sanctions lists very seriously and enforces them vigorously. Multi-million dollar fines and settlements for sanctions violations are not uncommon, and some U.S. firms have had their export privileges revoked or suspended. A breach of trade sanctions can also result in the commission of criminal offenses punishable by imprisonment.
Restricted Party Screening is a compliance control process designed to keep your company from breaking the law and prevent you from incurring penalties by inadvertently doing business with an embargoed country or restricted entity.
Screen. If you’re a frequent or regular exporter (or if you’re actively seeking to market your goods and services more widely overseas), you should be routinely screening not only your customers and potential customers, but any firms or individuals associated with your company’s export business.
Some candidates for RPS include:
- Countries—any places where your buyers, intermediate and ultimate consignees (if different from the buyers), or end-users are based or situated.
- Customers—not just foreign customers, but domestic customers, too, especially if they
- Prospective customers (e.g., RFQs, RFIs).
- Manufacturers, suppliers, and vendors of raw materials, parts, or components.
- Contractors and subcontractors.
- Freight forwarders and customs brokers.
- Shipping companies.
- Foreign banks and other financial institutions.
- Visitors and the companies or governments they represent.
- Brokers, sales representatives, and overseas agents.
- Consultants, including research partners, institutions, and universities.
- Business partners.
- Parties to a potential acquisition or merger.
- Employees and new hires.
- Contract workers.
- Service providers.
- Proposed recipients of software source code and technical data.
- Any “pay to” parties.
- Any “pay from” parties.
- Any “ship to” parties.
- Any other parties associated with an export transaction.
Some managers are under the mistaken impression that the legal requirements for business dealings with restricted or denied parties apply only to international sales or items shipped overseas. That is simply not the case: those prohibitions can also apply to domestic or in-country transactions. If any of the parties to a domestic transaction is listed on one of the U.S. Government’s Blocked, Denied, Entity, Specially Designated Nationals, or Debarred Persons lists, the transaction should be handled with the same caution as would be used in dealing with an overseas transaction — which means you are almost certainly legally prohibited from dealing with that party. So — depending on the nature of your business and products — Restricted Party Screening may be a wise idea for domestic transactions as well as exports.
Re-screen. Because governments and international agencies are continually updating their lists, you need to be continually re-screening your parties. Your Denied Party Screening isn’t really finished until you’re really finished doing business with the party. Repeated screening of previously screened parties may seem like overkill, but it isn’t. Re-screening is imperative to ensure that their names weren’t added to one of the lists since the last time you checked.
How often should re-screening be done? Many compliance professionals would answer, “Every day!” But while daily re-screening is a good practice, an even better answer is, “Real-time!” Today’s RPS screening software, much like your other software, updates continually and automatically, and can be configured to alert you immediately if the status of any previously cleared party has changed.
Even with the necessary screening software in place and properly configured to your company’s needs, continual vigilance remains important. Although the latest trade compliance software uses advanced search methods to return accurate matches, the search results still need to be eyeballed and evaluated by a real live person who is qualified to make an informed decision. Software developers continue to make improvements, but the process of matching the parties to a transaction with an actual restricted party is still far from an exact science, and that isn’t likely to change anytime soon. Part of the problem resides in the lists themselves: the information they provide is often scanty and unreliable. Part of the problem resides in the “entities of concern”: they can be tricky people whose names and addresses are continually morphing. Software can do amazing things, and the programmers I know are all incredibly smart; but it’s hard to write code for gut instincts and horse sense. Final screening decisions are best left to human beings.
Depending on the nature of the list and transaction, a “match” could mean that you are legally forbidden to contract with, sell to, ship to, receive payments from, make payments to, convey technology to, have technical discussions with, or buy from the restricted party. Some U.S. companies simply choose not to engage in any transactions whatsoever with listed entities, even when certain kinds of transactions may not, strictly speaking, be legally prohibited, or when they could pursue and possibly obtain an authorization from the relevant government agency. They may do this as a matter of company policy or corporate values, for the sake of the company’s reputation, from the standpoint of cost-effectiveness, or for other reasons.
Actually, nowhere in the ITAR or EAR is it explicitly stated that a business must perform Restricted Party Screenings or purchase RPS software. So, a failure to screen the parties to a transaction is not in itself an export violation. But the U.S. Government does require exporters to exercise due diligence to avoid violating U.S. laws and regulations in conducting their export transactions. That requires knowing the who, what, when, where, and how of all their business dealings. And that implies a careful and conscientious review of the denial lists. Realistically speaking, if RPS is not included in your company’s export compliance program, export violations are all but certain. In fact, you may have already committed some.
Keep records. Documenting your screening processes and decision-making, especially your responses to positive matches, is of the utmost importance. If you are asked about the export transaction at a later date, you should be able to explain the rationale behind your determinations clearly and confidently, demonstrating that the necessary level of due diligence was employed. Detailed notes regarding your incident response activities are a must so that facts are clear and your decisions are defensible in the event of a company visit or directed compliance audit.
You may know perfectly well that your company screens every single one of its export transactions thoroughly, but if problems should arise at a later date and it turns out there’s no record anywhere of your RPS activity, it might just as well never have happened. Specifics about who you screened, when you screened, which employee performed the screening, how it was done, and what the screening found must be included in your export recordkeeping.
Have a response plan in place. A compliance control process is worthless unless it includes an incident management plan. What should be done when RPS yields a match, and who should do it? What are your company’s policies and procedures for handling this situation? What’s the next step, and who is responsible to take that step? And what’s the step after that?
A positive screening match may be a cause for concern, but it shouldn’t be a cause for alarm. “False positives” are not uncommon, so you first need to ascertain whether the apparent match is genuine or not. Does the name on the sanctions list that was matched with the name of the party you are screening really refer to the same entity? Individuals and companies frequently have the same or similar names, after all. See if any further identifying details are provided in the search result, such as address, date of birth, the citation of an order in the Federal Register, or a photo. If so, you’re in luck! (Don’t get your hopes up too high, though; the information provided for some “parties of concern” is . . . well, disappointingly minimal.) Check your company’s records; they could also contain information that will help you make this determination, if you’ve had previous dealings with the party.
Sometimes identifying false positives is easy, and sometimes it isn’t. You might need to do a bit of detective work to clear up confusion caused by multiple given names, aliases, middle names, nicknames, abbreviations, alternative spellings, misspellings, different transliterations of foreign alphabets, international subsidiaries, branch offices, and divisions. You can’t skip this detective work, but don’t procrastinate or dilly-dally in getting it done either. Holding up orders and postponing shipments to perfectly legitimate customers is a good way to lose repeat business.
If you determine that a match is valid, however—and only trained and qualified employees should make such ultimate determinations—you must place the transaction on hold immediately and investigate further. That doesn’t mean you should panic. Remember that a match doesn’t equal a violation. If you haven’t exported anything yet, then plainly no export violation has occurred. But, equally plainly, the potential for an export control violation does exist, so additional due diligence is required. Proceed with caution.
The significance of a genuine match depends on the list your party’s name was found on. In some cases, exports of all kinds are strictly prohibited: some countries are subject to comprehensive trade embargoes, and some individuals are denied all trading privileges. In other cases, the restrictions are limited in scope, so you might still be able to export to, or do other business with, the sanctioned party, as long as you first apply to the listing agency and secure an export license or other permission. In still other cases, a name has been placed on a list to indicate that a “red flag” is present in the transaction—some information that couldn’t be verified and requires investigation and clarification.
Use software for screening. If your company engages in more than a handful of export transactions in the course of a year, you should not try to conduct Restricted Party Screening by scanning each party against each of the sanctions lists, one name and one list at a time. Yes, you can do this; and the U.S. Government has even tried to help you recently by creating a Consolidated Screening List (CSL). But it is very foolish and dangerous to go this route. There are simply too many lists to scan, they are changing too frequently, the information they provide about the restricted parties is too sketchy, evaluating the search results without support is too difficult, and the stakes are much too high to risk a human error resulting in a violation. This initial screening is clearly a task for software, not human eyes and brains.
Many kinds of automated systems are available. Which type of software is best will depend on the nature and size of your export business, your budget, and your business model. Some software systems allow your employees to screen transactions individually through a simple browser-based application. Some permit batch uploading and processing of multiple names and transactions. Some can be fully integrated into your company’s existing ERP software system. Some employ extremely sophisticated search algorithms incorporating “fuzzy logic” and phonetic or “sounds-like” name matching. Some UIs are more user-friendly than others.
If you find all this confusing and aren’t sure what kind of screening system would work for your company — which of the advertised features are truly critical to your compliance and which would be a complete waste of money, given your business model — get some independent, objective, and knowledgeable advice before you make this important decision. Hint: Sales reps from software vendors may be knowledgeable – about their software, at least — but they definitely don’t qualify as “independent” or “objective.” There are experienced export compliance professionals out there. Besides giving you an independent and objective assessment of your compliance risks and vulnerabilities, they can also help you sort out the competing claims of RPS service providers and determine the safest and most economical solution for your business.
Even the simplest and most basic software system, however, will surely save you a lot of time, and will guarantee that you are screening against a database that includes all the relevant lists and is automatically updated every day. Most screening software will also allow you to configure your searches to minimize time-wasting false positives and create detailed reports of your screenings that can serve as defensible compliance audit trails.
We have no horse in this race, and we don’t see this as a compliance process where “one software solution fits all.” There are plenty of reputable vendors out there, offering screening products with a wide range of capabilities and features. There is no dearth of choices. Prices vary from downright-reasonable to guaranteed-to-induce-sticker-shock. (We’ve seen a couple of price quotes that really made us gasp — but those were outliers.)
We have only one recommendation: The worst buying decision you can possibly make is choosing not to invest in an adequate RPS software solution for your business. Take it from us – that’s a choice you can’t afford.
(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)