
EXPORT COMPLIANCE IN 11 WORDS (Part 9 of 12)

EXPORT COMPLIANCE IN 11 WORDS
A Series on Export Compliance Essentials

(Part 9 of 12)

MONITOR!

Once you have an export compliance program in place, continuous monitoring is critically important to provide reasonable assurance of its effectiveness, enable you to make incremental adjustments to changing situations, and show you ways to improve the program’s efficiency. Annual compliance audits and assessments will be limited in their effectiveness and afford inadequate protection unless they are supported and complemented by the ongoing review processes that should be an integral part of compliance management.

Congratulations! It took a lot of hard work, and more time than you’d expected, but you’ve finally succeeded in getting a comprehensive export compliance program up and running at your company. You’re satisfied that it’s all there—the works, the whole enchilada, all the compliance essentials we’ve been looking at in this series:

  • Risk analysis and planning
  • A thorough manual with written policies and detailed procedures
  • Upper management commitment and involvement
  • Initial and repeated multi-level employee training
  • Clear delineation of roles, responsibilities, and accountability
  • Procedures for jurisdictional determination and product classification
  • Obtaining approval for licenses and agreements
  • Tracking the use of exemptions and exceptions
  • Labeling and marking controlled items and technical data
  • Real-time screening of customers, suppliers, service contractors, business partners, new hires, and other parties
  • Physical security
  • IT security
  • Mandatory recordkeeping and records-retention practices
  • Mandatory reporting to the government agencies
  • Periodic internal and external reviews, with follow-up of findings

All good. Sounds fantastic. We’ve got just a few more questions for you before you take off on that well-earned vacation you’ve been looking forward to. Here’s one:

What provisions have you made for monitoring the operation of your program? In other words, how do you plan to make sure your policies and procedures continue to be adequate and continue to function properly? And how do you plan to make sure you won’t be the last to know if they aren’t working as they should?

In compliance management, as in every other part of life, no matter how carefully you’ve planned and how well you’ve done your homework, there are sure to be some unforeseen challenges. Issues will surface that were not initially identified. A procedure that looked good on paper will be put into practice and turn out to be . . . not so good. Situations and personnel will change without warning, giving rise to a whole new set of problems.

Even the best-designed compliance program is bound to require fine-tuning and frequent adjustments in response to:

  • Changes in business needs
  • Changes in U.S. export laws and regulations
  • Changes in federal agency enforcement policies
  • Changes in technology
  • Changes in the national economy
  • Changes in the global marketplace
  • Changes in the global threat environment.

Yes, the annual risk assessments and compliance audits that you wisely included in your compliance plan are one important tool for coping with those challenges, but periodic audits cannot be the whole solution. All too often compliance audits are conducted too long after non-compliance events have already occurred to allow you to correct the issues and problems they uncover before a great deal of damage has been done.

If your company is committing an export violation today, or is about to do so, do you really want to be first apprised of the situation by the annual compliance audit report? Don’t put off until tomorrow what can be done today!

As a compliance officer, you need windows into your compliance program that allow you to view the current state of your company’s internal processes and see which areas need more attention right now. Periodic company-wide audits and assessments are most effective when they are informed and supplemented by day-to-day and week-to-week feedback from operational management, as well as frequent tests, checks, surveys, and “mini-audits” of specific processes and risk points.

Preventing the occurrence of export violations, or at least stopping them before they can multiply, is nearly always less costly and stressful than dealing with their aftermath. Successfully detecting intentional deviations from processes and procedures—such as when an employee purposely ignores or contravenes compliance safeguards for his or her own advantage or convenience—has the added benefit of reinforcing the perception that management prioritizes export compliance, is watching, and will take prompt action when problems occur.

That’s undoubtedly why the DDTC’s Compliance Program Guidelines counsel “internal monitoring” that involves “measurement of effectiveness of day-to-day operations” with “emphasis on validation of full export compliance, including adherence to license and other approval conditions.”

It’s also why the BIS’s Office of Exporter Services included “internal and external compliance monitoring,” along with periodic audits, as one of the Nine Key Elements of an Effective Compliance Program. In the agency’s 145-page handbook for U.S. exporters, Compliance Guidelines: How to Develop an Effective Export Management and Compliance Program and Manual, the BIS recommends “a transaction-level and process-level review of compliance efforts with a special emphasis placed on areas of high risk,” noting that such monitoring can “successfully focus attention at the business-unit level on risk areas at an early stage, affording the opportunity to correct deficiencies before they result in major problems.”

The DDTC and BIS guidance documents agree that internal and external monitoring are both important. Every company or organization, in addition to actively monitoring itself, needs outside assurance from an independent third party that its compliance efforts are on the right track.

The following compliance “best practices” also fall under the general rubric of export compliance monitoring:

  • Self-monitoring and reporting by operations staff in all export-related departments and divisions of the company on the effectiveness of specific compliance processes and procedures is requested and implemented.
  • Timely crosstalk is encouraged among employees in export-related departments, divisions, and branches within the company to ensure that practical compliance experiences and lessons learned are communicated throughout the entire organization, with a view to improving the effectiveness and efficiency of export controls and promoting consistency of procedures.
  • Clear and specific internal procedures have been established and communicated to all employees, including contract employees, for the reporting of potential export compliance problems to management, including the option of reporting export violations anonymously through a mailbox, website, or helpline.
  • Employees understand that management considers the reporting of suspected export violations to be the duty of each employee and know that they will be protected from retribution or retaliation of any kind if they raise questions or concerns about compliance in good faith.
  • On-site end-use monitoring of personnel performing defense services is performed frequently by qualified export compliance staff to ensure that their activities remain within the scope of the relevant export authorization.
  • Previously identified export compliance problems or high-risk areas are revisited to ensure that the prescribed corrective actions were implemented and that they have been effective.

Unlike banks and financial institutions, which may choose to concentrate their compliance monitoring on the transactions with the highest impact on revenue, exporters of defense articles and services, dual-use commodities, technical data, and controlled technology, when monitoring ITAR, EAR, and OFAC compliance, may sometimes need to focus on business areas that have a relatively small revenue impact but carry a large compliance risk. Manufacturing or distribution operations in a developing country, for example, or exports to new trading partners in a formerly embargoed nation whose U.S. trade sanctions were only recently lifted, might be relatively small now, when measured by current sales or profits, but multiple compliance challenges and the potential for serious penalties may call for close and continuous monitoring.

Monitoring day-to-day compliance may seem unexciting, like performing routine maintenance on your car. It undoubtedly requires a significant investment of time, effort, and money, and the benefits may not be immediately evident. But most car owners understand that failure to do so is a sure recipe for disaster. In other words, don’t let procrastination get in the way of success and continuously monitor your compliance program!


(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)

EXPORT COMPLIANCE IN 11 WORDS (Part 8 of 12)

EXPORT COMPLIANCE IN 11 WORDS
A Series on Export Compliance Essentials

(Part 8 of 12)

SCREEN!

Failure to perform Restricted Party Screening was cited as either a root cause or a contributing cause in more than a few recent cases of export violations that resulted in severe penalties for U.S. companies. Protect your company by equipping your people with effective software tools for screening intermediaries and end-users in any potential export transaction.

In export control parlance, the process of checking and cross-referencing the entities involved in an export transaction against a variety of “black lists” prohibiting or curtailing trade with certain individuals, businesses, organizations, and nations is called Restricted Party Screening (RPS) or Denied Party Screening (DPS).

A number of such lists of “entities of concern” are maintained by the U.S. Government; similar lists are maintained by other governments (notably the UK, Canada, and Japan) and international bodies (notably the European Union and the United Nations). The “concerns” about the listed entities may be political or economic in nature (e.g., human rights violations, foreign policy and trade issues), security-related (e.g., terrorism, risk of diversion to WMD programs), or criminal law enforcement matters (e.g., narcotics trafficking, money laundering). All the lists are continually updated; names may be added or deleted at any time.

The U.S. Government takes the laws, regulations, treaties, and agreements that lie behind these sanctions lists very seriously and enforces them vigorously. Multi-million dollar fines and settlements for sanctions violations are not uncommon, and some U.S. firms have had their export privileges revoked or suspended. A breach of trade sanctions can also result in the commission of criminal offenses punishable by imprisonment.

Restricted Party Screening is a compliance control process designed to keep your company from breaking the law and prevent you from incurring penalties by inadvertently doing business with an embargoed country or restricted entity.

Screen. If you’re a frequent or regular exporter (or if you’re actively seeking to market your goods and services more widely overseas), you should be routinely screening not only your customers and potential customers, but any firms or individuals associated with your company’s export business.

Some candidates for RPS include:

  • Countries—any places where your buyers, intermediate and ultimate consignees (if different from the buyers), or end-users are based or situated.
  • Customers—not just foreign customers, but domestic customers, too, especially if they
  • Prospective customers (e.g., RFQs, RFIs).
  • Manufacturers, suppliers, and vendors of raw materials, parts, or components.
  • Contractors and subcontractors.
  • Freight forwarders and customs brokers.
  • Shipping companies.
  • Foreign banks and other financial institutions.
  • Visitors and the companies or governments they represent.
  • Brokers, sales representatives, and overseas agents.
  • Consultants, including research partners, institutions, and universities.
  • Business partners.
  • Parties to a potential acquisition or merger.
  • Employees and new hires.
  • Contract workers.
  • Service providers.
  • Proposed recipients of software source code and technical data.
  • Any “pay to” parties.
  • Any “pay from” parties.
  • Any “ship to” parties.
  • Any other parties associated with an export transaction.

Some managers are under the mistaken impression that the legal requirements for business dealings with restricted or denied parties apply only to international sales or items shipped overseas. That is simply not the case: those prohibitions can also apply to domestic or in-country transactions. If any of the parties to a domestic transaction is listed on one of the U.S. Government’s Blocked, Denied, Entity, Specially Designated Nationals, or Debarred Persons lists, the transaction should be handled with the same caution as would be used in dealing with an overseas transaction — which means you are almost certainly legally prohibited from dealing with that party. So — depending on the nature of your business and products — Restricted Party Screening may be a wise idea for domestic transactions as well as exports.

Re-screen. Because governments and international agencies are continually updating their lists, you need to be continually re-screening your parties. Your Denied Party Screening isn’t really finished until you’re really finished doing business with the party. Repeated screening of previously screened parties may seem like overkill, but it isn’t. Re-screening is imperative to ensure that their names weren’t added to one of the lists since the last time you checked.

How often should re-screening be done? Many compliance professionals would answer, “Every day!” But while daily re-screening is a good practice, an even better answer is, “Real-time!” Today’s RPS screening software, much like your other software, updates continually and automatically, and can be configured to alert you immediately if the status of any previously cleared party has changed.

Even with the necessary screening software in place and properly configured to your company’s needs, continual vigilance remains important. Although the latest trade compliance software uses advanced search methods to return accurate matches, the search results still need to be eyeballed and evaluated by a real live person who is qualified to make an informed decision. Software developers continue to make improvements, but the process of matching the parties to a transaction with an actual restricted party is still far from an exact science, and that isn’t likely to change anytime soon. Part of the problem resides in the lists themselves: the information they provide is often scanty and unreliable. Part of the problem resides in the “entities of concern”: they can be tricky people whose names and addresses are continually morphing. Software can do amazing things, and the programmers I know are all incredibly smart; but it’s hard to write code for gut instincts and horse sense. Final screening decisions are best left to human beings.

Depending on the nature of the list and transaction, a “match” could mean that you are legally forbidden to contract with, sell to, ship to, receive payments from, make payments to, convey technology to, have technical discussions with, or buy from the restricted party. Some U.S. companies simply choose not to engage in any transactions whatsoever with listed entities, even when certain kinds of transactions may not, strictly speaking, be legally prohibited, or when they could pursue and possibly obtain an authorization from the relevant government agency. They may do this as a matter of company policy or corporate values, for the sake of the company’s reputation, from the standpoint of cost-effectiveness, or for other reasons.

Actually, nowhere in the ITAR or EAR is it explicitly stated that a business must perform Restricted Party Screenings or purchase RPS software. So, a failure to screen the parties to a transaction is not in itself an export violation. But the U.S. Government does require exporters to exercise due diligence to avoid violating U.S. laws and regulations in conducting their export transactions. That requires knowing the who, what, when, where, and how of all their business dealings. And that implies a careful and conscientious review of the denial lists. Realistically speaking, if RPS is not included in your company’s export compliance program, export violations are all but certain. In fact, you may have already committed some.

Keep records. Documenting your screening processes and decision-making, especially your responses to positive matches, is of the utmost importance. If you are asked about the export transaction at a later date, you should be able to explain the rationale behind your determinations clearly and confidently, demonstrating that the necessary level of due diligence was employed. Detailed notes regarding your incident response activities are a must so that facts are clear and your decisions are defensible in the event of a company visit or directed compliance audit.

You may know perfectly well that your company screens every single one of its export transactions thoroughly, but if problems should arise at a later date and it turns out there’s no record anywhere of your RPS activity, it might just as well never have happened. Specifics about who you screened, when you screened, which employee performed the screening, how it was done, and what the screening found must be included in your export recordkeeping.

Have a response plan in place. A compliance control process is worthless unless it includes an incident management plan. What should be done when RPS yields a match, and who should do it? What are your company’s policies and procedures for handling this situation? What’s the next step, and who is responsible to take that step? And what’s the step after that?

A positive screening match may be a cause for concern, but it shouldn’t be a cause for alarm. “False positives” are not uncommon, so you first need to ascertain whether the apparent match is genuine or not. Does the name on the sanctions list that was matched with the name of the party you are screening really refer to the same entity? Individuals and companies frequently have the same or similar names, after all. See if any further identifying details are provided in the search result, such as address, date of birth, the citation of an order in the Federal Register, or a photo. If so, you’re in luck! (Don’t get your hopes up too high, though; the information provided for some “parties of concern” is . . . well, disappointingly minimal.) Check your company’s records; they could also contain information that will help you make this determination, if you’ve had previous dealings with the party.

Sometimes identifying false positives is easy, and sometimes it isn’t. You might need to do a bit of detective work to clear up confusion caused by multiple given names, aliases, middle names, nicknames, abbreviations, alternative spellings, misspellings, different transliterations of foreign alphabets, international subsidiaries, branch offices, and divisions. You can’t skip this detective work, but don’t procrastinate or dilly-dally in getting it done either. Holding up orders and postponing shipments to perfectly legitimate customers is a good way to lose repeat business.

If you determine that a match is valid, however—and only trained and qualified employees should make such ultimate determinations—you must place the transaction on hold immediately and investigate further. That doesn’t mean you should panic. Remember that a match doesn’t equal a violation. If you haven’t exported anything yet, then plainly no export violation has occurred. But, equally plainly, the potential for an export control violation does exist, so additional due diligence is required. Proceed with caution.

The significance of a genuine match depends on the list your party’s name was found on. In some cases, exports of all kinds are strictly prohibited: some countries are subject to comprehensive trade embargoes, and some individuals are denied all trading privileges. In other cases, the restrictions are limited in scope, so you might still be able to export to, or do other business with, the sanctioned party, as long as you first apply to the listing agency and secure an export license or other permission. In still other cases, a name has been placed on a list to indicate that a “red flag” is present in the transaction—some information that couldn’t be verified and requires investigation and clarification.

Use software for screening. If your company engages in more than a handful of export transactions in the course of a year, you should not try to conduct Restricted Party Screening by scanning each party against each of the sanctions lists, one name and one list at a time. Yes, you can do this; and the U.S. Government has even tried to help you recently by creating a Consolidated Screening List (CSL). But it is very foolish and dangerous to go this route. There are simply too many lists to scan, they are changing too frequently, the information they provide about the restricted parties is too sketchy, evaluating the search results without support is too difficult, and the stakes are much too high to risk a human error resulting in a violation. This initial screening is clearly a task for software, not human eyes and brains.

Many kinds of automated systems are available. Which type of software is best will depend on the nature and size of your export business, your budget, and your business model. Some software systems allow your employees to screen transactions individually through a simple browser-based application. Some permit batch uploading and processing of multiple names and transactions. Some can be fully integrated into your company’s existing ERP software system. Some employ extremely sophisticated search algorithms incorporating “fuzzy logic” and phonetic or “sounds-like” name matching. Some UIs are more user-friendly than others.

If you find all this confusing and aren’t sure what kind of screening system would work for your company — which of the advertised features are truly critical to your compliance and which would be a complete waste of money, given your business model — get some independent, objective, and knowledgeable advice before you make this important decision. Hint: Sales reps from software vendors may be knowledgeable – about their software, at least — but they definitely don’t qualify as “independent” or “objective.” There are experienced export compliance professionals out there. Besides giving you an independent and objective assessment of your compliance risks and vulnerabilities, they can also help you sort out the competing claims of RPS service providers and determine the safest and most economical solution for your business.

Even the simplest and most basic software system, however, will surely save you a lot of time, and will guarantee that you are screening against a database that includes all the relevant lists and is automatically updated every day. Most screening software will also allow you to configure your searches to minimize time-wasting false positives and create detailed reports of your screenings that can serve as defensible compliance audit trails.
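As an added example (not the blog's code and not any vendor's product), here is a small Python screening engine that implements the process described in this part: normalize and fuzzy-match party names against a list, token-sorted so that "Petrov, Ivan" still matches "Ivan Petrov", write an audit record for every screening, and re-screen previously cleared parties when a new list version arrives. The list entries, party names, analyst ids and version labels are constructed sample data, and the 0.85 threshold is an assumption to be tuned against your own false-positive rate.

```python
"""Restricted-party screening with fuzzy matching, audit trail and re-screening.

Added example, not the blog's or any vendor's code.  All list entries and
names below are CONSTRUCTED sample data, not real sanctions listings.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Generic corporate words that should not drive a match on their own.
_NOISE = {"ltd", "limited", "inc", "incorporated", "llc", "co", "company",
          "corp", "corporation", "gmbh", "sa", "the"}


def normalize(name: str) -> list[str]:
    """Lowercase, drop punctuation and corporate noise words, return tokens."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return [t for t in tokens if t not in _NOISE] or tokens


def similarity(a: str, b: str) -> float:
    """Order-insensitive similarity in [0, 1]: 'Petrov Ivan' ~ 'Ivan Petrov'."""
    sa = " ".join(sorted(normalize(a)))
    sb = " ".join(sorted(normalize(b)))
    return SequenceMatcher(None, sa, sb).ratio()


@dataclass(frozen=True)
class ListEntry:
    source: str            # which list the entry comes from (constructed label)
    name: str
    aliases: tuple = ()
    country: str = ""


@dataclass
class Hit:
    entry: ListEntry
    matched_text: str      # the name or alias that scored above threshold
    score: float


@dataclass
class ScreeningRecord:
    """One audit-trail row: who screened what, against which list version."""
    party: str
    screened_by: str
    list_version: str
    hits: list
    decision: str          # "clear" or "hold" (hold = a human must review)
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


def screen(party: str, entries, list_version: str, screened_by: str,
           threshold: float = 0.85) -> ScreeningRecord:
    """Score the party against every name and alias; any hit puts it on hold."""
    hits = []
    for e in entries:
        for text in (e.name, *e.aliases):
            s = similarity(party, text)
            if s >= threshold:
                hits.append(Hit(e, text, round(s, 3)))
    hits.sort(key=lambda h: h.score, reverse=True)
    return ScreeningRecord(party, screened_by, list_version, hits,
                           "hold" if hits else "clear")


def rescreen(records, entries, list_version: str, screened_by: str):
    """Re-run every previously cleared party against a newer list version and
    return the new records whose decision changed (clear -> hold)."""
    changed = []
    for old in records:
        if old.decision != "clear":
            continue
        new = screen(old.party, entries, list_version, screened_by)
        if new.decision != old.decision:
            changed.append(new)
    return changed


# Constructed sample list; version 2 adds a party that was clear under v1.
LIST_V1 = (
    ListEntry("SAMPLE-LIST", "Nordwind Trading Company Ltd.", ("Nord-Wind Trading",), "XX"),
    ListEntry("SAMPLE-LIST", "Petrov, Ivan Sergeevich", ("Ivan Petrov",), "XX"),
)
LIST_V2 = LIST_V1 + (ListEntry("SAMPLE-LIST", "Bluewater Logistics LLC", (), "XX"),)


def demo():
    rec1 = screen("NORDWIND TRADING CO", LIST_V1, "v1", "analyst.a")   # hold
    rec2 = screen("Bluewater Logistics", LIST_V1, "v1", "analyst.a")   # clear under v1
    rec3 = screen("Acme Widgets Inc", LIST_V1, "v1", "analyst.a")      # clear
    changed = rescreen([rec1, rec2, rec3], LIST_V2, "v2", "analyst.b")
    return rec1, rec2, rec3, changed


if __name__ == "__main__":
    for r in demo()[:3]:
        print(r.party, "->", r.decision, [(h.matched_text, h.score) for h in r.hits])
    print("status changed after v2:", [r.party for r in demo()[3]])
```

A "hold" here only parks the transaction for the qualified human review the text calls for; the record, not the score, is what you would produce in a directed audit.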

We have no horse in this race, and we don’t see this as a compliance process where “one software solution fits all.” There are plenty of reputable vendors out there, offering screening products with a wide range of capabilities and features. There is no dearth of choices. Prices vary from downright-reasonable to guaranteed-to-induce-sticker-shock. (We’ve seen a couple of price quotes that really made us gasp — but those were outliers.)

We have only one recommendation: The worst buying decision you can possibly make is choosing not to invest in an adequate RPS software solution for your business. Take it from us – that’s a choice you can’t afford.

(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)

EXPORT COMPLIANCE IN 11 WORDS (Part 7 of 12)

EXPORT COMPLIANCE IN 11 WORDS

A Series on Export Compliance Essentials

(Part 7 of 12)

SECURE!


Wherever your business interfaces with the global marketplace, your workforce should be trained to recognize export-controlled technologies and technical data, and equipped with the know-how and tools to comply with ITAR, EAR, and DoD requirements, as well as industry best practices, for safeguarding sensitive information and combating cyber threats.

Responsible information-handling practices have always been critical to export compliance. In the past few years, however, troubling reports of frequent and successful cyberattacks on U.S. Government agencies and alarming headlines about technical trade secrets stolen from private firms by hackers have moved information security to the top of the priority list for every organization—small, medium-sized, or large.

Under the terms of the ITAR and EAR, manufacturers and exporters are legally responsible to protect certain technical data related to defense articles on the USML (ITAR §120.10), as well as key technologies required for the production, development, or use of items on the CCL (EAR §772.1), against access by unauthorized persons. The disclosure or release of such information without a license, inside and outside company facilities, on the ground and in the cloud, within the U.S. and overseas, constitutes an illegal “export.”

That’s why, if any of your products is export-controlled, you had better make certain that your employees are clearly aware of the fact, that they clearly understand everything it implies, and that this matters to them.

They need to know that they’re responsible for safeguarding technical data of any kind related to the product—engineering drawings and specifications, schematics, blueprints, design analyses, photographs, formulas, performance test results, pilot production schemes, manufacturing procedures, assembly flowcharts, testing and inspection methods, or any other technical information subject to export controls.

They need to know that if they share controlled technical data without appropriate authorization, or if they carelessly allow unauthorized access to it, they’ll be violating U.S. export laws, with potentially serious consequences for the company and for themselves.

You Need to Educate—and Motivate—Your People About IT Security

In today’s business world, technical information is increasingly—in many cases, almost exclusively—digital information, consisting of text, images, numerical data, and formulas stored and distributed electronically via computer networks. That means “information security” and “cybersecurity” are increasingly synonymous, which is why most organizations have made some sort of cybersecurity training for their employees mandatory. While that’s certainly wise, it shouldn’t be grounds for complacency, because “mandatory” and “some sort” are plainly not synonyms for “adequate” and “effective.”

In addition to providing and requiring cybersecurity awareness training for all employees, truly wise managers and administrators conduct regular internal assessments of security awareness to gauge how well their employees understand the nature and seriousness of the security risks and how well prepared they are to respond to cyber threats.

You can test your employees’ understanding of cybersecurity with a survey or questionnaire. Better yet—from the standpoint of accuracy, objectivity, and credibility — get help from qualified professionals in this critical area, and ask them to evaluate the effectiveness of your current cybersecurity awareness training as part of a comprehensive cybersecurity compliance risk assessment of your entire company.

Here are some very basic questions about cybersecurity that all your employees should be able to answer:

  • Who in my company is responsible for cybersecurity?
  • What are the policies and rules that govern my use of the company’s computer system and my access to electronically stored company information? Where can I read them? How can I stay current on changes to those policies and rules?
  • If I suspect I have a cybersecurity issue (e.g., malware, spyware, a compromised password, a sensitive document sent to the wrong person, identity theft, evidence of a co-worker’s carelessness or failure to follow policies and procedures), to whom can I report it? If that person is temporarily unavailable, who is their backup? What should I do immediately to reduce potential damage?
  • Does the company have a policy on bringing personal devices to the workplace and connecting to the company’s system through them? What about accessing the company’s system remotely from home, while traveling, or through an unsecured public network (e.g., coffee shop, library, hotel, university campus)?
  • In what ways could my actions (e.g., opening a malicious e-mail attachment, clicking on a link to a compromised website, installing an application that contains a Trojan) endanger the security of the company’s system and sensitive information? What are some things I can do to avoid these dangers?

Those are the easy questions—or rather, they should be. If your employees can’t answer them easily, then give that “mandatory employee awareness training” the failing grade it deserves, roll up your sleeves, and get to work on improving your company’s cybersecurity. Don’t hesitate to get outside help—qualified, professional help—if you need it.

According to a survey of hundreds of U.S. companies, conducted in 2015 by CompTIA, “human error” accounts for 52 percent of security breaches. Turns out it’s a greater cyber threat than malware, hackers, or disgruntled employees—although most managers are surprised when they hear this, and have a hard time believing it.

That recalls another category of “human error”—one that wasn’t included in CompTIA’s survey, though perhaps it should have been. It’s an extremely hazardous condition that our cybersecurity compliance risk assessment team has discovered at more than one facility they visited. If you’re a regular reader of this blog, I’m confident that this cyber hazard is not present at your company, so I offer the following on-site finding, straight from the company officer’s mouth, without further comment:

“I’m not sure our company even has a cybersecurity policy or plan or procedures yet. Do we really need anything like that? We’re not some giant corporation, you know. How would we go about creating such a policy? After all, none of us are techies!”

You Need to Prioritize Cybersecurity Compliance in 2017

Two recent technological trends have made the job of safeguarding export-restricted information more challenging than ever before:

  • The expansion of “cloud” services from simple file storage and archiving to business software applications of all kinds, infrastructure, and platforms.
  • The proliferation of new mobile IT devices.

These advances in technology make it possible for people to access the data and resources of your organization at any time from anywhere on earth. In other words, not only is your business no longer tied to a single location, it’s not even limited to a finite number of locations. Your firm is Open for Business everywhere.

By allowing unprecedented levels of connectivity between marketing and R&D staff, contractors and subcontractors, manufacturers and suppliers, domestic and foreign offices, salespeople and customers around the globe, Cloud Computing and Mobile Technology promise to help businesses accelerate innovation cycles and reduce time-to-market. At the same time, the adoption of these technologies has created new vulnerabilities and risk areas, exposed enterprises to new legal liabilities, and raised a host of new security concerns, some of which are only beginning to emerge.

Meanwhile, in response to the overwhelming global cyber threat environment, the U.S. Government has been issuing more and more cybersecurity laws and regulations. The DoD, GSA, OMB, NASA, NARA, DHS, and the White House have published, amended, modified, and clarified so many rules, Executive Orders, definitions, standards, and guidelines recently—all of them aimed at requiring Federal contractors and subcontractors to establish more stringent controls and practices for the protection of government data—that “regulatory compliance” became the cybersecurity buzz phrase of the year during 2016, and the topic seems unlikely to leave the limelight in 2017.

The latest driver of regulatory compliance is the need for businesses to implement a somewhat bewildering array of new cybersecurity requirements that apply to most Federal contractors and consultants across a wide range of industries, including both defense and non-defense contractors. The recent surge in regulatory activity has included—

  • A new FAR final rule on “Basic Safeguarding of Contractor Information Systems.”
  • A new BIS final rule, effective September 1, 2016, allowing U.S. companies to use cloud technology and other means of electronic transmission to store and transfer EAR-controlled unclassified “dual use” technology and software without the burden of export control requirements if certain encryption requirements are met.
  • A veritable glossary of new information security terms and definitions, including Federal Contract Information (FCI), Controlled Unclassified Information (CUI), covered contractor information system, Covered Defense Information (CDI), and operationally critical support, and an array of new safeguarding requirements associated with them.
  • New mandatory contract clauses covering cybersecurity, with flowdown to subcontractors and certain other parties (FAR 52.204-21 and DFARS 252.204-7008 – 7012).
  • A new DoD final rule, effective October 21, 2016, regarding network penetration reporting (“cyber incidents”) and contracting for cloud services (DFARS Case 2013-D018).

The above are just a few of the latest regulatory changes in this area. Others appear to be on the way as we head into the new year.

Putting all these rules and definitions together and figuring out which of them applies to your company and its products is a daunting task. Complying with the new regulations—minimizing your risks and liabilities—is an even greater challenge.

Businesses need to be asking, and finding answers to, some important questions, such as—

  • How will our firm comply with the new requirements, such as “adequate security” for CDI/CUI per NIST SP 800-171, and “incident reporting” within 72 hours of discovery through the DoD’s DIBNet portal (including compliance with all the rules for investigating, preserving, and submitting information about the data breach)?
  • Do we try to handle cybersecurity regulatory compliance ourselves, do we seek the services of an outside IT contractor, or do we need some combination of both approaches?
  • Since these new cybersecurity standards appear to be mind-bogglingly difficult to navigate and not entirely coherent, and since a failure to comply with them could have dramatic adverse consequences for our company, should we be looking at a specialized cyber insurance policy to supplement our general and professional liability policies?

The ultimate deadline for full contractor compliance with most of the new cybersecurity requirements for CDI/CUI is December 31, 2017, and that date is not likely to change. But the new cybersecurity regulations are already impacting businesses and contracts, especially those in the defense sector.

While DFARS clause 252.204-7012 allows you to notify the DoD (within 30 days) of any cybersecurity requirements that your company has not yet implemented at the time of contract award, the DoD still expects you to be moving toward full compliance as rapidly as possible, and to have a remediation plan in place to achieve it by December 31, 2017.

So, if you haven’t already done the following at your company, you need to do them now:

  • Conduct a risk assessment for cybersecurity regulatory compliance.
  • Develop a cybersecurity action plan, based on the assessment findings.
  • Implement a cybersecurity framework that is appropriate for your organization.

Note: For those who don’t keep up with the latest business jargon, a “framework” includes stuff like organizational infrastructure and job responsibilities; awareness and education programs; organizational culture; and governance (security policies; work processes and procedures; monitoring effectiveness; technical controls; risk assessments and audits; breach response and risk mitigation plans). “Implementing” a framework implies investing company resources in making it happen.

Whether your company is small, mid-sized, or large, if you do business with the Federal government, or with any other companies that do business with the Federal government — have I left anyone out here? — you should prioritize both regulatory compliance and cybersecurity during 2017.

Regulatory compliance is obligatory, of course, because . . . well, it’s the law, folks! But cyber-compliance is not the same as cyber-security, and security is what you really want.

If your goal is simply to avoid fines and penalties, then as long as you’re sure you meet the minimal requirements of compliance, don’t worry.

But if you’re reading this because your goal is to see your company survive and thrive in today’s digitally interconnected business world, and you’re aware of the current security threat landscape, you shouldn’t breathe easy if you’re told that your company is 100% compliant. Breathe easy when you’re confident that your company has good cybersecurity.

(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)

EXPORT COMPLIANCE IN 11 WORDS (Parts 5 & 6 of 12)

A Series on Export Compliance Essentials

DOCUMENT & COMMUNICATE: SMALL STUFF THAT MATTERS

When it comes to export compliance, it’s often the little things that make a big difference. The reporting requirements of ITAR §122.4, for instance: has your company already missed the 5-day deadline?

In a speech called “Elephants Don’t Bite!” motivational speaker Joel Weldon reminds his audiences that in the quest for excellence, it’s almost always the small stuff, the stuff that’s easy to miss, not the big stuff, that trips us up. “Raise your hand if you have ever been bitten by a mosquito,” he says. “Has anyone here been bitten by an elephant? . . . That proves my point! It’s the little things that get you, not the big things. The little things come along and cause big problems!” Then, on a more positive note, Weldon adds, “And it’s the little things you do right that can bring you huge rewards.” The moral: pay attention to details!

Among the myriad government rules and regulations for U.S. exporters, the requirements for recordkeeping and reporting might easily be taken for trivial matters. Evidently many companies do take them that way, because unreported changes in the firm’s registration information—changes that must be reported to the DDTC under ITAR §122.4, “Notification of Changes in Information Furnished by Registrants”—are one of the most common problems our visiting teams discover when they arrive at a client’s headquarters for an on-site risk assessment. And you can be sure that if folks from the State Department arrive at your firm under the Company Visit Program (CVP), as part of their Outreach efforts, they will spot this right away, too, and label it (correctly) as a failure to comply with the requirements of the ITAR.

Here’s the relevant portion of this regulatory requirement in ITAR §122.4 (as amended on August 26, 2013, effective October 25, 2013):

(a) A registrant must, within five days of the event, provide to the Directorate of Defense Trade Controls a written notification, signed by a senior officer (e.g., chief executive officer, president, secretary, partner, member, treasurer, general counsel), if . . .

(2) There is a change in the following information contained in the Statement of Registration:

(i) Registrant’s name;
(ii) Registrant’s address;
(iii) Registrant’s legal organizational structure;
(iv) Ownership or control.

When this section was last revised, in 2013, the State Department also revised ITAR §129.8, which deals with the registration and licensing requirements for brokers, to include some further notification requirements. Here’s the relevant portion of that part of the regulations:

(d) A registrant must, within five days of the event, provide to the Directorate of Defense Trade Controls a written notification, signed by a senior officer (e.g., chief executive officer, president, secretary, partner, member, treasurer, general counsel), if . . .

(2) There is a change in the following information contained in the Statement of Registration (form DS–2032):

(i) Registrant’s name;
(ii) Registrant’s address;
(iii) Registrant’s legal organization structure;
(iv) Ownership or control;
(v) The establishment, acquisition or divestment of a U.S. or foreign subsidiary or other affiliate who is engaged in brokering activities or otherwise required to be listed in registrant’s Statement of Registration; or
(vi) Board of directors, senior officers, partners and owners.

And finally, here’s what the DDTC is currently saying on their web site about what the agency expects from registrants regarding notifications of changes “as part of the registration renewal process”:

[Registrants are instructed to] notify the Department of the following material changes as part of the registration renewal process: 1) consolidation of a broker registration with a manufacturer/exporter registration; 2) removal of entities not owned or otherwise controlled from registration; and 3) deletions or additions of U.S. Munitions List categories. However, if notification of change is the subject of an internal reorganization, merger, acquisition, or divestiture registrants must notify the Department of all changes in information within five days of the event, including where applicable, the three changes specified above.

The third type of change mentioned in this web notice, “deletions or additions of U.S. Munitions List categories,” is not specifically mentioned in the sections of the ITAR quoted above, but if the change your company is reporting is one involving an internal reorganization, merger, acquisition, or divestiture, you would be well advised to include any such changes in your within-five-days notification to the DDTC as well.

We trust you noted the requirement in all the above citations that these notifications need to be made to the DDTC within five days of the event. If you’re wondering whether that phrase means what it appears to mean, the answer is that it does.

If you’ve been thinking while reading the above that “within five days of the event” seems like an awfully narrow time window for notifying the DDTC of a change at your company, consider this: some required notifications must be made in advance of the event. One such prior reporting requirement—a critically important one, too, and an all-too-common source of violations, in our experience—is found in ITAR §122.4(b). This paragraph applies to any intended (that is, prospective or planned) sale, or transfer of ownership/control, of your business, or of “any entity thereof,” to a foreign party or parties. Here is the relevant passage (we’ve underlined for you a couple of crucial sentences that you might easily have missed, imagining perhaps (incorrectly) that they were “small stuff”):

(b) A registrant must notify the Directorate of Defense Trade Controls by registered mail at least 60 days in advance of any intended sale or transfer to a foreign person of ownership or control of the registrant or any entity thereof. Such notice does not relieve the registrant from obtaining the approval required under this subchapter for the export of defense articles or defense services to a foreign person, including the approval required prior to disclosing technical data. Such notice provides the Directorate of Defense Trade Controls with the information necessary to determine whether the authority of § 38(g)(6) of the Arms Export Control Act regarding licenses or other approvals for certain sales or transfers of defense articles or data on the U.S. Munitions List should be invoked (see §§ 120.10 and 126.1(e) of this subchapter).

(c) The new entity formed when a registrant merges with another company or acquires, or is acquired by, another company or a subsidiary or division of another company shall advise the Directorate of Defense Trade Controls of the following:

(1) The new firm name and all previous firm names being disclosed;

(2) The registration number that will survive and those that are to be discontinued (if any);

(3) The license numbers of all approvals on which unshipped balances will be shipped under the surviving registration number, since any license not the subject of notification will be considered invalid; and

(4) Amendments to agreements approved by the Directorate of Defense Trade Controls to change the name of a party to those agreements. The registrant must, within 60 days of this notification, provide to the Directorate of Defense Trade Controls a signed copy of an amendment to each agreement signed by the new U.S. entity, the former U.S. licensor and the foreign licensee. Any agreements not so amended will be considered invalid.

(d) Prior approval by the Directorate of Defense Trade Controls is required for any amendment making a substantive change.

We hope you noticed that, in addition to the mandatory notification that must be made to the State Department 60 days in advance (“must” and “shall” are such little words that they can easily be missed — “small stuff,” right? — but in government regulations they always translate as “mandatory” and “legally required”), there is also mention of a mandatory follow-up submission required by State no later than 60 days after the first. Any regulatory language that translates as “deadline,” whether the period specified is “before” or “after,” deserves to be underlined or highlighted; it comes under the heading of “small stuff that matters.”

“COMMUNICATE” is one of the 11 key words that we chose to summarize the essentials of export compliance in this blog series. A few synonyms for communicate are notify, report, and disclose. Notifying the State Department within 5 days of changes in your registration information is only one of the multiple notifications that are mandatory and must be made in a timely manner. Reporting semi-annually on your company’s use of the Canadian Exemption (ITAR §126.5), as specified in Supplement No. 1 to Part 126 of the ITAR, Note 14(c), is another example of a mandatory communication. (Don’t let that word “exemption” mislead you here; exemption from a license requirement doesn’t mean you are exempt from reporting and recordkeeping requirements!) Disclosing information to the DDTC or BIS about a potential or actual export control violation (see ITAR §127.12) is sometimes legally mandatory—in which case neglecting to file such a disclosure would constitute an additional violation. But even when such disclosures are not mandated by law, and when they haven’t been “directed” or ordered by a government agency, they are very strongly encouraged by all the agencies and highly advisable in most cases, since voluntary disclosures will generally be a mitigating factor in determining what administrative penalties, if any, will be imposed.

Whatever synonym is used for it, the failure to communicate critical compliance information to the DDTC, BIS, or OFAC within a specified deadline is one of the most common sources of export violations, and the penalties that can result from such violations are by no means “small stuff”!

“DOCUMENT,” another of our 11 key compliance words, is closely related to what we have been talking about here. A synonym for documenting is creating and keeping records of your exports. Some very specific kinds of recordkeeping for export transactions are mandated by the ITAR, the EAR, and the various OFAC Sanctions programs. Not only do the legally required transaction and licensing records need to be complete, accurate, and secure, they need to be kept for a certain time (in most cases, five years) and maintained in a certain way.

For example, ITAR §122.5 states that the information “must be stored in such a manner that none of it may be altered once it is initially recorded without recording all changes, who made them, and when they were made.” Have you checked to see whether your company’s current order processing or ERP software supports this critical ITAR requirement? And, if the software you use does have this tracking and recording capability, have you checked to verify that the feature is appropriately configured and “turned on”?

Another detail worth checking: ITAR §122.5 also says that your export records need to be “available at all times for inspection and copying” in case of a compliance audit or other official visit or investigation. Have you checked lately to see how “available” the legally mandated records are at your company? Which employees know how to access and retrieve them for inspection, if the occasion arises?
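To make the §122.5 change-tracking requirement concrete, here is an added example (not code from the original post, and not any ERP vendor’s feature) of an append-only, hash-chained change log for a single export record: every update records who changed what, when, and from which old value to which new value, and verify() detects any silent in-place edit of stored history. The record id, field values, user names, timestamps and license number are constructed placeholders.

```python
"""Append-only, tamper-evident change history for an export record.

Added example modelled on the ITAR §122.5 wording that stored information
must not be altered "without recording all changes, who made them, and when
they were made". All sample data below is constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Any, List


@dataclass
class ChangeEntry:
    """One recorded change, chained to the previous entry by its hash."""
    seq: int
    changed_by: str
    changed_at: str          # ISO 8601 UTC timestamp supplied by the caller
    field_name: str
    old_value: Any
    new_value: Any
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        payload = json.dumps(
            [self.seq, self.changed_by, self.changed_at, self.field_name,
             self.old_value, self.new_value, self.prev_hash],
            sort_keys=True, default=str)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditedRecord:
    """An export transaction record whose current state is derived only by
    replaying an append-only list of hash-chained ChangeEntry objects."""

    GENESIS = "0" * 64   # prev_hash of the very first entry

    def __init__(self, record_id: str, initial: dict, who: str, when: str):
        self.record_id = record_id
        self.log: List[ChangeEntry] = []
        # Initial values are recorded as changes from "nothing", so the
        # creator and creation time are part of the trail as well.
        for name, value in sorted(initial.items()):
            self._append(who, when, name, None, value)

    def _append(self, who: str, when: str, field_name: str,
                old: Any, new: Any) -> None:
        prev = self.log[-1].entry_hash if self.log else self.GENESIS
        entry = ChangeEntry(len(self.log), who, when, field_name, old, new, prev)
        entry.entry_hash = entry.compute_hash()
        self.log.append(entry)

    def current(self) -> dict:
        """Replay the log; the latest entry for each field wins."""
        state: dict = {}
        for e in self.log:
            state[e.field_name] = e.new_value
        return state

    def update(self, who: str, when: str, field_name: str, new_value: Any) -> None:
        """The only way to change a field: append a new entry, never edit one."""
        old = self.current().get(field_name)
        if old != new_value:
            self._append(who, when, field_name, old, new_value)

    def history(self, field_name: str) -> list:
        """(when, who, old, new) for every recorded change to one field."""
        return [(e.changed_at, e.changed_by, e.old_value, e.new_value)
                for e in self.log if e.field_name == field_name]

    def verify(self) -> bool:
        """Recompute every hash and link; an in-place edit, deletion or
        reordering of stored entries breaks the chain and returns False."""
        prev = self.GENESIS
        for i, e in enumerate(self.log):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != e.compute_hash():
                return False
            prev = e.entry_hash
        return True


def demo() -> dict:
    """Constructed sample: a sales order reclassified after initial entry."""
    rec = AuditedRecord("SO-0001",   # constructed record id
                        {"consignee": "Example GmbH", "eccn": "EAR99", "license": None},
                        who="jsmith", when="2017-01-10T14:02:00Z")
    rec.update("mjones", "2017-01-12T09:15:00Z", "eccn", "5A992")
    rec.update("mjones", "2017-01-12T09:16:00Z", "license", "LICENSE-PLACEHOLDER")
    intact = rec.verify()
    state = rec.current()
    eccn_history = rec.history("eccn")
    # Simulate a silent edit of stored history with no new entry, the kind of
    # alteration §122.5 says must not be possible; verify() must catch it.
    rec.log[3].new_value = "EAR99"
    return {"intact": intact, "state": state,
            "eccn_history": eccn_history, "after_tamper": rec.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same replay-and-verify check is what an auditor would want to run against an ERP’s change table: if a record can be edited without a new, linked entry appearing, the “turned on” tracking feature is not doing what the regulation requires.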

The DDTC, BIS, and OFAC most certainly do not consider a company’s failure to keep accurate and complete records of its export transactions, as required by law, to be a trivial matter, or “small stuff.”

In our experience, many companies have not clearly understood that compliance with these recordkeeping requirements is ultimately their responsibility, as the U.S. exporter, or USPPI, and that they cannot simply hand it off to a freight forwarder or shipping agent, and then forget about it. Even if you do employ the services of a third-party freight forwarder to ship your commodities, you still need to make sure that you receive and keep on file copies of all shipping documents, AES/ACE entries, supporting documents, special certifications, and all other required documentation for every export transaction. You should also be periodically checking and comparing the freight forwarder’s records against your purchase orders, invoices, export licenses, agreements, reports of exemption use, etc., to make sure that your exports are fully compliant with U.S. export laws and regulations. In the event of an official visit or compliance audit from one of the regulatory agencies, when the agents request the records of one of your export transactions, “I’m afraid I can’t help you with that; I imagine our freight forwarders must keep that sort of information on file somewhere” will not be an acceptable answer; you might be told that it is a synonym for “export violation.”


EXPORT COMPLIANCE IN 11 WORDS (Part 4 of 12)

A Series on Export Compliance Essentials

CLASSIFY!

Sound policies and consistent procedures for classifying your products
will reduce the risk of export control violations

Export compliance managers must be thoroughly familiar with their company’s products, services, and technical data, and they must know which export control requirements apply to each category.

Determining the correct export jurisdiction for your products—State/DDTC, Commerce/BIS, or, in rare instances, another Federal agency—and classifying them accurately according to the U.S. Munitions List (USML) or Commerce Control List (CCL) is a critical element of your corporate export control process, particularly in light of the recent Export Control Reform, which has brought about the migration of many former USML items to the CCL. Solid compliance demands accurate classification.

Even a small mistake in classification can cause big problems. Multiple export control violations resulting from a misclassification may result in wasted time, unhappy customers, heavy fines and penalties, long and costly litigation, a tarnished business reputation, and a record with the regulatory agencies that will be taken into account in any future export enforcement proceedings.

How to Avoid Errors in Product Classification

1. Keep calm and follow the process.

The web-based Decision Tree Tools on the DDTC and BIS sites, especially the USML Order of Review and Specially Designed tools and the CCL Order of Review and Specially Designed tools, are invaluable resources, if used properly. Together they provide a sure roadmap that will guide you through the process of reviewing the USML and CCL in order to classify each of your items correctly, with references to the relevant sections of the ITAR and EAR for you to consult at each step along the way. When you classify your products, make it your policy to follow the statutory Order of Review consistently. Stick to the path, and resist the temptation to take shortcuts!

2. Classify your products in advance to reduce risk.

A policy of classifying your products and services transaction-by-transaction, as needed, upon receipt of an RFQ or order from a foreign customer, puts your company at high risk of double-barreled disaster. What are the risks? For one thing, informing a customer when you’re about to ship his order that you’ve just realized you’ll have to apply for an export license, so it’ll be a while before he sees his goods, is a less-than-optimal practice if repeat business and customer retention are desired. For another thing, allowing shipping deadlines to influence jurisdictional determinations and classification decisions is a tried-and-true recipe for accumulating multiple export control violations and incurring heavy fines and other penalties. “Company discovers potential compliance problem with profitable overseas order, but decides to go ahead and ship anyway because they’re so hot for the sale” is one of the most common export violation scenarios.

A much safer practice is to do your homework in advance by classifying your whole product line and compiling the classifications (USML Category and Subcategory, or ECCN, or classification as “EAR99”) into a Product (or Technology) Classification Matrix, which can then be conveniently maintained in spreadsheet format. If you do this, be sure you include a concise explanation of the rationale for each classification, referencing any associated notes or documentation.

3. Stay connected and current.

The USML Categories and ECCNs you’ve determined for your products and services may not remain valid and accurate forever. Your company’s product specifications may change over time. Changing export laws, regulations, and definitions may also require you to re-classify. Make sure you subscribe to news and updates from all the relevant U.S. Government regulatory agencies, read them carefully as they are published, and put in place timely follow-up procedures for updating your Product Classification Matrix, internal control processes, compliance manual, and employee training, as required.

4. Document everything.

Inadequate recordkeeping is a very common cause of export control violations. If you self-determine the export classifications of your products, your classification procedures and process must generate and maintain documentation to show how and why you came to your conclusions. If you submitted a Commodity Jurisdiction (CJ) Request to State/DDTC or a Commodity Classification Request (CCATS) to the Commerce Department, you need to keep copies of the official rulings they issued, along with the product descriptions and supporting documentation you submitted to them, as well as any related correspondence or notes on conversations with U.S. Government agents. Even for items that you shipped under the NLR designation, you should always keep records justifying your NLR determination, as well as the other details of the export classification, for at least five years.

5. Disabuse yourself of common myths and misconceptions.

“It’s a commercial off-the-shelf item, so it can’t be export-controlled.”  FALSE. Everything in the U.S. (except public domain information) is subject to U.S. export controls. A great many COTS items are highly controlled for export. Full-rate thermal cameras, precision gyroscopes, and CubeSat kits are just a few examples.

“If I take it with me in my carry-on luggage, I won’t have to worry about export controls.”  FALSE. Anything that leaves the U.S. is being exported. There are some exemptions and exceptions for commercial items carried out of the country temporarily for use as “tools of trade” and a few other reasons, but their use requires documentation, and by no means do these exceptions cover everything.

“I work at a university, so what I do is classified as ‘fundamental research,’ making it automatically exempt from export controls.”  FALSE. By no means is it safe to assume that all work carried on at a university is fundamental research, or that technical data and information associated with university work is not export-controlled. University research will usually not be considered “fundamental research” if the university or its researchers accept restrictions on the publication of scientific and technical information resulting from the activity, or if the research is funded by the U.S. Government and specific access and dissemination controls protect information resulting from the activity. Even when the activity itself does qualify as “fundamental research,” export control regulations may still impose restrictions on certain equipment or software used in the course of the research, and on the provision of technical data and training to foreign persons in relation to that hardware or software. Several major U.S. export enforcement actions recently have involved universities and university professors.

“One reason we ship everything through a freight forwarder is so we won’t have to worry about the export classifications of our products. Our shipping agent is responsible for classifying our exports and obtaining licenses, not us.”  FALSE. Your freight forwarder’s job is to move your freight, not to analyze and classify your products and technologies. Even if a freight forwarder or courier is involved in the export transaction, as long as you are the U.S. Principal Party in Interest (USPPI) on the AES record, the ultimate responsibility for determining the proper jurisdiction and classification, obtaining a license, and ensuring compliance with licensing requirements and provisos is still yours. If the freight forwarder makes a mistake in classifying products on your behalf, you will be liable for any export violations that may occur.

“Why, we’ve been making this product for at least 30 years, and this can’t be the first time we’ve exported it, so it must be okay. It couldn’t possibly be export-controlled.”  FALSE. It doesn’t matter how long you’ve been making it—if it needs a license and you export it without one, that’s an export violation. Even if you exported it in the past, the ITAR or EAR requirements might have changed since then. And if nobody ever thought to check on the product’s export classification until now, you may well find that you need to file a Voluntary Disclosure.

“All our company’s products are classified EAR99. In other words, they’re all NLR – No License Required. So we don’t need to worry about export licenses.”  FALSE. “EAR99” is not a synonym for “NLR.” EAR99 is a classification that applies to items that fall under the jurisdiction of the Commerce Department, but are not listed on the Commerce Control List. While it is true that such items can be exported without a license in many cases, whether or not you will need a license to export an item depends on the details of the transaction. You will need a license for an EAR99 item—or your export might even be denied authorization—if you are shipping the item to an embargoed or sanctioned destination, or to a denied party or end-user of concern, or if you have knowledge that the export is in support of a prohibited end-use designated in Part 744 of the EAR, or if any of the Ten General Prohibitions in Part 736 apply to the transaction.

Lest you think the possibility of a license requirement for an EAR99 item is merely theoretical, note that in 2009 a very small New York company agreed to pay $70,000 to settle charges that it shipped $95,335 worth of scrap metal, classified EAR99, without a license to a company in Pakistan that (unbeknownst to the exporter) was on the BIS’s Entity List. According to the BIS, a request for a license to export EAR99 scrap metal to that Pakistani customer would have been routinely approved, but since the exporter shipped without applying for one, they were guilty of an export violation.

6. Don’t try to go it alone.

Product classification is a very serious matter. Yet the U.S. export laws and regulations are fraught with complications, and it’s easy to make mistakes. Read the business section of any newspaper regularly and you’ll see that export violations occur all the time, a great many of them related to products that were classified wrongly.

If you lack the expertise to classify products, or if you are not comfortable reading and interpreting the regulations and the technical specifications of products, or if you lack the time to do those things, then find the best outside experts you can as soon as you can and seek their advice. Export compliance consultants can often help at lesser cost than lawyers. And don’t be afraid to ask the consultants tough questions; after all, that’s what experts are for.

You also need to invest internally in training one or more of your people to handle your company’s product classification process. One strategy is to identify someone already working for you who is not afraid of reading and explaining regulations, such as the quality assurance or safety control or security manager. Then send him or her to export compliance classes and seminars that include hands-on workshops and practical training scenarios in product classification. If none of your current employees looks like the right person for this responsibility, then ask your outside consultant to help you find, hire, and train a qualified new person.

Finally, when necessary, don’t hesitate to seek professional legal advice from a law firm that specializes in international trade and export controls as its primary practice area. It’s true that lawyers can be expensive and legal fees are generally not a cost that any company likes to pay. But it can be a fatal mistake to put off calling a lawyer when you find yourself facing complicated legal questions, contractual issues, potential litigation, mergers and acquisitions, or key strategic decisions, such as voluntary disclosures when dealing with a 126.1 Prohibited Destination. Classifying your products for export control purposes certainly does not normally require the services of a lawyer. In certain cases, however, experienced legal professionals, working in conjunction with technical experts, can provide indispensable assistance in reviewing complex products and radically new technologies, or sorting out ambiguous intellectual property questions, to ascertain the appropriate regulatory jurisdiction and export classification. In dealing with such thorny matters, they can help keep you out of hot water, and the earlier in the process you bring them in, the more they can help.

Product classification is a vast topic. We’ll share some further thoughts with you about how to set up effective classification processes and procedures at your company in future blog posts.

Meanwhile, in the next post of this series on export compliance essentials, “SECURE!” we’ll discuss how you can protect your company’s controlled technical data and information against access by unauthorized persons, both on the ground and in the cloud.

(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)

EXPORT COMPLIANCE IN 11 WORDS (Part 2 of 12):
A Series on Export Compliance Essentials

Analyze!

A risk analysis is the key to getting your business ready for export compliance

As we noted in our previous post, there’s no such thing as a one-size-fits-all corporate export compliance system. Processes and procedures that are absolutely critical components of someone else’s compliance strategy might be impracticable and pointless for your company. Yet a compliance program with the wrong focus could weaken your competitive advantage by wasting time, money, and personnel on “protection” you don’t need, while leaving you exposed to being blindsided by severe penalties and crippling financial losses in areas where you actually are vulnerable.

Why Risk Analysis Is the Right Place to Start

Getting a business ready for export compliance is a challenging project. Before you can effectively address the real risks your company faces, you first need to know exactly what those risks are. You need to know how likely it is that you will be involved in a violation of the U.S. export laws, and how serious the consequences of such a violation would be. For that reason, the decision to conduct a comprehensive strategic risk analysis of your business from an export-compliance standpoint — preferably alongside an outside expert — is an indispensable prerequisite to all other compliance decision-making.

The first step in your analysis is an objective evaluation of your current information assets, systems, processes, procedures, people, and documentation. The company’s past, present, and future export customers, products, and services; the relevant U.S. laws and regulations; the likelihood of certain kinds of violation occurring; the nature and adequacy of the internal controls and personnel currently in place; the present regulatory environment and enforcement trends; the potential severity of penalties and fines, as well as other possible consequences for your business — all these issues and others need to be discussed in detail, analyzed, and evaluated before written policies and procedures can be formulated and put in place.

What’s the Difference? “Risk Assessment” vs. “Directed Compliance Audit”

A directed export compliance audit is usually the outcome of a compliance issue that an exporter has experienced with the U.S. Government, one in which an independent compliance audit has been required as part of a settlement. The scope, focus, and completion date are mandated by the regulatory agency with which the issue is being adjudicated—the DDTC, BIS, or OFAC. The report provided to the company by the auditor must be submitted to the agency, usually within a brief time span.

An export compliance risk assessment is a company-initiated examination of the efficiency and effectiveness of its export control process. The output from such an assessment includes a summary of the applicable U.S. export control requirements, an overall review and commentary on the existing compliance program (if any), and a detailed, process-by-process evaluation, typically presented in traffic-signal format (red, yellow, and green), with process “gaps” highlighted. The report on the findings of a risk assessment always includes recommendations for improvement and/or suggested corrective actions for potentially non-compliant activities that were found in the course of the assessment.

Following those recommendations and implementing those corrective actions is the best way to avoid a directed compliance audit.

What Do These Terms Mean? “Periodic” and “Independent”

The term “risk assessment” implies a formal, systematic process—something more than just an informal sizing-up or casual take on your compliance efforts. Industry “best practices” for ensuring corporate export compliance call for periodic independent compliance risk assessments.

“Periodic,” in this case, starts with annual assessments as a baseline.

“Independent” means that your risk level and the effectiveness of your current program need to be evaluated by a competent outside party.

“Competent” is simply common sense: the individual or team conducting the assessment needs to have the appropriate qualifications and specialized know-how, including a thorough familiarity with U.S. export controls and current risk assessment methodology. Competence may be established through relevant training and/or extensive experience. In the case of a directed compliance audit, the regulatory agency will require evidence of the qualifications of the person you have engaged to perform the audit. The U.S. Government won’t trust just anyone to assess corporate export compliance, and neither should you. So, here’s a hint: if you want to be sure you’re engaging a competent professional to conduct your risk assessment, look for someone whose résumé includes performing directed compliance audits.

“Outside” usually means that the review should be conducted by a person who is not a direct employee of your company. This is crucial, because you need an unbiased, impartial assessment of both the seriousness and likelihood of the non-compliance risks you are facing and the effectiveness of your current program and personnel. You need accurate results and recommendations you can rely on. Plainly, conflicts of interest could impair the objectivity of the findings. Common sense dictates that the more attached someone is to a situation—the more he or she has at stake—the more likely it is that the reliability of the assessment will be affected.

The Four Stages of the Risk Assessment Process

Although the details of every export compliance risk assessment are unique, the overall review process is similar in most cases, and typically involves four stages:

Stage 1: Advance planning and preparation.

Stage 2: An on-site visit.

Stage 3: A report of the findings. This report should include quantitative ratings of your company’s risk of export violations in each area of your business operations. It should conclude with practical recommendations of corrective actions and procedural enhancements to address problem areas and mitigate the risks. The report’s recommendations should be summarized in a step-by-step, actionable plan that highlights the place to start in each business area.

Stage 4: A scheduled follow-up review.

Why Assessing Compliance and Identifying Risks Is Not a Waste of Time

Perhaps you’re thinking that all this sounds like a significant investment of time, money, manpower, and energy, and wondering whether the investment is justified.  Are risk assessments really all that important? Will they truly add value to my business, or are they just a waste of time?

If you’re a U.S. exporter, periodic export compliance risk assessments, far from being a waste of time and corporate resources, are a valuable strategic tool that’s critical to your company’s continued survival in today’s global marketplace and regulatory environment. Let’s look at some of the reasons why that’s true.

Risk assessments can help you avoid severe penalties and fines. Violations of U.S. export laws can—and often do—result in stiff penalties. Criminal penalties can reach $1,000,000 and 20 years’ imprisonment per violation. Administrative penalties for civil violations are less severe, but can reach the greater of $250,000 per violation or twice the amount of the transaction—and a single non-compliant export transaction typically results in multiple violations.

In addition to fines, individuals and companies that fail to comply with export controls are subject to other administrative sanctions, including denial of their export privileges and suspension of their right to contract with the U.S. Government—penalties that would spell ruin for many U.S. companies.

Perhaps those are some of the reasons no company looks forward to being visited by officials from the BIS’s Office of Export Enforcement or the DDTC’s Office of Defense Trade Controls Compliance, or the Treasury Department’s OFAC.

“Be prepared” is not just a good motto for Boy Scouts; it’s good policy for U.S. exporters, too. The most effective measure you can take to minimize the likelihood of a visit by enforcement officials is to budget for regular export compliance risk assessments of your firm and to take the action recommendations in the assessment report very seriously. Furthermore—and equally important—if your company has been conducting its own comprehensive assessments of its compliance processes all along, and an official visit by government agents does occur, you can be sure that you and your employees will undergo a minimum of stress. You’ll be confident that you can produce any records and documents requested without delay, and you’ll be primed to answer any questions with accurate and up-to-date information. The likelihood of penalties will be small, and the cost in staff time and lost productivity will be greatly reduced.

And while you’re weighing up the negative consequences of non-compliance, here are a few more to put on the scale: avoiding hefty fines and penalties and lessening the chance of official visits and directed audits are not the only reasons you’ll be doing yourself a favor by conducting periodic independent compliance risk assessments and implementing their recommendations. A history of export violations can (1) adversely affect your company’s financial position; (2) hold up or block a sale, merger, or acquisition; (3) scare off potential foreign customers; (4) tarnish your firm’s image and business reputation; and (5) damage your business in many other ways as well.

This is definitely a case where a relatively small investment can save big over future costs and consequences.

The regulatory agencies have made it plain that they don’t consider risk assessments a waste of time. If your company should need to make a Voluntary Disclosure of an export violation you’ve discovered, one of the standard questions the DTCC and OEE will ask when reviewing your case is whether any audits or reviews of your company’s export compliance have been conducted during the past five years. Do you really want to answer “No” to that question? In most settlement agreements, the regulatory agencies require the company to have its export compliance program independently audited and send them a copy of the report within a narrow time frame. Rather than wait for that to happen, doesn’t it seem wiser to be proactive?

Risk assessments produce effective compliance programs—a valuable business asset. An export controls risk assessment by a compliance professional is bound to result in improved compliance. And a good track record and strong reputation for compliance are good for your business. Especially in the defense trade sector, a robust global trade compliance program is recognized as a competitive asset, one that some firms even list on their web sites. Recent studies of the most successful U.S. companies agree on one characteristic they have in common: compliance is part of their corporate culture.

Risk assessments can help your whole business run more efficiently. The compliance risk assessment process and your company’s follow-up on its findings and recommendations will highlight better ways to integrate export-control processes and “best practices” for export compliance into the rest of your business operations, including quality assurance SOPs and other regulatory compliance programs. The likely result will be an uptick in the overall efficiency of all your company’s operations. In particular, the implementation of Restricted Parties Screening (RPS) software and the challenge of integrating screening into your ERP software offer an opportunity to streamline your entire internal structure (including distribution process and supply chain management, inventory control, project planning, services knowledge base, and other critical business management processes). In the course of conducting an export controls risk analysis, many firms have discovered gaps in their cybersecurity that badly needed strengthening and areas where significant improvement was possible in the networking of company resources.

Stage 1: Getting Ready for Your Export Compliance Risk Assessment

Step back and think about your whole business.  An export compliance risk assessment should not take place in a bubble. To be fully effective, it needs to be part of a review and examination of your company’s overall business operations. What other week-to-week business processes are likely to be impacted by modifications to your export compliance system? How do you plan to integrate the findings and remediation measures that will be prescribed into your overall quality assurance and regulatory compliance system? What are your long-term corporate goals? How could improvements in your export process help you accomplish them?

Formulate some risk-mitigation proposals of your own.  Consider discussing the risk of export violations and setting down your ideas, suggestions, and tentative plans to improve your company’s export process before the risk assessment, based on your own past experiences and observations. Talk over your ideas with the reviewers before or during the on-site visit stage of the risk assessment. Later on, you can list those ideas side-by-side with the action recommendations in the assessment report, and consider how to combine the two lists into a more successful and export-compliant business.

Find out who’s who when it comes to exports.  Identify the actors within your company. Which individuals or departments are actually responsible for export compliance on a daily basis? Which employees are the points of contact within each department? Having a clear understanding of the role each person plays in export transactions is essential, because commonly, depending on the size of the company, one person may wear multiple hats with regard to export responsibilities. Being able to provide the names and contact information for key actors dealing with exports in your company will help the risk assessment run smoothly and without a hitch.

During the on-site visit phase of the risk assessment, every employee involved with exports in any way should be available and prepared to speak about his or her role, answer any questions the outside reviewer may have about the company’s internal processes, and provide examples of paperwork or electronic records related to exports upon request. Because these employees understand the specific business process and its associated flow firsthand, they can give valuable input when it comes to process improvements and risk mitigation efforts.

Seriously question your cybersecurity.  Controlled technical data stored in electronic form is always an area of potentially high risk that must be scrutinized carefully, because such data and information is easily accessed, copied, and transferred elsewhere. For that reason, some probing questions need to be asked about data storage and access control. Where is your controlled technical information and data stored? What physical and electronic security measures are in place to protect it? What company policies govern data storage? What controls exist to ensure that the granting of access to the company’s export-restricted data is consistent with U.S. regulatory requirements?

Pay attention to documentation and recordkeeping.  Review your company’s recordkeeping system and export documentation in advance of the on-site visit. Many U.S. exporters seem unaware that, according to U.S. export control regulations, recordkeeping and reporting are a very big deal, and a frequent cause of export violations. Exporters are legally required to maintain certain specific documents related to export transactions, and have them accessible for inspection, for at least five years. How and where are your records currently stored? Are they physically stored in an on-site location, or are they accessed electronically through the company servers? How conveniently and quickly can they be accessed? By whom? Each person involved in export compliance processes needs a clear understanding of the mandatory recordkeeping requirements and the company’s recordkeeping policy and practices. Make sure your export-related records will be conveniently available for review during the assessment visit, and consider how your system for saving, storing, and accessing them might be improved.

In the next post of this blog series on export compliance essentials, “EDUCATE!” we’ll discuss employee training—what it needs to cover and why it is critically important to the success of any corporate export compliance program.


EXPORT COMPLIANCE IN 11 WORDS:
Introducing a Twelve-Part Blog Series on Export Compliance Essentials

If you’re a newcomer to the world of U.S. export controls and you’ve just been charged with setting up an export compliance program for your firm, we wouldn’t at all be surprised to hear that you’re feeling a little overwhelmed right now. Does “bewitched, bothered, and bewildered” describe your state of mind as you struggle to make sense of the export laws and regulations and sort out which ones apply to your company? Are you wondering where to start?

If you’re finding export compliance to be a daunting task, rest assured that you’re not alone. The ever-changing complexities of U.S. export laws and regulations, licensing requirements, economic and trade sanctions, arms embargoes, and other legal and regulatory constraints present unique challenges to U.S. exporters as they strive to meet their business objectives while remaining compliant. Actually, taking on those challenges successfully without the proper training and support is more than just daunting, it’s impossible.

At Export Compliance Solutions, we’ve gained quite a lot of experience over the years helping our customers — small and medium-sized businesses and organizations of all kinds, and some of the big guys, too — identify, analyze, resolve and mitigate the regulatory issues and risks of selling in the international marketplace. Based on that experience, we’ve prepared a brand-new blog series for you, in which we share the most important lessons we’ve learned, condensed and summed up in 11 key words. The twelve posts (including this one) that you’ll be reading over the next several weeks will by no means cover everything there is to know, nor will they answer all your questions about export controls. What this series will do for you is lay a solid groundwork for understanding how to protect your business against export violations. “Export Compliance in 11 Words” will provide you with a sound starting-point for formulating an intelligent and practicable export compliance plan tailored to the needs and realities of your business.

Here’s an overview of what’s ahead:

ANALYZE – Because every business is different, there is no such thing as a generic, all-purpose, one-size-fits-all corporate export compliance program. Processes and procedures that are critical components of another company’s compliance strategy may be impracticable in scope and inappropriate in subject matter for yours. A program that doesn’t fit your needs will waste time, money, and personnel, and may even weaken your competitive advantage, while providing little or no protection against violations, fines, and penalties in the areas where your business is actually most vulnerable. But you can’t design a program that effectively addresses the real risks your company faces until you are confident you know what those risks are. That’s why conducting a strategic risk analysis of your business from an export-compliance standpoint — preferably alongside an outside expert — is an indispensable prerequisite to everything else. The company’s past, present, and future export customers, products, and services; the likelihood of certain kinds of violations; the controls and personnel already in place; the current regulatory environment and trends; the potential severity of fines and other consequences — all these issues and others need to be discussed in detail, analyzed, and evaluated before written policies and procedures are formulated and put in place.

EDUCATE – The oversight and management of corporate export compliance in today’s world requires substantial and ongoing professional training, including — but by no means limited to — a thorough familiarity with all the applicable U.S. Government laws and regulations. Once you’ve acquired the necessary training and knowledge yourself, your number one priority as a compliance officer should be training others in your company. The goals of this training should be (1) instilling and maintaining a high level of export compliance awareness company-wide and (2) ensuring that management and employees at all levels understand their export control responsibilities and have the appropriate competencies and skills to carry them out effectively, so that exports are made in compliance with both U.S. laws and regulations and the company’s best interests.

CLASSIFY – Export compliance personnel must know their company’s products and services, clearly identify, flag, and classify those categories of products, services, or technical data which are subject to export controls, and fully understand which regulatory requirements apply to each category. They must also know their company’s customers and be able to pinpoint risks and vulnerabilities from a regulatory standpoint.

SECURE – Responsible information-handling practices are critical to export compliance. You are responsible to protect your company’s controlled technical data and information against access by unauthorized persons, both on the ground and in the cloud, not only inside your facilities, but wherever your business and its workforce interfaces with the global marketplace. Your employees need to know that if they’re sharing technical data, such as plans and blueprints, even within the U.S., or if they’re allowing the visual inspection of ITAR-controlled articles by foreign nationals, they’re exporting technology; and if they’re doing these without proper authorization, they’re committing an export violation.

SCREEN – “Screening” is the process of checking and cross-referencing the parties involved in an export transaction against the many, continually updated lists of restricted or denied parties maintained by various governments and government agencies. If you’re a frequent or regular exporter (or are actively seeking to market your goods and services more widely overseas) and you aren’t routinely using some kind of Restricted-Party Screening (RPS) software to screen your customers, consignees, suppliers, employees, etc., you’re a fool. But you’re an even bigger fool if you are relying on RPS software alone to flag high-risk transactions and detect potential compliance problems. Even with the necessary screening software in place and properly configured to your company’s needs, the dictum remains true: your company’s employees are your ultimate line of defense — which is why their training and motivation is absolutely critical to compliance.

DOCUMENT – Certain specific recordkeeping for export transactions is mandated by the EAR, the ITAR, and the various OFAC Sanctions programs. But an effective corporate compliance program ought to be tracking and documenting much more than that bare minimum. Not only do transaction and licensing records need to be complete, accurate, and secure, they also need to be readily accessible in case of a compliance audit or other investigation.

COMMUNICATE – Proper communications are essential to export compliance. Critical compliance communications include the timely filing of the multiple reports mandated by U.S. export laws and regulations, enforced by the regulatory agencies, as well as having procedures in place for making prompt voluntary disclosures when violations or possible violations are discovered. It also means developing a communications strategy for keeping management, employees, suppliers, and customers in the loop about regulatory changes and all other compliance-related concerns and issues, as needed.

MONITOR – Even the most carefully formulated policies and procedures are meaningless if actual, real-life compliance with them is not checked and verified, and if instances of possible or actual non-compliance are not reported and promptly addressed. Moreover, if the monitoring of internal compliance processes is only sporadic, occasional, or random at best, it is not likely to be effective, and consequently the risk of violations occurring will be high. But reliable, continuous monitoring and control of processes and procedures necessitates building and maintaining an appropriate infrastructure.

ASSESS – A corporate export compliance program is properly focused on identifying and mitigating risks and vulnerabilities. To evaluate the effectiveness of your compliance efforts, frequent internal assessments and audits of processes and procedures are indispensable. So are periodic independent outside reviews of your overall compliance policies and program. It is critically important that the findings and recommendations of these reviews be reported to top management. Short-term and long-term follow-up on the implementation of corrective measures and program improvements should be an integral part of the review process.

ADAPT – Regulatory, technological, and business environments are rapidly and continually changing, and those changes are unavoidably impacting your company. “Innovate or die” is a common adage in the business world, and, while it may sound a bit melodramatic, it expresses a simple truth. If your company is surviving — and, we hope, thriving! — it’s safe to say you’ve made some significant changes over the last couple of years, and that’s all to the good. But if your export compliance program isn’t changing and adapting along with the rest of your business, your company’s survival may be at risk.

OWN – An effective export compliance program requires buy-in, visible involvement, and credible commitment on the part of top management — communicated, among other ways, by the allocation of adequate personnel and resources to the compliance function. When this sort of management commitment is perceived, when employees see that management is taking compliance seriously, company-wide engagement and employee motivation are likely to follow. Your compliance standards and policies, as well as the rationale behind them, should not only be spelled out explicitly in writing, but also well understood and acknowledged by each employee. Individual export compliance responsibilities need to be clearly articulated and included in job descriptions to ensure personal accountability and ownership. Moreover, your employees need to know that rules and procedures will be strictly enforced. The predictable result of not clearly assigning ownership of a process is a failed implementation of the process.

It is often said that without a top-down, pervasive corporate culture of compliance, no export compliance program will ultimately succeed. That may sound trite, and perhaps a bit corny, but it is nonetheless true, and its importance should not be underestimated. The human element remains the key to compliance. If you’re training your employees so they know how to do the right thing and motivating them so they want to do it, you’re on the way to creating a risk-aware corporate culture of compliance—the necessary foundation for any effective export compliance program.

Sound like information you need to know? If you’re new to export compliance responsibilities, or if you’re already dealing with U.S. export controls and would appreciate an update and review of the basics, you won’t want to miss a single one of the posts in this series. Sign up today for a free subscription to An EAR . . . to the ITAR and we’ll notify you of each new installment during the weeks ahead.


BIS Proposal Mirrors OFAC Penalty Guidelines: How Will This Impact Your Compliance Program?

On December 28, 2015, the Commerce Department’s Bureau of Industry and Security (BIS) published a Proposed Rule (80 FR 80710) that—if adopted—would revise the agency’s guidance concerning the settlement of civil (a.k.a. administrative) enforcement cases for export violations under the EAR.

The proposed changes would not apply to penalties imposed in civil cases involving Restrictive Trade Practices and Boycotts (Part 760 of the EAR), for which the current enforcement guidance in Supplement No. 2 of Part 766 would still apply; nor would they apply to penalties in criminal cases, which BIS refers to the Department of Justice for prosecution.

BIS will accept comments on this Proposed Rule until February 26.

What is BIS’s reason for revising the current guidelines?

The preamble to the proposal states that this revision is intended “to make administrative penalties more predictable to the public.” A second reason given is perhaps the most important one: to bring the Commerce Department’s enforcement policies into line with the penalty guidelines followed by the Treasury Department’s Office of Foreign Assets Control (OFAC).

In 2009, OFAC put into place a revised set of Economic Enforcement Guidelines for the Treasury Department’s sanctions programs. Since then, “the OFAC Guidelines” have provided a helpful framework of factors used by OFAC to determine whether or not to impose monetary penalties, and if so, how much. What BIS is now proposing is essentially a rewrite of its current “Guidance on Charging and Penalty Determinations in Settlement of Administrative Enforcement Cases” (found in Supplement No. 1 to 15 CFR Part 766) to make it substantially similar to those OFAC guidelines.

Greater transparency to the exporting community, harmonization of licensing policies and definitions among the regulatory agencies, and better coordination of enforcement actions are certainly laudable goals. They were important objectives of Phases I and II of the U.S. Government’s Export Control Reform Initiative (ECR) when it was launched in 2010.

What will change if these guidelines are implemented?

Perhaps the most significant change is that the Proposed Rule would amend the factors BIS will consider when deciding whether to pursue administrative charges or settle allegations of EAR violations and when setting penalties in civil enforcement case settlements; it also explains how penalties would be calculated. The current BIS guidelines only list the factors to be taken into account in determining appropriate enforcement. The revised guidelines now under consideration—patterned after OFAC’s Guidelines—would use the transaction value to determine a baseline for assessing a civil penalty, applying a systematic calculation method set out in the Proposed Rule.

Under the proposed guidelines, BIS would first decide whether an enforcement case should be categorized as egregious or non-egregious. (Some of the factors that would enter into their decision are explained in the proposal.) They would also look at whether or not the apparent violations had been voluntarily disclosed by the exporter. These two factors, taken together with the transaction value (defined as the total U.S. dollar value of the transaction) and the maximum applicable penalty for each violation, as fixed by law, would be used to calculate a “base amount” for assessing penalties in the case. (The formulas to be employed in that calculation are explained in detail in the proposal.) Next, the agency would ascertain how many apparent violations of the EAR had occurred.

Finally, the presence of certain aggravating factors (e.g., indications of willfulness or recklessness, extent of harm done to the goals of the regulatory program) and/or mitigating factors (e.g., evidence that effective remedial measures were promptly taken, exceptional cooperation with OEE, likelihood that a license would have been approved if applied for) and/or general factors (e.g., an operational corporate compliance program conforming to the BIS guidelines for exporters)—these would all be considered and weighed to decide whether the penalty should be adjusted downward, or upward (capped by the statutory maximum), and by how much.

The maximum legal penalties for violations of the EAR would not be affected by the Proposed Rule. The Export Administration Act (EAA) of 1979, the legal basis for U.S. export controls on dual-use items, actually lapsed in 2001 and has never been reauthorized by Congress. At present BIS derives its statutory authority to administer and enforce the EAR from the International Emergency Economic Powers Act (IEEPA), the same statute under which OFAC implements most of its economic sanctions programs. Under IEEPA, the maximum civil penalty can be as high as $250,000 for each violation, or twice the value of the transaction, whichever is greater. (If you are thinking that’s a very steep fine, you’re entirely right. Consider, however, the criminal penalties under IEEPA: a fine of up to $1 million or 20 years in prison. Or both. For each violation.)

Is this proposed change likely to result in higher penalties than we’re seeing now?

That’s a good question, but it’s hard to answer with any certainty. It will largely depend on BIS. Under the Proposed Rule, the penalty amounts would still be determined by the agency on a case-by-case basis, and the revised guidelines allow considerable enforcement discretion. Very considerable discretion.

BIS says it wants to retain sufficient administrative flexibility under the revised guidelines to allow proportionality in its enforcement actions. Instead of being tightly bound to mechanical penalty calculations, the agency will consider the totality of the circumstances in each case and tailor its response to the seriousness of the violation. Be that as it may, the trade-off for greater flexibility in regulations is always less certainty and predictability. That’s one reason why it isn’t entirely clear how the proposed guidelines would affect the size of civil penalties imposed.

One thing is quite clear: the Proposed Rule provides for significantly higher civil penalties in “egregious” cases. BIS assures exporters that it expects the vast majority of apparent violations investigated by its Office of Export Enforcement (OEE) to fall into the “non-egregious” category. Judging by the record of OFAC, which has been following a similar enforcement approach over the last six years, that does seem very likely. But it isn’t as reassuring as it might be. Here’s why: in addition to determining the penalty amount for each violation, BIS expressly retains the administrative discretion to determine how many violations have occurred in an enforcement case. If you’re thinking that this is simply a matter of knowing how to count, think again. Even under the current guidelines, OEE has been known to “pile on” violations in certain cases. What that means is something like this: if the identical incorrect information (say, a wrong ECCN, description, or monetary value) has been entered in multiple fields of the AES filing, it may be counted, at OEE’s discretion, either as a single export violation or as multiple separate violations, and be charged accordingly. In this way, even “non-egregious” violations can result in unexpectedly large penalties.

And there are other reasons why it’s hard to predict the impact of the revised guidelines on the size of penalties: the definitions of some key regulatory terms in this Proposed Rule are less than precise. Take the term “transaction value,” for example. Under the Proposed Rule, this value is to be the starting point for most penalty calculations. That means it is critically important that we know precisely how BIS will determine the “transaction value” in a given enforcement case. Regrettably, the definition of this term provided in the Rule raises more questions than it answers:

Transaction value means the U.S. dollar value of a subject transaction, as demonstrated by commercial invoices, bills of lading, signed Customs declarations, or similar documents. Where the transaction value is not otherwise ascertainable, BIS may consider the market value of the items that were the subject of the transaction and/or the economic benefit derived by the Respondent from the transaction, in determining transaction value. In situations involving a lease of U.S.-origin items, the transaction value will generally be the value of the lease. For purposes of these Guidelines, ‘‘transaction value’’ will not necessarily have the same meaning, nor be applied in the same manner, as that term is used for import valuation purposes at 19 CFR 152.103.

What do you think of that definition? Clear . . . or cloudy? Egregious or non-egregious? Once these guidelines have been finalized and implemented, BIS will presumably provide answers to some of the questions exporters will surely be asking about this: What transaction is the “subject transaction”? How will the referenced documents be used in determining its value? What happens when the documents contain inconsistent information? In what circumstances is the transaction value considered to be “not otherwise ascertainable”? How will “market value” and “economic benefit” be evaluated? Which of these two values will be prioritized? Once we know how BIS understands this and other key terms in the revised guidelines, we’ll be in a better position to assess the impact of the changes on penalty amounts.

Should we expect to see more enforcement actions by BIS if this rule is implemented?

Yes, you can definitely expect to see more enforcement actions by BIS, but probably not as a result of these revised guidelines—at least, not directly.

BIS says it does not expect the adoption of this Proposed Rule to increase the number of cases which are charged administratively—and which therefore result in monetary penalties, rather than being closed with a warning letter. We have no reason to doubt that statement. Nevertheless, BIS’s statistics show without a doubt that it has been drastically ramping up its enforcement of the EAR over the past several years. The agency has significantly increased its manpower, enhanced its enforcement tools, and broadened the scope of its investigations. Its pursuit of export violations—both civil and criminal—has intensified each year. There is every reason to believe that trend will continue.

Insofar as clearer rules, more explicit guidance, and greater alignment with other agencies (such as OFAC) will allow more cases to be brought forward, and either settled or charged, we expect the implementation of this Proposed Rule to facilitate the current trend.

Will Voluntary Self-Disclosures still be a mitigating factor under this Proposed Rule?

Technically, no. Voluntary Self-Disclosures are no longer stated to be “mitigating factors” per se.

But actually, yes. And that’s a very definite yes. Under this Proposed Rule, which closely follows the OFAC Guidelines, whether or not the exporter has submitted a VSD is the second most significant component in establishing the base penalty amount. So, this new proposal is entirely in keeping with BIS’s longstanding policy of strongly encouraging voluntary notifications of violations. Export violations that were completely disclosed in a timely VSD would be afforded more significant deductions in the base penalty amount than would have been afforded if BIS had discovered the violation independently.

According to BIS, only three percent of VSDs submitted over the past several years have resulted in a civil penalty. In most cases, BIS says, VSDs result in the issuance of warning letters.

BIS’s enforcement statistics, as well as the penalty calculation formulas in the Proposed Rule, indicate that an exporter would be wise to voluntarily self-report as soon as possible whenever a potential violation is discovered. Of course, whether or not a VSD is warranted by your company’s specific circumstances is a matter you should discuss with your corporate legal counsel. Generally speaking, however, submitting a full voluntary self-disclosure, including an account of corrective measures immediately taken to guard against future violations, is likely to limit potential penalties.

One caveat though: BIS does not look favorably on exporters who submit untruthful or misleading VSDs, or attempt to conceal some of the facts.

Would the implementation of this Proposed Rule be good news or bad news for U.S. exporters?

On the whole, probably good news.

Good News #1: Despite the uncertainty and unpredictability we noted above, due to BIS’s broad discretionary power in enforcing the EAR, the new guidelines should aid exporters—at least, to some extent—in estimating the range of likely penalties, especially for export violations that involve both the EAR and OFAC sanctions programs.

Good News #2: The trade-off for uncertainty and unpredictability, as we also noted above, is enforcement flexibility. In settlement negotiations, we would expect the flexibility and discretionary powers retained by BIS under this Proposed Rule to work in an exporter’s favor. In appropriate cases, BIS has the authority to suspend or defer payment of a civil penalty, taking into account whether the Respondent has demonstrated a limited ability to pay, whether the matter is part of a global settlement with other U.S. Government agencies, and/or whether the Respondent has agreed to apply a portion or all of the funds suspended or deferred for purposes of improving the company’s internal compliance program. Should your company ever be the Respondent, we’re certain you’ll see that as good news!

Good News #3: Even now, while the new guidelines are not yet in place, the Proposed Rule is already very helpful to exporters, as an indication of the approach to settlement and penalty determinations that BIS is likely to take in the years ahead.

What else should I take away from this?

One more thing: in case this wasn’t already abundantly clear to you, the Proposed Rule makes it even clearer: creating, maintaining, and prioritizing a comprehensive corporate compliance program that incorporates all the key elements identified in the BIS Compliance Guidelines (including written guidelines that tell your company’s employees exactly what is expected of them and provide a framework for senior management to engage intelligently with all compliance issues) is a critical requirement for every U.S. exporter, and is certain to become even more critical in the months and years ahead.

(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)

The Key Elements of an Effective OFAC Compliance Program

Question: What advice can you offer on how to set up and maintain a successful OFAC compliance program?

Because each company has different risks and different risk tolerances, there is no simple and clear formula for creating a successful OFAC compliance program. Nevertheless, the “Compliance Program Guidelines” issued by DDTC, the “Compliance Guidelines” issued by BIS, and the summary of “Regulations for Exporters and Importers” issued by OFAC identify certain elements that each agency considers essential for a program to be effective. The advice given by the three agencies has a great deal in common. Here are the key elements of any effective corporate export compliance program, with a few comments about each.

Management Commitment and a Strong Compliance Culture

In order for any compliance measures to be effective, the Board of Directors and senior management must buy into and commit to the success of the program. By clearly demonstrating their support and participation, the company’s leadership can set the tone for the entire staff and foster a culture of integrity—which includes transparency and compliance—throughout the organization. That means, among other things, a culture of self-reporting possible violations and inquiring to assess their scope and the extent of program exposure, instead of a culture of covering up and writing off penalties for violations as “a cost of doing business.”

A Qualified and Empowered Export Compliance Officer

Unless your company is very small, the appointment of a dedicated Export Compliance Officer (ECO) with a clear mandate to focus on this critical function is highly desirable. Consider that your ECO is charged with protecting you from risks where penalties can reach hundreds of millions of dollars. With a roster of laws and regulations that is continually changing, managerial staff in internal control roles today have a more challenging job than ever before, with ever-wider responsibilities.

Your company’s ECO should:

—     have a direct line of communication to the Board of Directors and senior management.

—     be knowledgeable concerning the ITAR, EAR, and OFAC regulations, and have a good working understanding of your company’s products, services, technologies, suppliers, and customer base. Don’t hire an inexperienced individual, unqualified for the role, and don’t skimp on his/her ongoing education and training.

—     have full authority to look into all compliance-related matters and put together a project team to address and resolve problems when they arise.

—     have sole responsibility for managing communications with regulatory agencies (such as Commerce/BIS, State/DDTC, and Treasury/OFAC) for all compliance-related issues.

—     be responsible for monitoring official announcements and press releases from DDTC, BIS, and OFAC daily for developments or enforcement actions that could impact your company’s line of business or its suppliers, and for communicating changes in regulations, policies, or procedures to company personnel by means of in-house e-mails, newsletters, announcements, or notices posted on the company intranet.

Thoughtful, Clearly Articulated Internal Policies, Procedures, and Controls

The level of sophistication of your internal compliance controls will naturally depend on the nature and scale of your business. What is essential is that policies, procedures, and controls be carefully thought out, clearly set down in writing, and effectively communicated to all employees, agents, and business partners. Individual compliance responsibilities should also be expressly included in job descriptions and performance evaluations of personnel, as appropriate.

You need to provide your employees with an easy way—such as an anonymous hotline or “help line”—to report potential violations of U.S. export laws and regulations or of the company’s export compliance policies without fear of reprisal; and you need to be consistent in investigating each report, and in implementing disciplinary procedures to address violations when they are encountered.

Effective Use of Information Technology

To avoid OFAC violations, it is crucial that companies have robust screening procedures in place that cover transactions, customers, suppliers, personnel, and business partners. This is a daunting task, because OFAC is concerned not only with a relatively small number of country sanctions (such as those found on BIS’s Commerce Country Chart and DDTC’s Country Policies and Embargoes chart), but also with many thousands of Specially Designated Nationals (SDNs), an ever-changing list of individuals, business entities, groups and organizations, banks, and even ships (or “vessels of concern,” as OFAC calls them). Nor is the SDN List the only list against which transactions should be screened. There are also BIS’s Denied Persons List, Entity List, and Unverified List, DDTC’s Debarred Parties List, the FBI’s Most Wanted Terrorists List, the United Nations 1267 List, the European Union Sanctions List, the HM Treasury Sanctions List, and others as well.

Even if your company is small, reliance on manual screening and monitoring processes alone now carries an unacceptably high risk and should no longer be considered a viable option. Today it is imperative that U.S. exporters use information technology to the maximum extent feasible in seeking to implement the know-your-customer rule (KYC) and other due-diligence measures for preventing unlawful diversion and ensuring that their shipments will reach only authorized end-users for authorized end-uses. A reliable screening software solution that uploads changes to the list as close to real-time as possible is a critical element in any company’s compliance program.

Many “off-the-shelf” transaction monitoring systems—most of them web-based—are available, at a wide range of prices and with a range of features that include basic screening against multiple denied parties lists, batch screening, sophisticated search algorithms employing “fuzzy logic,” the ability to generate custom reports of all kinds, automated recordkeeping, and real-time monitoring with immediate notification of any changes. But even with the purchase of commercial software, developing and implementing a screening system that will protect your company effectively is going to require the investment of some time and effort to calibrate, configure, and fine-tune the screening algorithm to match your business’s specific needs. The failure to do so will render even the best screening software ineffective and leave your company at risk. Screening software also brings with it certain inevitable limitations, including the potential for false positives, even after the screening algorithm has been optimally configured for your company’s risk profile. In some cases, it will be necessary to follow up the screening with manual reviews of entities or persons.

In the course of performing compliance audits and risk assessments for exporters, both large and small, in the U.S. and overseas, our audit teams still encounter far too many companies that employ a manual transaction screening procedure consisting of logging on to a series of web sites, screening customers, vendors, personnel, and other entities of concern, one at a time, against a hodgepodge of lists, and then updating the results of the search on a tracking spreadsheet. Not only is this manual method time-consuming and limited in the number of lists you can reasonably screen against, but it also does not lend itself well to compliance records retention. Spreadsheet programs, such as Excel, were never meant to function as databases. They are not secure and are notoriously error-prone. They cannot handle attachments of documents, photos, licenses, verifications, and other evidence. While it is true that they are easy to use and convenient to update, because they lack the ability to track changes over a period of time and have no audit trails for data or formulas, they are an auditor’s nightmare. Even the most basic IT-based screening and monitoring solution is clearly preferable.
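To make the preceding points concrete (name normalization, fuzzy matching against several lists with aliases, the threshold trade-off that produces false positives or misses, and an audit record that a spreadsheet cannot provide), here is an added example of a minimal screening routine. It is not code from this blog or from any screening vendor; the list entries, names, programs, list version and thresholds are all constructed for illustration, and the matching uses Python’s standard-library SequenceMatcher rather than any vendor’s algorithm.

```python
"""Denied-party screening with fuzzy name matching and an append-only audit record.

Added example; the list entries, names and thresholds below are constructed
for illustration and are not real SDN or Entity List data.
"""
import difflib
import json
import re
import unicodedata
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Constructed sample entries (invented names, not real designations).
SAMPLE_LISTS = {
    "SDN": [
        {"name": "Example Trading Company Ltd.", "aka": ["Ex. Trading Co"], "program": "SDGT"},
        {"name": "Ivan Petrovich Primerov", "aka": ["Primerov, Ivan"], "program": "UKRAINE-EO13662"},
    ],
    "ENTITY_LIST": [
        {"name": "Sample Precision Instruments GmbH", "aka": [], "program": "EAR Part 744 Supp. 4"},
    ],
}
LIST_VERSION = "constructed-2015-10-01"  # in practice: the publication date of each list file

# Corporate designators carry no identity information and only cause spurious mismatches.
_SUFFIXES = {"ltd", "limited", "llc", "inc", "co", "company", "gmbh", "corp", "corporation", "sa"}


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, drop corporate suffixes, sort tokens."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = [t for t in re.split(r"[^a-z0-9]+", ascii_text.lower()) if t and t not in _SUFFIXES]
    return " ".join(sorted(tokens))  # sorting makes "Primerov, Ivan" equal to "Ivan Primerov"


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means the normalized names are identical."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


@dataclass
class Hit:
    list_name: str
    matched_name: str
    program: str
    score: float


@dataclass
class ScreeningRecord:
    party: str
    threshold: float
    list_version: str
    screened_at: str
    hits: list
    disposition: str


def screen(party: str, lists=SAMPLE_LISTS, threshold: float = 0.85) -> ScreeningRecord:
    """Screen one party against every list; any hit holds the transaction for manual review."""
    hits = []
    for list_name, entries in lists.items():
        for entry in entries:
            # Best score across the primary name and all aliases (a.k.a. entries).
            best = max(similarity(party, n) for n in [entry["name"], *entry["aka"]])
            if best >= threshold:
                hits.append(Hit(list_name, entry["name"], entry["program"], round(best, 3)))
    hits.sort(key=lambda h: h.score, reverse=True)
    return ScreeningRecord(
        party=party,
        threshold=threshold,
        list_version=LIST_VERSION,
        screened_at=datetime.now(timezone.utc).isoformat(),
        hits=hits,
        disposition="HOLD_FOR_REVIEW" if hits else "CLEAR",
    )


def audit_line(record: ScreeningRecord) -> str:
    """One JSON line per screening, suitable for an append-only log (not a spreadsheet)."""
    return json.dumps(asdict(record), sort_keys=True)


if __name__ == "__main__":
    for party in ["Acme Widgets Inc", "EXAMPLE TRADING CO", "Ivan Primerow"]:
        print(audit_line(screen(party)))
    # Same transliteration variant, stricter threshold: the 0.923 match is now missed.
    print(audit_line(screen("Ivan Primerow", threshold=0.95)))
```

Two design points are worth noticing. First, the transliteration variant “Ivan Primerow” scores about 0.92 against the alias “Primerov, Ivan”, so it is held at the default 0.85 threshold but silently passes at 0.95; that single number is what “calibrating the screening algorithm to your risk profile” means in practice, and raising it to cut down on false positives directly buys you misses. Second, every screening, including a CLEAR result, is written out with the list version, the threshold in force and the timestamp, because an auditor will ask not only whether a party was screened but against which list, on which date, with which settings.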

Ongoing, Relevant Employee Training

Regular employee training that ensures all staff understand the applicable laws and regulations, as well as the business’s policies, processes, and specific risk profile, has always been a key component of any corporate compliance program. But for OFAC compliance, training is even more critical than it is for ITAR and EAR compliance, due to the dynamic nature of U.S. trade embargoes and the speed with which some programs are announced and evolve. Even automated screening can go only so far in helping to detect sanctions violations. Consider that entities on the SDN List can open fake bank accounts, individuals can create false identities, and both can use proxies or agents to place orders on their behalf internationally. There is always some degree of risk that you are doing business with someone you shouldn’t and are violating OFAC’s rules. Alert, trained employees will spot red flags and inconsistencies that software can’t.

For that reason, you need to identify your company’s frontline employees from a compliance perspective—those whose duties require an awareness of ITAR, EAR, and OFAC regulations—and train them to understand the sanctions vulnerabilities you face and how serious these are, spot potential problems quickly, and respond appropriately. Those men and women are your ultimate line of defense. Even when there is a strong commitment on the part of management and when sound internal processes are in place, a work force without proper training will leave your company exposed and at high risk. All the compliance policies, procedures, and “best practices” in the world are worthless unless they are known, correctly understood, and followed by your employees. Even worse, they may create a sense of false security.

Export compliance training needs to start right away, with new employee orientation. Regular retraining events should provide updates to internal policies, procedures, processes, and monitoring systems. In order for compliance awareness training to be fully effective, it needs to include realistic practical illustrations of potential violations and credible scenarios of suspicious activities with “red flags” that should put a transaction on hold and trigger a report to Compliance. For that reason, off-the-shelf employee training materials should never be simply purchased and deployed “out of the box”; they must first be tailored to the specifics of the company’s business. This is definitely not a situation where “one size fits all.”

The following are some of the most common weaknesses our teams have observed when assessing corporate training programs:

—     Employee training is not conducted regularly or frequently enough.

—     Deadlines for completing or renewing training are not enforced.

—     Training content is not being updated.

—     Training is deployed, but without any test or questionnaire to verify knowledge retention.

—     When employees were found to have breached either U.S. export regulations or the company’s stated compliance policy, additional employee training was not conducted to remedy the situation and prevent repetition.

Remember—

“Every one of your employees has the ability to damage—or to protect
and enhance—the reputation of the company.”

Independent Reviews and Risk Assessments

Regular compliance reviews and assessments, conducted by experienced outside auditors, consultants, or other qualified independent parties, are really the only reliable way to verify that your OFAC compliance program is operating as effectively as possible and is fully compliant with the law. It is imperative that these assessments be performed by an individual or team not directly tied to or responsible to the Compliance Department. In very large corporations, they could be conducted by the Internal Audit Department, if one exists, but only if Internal Audit has proper specific export compliance expertise. Otherwise, the company should hire experienced external consultants.

The frequency of these reviews should be commensurate with your company’s risk profile. Every 12 to 18 months is typical. Ask the reviewers to report their findings directly to the Board and/or senior management—not only to the compliance officer or department. And it’s always a good idea to ask that an Executive Summary be included in the written report. The report should aim at giving management practical insight into the programmatic strengths and weaknesses. It should also suggest specific remedial actions to bring the company back into full compliance. Those suggestions should not be ignored.

Remember—

“A single weak or missing element will undermine
your entire OFAC compliance program.”

(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)

OFAC: The Not to Be Forgotten Part of Export Compliance (Part 3 of 3)

Question: I’m seeing a lot of headlines about OFAC sanctions in the global trade news lately. Why has developing a corporate OFAC compliance program suddenly become so important?

Over the past few years, the U.S. Government has increasingly looked to trade embargoes and economic sanctions programs, which OFAC administers, to help achieve its foreign policy and national security objectives. Sanctions have also served as an integral component of America’s counter-terrorism strategy and campaign to halt the spread of weapons of mass destruction. More recently, they are being employed in innovative ways to combat malicious cyber activity and transnational organized crime.

Not surprisingly, given that America’s economy and capital markets are still the largest in the world, U.S. sanctions have had a dramatic impact on international trade; in multiple instances, they appear to have been effective in influencing the behavior of countries that the government viewed as national security threats. Because of the proven effectiveness of these measures, and probably also because of the nation’s current economic state and a generally war-weary public, sanctions have become a tool of first resort for U.S. foreign policy. Consequently, we have seen OFAC (with help from the Department of Justice) ramping up their sanctions enforcement and aggressively pursuing potential violators throughout the world.

Major prosecutions under the Foreign Corrupt Practices Act have made the headlines several times this past year. Economic sanctions enforcement seems poised to be the next big focus for government regulators. U.S. businesses that operate, or intend to operate, in the global marketplace urgently need to take a close look at their corporate export compliance programs and develop strategies for complying with rapidly changing regulations and enforcement policies in this area.

(1)    Proactive is always better than reactive.

More and more large U.S. and multi-national corporations, especially those who are prime U.S. Government contractors, are now addressing the OFAC compliance challenge and requiring all those with whom they do business—subcontractors, vendors, suppliers, partners—to demonstrate a similar diligence. Addressing the OFAC compliance challenge on your own timeline, rather than waiting until you are obligated by a contract or business transaction to do so, will allow you to choose compliance options that are cost-effective for your company’s business model, circumstances, and goals.

(2)    The recent Yates Memo has sounded a new warning note and made enforcement more personal.

The policy memorandum issued on September 9, 2015 by Deputy Attorney General Sally Quillian Yates appears to signal a more aggressive approach by the U.S. Government that prioritizes the prosecution of individual corporate executives in cases of corporate wrongdoing, including sanctions violations. While the insistence on individual accountability for corporate misdeeds is not new, the policy outlined in the Yates Memorandum places a greater emphasis than before on requiring the corporation’s internal investigation to identify the individual decision-makers who were involved in, or were responsible for, the regulatory noncompliance. Essentially, companies that want any “cooperation credit” from the U.S. Government (i.e., mitigation of penalties) will first need to fully disclose to the prosecutors the results of their internal investigation concerning the employees and senior executives involved.

Although the significance and implications of the Yates Memo are not yet entirely clear, the trend in regulatory enforcement that it represents underscores the need for companies to have more effective export compliance policies and procedures in place. You may want to consider including policies that spotlight individual accountability and processes that facilitate the rapid triage of incident reports and immediate and thorough investigations when appropriate.

Question: In what ways is achieving and maintaining OFAC compliance a greater challenge for a company than ITAR and EAR compliance?

(1)    OFAC sanctions are continually evolving. U.S. trade embargoes and economic sanctions, and the names of entities on the SDN List, can and do change very quickly—even overnight. For that reason, keeping abreast of new and evolving programs and ensuring compliance with recordkeeping, reporting, licensing, and other OFAC requirements can be extraordinarily difficult.

The Treasury Department’s SDN List contains several thousand names, and people or organizations can be removed from it, or added to it, at any time. Other jurisdictions maintain their own sanctions lists and restrictive measures, so your company’s transactions may need to be screened against multiple lists. Several of them, including the European Union, Canada, and Mexico, also maintain “blocking statutes” that prohibit persons under their jurisdiction from complying with certain U.S. extraterritorial sanctions, so some of these foreign measures may directly conflict with U.S. regulations. Due diligence requires continuous, real-time, comprehensive monitoring to ensure that your dealings and transactions with foreign countries and individuals are not in violation of OFAC prohibitions.

(2)    OFAC sanctions are extraordinarily comprehensive. In addition to prohibiting certain transactions, OFAC regulations prohibit U.S. persons from “facilitating” (i.e., assisting, supporting, directing, or approving) a transaction by, or with, a sanctioned entity. The regulatory definition of “facilitation” is quite general, and its concrete interpretation has not been clear, since enforcement actions against companies for “facilitation” violations have been fairly infrequent. That situation has now changed dramatically. In the past few years, the U.S. Government has begun aggressively pursuing criminal actions against individuals and firms that “willfully facilitate” sanctions violations. Referring prohibited business to a foreign party, providing guidance or advice on a prohibited activity, financing or insuring or guaranteeing a prohibited transaction, providing merchandise or services in connection with a prohibited activity—any or all of these may constitute facilitation, and thus violate the OFAC regulations.

Most OFAC Sanctions Programs apply to ‘‘U.S. persons,’’ a term embracing U.S. citizens, permanent resident aliens, entities organized under the laws of the U.S. or any jurisdiction within the U.S. (including foreign branches of U.S. corporations), and any persons in the U.S. However, some sanctions programs state a wider jurisdiction. The Cuban Assets Control Regulations (CACR), 31 C.F.R. Part 515, use a more broadly defined term, ‘‘Persons subject to the jurisdiction of the U.S.,’’ which includes foreign subsidiaries of U.S. companies (see 31 C.F.R §515.329 and §515.330).

(3)    OFAC violations can carry staggering penalties.

Violations of the OFAC regulations may incur civil or criminal penalties, or both, and the enforcement trend over the past few years has been very aggressive. Increasingly, the U.S. Government has chosen to pursue criminal charges against violators (or has settled cases using criminal allegations), and a series of record-setting penalties has been imposed for OFAC sanctions violations. Examples within the last year include the almost $1 billion OFAC settlement with BNP Paribas (one component of a total resolution of roughly $8.9 billion), and more recently Commerzbank’s agreement to pay $258 million to OFAC over transactions involving sanctioned countries, which it had concealed by falsifying business records. Nor is it only banks that have been prosecuted for sanctions violations. Schlumberger Oilfield Holdings Ltd. recently agreed to pay $232 million to settle criminal charges brought by the Department of Justice for violating U.S. sanctions. That action and a few others are indications that regulators may soon be turning their attention to U.S. manufacturing companies as well.

* * *

A serious OFAC compliance program demonstrates that your company is aware of the SDN List and the sanctions regulations, understands the risks, and is actively trying to prevent OFAC violations. If a violation does occur, the existence of such a program will be a strong mitigating factor against severe penalties. Conversely, in some recent criminal prosecutions the U.S. Government has contended, and the courts have agreed, that failing to have an adequate compliance program in place was an indication of “reckless disregard,” and therefore supported prosecution of the company and individual employees for willful, criminal violations of the regulations. Depending on the sanctions program, criminal penalties for willful violations can include fines of up to $20 million and imprisonment of up to 30 years. Even worse, a single transaction can produce multiple violations (for example, one count per prohibited payment, shipment, or service), placing a company at risk of significant cumulative liability.

Beyond avoiding draconian penalties, another good reason for making OFAC compliance (and EAR/ITAR compliance) a high priority is minimizing costly and time-consuming investigations. Even if the finding is that no violation occurred, or if civil penalties are eventually waived because of mitigating factors, responding to U.S. Government queries about potential violations and conducting a comprehensive internal investigation can place a heavy and damaging burden on corporate resources.

Given those risks, it’s hardly surprising that more and more company boards and senior executives are moving enhanced OFAC compliance measures to the top of their agendas.

Catch next week’s post “The Key Elements of an Effective OFAC Compliance Program” for advice on how to set up and maintain a successful OFAC compliance program.

(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)