State Department Commodity Jurisdiction and ITAR Changes this Week

Tuesday – ITAR Amendments

On Tuesday, November 15, 2016, ITAR amendments published in August will go into effect (81 FR 54732).

Among these amendments, § 120.5 will be revised to clarify that ITAR exemptions can only be used for items subject to the EAR when they are in the same shipment as a defense article.  EAR-controlled items continue to be subject to the EAR, even if shipped under a Department of State license or ITAR exemption.

The Destination Control Statement (DCS) at § 123.9 will also be revised to harmonize the text with the EAR’s DCS at § 758.6.  The DCS must be included as “an integral part of the commercial invoice.”

Additional amendments will be effective December 31, 2016 and the Department of State continues to anticipate separate rulemaking for proposed rules issued during the Export Control Reform process that are not yet final.

Wednesday – CJ Form

The Department of State will no longer accept DS-4076 Commodity Jurisdiction (CJ) requests through the Electronic Form Submission (EFS) application effective Wednesday, November 16, 2016 at 5pm EST.

Starting Monday, November 21, 2016 at 8am EST, CJ requests will be accepted through the Defense Export Control and Compliance System (DECCS).

DECCS submissions are through an interactive, browser-based form.  The status of CJ applications will continue to be tracked through the Department of Defense’s ELISA system.

The Department of State continues to work on new forms for voluntary disclosures, registration changes, and a single license application.

EXPORT COMPLIANCE IN 11 WORDS (Parts 5 & 6 of 12)

A Series on Export Compliance Essentials

DOCUMENT & COMMUNICATE: SMALL STUFF THAT MATTERS

When it comes to export compliance, it’s often the little things that make a big difference. The reporting requirements of ITAR §122.4, for instance:  has your company already missed the 5-day deadline?

In a speech called “Elephants Don’t Bite!” motivational speaker Joel Weldon reminds his audiences that in the quest for excellence, it’s almost always the small stuff, the stuff that’s easy to miss, not the big stuff, that trips us up. “Raise your hand if you have ever been bitten by a mosquito,” he says. “Has anyone here been bitten by an elephant? . . . That proves my point! It’s the little things that get you, not the big things. The little things come along and cause big problems!” Then, on a more positive note, Weldon adds, “And it’s the little things you do right that can bring you huge rewards.” The moral: pay attention to details!

Among the myriad government rules and regulations for U.S. exporters, the requirements for recordkeeping and reporting might easily be taken for trivial matters. Evidently many companies do take them that way, because changes in the firm’s registration information that have never been reported to the DDTC—as required by ITAR §122.4, “Notification of Changes in Information Furnished by Registrants”—are among the most common problems our visiting teams discover when they arrive at a client’s headquarters for an on-site risk assessment. And you can be sure that if folks from the State Department arrive at your firm under the Company Visit Program (CVP), as part of their Outreach efforts, they will spot this right away, too, and label it (correctly) as a failure to comply with the requirements of the ITAR.

Here’s the relevant portion of this regulatory requirement in ITAR §122.4 (as amended on August 26, 2013, effective October 25, 2013):

(a) A registrant must, within five days of the event, provide to the Directorate of Defense Trade Controls a written notification, signed by a senior officer (e.g., chief executive officer, president, secretary, partner, member, treasurer, general counsel), if . . .

(2) There is a change in the following information contained in the Statement of Registration:

(i) Registrant’s name;
(ii) Registrant’s address;
(iii) Registrant’s legal organizational structure;
(iv) Ownership or control.

When this section was last revised, in 2013, the State Department also revised ITAR §129.8, which deals with the registration and licensing requirements for brokers, to include some further notification requirements. Here’s the relevant portion of that part of the regulations:

(d) A registrant must, within five days of the event, provide to the Directorate of Defense Trade Controls a written notification, signed by a senior officer (e.g., chief executive officer, president, secretary, partner, member, treasurer, general counsel), if . . .

(2) There is a change in the following information contained in the Statement of Registration (form DS–2032):

(i) Registrant’s name;
(ii) Registrant’s address;
(iii) Registrant’s legal organization structure;
(iv) Ownership or control;
(v) The establishment, acquisition or divestment of a U.S. or foreign subsidiary or other affiliate who is engaged in brokering activities or otherwise required to be listed in registrant’s Statement of Registration; or
(vi) Board of directors, senior officers, partners and owners.

And finally, here’s what the DDTC is currently saying on their web site about what the agency expects from registrants regarding notifications of changes “as part of the registration renewal process”:

[Registrants are instructed to] notify the Department of the following material changes as part of the registration renewal process: 1) consolidation of a broker registration with a manufacturer/exporter registration; 2) removal of entities not owned or otherwise controlled from registration; and 3) deletions or additions of U.S. Munitions List categories. However, if notification of change is the subject of an internal reorganization, merger, acquisition, or divestiture registrants must notify the Department of all changes in information within five days of the event, including where applicable, the three changes specified above.

The third type of change mentioned in this web notice, “deletions or additions of U.S. Munitions List categories,” is not specifically mentioned in the sections of the ITAR quoted above, but if the change your company is reporting is one involving an internal reorganization, merger, acquisition, or divestiture, you would be well advised to include any such changes in your within-five-days notification to the DDTC as well.

We trust you noted the requirement in all the above citations that these notifications need to be made to the DDTC within five days of the event. If you’re wondering whether that phrase means what it appears to mean, the answer is that it does.

If you’ve been thinking while reading the above that “within five days of the event” seems like an awfully narrow time window for notifying the DDTC of a change at your company, consider this: some required notifications must be made in advance of the event. One such prior reporting requirement—a critically important one, too, and an all-too-common source of violations, in our experience—is found in ITAR §122.4(b). This paragraph applies to any intended (that is, prospective or planned) sale, or transfer of ownership/control, of your business, or of “any entity thereof,” to a foreign party or parties. Here is the relevant passage (we’ve underlined for you a couple of crucial sentences that you might easily have missed, imagining perhaps (incorrectly) that they were “small stuff”):

(b) A registrant must notify the Directorate of Defense Trade Controls by registered mail at least 60 days in advance of any intended sale or transfer to a foreign person of ownership or control of the registrant or any entity thereof. Such notice does not relieve the registrant from obtaining the approval required under this subchapter for the export of defense articles or defense services to a foreign person, including the approval required prior to disclosing technical data. Such notice provides the Directorate of Defense Trade Controls with the information necessary to determine whether the authority of § 38(g)(6) of the Arms Export Control Act regarding licenses or other approvals for certain sales or transfers of defense articles or data on the U.S. Munitions List should be invoked (see §§ 120.10 and 126.1(e) of this subchapter).

(c) The new entity formed when a registrant merges with another company or acquires, or is acquired by, another company or a subsidiary or division of another company shall advise the Directorate of Defense Trade Controls of the following:

(1) The new firm name and all previous firm names being disclosed;

(2) The registration number that will survive and those that are to be discontinued (if any);

(3) The license numbers of all approvals on which unshipped balances will be shipped under the surviving registration number, since any license not the subject of notification will be considered invalid; and

(4) Amendments to agreements approved by the Directorate of Defense Trade Controls to change the name of a party to those agreements. The registrant must, within 60 days of this notification, provide to the Directorate of Defense Trade Controls a signed copy of an amendment to each agreement signed by the new U.S. entity, the former U.S. licensor and the foreign licensee. Any agreements not so amended will be considered invalid.

(d) Prior approval by the Directorate of Defense Trade Controls is required for any amendment making a substantive change.

We hope you noticed that, in addition to the mandatory notification that must be made to the State Department 60 days in advance (“must” and “shall” are such little words that they can easily be missed — “small stuff,” right? — but in government regulations they always translate as “mandatory” and “legally required”), there is also mention of a mandatory follow-up submission required by State no later than 60 days after the first. Any regulatory language that translates as “deadline,” whether the period specified is “before” or “after,” deserves to be underlined or highlighted; it comes under the heading of “small stuff that matters.”

“COMMUNICATE” is one of the 11 key words that we chose to summarize the essentials of export compliance in this blog series. A few synonyms for communicate are notify, report, and disclose. Notifying the State Department within 5 days of changes in your registration information is only one of the multiple notifications that are mandatory and must be made in a timely manner. Reporting semi-annually on your company’s use of the Canadian Exemption (ITAR §126.5), as specified in Supplement No. 1 to Part 126 of the ITAR, Note 14(c), is another example of a mandatory communication. (Don’t let that word “exemption” mislead you here; exemption from a license requirement doesn’t mean you are exempt from reporting and recordkeeping requirements!)  Disclosing information to the DDTC or BIS about a potential or actual export control violation (see ITAR §127.12) is sometimes legally mandatory—in which case neglecting to file such a disclosure would constitute an additional violation. But even when such disclosures are not mandated by law, and when they haven’t been “directed” or ordered by a government agency, they are very strongly encouraged by all the agencies and highly advisable in most cases, since voluntary disclosures will generally be a mitigating factor in determining what administrative penalties, if any, will be imposed.

Whatever synonym is used for it, the failure to communicate critical compliance information to the DDTC, BIS, or OFAC within a specified deadline is one of the most common sources of export violations, and the penalties that can result from such violations are by no means “small stuff”!

“DOCUMENT,” another of our 11 key compliance words, is closely related to what we have been talking about here. A synonym for documenting is creating and keeping records of your exports. Some very specific kinds of recordkeeping for export transactions are mandated by the ITAR, the EAR, and the various OFAC Sanctions programs. Not only do the legally required transaction and licensing records need to be complete, accurate, and secure, they need to be kept for a certain time (in most cases, five years) and maintained in a certain way.

For example, ITAR §122.5 states that the information “must be stored in such a manner that none of it may be altered once it is initially recorded without recording all changes, who made them, and when they were made.” Have you checked to see whether your company’s current order processing or ERP software supports this critical ITAR requirement? And, if the software you use does have this tracking and recording capability, have you checked to verify that the feature is appropriately configured and “turned on”?

Another detail worth checking: ITAR §122.5 also says that your export records need to be “available at all times for inspection and copying” in case of a compliance audit or other official visit or investigation. Have you checked lately to see how “available” the legally mandated records are at your company? Which employees know how to access and retrieve them for inspection, if the occasion arises?

The DDTC, BIS, and OFAC most certainly do not consider a company’s failure to keep accurate and complete records of its export transactions, as required by law, to be a trivial matter, or “small stuff.”

In our experience, many companies have not clearly understood that compliance with these recordkeeping requirements is ultimately their responsibility, as the U.S. exporter, or USPPI, and that they cannot simply hand it off to a freight forwarder or shipping agent, and then forget about it. Even if you do employ the services of a third-party freight forwarder to ship your commodities, you still need to make sure that you receive and keep on file copies of all shipping documents, AES/ACE entries, supporting documents, special certifications, and all other required documentation for every export transaction. You should also be periodically checking and comparing the freight forwarder’s records against your purchase orders, invoices, export licenses, agreements, reports of exemption use, etc., to make sure that your exports are fully compliant with U.S. export laws and regulations. In the event of an official visit or compliance audit from one of the regulatory agencies, when the agents request the records of one of your export transactions, “I’m afraid I can’t help you with that; I imagine our freight forwarders must keep that sort of information on file somewhere” will not be an acceptable answer; you might be told that it is a synonym for “export violation.”

EXPORT COMPLIANCE IN 11 WORDS (Part 4 of 12)

A Series on Export Compliance Essentials

CLASSIFY!

Sound policies and consistent procedures for classifying your products will reduce the risk of export control violations

Export compliance managers must be thoroughly familiar with their company’s products, services, and technical data, and they must know which export control requirements apply to each category.

Determining the correct export jurisdiction for your products—State/DDTC, Commerce/BIS, or, in rare instances, another Federal agency—and classifying them accurately according to the U.S. Munitions List (USML) or Commerce Control List (CCL) is a critical element of your corporate export control process, particularly in light of the recent Export Control Reform, which has brought about the migration of many former USML items to the CCL. Solid compliance demands accurate classification.

Even a small mistake in classification can cause big problems. Multiple export control violations resulting from a misclassification may result in wasted time, unhappy customers, heavy fines and penalties, long and costly litigation, a tarnished business reputation, and a record with the regulatory agencies that will be taken into account in any future export enforcement proceedings.

How to Avoid Errors in Product Classification

1. Keep calm and follow the process.

The web-based Decision Tree Tools on the DDTC and BIS sites, especially the USML Order of Review and Specially Designed tools and the CCL Order of Review and Specially Designed tools, are invaluable resources, if used properly. Together they provide a sure roadmap that will guide you through the process of reviewing the USML and CCL in order to classify each of your items correctly, with references to the relevant sections of the ITAR and EAR for you to consult at each step along the way. When you classify your products, make it your policy to follow the statutory Order of Review consistently. Stick to the path, and resist the temptation to take shortcuts!

2. Classify your products in advance to reduce risk.

A policy of classifying your products and services transaction-by-transaction, as needed, upon receipt of an RFQ or order from a foreign customer, puts your company at high risk of double-barreled disaster. What are the risks? For one thing, informing a customer when you’re about to ship his order that you’ve just realized you’ll have to apply for an export license, so it’ll be a while before he sees his goods, is a less-than-optimal practice if repeat business and customer retention are desired. For another thing, allowing shipping deadlines to influence jurisdictional determinations and classification decisions is a tried-and-true recipe for accumulating multiple export control violations and incurring heavy fines and other penalties. “Company discovers potential compliance problem with profitable overseas order, but decides to go ahead and ship anyway because they’re so hot for the sale” is one of the most common export violation scenarios.

A much safer practice is to do your homework in advance by classifying your whole product line and compiling the classifications (USML Category and Subcategory, or ECCN, or classification as “EAR99”) into a Product (or Technology) Classification Matrix, which can then be conveniently maintained in spreadsheet format. If you do this, be sure you include a concise explanation of the rationale for each classification, referencing any associated notes or documentation.

3. Stay connected and current.

The USML Categories and ECCNs you’ve determined for your products and services may not remain valid and accurate forever. Your company’s product specifications may change over time. Changing export laws, regulations, and definitions may also require you to re-classify. Make sure you subscribe to news and updates from all the relevant U.S. Government regulatory agencies, read them carefully as they are published, and put in place timely follow-up procedures for updating your Product Classification Matrix, internal control processes, compliance manual, and employee training, as required.

4. Document everything.

Inadequate recordkeeping is a very common cause of export control violations. If you self-determine the export classifications of your products, your classification procedures and process must generate and maintain documentation to show how and why you came to your conclusions. If you submitted a Commodity Jurisdiction (CJ) Request to State/DDTC or a Commodity Classification Request (CCATS) to the Commerce Department, you need to keep copies of the official rulings they issued, along with the product descriptions and supporting documentation you submitted to them, as well as any related correspondence or notes on conversations with U.S. Government agents. Even for items that you shipped under the NLR designation, you should always keep records justifying your NLR determination, as well as the other details of the export classification, for at least five years.

5. Disabuse yourself of common myths and misconceptions.

“It’s a commercial off-the-shelf item, so it can’t be export-controlled.”  FALSE. Everything in the U.S. (except public domain information) is subject to U.S. export controls. A great many COTS items are highly controlled for export. Full-rate thermal cameras, precision gyroscopes, and CubeSat kits are just a few examples.

“If I take it with me in my carry-on luggage, I won’t have to worry about export controls.”  FALSE. Anything that leaves the U.S. is being exported. There are some exemptions and exceptions for commercial items carried out of the country temporarily for use as “tools of trade” and a few other reasons, but their use requires documentation, and by no means do these exceptions cover everything.

“I work at a university, so what I do is classified as ‘fundamental research,’ making it automatically exempt from export controls.”  FALSE. By no means is it safe to assume that all work carried on at a university is fundamental research, or that technical data and information associated with university work is not export-controlled. University research will usually not be considered “fundamental research” if the university or its researchers accept restrictions on the publication of scientific and technical information resulting from the activity, or if the research is funded by the U.S. Government and specific access and dissemination controls protect information resulting from the activity. Even when the activity itself does qualify as “fundamental research,” export control regulations may still impose restrictions on certain equipment or software used in the course of the research, and on the provision of technical data and training to foreign persons in relation to that hardware or software. Several major U.S. export enforcement actions recently have involved universities and university professors.

“One reason we ship everything through a freight forwarder is so we won’t have to worry about the export classifications of our products. Our shipping agent is responsible for classifying our exports and obtaining licenses, not us.”  FALSE. Your freight forwarder’s job is to move your freight, not to analyze and classify your products and technologies. Even if a freight forwarder or courier is involved in the export transaction, as long as you are the U.S. Principal Party in Interest (USPPI) on the AES record, the ultimate responsibility for determining the proper jurisdiction and classification, obtaining a license, and ensuring compliance with licensing requirements and provisos is still yours. If the freight forwarder makes a mistake in classifying products on your behalf, you will be liable for any export violations that may occur.

“Why, we’ve been making this product for at least 30 years, and this can’t be the first time we’ve exported it, so it must be okay. It couldn’t possibly be export-controlled.”  FALSE. It doesn’t matter how long you’ve been making it—if it needs a license and you export it without one, that’s an export violation. Even if you exported it in the past, the ITAR or EAR requirements might have changed since then. And if nobody ever thought to check on the product’s export classification until now, you may well find that you need to file a Voluntary Disclosure.

“All our company’s products are classified EAR99. In other words, they’re all NLR – No License Required. So we don’t need to worry about export licenses.”  FALSE. “EAR99” is not a synonym for “NLR.” EAR99 is a classification that applies to items that fall under the jurisdiction of the Commerce Department, but are not listed on the Commerce Control List. While it is true that such items can be exported without a license in many cases, whether or not you will need a license to export an item depends on the details of the transaction. You will need a license for an EAR99 item—or your export might even be denied authorization—if you are shipping the item to an embargoed or sanctioned destination, or to a denied party or end-user of concern, or if you have knowledge that the export is in support of a prohibited end-use designated in Part 744 of the EAR, or if any of the Ten General Prohibitions in Part 736 apply to the transaction.

Lest you think the possibility of a license requirement for an EAR99 item is merely theoretical, note that in 2009 a very small New York company agreed to pay $70,000 to settle charges that it shipped $95,335 worth of scrap metal, classified EAR99, without a license to a company in Pakistan that (unbeknownst to the exporter) was on the BIS’s Entity List. According to the BIS, a request for a license to export EAR99 scrap metal to that Pakistani customer would have been routinely approved, but since the exporter shipped without applying for one, they were guilty of an export violation.

6. Don’t try to go it alone.

Product classification is a very serious matter. Yet the U.S. export laws and regulations are fraught with complications, and it’s easy to make mistakes. Read the business section of any newspaper regularly and you’ll see that export violations occur all the time, a great many of them related to products that were classified wrongly.

If you lack the expertise to classify products, or if you are not comfortable reading and interpreting the regulations and the technical specifications of products, or if you lack the time to do those things, then find the best outside experts you can as soon as you can and seek their advice. Export compliance consultants can often help at lesser cost than lawyers. And don’t be afraid to ask the consultants tough questions; after all, that’s what experts are for.

You also need to invest internally in training one or more of your people to handle your company’s product classification process. One strategy is to identify someone already working for you who is not afraid of reading and explaining regulations, such as the quality assurance or safety control or security manager. Then send him or her to export compliance classes and seminars that include hands-on workshops and practical training scenarios in product classification. If none of your current employees looks like the right person for this responsibility, then ask your outside consultant to help you find, hire, and train a qualified new person.

Finally, when necessary, don’t hesitate to seek professional legal advice from a law firm that specializes in international trade and export controls as its primary practice area. It’s true that lawyers can be expensive and legal fees are generally not a cost that any company likes to pay. But it can be a fatal mistake to put off calling a lawyer when you find yourself facing complicated legal questions, contractual issues, potential litigation, mergers and acquisitions, or key strategic decisions, such as voluntary disclosures when dealing with a 126.1 Prohibited Destination. Classifying your products for export control purposes certainly does not normally require the services of a lawyer. In certain cases, however, experienced legal professionals, working in conjunction with technical experts, can provide indispensable assistance in reviewing complex products and radically new technologies, or sorting out ambiguous intellectual property questions, to ascertain the appropriate regulatory jurisdiction and export classification. In dealing with such thorny matters, they can help keep you out of hot water, and the earlier in the process you bring them in, the more they can help.

Product classification is a vast topic. We’ll share some further thoughts with you about how to set up effective classification processes and procedures at your company in future blog posts.

Meanwhile, in the next post of this series on export compliance essentials, “SECURE!” we’ll discuss how you can protect your company’s controlled technical data and information against access by unauthorized persons, both on the ground and in the cloud.

EXPORT COMPLIANCE IN 11 WORDS (Part 3 of 12)

A SERIES ON EXPORT COMPLIANCE ESSENTIALS

EDUCATE!

To ensure full compliance with U.S. export controls you need to educate and train your employees

If you are a U.S. exporter, I have four critically important questions for you:

Does everyone who works for your company have a basic awareness of U.S. export laws and regulations – ITAR, EAR, OFAC Sanctions – and understand why their requirements need to be taken very seriously?

Do they all know who is responsible for the company’s export compliance and how to contact them?

Does every employee involved in export transactions understand his or her individual compliance responsibilities clearly?

Do all those employees have the appropriate competencies, skills, and resources to carry out their compliance responsibilities effectively?

If you confidently answered “Yes” to any or all of these questions, I have one more for you: How do you know that? Unless you have a good answer for that question, scratch the previous “Yes” answers.

In the first post of this series, I said that safeguarding corporate export compliance in today’s world is impossible without substantial and ongoing education and training – not just for empowered officials, export compliance managers, and licensing officers, but for every employee. I cannot emphasize this too strongly: if you are responsible for compliance with export controls in your company, you must make employee education and training your number one priority.

Number one, not number two.

If I seem to be harping on this point, it’s because so many companies don’t seem to get it, and then end up behind the eight ball. If you won’t take my word for this, there’s a simple way you can see for yourself just how crucial a role employee education and training plays in assuring export compliance.

Export Compliance Training: What the Fuss Is All About – and Why You Need to Know

On its web site, the DDTC publishes copies of the final settlement documents – draft charging letters, consent agreements, remediation measures, etc. – for recent ITAR administrative enforcement cases. A close look at exactly how the U.S. Government has dealt with these firms who were found to have committed export violations provides important information about what the DDTC expects from every company when it comes to ITAR compliance. What are the agency’s foremost priorities and concerns? What types of negligence or misconduct are their investigators on the lookout for? What weaknesses or “gaps” in a firm’s internal control processes do they consider to be especially egregious?

In particular, the lists of “directed remediation measures” in these settlement agreements – the specific corrective and preventive actions mandated by the DDTC – contain valuable pointers to the “best practices” that every company ought to consider implementing when reviewing its compliance program.

I’ve examined those lists thoroughly for you, but you can peruse them for yourself, if you wish. Here’s one thing you’ll discover if you do:

The U.S. companies involved in export violations differed greatly in size and in the products and services they exported, and the weak points in each company’s compliance processes were also different. But the DDTC evidently found that their corporate export compliance programs had one major weakness in common: in practically every case, the employees had received inadequate or ineffective training on compliance with U.S. export controls.

Almost every DDTC settlement letter contains language similar to the following:

“Strengthen compliance policies, procedures, and training within ___________ months of settlement, with a focus on the areas of ________________.”

“Commission an independent evaluation of the effectiveness of the training within prescribed timelines.”

“Implement a formal ITAR compliance program that includes annual training and a compliance manual.”

“Submit a training program proposal . . . within one hundred twenty days, which includes: (a) obligations imposed by federal export laws and regulations, including disclosure obligations; (b) proper internal controls and procedures; (c) discovering and recognizing export compliance issues; and (d) obligations assumed by, and responses expected of, employees upon learning of improper or potentially illegal acts relating to export compliance.”

“Undertake a training program no later than ninety days after ____________, such that all respondent employees engaged in ITAR-regulated activities are familiar with the AECA and the ITAR, and their own and respondent’s responsibilities thereunder, . . .”

“Maintain records of training programs provided, including the names and titles of individuals who received training, for at least five years.”

The examples above all come from cases published on the State Department/DDTC web site. But BIS Export Enforcement regularly posts similar information on how the Commerce Department has dealt with EAR violations. Don’t Let This Happen to You! – a 64-page compilation of reports on recent BIS investigations – makes for interesting and instructive, if sometimes scary, reading. If you’re an export compliance officer, it ought to be on your required reading list. In addition to the multiple references to employee training – or the lack thereof – in these case reports, the BIS web site repeatedly spotlights “ongoing compliance training and awareness” as one of the Nine Key Elements of an Effective Export Compliance Program, and includes “adequate training provided to employees” on its short list of Export Enforcement Mitigating Factors.

OFAC Enforcement also publishes the details of selected settlement agreements on the Treasury Department web site. Those OFAC reports belong on your required reading list as well. [Content Warning: A few of these agreements and enforcement reports contain high settlement amounts and penalties that some compliance officers may find disturbing. EOs and ECOs are advised to sit down before reading.] In each case, OFAC explains how they decided the appropriate penalty for the company, explicitly stating which findings their investigators considered to be “mitigating factors,” “aggravating factors,” or (in some cases) evidence of “reckless disregard.” Since the Treasury Department has taken great pains to provide you with this extremely useful information, wouldn’t it be wise to read it carefully . . . with a pencil or yellow highlighting pen in hand?

In case after case, you’ll see poor (or non-existent) compliance training cited as a significant contributing cause of the violations. In settlement after settlement, you’ll find phrases and sentences similar to these:

“Failing to provide training to its employees regarding export controls and sanctions”

“Compliance program did not include any training on OFAC regulations”

“Failed to adequately train its employees”

“Training is sporadic and does not cover important regulatory and risk areas”

Question: What effect do you think those findings had on the severity of the penalties that OFAC assessed?

On the other hand, in a recent case in which some rather serious sanctions violations occurred, OFAC highlighted their investigators’ finding that the company’s employees had received “frequent training, including in-person training by high-ranking persons within the organization,” and laid the principal blame for the violations on a “rogue employee,” who was found to have made extensive efforts to evade the firm’s internal controls. In this instance, the presence of a robust compliance education and training program (note well: with senior management commitment and involvement!) unquestionably helped save a company from potentially serious damage.

So, why do I keep underscoring the importance of employee education and training in a corporate export compliance program? Because all the U.S. Government regulatory agencies have made it plain that their agents will look at this element closely, and they keep warning us that they consider it to be both a critical factor in preventing export violations and a reliable measure of the seriousness of your commitment to compliance.

“Education” vs. “Training”: What’s the Difference?

Education and training are usually thought of as synonyms, and it is true that they are often used interchangeably. But the terms can be distinguished, and in some contexts the difference between them is far from negligible or irrelevant. The University of Pennsylvania, for example, is proud of its Department of Criminology, where students can get an education about crime that prepares them to deal with criminals and understand the U.S. justice system. The university would probably sue you for defamation, however, if you went around calling their campus a “training ground for crime”! Here’s another example: as some wag has said, when parents are asked to sign a consent form to allow their child to participate in sex education classes at a public school, they generally understand this to mean something different from sex training.

Education is helping someone understand something. It’s about learning the theory; gaining insight into principles of a subject; being able to see the Big Picture and distinguish between the essentials and the details; understanding well enough to analyze, think critically, make judgments, and share your understanding with others. That’s always been the rationale for education in the traditional professions. Lawyers need a legal education – a thorough understanding of the principles of law and how the U.S. legal system operates – before they start offering legal services to the public or defending clients in the courtroom. Surgeons need a medical education – a solid grasp of anatomy, physiology, biochemistry, and many other medical subjects before they pick up a scalpel.

Training is showing someone how to do something; it’s about acquiring the practical skills and competencies needed to carry out a specific task. A training program is designed for people who need the know-how they will acquire in order to perform their jobs more effectively or solve certain problems they are facing.  When employees are charged with implementing a new system, they will generally need training that will equip them to do it. Because training focuses on practical knowledge, it normally involves learning-by-doing, coaching or mentoring by an expert practitioner, hands-on practice, drill, and repetition, as well as ongoing feedback with a view to improving performance. That’s why surgeons and lawyers are required to supplement their law school or medical school education with a period of training –  as an intern, resident, or associate – before they can be licensed and admitted to their professions.

“Education” vs. “Training”: Which Is More Important?

When it comes to corporate export compliance, which of the two is more important—education or training? The best answer, of course, is that both are equally vital.

For employees at all levels, a mandatory program of company-wide export compliance awareness education will supply the necessary background and lay the groundwork for subsequent practical training in specific skills and competencies. This kind of foundational understanding throughout the company is essential, because the actions of all your employees can have a great impact on the effectiveness of your company’s compliance program – positive or negative.

Employees in departments such as human resources, public relations, purchasing, accounting, engineering and design, research and development, manufacturing, quality assurance, information technology, sales and marketing, logistics, planning, maintenance, shipping, and customer service could inadvertently cause the company to violate U.S. export laws and regulations, even if their jobs do not involve export transactions and even if they never have occasion to interact directly with foreign customers. These employees need to have an awareness of and basic education about U.S. export controls – their rationale, their scope, how they operate, how they impinge on the company’s business, which company officials are responsible for ensuring compliance, and other matters – so that they can recognize potential issues and avoid careless violations.

Managers and administrators who are responsible for planning and goal-setting, risk analysis and mitigation, compliance decision-making, and program development need a more advanced education in export controls and a wide range of related issues in order to do their jobs effectively and safeguard compliance.

All these employees, whatever their responsibilities or level in the organizational hierarchy, will also need hands-on, experiential training – via live seminars, interactive lecture-demonstrations, small discussion groups, workshops, case studies, example scenarios, role-playing, on-site one-on-one instruction, personal coaching/mentoring, and other modalities – to acquire the practical skills and competencies specific to their jobs.

The following examples may help you see how education and training can be distinguished from one another. The lists below are by no means complete; these topics are just a sample of the kinds of knowledge, information, and practical skills your employees need in order to safeguard full compliance with export controls. But I hope these examples will persuade you that both education and training are essential to mitigate the risk of export violations and build a successful corporate export compliance program.

Export Compliance “Education” Topics
(“about” knowledge, understanding what the regulations are, insight into how the agencies work, awareness of company policies & job responsibilities)

Overview of the U.S. Export System

Licenses & Export Authorizations Under the ITAR

Licenses & Export Authorizations Under the EAR

Understanding OFAC Sanctions Programs & the SDN List

Understanding the CCL: Categories, Product Groups, ECCNs

The Role of the Empowered Official

Risk Assessments & Compliance Audits

Deemed Exports & the Hiring of Foreign Nationals

Cybersecurity & Export Compliance

Export Compliance Issues in Mergers & Acquisitions

Current Export Enforcement Trends

Export Control Reform: Recent Developments

Export Compliance “Training” Topics
(“how-to” knowledge, specialized skills, practical expertise, ability to perform specific tasks, use relevant software & available resources, identify potential issues)

How to Fill Out a DSP-5 License Application

Classifying a Commodity

Identifying Encryption Items

Filing a Shipment in the Refactored AESDirect System

How to Recognize Export Control “Red Flags”

Marking of Documents That Contain ITAR-Controlled Data

Compliance with EAR & ITAR Recordkeeping Requirements

Steps for Performing a Restricted Party Screening

Visitor Access, NDAs, & Escort Procedures

How to Submit a Voluntary Disclosure

Drafting a Technical Assistance Agreement

In the next post of this blog series on export compliance essentials, “CLASSIFY!” we’ll discuss the importance of properly identifying and classifying the categories of products, services, and technical data that are subject to export controls and understanding the regulatory requirements that apply to each category.

EXPORT COMPLIANCE IN 11 WORDS (Part 2 of 12)
A Series on Export Compliance Essentials

Analyze!

A risk analysis is the key to getting your business ready for export compliance

As we noted in our previous post, there’s no such thing as a one-size-fits-all corporate export compliance system. Processes and procedures that are absolutely critical components of someone else’s compliance strategy might be impracticable and pointless for your company. Yet a compliance program with the wrong focus could weaken your competitive advantage by wasting time, money, and personnel on “protection” you don’t need, while leaving you exposed to being blindsided by severe penalties and crippling financial losses in areas where you actually are vulnerable.

Why Risk Analysis Is the Right Place to Start

Getting a business ready for export compliance is a challenging project. Before you can effectively address the real risks your company faces, you first need to know exactly what those risks are. You need to know how likely it is that you will be involved in a violation of the U.S. export laws, and how serious the consequences of such a violation would be. For that reason, the decision to conduct a comprehensive strategic risk analysis of your business from an export-compliance standpoint — preferably alongside an outside expert — is an indispensable prerequisite to all other compliance decision-making.

The first step in your analysis is an objective evaluation of your current information assets, systems, processes, procedures, people, and documentation. The company’s past, present, and future export customers, products, and services; the relevant U.S. laws and regulations; the likelihood of certain kinds of violation occurring; the nature and adequacy of the internal controls and personnel currently in place; the present regulatory environment and enforcement trends; the potential severity of penalties and fines, as well as other possible consequences for your business — all these issues and others need to be discussed in detail, analyzed, and evaluated before written policies and procedures can be formulated and put in place.

What’s the Difference?  “Risk Assessment” vs. “Directed Compliance Audit”

A directed export compliance audit is usually the outcome of a compliance issue that an exporter has experienced with the U.S. Government, one in which the requirement for an independent compliance audit has been levied or required as part of a settlement. The scope, focus, and completion date are mandated by the regulatory agency with which the issue is being adjudicated—either the DDTC, BIS, or OFAC. The report provided to the company by the auditor must be submitted to the agency, usually within a brief time span.

An export compliance risk assessment is a company-initiated examination of the efficiency and effectiveness of its export control process. The output from such an assessment includes a summary of the applicable U.S. export control requirements, an overall review and commentary on the existing compliance program (if any), and a detailed, process-by-process evaluation, typically presented in traffic-signal format (red, yellow, and green), with process “gaps” highlighted. The report on the findings of a risk assessment always includes recommendations for improvement and/or suggested corrective actions for potentially non-compliant activities that were found in the course of the assessment.

Following those recommendations and implementing those corrective actions is the best way to avoid a directed compliance audit.

What Do These Terms Mean? “Periodic” and “Independent”

The term “risk assessment” implies a formal, systematic process—something more than just an informal sizing-up or casual take on your compliance efforts. Industry “best practices” for ensuring corporate export compliance call for periodic independent compliance risk assessments.

“Periodic,” in this case, starts with annual assessments as a baseline.

“Independent” means that your risk level and the effectiveness of your current program need to be evaluated by a competent outside party.

“Competent” is simply common sense: the individual or team conducting the assessment needs to have the appropriate qualifications and specialized know-how, including a thorough familiarity with U.S. export controls and current risk assessment methodology. Competence may be established through relevant training and/or extensive experience. In the case of a directed compliance audit, the regulatory agency will require evidence of the qualifications of the person you have engaged to perform the audit. The U.S. Government won’t trust just anyone to assess corporate export compliance, and neither should you. So, here’s a hint: if you want to be sure you’re engaging a competent professional to conduct your risk assessment, look for someone whose résumé includes performing directed compliance audits.

“Outside” usually means that the review should be conducted by a person who is not a direct employee of your company. This is crucial, because you need an unbiased, impartial assessment of both the seriousness and likelihood of the non-compliance risks you are facing and the effectiveness of your current program and personnel. You need accurate results and recommendations you can rely on. Plainly, conflicts of interest could impair the objectivity of the findings. Common sense dictates that the more attached someone is to a situation—the more he or she has at stake—the more likely it is that the reliability of the assessment will be affected.

The Four Stages of the Risk Assessment Process

Although the details of every export compliance risk assessment are unique, the overall review process is similar in most cases, and typically involves four stages:

Stage 1:  Advance planning and preparation.

Stage 2:  An on-site visit.

Stage 3:  A report of the findings. This report should include quantitative ratings of your company’s risk of export violations in each area of your business operations. It should conclude with practical recommendations of corrective actions and procedural enhancements to address problem areas and mitigate the risks. The report’s recommendations should be summarized in a step-by-step, actionable plan that highlights the place to start in each business area.

Stage 4:  A scheduled follow-up review.

Why Assessing Compliance and Identifying Risks Is Not a Waste of Time

Perhaps you’re thinking that all this sounds like a significant investment of time, money, manpower, and energy, and wondering whether the investment is justified.  Are risk assessments really all that important? Will they truly add value to my business, or are they just a waste of time?

If you’re a U.S. exporter, periodic export compliance risk assessments, far from being a waste of time and corporate resources, are a valuable strategic tool that’s critical to your company’s continued survival in today’s global marketplace and regulatory environment. Let’s look at some of the reasons why that’s true.

Risk assessments can help you avoid severe penalties and fines. Violations of U.S. export laws can—and often do—result in stiff penalties. Criminal penalties can reach $1,000,000 and 20 years’ imprisonment per violation. Administrative penalties for civil violations are less severe, but can reach the greater of $250,000 per violation or twice the amount of the transaction—and a single non-compliant export transaction typically results in multiple violations.

In addition to fines, individuals and companies that fail to comply with export controls are subject to other administrative sanctions, including denial of their export privileges and suspension of their right to contract with the U.S. Government—penalties that would spell ruin for many U.S. companies.

Perhaps those are some of the reasons no company looks forward to being visited by officials from the BIS’s Office of Export Enforcement, the DDTC’s Office of Defense Trade Controls Compliance, or the Treasury Department’s OFAC.

“Be prepared” is not just a good motto for Boy Scouts; it’s good policy for U.S. exporters, too. The most effective measure you can take to minimize the likelihood of a visit by enforcement officials is to budget for regular export compliance risk assessments of your firm and to take the action recommendations in the assessment report very seriously. Furthermore—and equally important—if your company has been conducting its own comprehensive assessments of its compliance processes all along, and an official visit by government agents does occur, you can be sure that you and your employees will undergo a minimum of stress. You’ll be confident that you can produce any records and documents requested without delay, and you’ll be primed to answer any questions with accurate and up-to-date information. The likelihood of penalties will be small, and the cost in staff time and lost productivity will be greatly reduced.

And while you’re weighing up the negative consequences of non-compliance, here are a few more to put on the scale: avoiding hefty fines and penalties and lessening the chance of official visits and directed audits are not the only reasons you’ll be doing yourself a favor by conducting periodic independent compliance risk assessments and implementing their recommendations. A history of export violations can (1) adversely affect your company’s financial position; (2) hold up or block a sale, merger, or acquisition; (3) scare off potential foreign customers; (4) tarnish your firm’s image and business reputation; and (5) damage your business in many other ways as well.

This is definitely a case where a relatively small investment can save big over future costs and consequences.

The regulatory agencies have made it plain that they don’t consider risk assessments a waste of time. If your company should need to make a Voluntary Disclosure of an export violation you’ve discovered, one of the standard questions the DDTC and OEE will ask when reviewing your case is whether any audits or reviews of your company’s export compliance have been conducted during the past five years. Do you really want to answer “No” to that question? In most settlement agreements, the regulatory agencies require the company to have its export compliance program independently audited and send them a copy of the report within a narrow time frame. Rather than wait for that to happen, doesn’t it seem wiser to be proactive?

Risk assessments produce effective compliance programs—a valuable business asset. An export controls risk assessment by a compliance professional is bound to result in improved compliance. And a good track record and strong reputation for compliance are good for your business. Especially in the defense trade sector, a robust global trade compliance program is recognized as a competitive asset, one that some firms even list on their web sites. Recent studies of the most successful U.S. companies agree on one characteristic they have in common: compliance is part of their corporate culture.

Risk assessments can help your whole business run more efficiently. The compliance risk assessment process and your company’s follow-up on its findings and recommendations will highlight better ways to integrate export-control processes and “best practices” for export compliance into the rest of your business operations, including quality assurance SOPs and other regulatory compliance programs. The likely result will be an uptick in the overall efficiency of all your company’s operations. In particular, the implementation of Restricted Parties Screening (RPS) software and the challenge of integrating screening into your ERP software offer an opportunity to streamline your entire internal structure (including distribution process and supply chain management, inventory control, project planning, services knowledge base, and other critical business management processes). In the course of conducting an export controls risk analysis, many firms have discovered loopholes in their cybersecurity that badly needed strengthening and areas where significant improvement was possible in the networking of company resources.

Stage 1:  Getting Ready for Your Export Compliance Risk Assessment

Step back and think about your whole business.  An export compliance risk assessment should not take place in a bubble. To be fully effective, it needs to be part of a review and examination of your company’s overall business operations. What other week-to-week business processes are likely to be impacted by modifications to your export compliance system? How do you plan to integrate the findings and remediation measures that will be prescribed into your overall quality assurance and regulatory compliance system? What are your long-term corporate goals? How could improvements in your export process help you accomplish them?

Formulate some risk-mitigation proposals of your own.  Consider discussing the risk of export violations and setting down your ideas, suggestions, and tentative plans to improve your company’s export process before the risk assessment, based on your own past experiences and observations. Talk over your ideas with the reviewers before or during the on-site visit stage of the risk assessment. Later on, you can list those ideas side-by-side with the action recommendations in the assessment report, and consider how to combine the two lists into a more successful and export-compliant business.

Find out who’s who when it comes to exports.  Identify the actors within your company. Which individuals or departments are actually responsible for export compliance on a daily basis? Which employees are the points of contact within each department? Having a clear understanding of the role each person plays in export transactions is essential, because commonly, depending on the size of the company, one person may wear multiple hats with regard to export responsibilities. Being able to provide the names and contact information for key actors dealing with exports in your company will help the risk assessment run smoothly and without a hitch.

During the on-site visit phase of the risk assessment, every employee involved with exports in any way should be available and prepared to speak about his or her role, answer any questions the outside reviewer may have about the company’s internal processes, and provide examples of paperwork or electronic records related to exports upon request. Because these employees understand the specific business process and its associated flow firsthand, they can give valuable input when it comes to process improvements and risk mitigation efforts.

Seriously question your cybersecurity.  Controlled technical data stored in electronic form is always an area of potentially high risk that must be scrutinized carefully, because such data and information is easily accessed, copied, and transferred elsewhere. For that reason, some probing questions need to be asked about data storage and access control. Where is your controlled technical information and data stored? What physical and electronic security measures are in place to protect it? What company policies govern data storage? What controls exist to ensure that the granting of access to the company’s export-restricted data is consistent with U.S. regulatory requirements?

Pay attention to documentation and recordkeeping.  Review your company’s recordkeeping system and export documentation in advance of the on-site visit. Many U.S. exporters seem unaware that, according to U.S. export control regulations, recordkeeping and reporting are a very big deal, and a frequent cause of export violations. Exporters are legally required to maintain certain specific documents related to export transactions, and have them accessible for inspection, for at least five years. How and where are your records currently stored? Are they physically stored in an on-site location, or are they accessed electronically through the company servers? How conveniently and quickly can they be accessed? By whom? Each person involved in export compliance processes needs a clear understanding of the mandatory recordkeeping requirements and the company’s recordkeeping policy and practices. Make sure your export-related records will be conveniently available for review during the assessment visit, and consider how your system for saving, storing, and accessing them might be improved.

In the next post of this blog series on export compliance essentials, “EDUCATE!” we’ll discuss employee training—what it needs to cover and why it is critically important to the success of any corporate export compliance program.

Export Compliance in 11 Words

EXPORT COMPLIANCE IN 11 WORDS:
Introducing a Twelve-Part Blog Series on Export Compliance Essentials

If you’re a newcomer to the world of U.S. export controls and you’ve just been charged with setting up an export compliance program for your firm, we wouldn’t at all be surprised to hear that you’re feeling a little overwhelmed right now. Does “bewitched, bothered, and bewildered” describe your state of mind as you struggle to make sense of the export laws and regulations and sort out which ones apply to your company? Are you wondering where to start?

If you’re finding export compliance to be a daunting task, rest assured that you’re not alone. The ever-changing complexities of U.S. export laws and regulations, licensing requirements, economic and trade sanctions, arms embargoes, and other legal and regulatory constraints present unique challenges to U.S. exporters as they strive to meet their business objectives while remaining compliant. Actually, taking on those challenges successfully without the proper training and support is more than just daunting, it’s impossible.

At Export Compliance Solutions, we’ve gained quite a lot of experience over the years helping our customers — small and medium-sized businesses and organizations of all kinds, and some of the big guys, too — identify, analyze, resolve and mitigate the regulatory issues and risks of selling in the international marketplace. Based on that experience, we’ve prepared a brand-new blog series for you, in which we share the most important lessons we’ve learned, condensed and summed up in 11 key words. The twelve posts (including this one) that you’ll be reading over the next several weeks will by no means cover everything there is to know, nor will they answer all your questions about export controls. What this series will do for you is lay a solid groundwork for understanding how to protect your business against export violations. “Export Compliance in 11 Words” will provide you with a sound starting-point for formulating an intelligent and practicable export compliance plan tailored to the needs and realities of your business.

Here’s an overview of what’s ahead:

ANALYZE – Because every business is different, there is no such thing as a generic, all-purpose, one-size-fits-all corporate export compliance program. Processes and procedures that are critical components of another company’s compliance strategy may be impracticable in scope and inappropriate in subject matter for yours. A program that doesn’t fit your needs will waste time, money, and personnel, and may even weaken your competitive advantage, while providing little or no protection against violations, fines, and penalties in the areas where your business is actually most vulnerable. But you can’t design a program that effectively addresses the real risks your company faces until you are confident you know what those risks are. That’s why conducting a strategic risk analysis of your business from an export-compliance standpoint — preferably alongside an outside expert — is an indispensable prerequisite to everything else. The company’s past, present, and future export customers, products, and services; the likelihood of certain kinds of violations; the controls and personnel already in place; the current regulatory environment and trends; the potential severity of fines and other consequences — all these issues and others need to be discussed in detail, analyzed, and evaluated before written policies and procedures are formulated and put in place.

EDUCATE – The oversight and management of corporate export compliance in today’s world requires substantial and ongoing professional training, including — but by no means limited to — a thorough familiarity with all the applicable U.S. Government laws and regulations. Once you’ve acquired the necessary training and knowledge yourself, your number one priority as a compliance officer should be training others in your company. The goals of this training should be (1) instilling and maintaining a high level of export compliance awareness company-wide and (2) ensuring that management and employees at all levels understand their export control responsibilities and have the appropriate competencies and skills to carry them out effectively, so that exports are made in compliance with both U.S. laws and regulations and the company’s best interests.

CLASSIFY – Export compliance personnel must know their company’s products and services, clearly identify, flag, and classify those categories of products, services, or technical data which are subject to export controls, and fully understand which regulatory requirements apply to each category. They must also know their company’s customers and be able to pinpoint risks and vulnerabilities from a regulatory standpoint.

SECURE – Responsible information-handling practices are critical to export compliance. You are responsible for protecting your company’s controlled technical data and information against access by unauthorized persons, both on the ground and in the cloud, not only inside your facilities, but wherever your business and its workforce interface with the global marketplace. Your employees need to know that if they’re sharing technical data, such as plans and blueprints, even within the U.S., or if they’re allowing the visual inspection of ITAR-controlled articles by foreign nationals, they’re exporting technology; and if they’re doing these things without proper authorization, they’re committing an export violation.

SCREEN – “Screening” is the process of checking and cross-referencing the parties involved in an export transaction against the many, continually updated lists of restricted or denied parties maintained by various governments and government agencies. If you’re a frequent or regular exporter (or are actively seeking to market your goods and services more widely overseas) and you aren’t routinely using some kind of Restricted-Party Screening (RPS) software to screen your customers, consignees, suppliers, employees, etc., you’re a fool. But you’re an even bigger fool if you are relying on RPS software alone to flag high-risk transactions and detect potential compliance problems. Even with the necessary screening software in place and properly configured to your company’s needs, the dictum remains true: your company’s employees are your ultimate line of defense — which is why their training and motivation are absolutely critical to compliance.

DOCUMENT – Certain specific recordkeeping for export transactions is mandated by the EAR, the ITAR, and the various OFAC Sanctions programs. But an effective corporate compliance program ought to be tracking and documenting much more than that bare minimum. Not only do transaction and licensing records need to be complete, accurate, and secure, they also need to be readily accessible in case of a compliance audit or other investigation.

COMMUNICATE – Proper communications are essential to export compliance. Critical compliance communications include the timely filing of the multiple reports mandated by U.S. export laws and regulations, enforced by the regulatory agencies, as well as having procedures in place for making prompt voluntary disclosures when violations or possible violations are discovered. It also means developing a communications strategy for keeping management, employees, suppliers, and customers in the loop about regulatory changes and all other compliance-related concerns and issues, as needed.

MONITOR – Even the most carefully formulated policies and procedures are meaningless if actual, real-life compliance with them is not checked and verified, and if instances of possible or actual non-compliance are not reported and promptly addressed. Moreover, if the monitoring of internal compliance processes is only sporadic, occasional, or random at best, it is not likely to be effective, and consequently the risk of violations occurring will be high. But reliable, continuous monitoring and control of processes and procedures necessitates building and maintaining an appropriate infrastructure.

ASSESS – A corporate export compliance program is properly focused on identifying and mitigating risks and vulnerabilities. To evaluate the effectiveness of your compliance efforts, frequent internal assessments and audits of processes and procedures are indispensable. So are periodic independent outside reviews of your overall compliance policies and program. It is critically important that the findings and recommendations of these reviews be reported to top management. Short-term and long-term follow-up on the implementation of corrective measures and program improvements should be an integral part of the review process.

ADAPT – Regulatory, technological, and business environments are rapidly and continually changing, and those changes are unavoidably impacting your company. “Innovate or die” is a common adage in the business world, and, while it may sound a bit melodramatic, it expresses a simple truth. If your company is surviving — and, we hope, thriving! — it’s safe to say you’ve made some significant changes over the last couple of years, and that’s all to the good. But if your export compliance program isn’t changing and adapting along with the rest of your business, your company’s survival may be at risk.

OWN – An effective export compliance program requires buy-in, visible involvement, and credible commitment on the part of top management — communicated, among other ways, by the allocation of adequate personnel and resources to the compliance function. When this sort of management commitment is perceived, when employees see that management is taking compliance seriously, company-wide engagement and employee motivation are likely to follow. Your compliance standards and policies, as well as the rationale behind them, should not only be spelled out explicitly in writing, but also well understood and acknowledged by each employee. Individual export compliance responsibilities need to be clearly articulated and included in job descriptions to ensure personal accountability and ownership. Moreover, your employees need to know that rules and procedures will be strictly enforced. The predictable result of not clearly assigning ownership of a process is a failed implementation of the process.

It is often said that without a top-down, pervasive corporate culture of compliance, no export compliance program will ultimately succeed. That may sound trite, and perhaps a bit corny, but it is nonetheless true, and its importance should not be underestimated. The human element remains the key to compliance. If you’re training your employees so they know how to do the right thing and motivating them so they want to do it, you’re on the way to creating a risk-aware corporate culture of compliance—the necessary foundation for any effective export compliance program.

Sound like information you need to know? If you’re new to export compliance responsibilities, or if you’re already dealing with U.S. export controls and would appreciate an update and review of the basics, you won’t want to miss a single one of the posts in this series. Sign up today for a free subscription to An EAR . . . to the ITAR and we’ll notify you of each new installment during the weeks ahead.

BIS Proposal Mirrors OFAC Penalty Guidelines: How Will This Impact Your Compliance Program?

On December 28, 2015, the Commerce Department’s Bureau of Industry and Security (BIS) published a Proposed Rule (80 FR 80710) that—if adopted—would revise the agency’s guidance concerning the settlement of civil (a.k.a. administrative) enforcement cases for export violations under the EAR.

The proposed changes would not apply to penalties imposed in civil cases involving Restrictive Trade Practices and Boycotts (Part 760 of the EAR), for which the current enforcement guidance in Supplement No. 2 of Part 766 would still apply; nor would they apply to penalties in criminal cases, which BIS refers to the Department of Justice for prosecution.

BIS will accept comments on this Proposed Rule until February 26.

What is BIS’s reason for revising the current guidelines?

The preamble to the proposal states that this revision is intended “to make administrative penalties more predictable to the public.” A second reason given is perhaps the most important one: to bring the Commerce Department’s enforcement policies into line with the penalty guidelines followed by the Treasury Department’s Office of Foreign Assets Control (OFAC).

In 2009, OFAC put into place a revised set of Economic Enforcement Guidelines for the Treasury Department’s sanctions programs. Since then, “the OFAC Guidelines” have provided a helpful framework of factors used by OFAC to determine whether or not to impose monetary penalties, and if so, how much. What BIS is now proposing is essentially a rewrite of its current “Guidance on Charging and Penalty Determinations in Settlement of Administrative Enforcement Cases” (found in Supplement No. 1 to 15 CFR Part 766) to make it substantially similar to those OFAC guidelines.

Greater transparency to the exporting community, harmonization of licensing policies and definitions among the regulatory agencies, and better coordination of enforcement actions are certainly laudable goals. They were important objectives of Phases I and II of the U.S. Government’s Export Control Reform Initiative (ECR) when it was launched in 2010.

What will change if these guidelines are implemented?

Perhaps the most significant change is that the Proposed Rule would amend the factors BIS will consider when deciding whether to pursue administrative charges or settle allegations of EAR violations and when setting penalties in civil enforcement case settlements; it also explains how penalties would be calculated. The current BIS guidelines only list the factors to be taken into account in determining appropriate enforcement. The revised guidelines now under consideration—patterned after OFAC’s Guidelines—would use the transaction value to determine a baseline for assessing a civil penalty, applying a systematic calculation method set out in the Proposed Rule.

Under the proposed guidelines, BIS would first decide whether an enforcement case should be categorized as egregious or non-egregious. (Some of the factors that would enter into their decision are explained in the proposal.) They would also look at whether or not the apparent violations had been voluntarily disclosed by the exporter. These two factors, taken together with the transaction value (defined as the total U.S. dollar value of the transaction) and the maximum applicable penalty for each violation, as fixed by law, would be used to calculate a “base amount” for assessing penalties in the case. (The formulas to be employed in that calculation are explained in detail in the proposal.) Next, the agency would ascertain how many apparent violations of the EAR had occurred.

Finally, the presence of certain aggravating factors (e.g., indications of willfulness or recklessness, extent of harm done to the goals of the regulatory program) and/or mitigating factors (e.g., evidence that effective remedial measures were promptly taken, exceptional cooperation with OEE, likelihood that a license would have been approved if applied for) and/or general factors (e.g., an operational corporate compliance program conforming to the BIS guidelines for exporters)—these would all be considered and weighed to decide whether the penalty should be adjusted downward, or upward (capped by the statutory maximum), and by how much.

The maximum legal penalties for violations of the EAR would not be affected by the Proposed Rule. The Export Administration Act (EAA) of 1979—the legal basis for U.S. export controls on dual-use items—actually lapsed in 2001 and has never been reauthorized by Congress. At present BIS derives its statutory authority to administer and enforce the EAR from the International Emergency Economic Powers Act (IEEPA), the same statutory authority by which OFAC implements most of its economic sanctions programs. Under the terms of the IEEPA, the maximum applicable penalty for civil violations can be as high as $250,000 for each violation, or twice the value of the transaction, whichever is greater. (If you are thinking that’s a very steep fine, you’re entirely right. Consider, however, the penalties associated with criminal violations under the IEEPA: a fine of up to $1 million or 20 years in prison. Or both. For each violation.)

Is this proposed change likely to result in higher penalties than we’re seeing now?

That’s a good question, but it’s hard to answer with any certainty. It will largely depend on BIS. Under the Proposed Rule, the penalty amounts would still be determined by the agency on a case-by-case basis, and the revised guidelines allow considerable enforcement discretion. Very considerable discretion.

BIS says it wants to retain sufficient administrative flexibility under the revised guidelines to allow proportionality in its enforcement actions. Instead of being tightly bound to mechanical penalty calculations, the agency will consider the totality of the circumstances in each case and tailor its response to the seriousness of the violation. Be that as it may, the trade-off for greater flexibility in regulations is always less certainty and predictability. That’s one reason why it isn’t entirely clear how the proposed guidelines would affect the size of civil penalties imposed.

One thing is quite clear: the Proposed Rule provides for significantly higher civil penalties in “egregious” cases. BIS assures exporters that it expects the vast majority of apparent violations investigated by its Office of Export Enforcement (OEE) to fall into the “non-egregious” category. Judging by the record of OFAC, which has been following a similar enforcement approach over the last six years, that does seem very likely. But it isn’t as reassuring as it might be. Here’s why: in addition to determining the penalty amount for each violation, BIS expressly retains the administrative discretion to determine how many violations have occurred in an enforcement case. If you’re thinking that this is simply a matter of knowing how to count, think again. Even under the current guidelines, OEE has been known to “pile on” violations in certain cases. What that means is something like this: if the identical incorrect information (say, a wrong ECCN, description, or monetary value) has been entered in multiple fields of the AES filing, it may be counted—at OEE’s discretion—either as a single export violation or as multiple separate violations, and be charged accordingly. In this way, even “non-egregious” violations can result in unexpectedly large penalties.

And there are other reasons why it’s hard to predict the impact of the revised guidelines on the size of penalties: the definitions of some key regulatory terms in this Proposed Rule are less than precise. Take the term “transaction value,” for example. Under the Proposed Rule, this value is to be the starting point for most penalty calculations. That means it is critically important that we know precisely how BIS will determine the “transaction value” in a given enforcement case. Regrettably, the definition of this term provided in the Rule raises more questions than it answers:

Transaction value means the U.S. dollar value of a subject transaction, as demonstrated by commercial invoices, bills of lading, signed Customs declarations, or similar documents. Where the transaction value is not otherwise ascertainable, BIS may consider the market value of the items that were the subject of the transaction and/or the economic benefit derived by the Respondent from the transaction, in determining transaction value. In situations involving a lease of U.S.-origin items, the transaction value will generally be the value of the lease. For purposes of these Guidelines, “transaction value” will not necessarily have the same meaning, nor be applied in the same manner, as that term is used for import valuation purposes at 19 CFR 152.103.

What do you think of that definition? Clear . . . or cloudy? Egregious or non-egregious? Once these guidelines have been finalized and implemented, BIS will presumably provide answers to some of the questions exporters will surely be asking about this: What transaction is the “subject transaction”? How will the referenced documents be used in determining its value? What happens when the documents contain inconsistent information? In what circumstances is the transaction value considered to be “not otherwise ascertainable”? How will “market value” and “economic benefit” be evaluated? Which of these two values will be prioritized? Once we know how BIS understands this and other key terms in the revised guidelines, we’ll be in a better position to assess the impact of the changes on penalty amounts.

Should we expect to see more enforcement actions by BIS if this rule is implemented?

Yes, you can definitely expect to see more enforcement actions by BIS, but probably not as a result of these revised guidelines—at least, not directly.

BIS says it does not expect the adoption of this Proposed Rule to increase the number of cases which are charged administratively—and which therefore result in monetary penalties, rather than being closed with a warning letter. We have no reason to doubt that statement. Nevertheless, BIS’s statistics show without a doubt that it has been drastically ramping up its enforcement of the EAR over the past several years. The agency has significantly increased its manpower, enhanced its enforcement tools, and broadened the scope of its investigations. Its pursuit of export violations—both civil and criminal—has intensified each year. There is every reason to believe that trend will continue.

Insofar as clearer rules, more explicit guidance, and greater alignment with other agencies (such as OFAC) will allow more cases to be brought forward, and either settled or charged, we expect the implementation of this Proposed Rule to facilitate the current trend.

Will Voluntary Self-Disclosures still be a mitigating factor under this Proposed Rule?

Technically, no. Voluntary Self-Disclosures are no longer stated to be “mitigating factors” per se.

But actually, yes. And that’s a very definite yes. Under this Proposed Rule, which closely follows the OFAC Guidelines, whether or not the exporter has submitted a VSD is the second most significant component in establishing the base penalty amount. So, this new proposal is entirely in keeping with BIS’s longstanding policy of strongly encouraging voluntary notifications of violations. Export violations that were completely disclosed in a timely VSD would be afforded more significant deductions in the base penalty amount than would have been afforded if BIS had discovered the violation independently.

According to BIS, only three percent of VSDs submitted over the past several years have resulted in a civil penalty. In most cases, BIS says, VSDs result in the issuance of warning letters.

BIS’s enforcement statistics, as well as the penalty calculation formulas in the Proposed Rule, indicate that an exporter would be wise to voluntarily self-report as soon as possible whenever a potential violation is discovered. Of course, whether or not a VSD is warranted by your company’s specific circumstances is a matter you should discuss with your corporate legal counsel. Generally speaking, however, submitting a full voluntary self-disclosure, including an account of corrective measures immediately taken to guard against future violations, is likely to limit potential penalties.

One caveat though: BIS does not look favorably on exporters who submit untruthful or misleading VSDs, or attempt to conceal some of the facts.

Would the implementation of this Proposed Rule be good news or bad news for U.S. exporters?

On the whole, probably good news.

Good News #1: Despite the uncertainty and unpredictability we noted above, due to BIS’s broad discretionary power in enforcing the EAR, the new guidelines should aid exporters—at least, to some extent—in estimating the range of likely penalties, especially for export violations that involve both the EAR and OFAC sanctions programs.

Good News #2: The trade-off for uncertainty and unpredictability, as we also noted above, is enforcement flexibility. In settlement negotiations, we would expect the flexibility and discretionary powers retained by BIS under this Proposed Rule to work in an exporter’s favor. In appropriate cases, BIS has the authority to suspend or defer payment of a civil penalty, taking into account whether the Respondent has demonstrated a limited ability to pay, whether the matter is part of a global settlement with other U.S. Government agencies, and/or whether the Respondent has agreed to apply a portion or all of the funds suspended or deferred for purposes of improving the company’s internal compliance program. Should your company ever be the Respondent, we’re certain you’ll see that as good news!

Good News #3: Even now, while the new guidelines are not yet in place, the Proposed Rule is already very helpful to exporters, as an indication of the approach to settlement and penalty determinations that BIS is likely to take in the years ahead.

What else should I take away from this?

One more thing: in case this wasn’t already abundantly clear to you, the Proposed Rule makes it even clearer: creating, maintaining, and prioritizing a comprehensive corporate compliance program that incorporates all the key elements identified in the BIS Compliance Guidelines—including written guidelines that tell your company’s employees exactly what is expected of them and provide a framework for senior management to engage intelligently with all compliance issues—is a critical requirement for every U.S. exporter, and is certain to become even more critical in the months and years ahead.

Revising U.S. Export Controls: ISIS Network Poses Challenges

As the year 2015 draws to a close, fifteen of the twenty-one categories on the U.S. Munitions List (USML) have been revised as part of the U.S. Government’s Export Control Reform Initiative (ECR). For three others—Categories XII (Fire Control/Sensors/Night Vision), XIV (Toxicological Agents), and XVIII (Directed Energy Weapons)—public comments have been received on new Proposed Rules, but have not yet been acted on. The revisions for the remaining three categories—I (Firearms), II (Artillery), and III (Ammunition)—have not yet been published in proposed form. As was the case with previous changes, the new rules are expected to create positive lists for each category and transfer the export jurisdiction for some types of ammunition, ordnance, and other items from State to Commerce. As the State/DDTC web site explains, the ECR initiative “is designed to better protect America’s most sensitive defense technologies, while reducing unnecessary restrictions on exports of less sensitive items.”

Precisely when these last three categories will be revised, and what the changes will be, is not clear. Work on them continues, but the wait shouldn’t be too long, because State has indicated that its goal is to finalize this initial review and revision of the entire USML in 2016.

What are the actual effects of the revisions so far? That’s a natural question at this point, but measuring and assessing the contribution of ECR is complex and challenging.

The Commerce Department has just made that task a little easier, however. On November 2, the Department’s Office of Technology Evaluation (OTE) launched a new BIS Data Portal, which makes available to the public, for the first time, regularly updated aggregate information on the numbers and kinds of export licenses issued and current U.S. export trends. The new web portal offers a valuable analysis of controlled trade with select countries, charting the ongoing impact of ECR, and exporter compliance, with tables, graphs, and Defense Industrial Base studies that users can download in either PDF or Excel format. Among the encouraging data items posted by BIS are numbers showing a steady decrease in the average processing time for a license, despite a dramatic increase in the number of applications processed.

As for the effects of ECR to date, according to the OTE’s early analyses, the regulatory changes that have been made since the initial implementation went into effect in October 2013 are already speeding up the export process significantly and helping U.S. defense companies export more goods, during a period when the U.S. defense budget is being cut and military spending is declining, while military spending in other parts of the world—especially Asia, the Middle East, Eastern Europe, and Africa—is on the rise.

At this stage, it is probably fair to say that the shifting of many controlled items from the USML to the less restrictive Commerce Control List (CCL) has made exporting considerably easier for many small and medium-sized U.S. companies. For large firms in the U.S. defense sector, however, the very welcome expansion of export opportunities has been accompanied by an unwelcome sharp increase in compliance expenditures (in the short term, at least) as they grapple with the complexities and uncertainties of adjusting to the ECR changes, reclassifying products and product lines, reevaluating risk profiles and projected compliance costs vs. anticipated sales revenue, and making sure that the continuing stream of new compliance and cybersecurity requirements “flows down” to their subcontractors.

Transitioning has proved to be somewhat more difficult than anticipated. In recognition of this, on October 3, 2015, the DDTC posted an Industry Notice with updated guidance extending the two-year time periods originally permitted to defense exporters for transitioning to BIS export authorizations.

The extent to which some of the other hoped-for benefits of ECR—such as forestalling the offshore outsourcing of high-tech production capabilities and generating jobs for U.S. workers—have been realized is harder to assess at this point.

Meanwhile, on the world scene, an in-depth investigative news story entitled “ISIS: The Munitions Trail” by Erika Solomon and Ahmed Mhidi, published in the Financial Times on November 30, sheds considerable light on how and where the militant movement calling itself the Islamic State, or ISIS, gets its guns, artillery, and ammunition—the three categories of military equipment on the USML that are still awaiting revision. It also raises hair-raising questions about the effectiveness of the U.S. export control system, and highlights the enormous and growing challenges it now faces after two years of changes under ECR.

According to the FT investigation, the terrorist group is awash in funds from the sale of oil on the black market and several other sources, and is abundantly furnished with captured light and heavy arms (including a great deal of U.S.-made military equipment). Its most urgent, ongoing need is for vast quantities of ammunition:

“ISIS seized weapons worth hundreds of millions of dollars when it captured Iraq’s second city, Mosul, in the summer of 2014. Since then, in every battle that it has won, it has acquired more material. Its arsenal includes US-made Abrams tanks, M16 rifles, MK-19 40mm grenade launchers (seized from the Iraqi army) and Russian M-46 130mm field guns (taken from Syrian forces).

“But dealers say despite this, there is one thing ISIS still needs: ammunition. Most in demand are rounds for Kalashnikov assault rifles, medium-calibre machine guns and 14.5mm and 12.5mm anti-aircraft guns. ISIS also buys rocket-propelled grenades and sniper bullets, but in smaller quantities.”

The details of the organization’s operations, as reported in the article, make it evident that any nation or coalition seeking to halt the flow of needed military supplies to ISIS—which (in addition to ammunition) include agricultural chemicals and mining materials that are used to manufacture explosives for the bombs that have made ISIS infamous, and common electronic devices that are made into bomb triggers—faces a nearly impossible task. With a complex, state-like infrastructure, a multinational network of black-market traders, and a sophisticated logistics operation capable of moving large supplies of munitions to its fighting men in many fields with remarkable speed, it would appear that the “world’s richest Jihadi group” is having no difficulty procuring whatever military supplies it requires.

“They buy like mad. They buy every day: morning, afternoon and night,” says Abu Ali, who, like others who have operated inside Isis territories, asked not to be identified by his real name. . . .

These materials come from all over the world, says one Iraqi official: “Just put your finger on a map, and they’ve got something from there.”

Historically, one major stated goal of U.S. defense export controls has always been to make it as difficult as possible for unscrupulous arms dealers, terrorist organizations, and proliferators of weapons of mass destruction to obtain goods that are militarily useful.

A closely related goal has been to deter human rights abuses and prevent the stoking of violent civil disorder in certain countries, or the inflaming of regional instability. For this reason, the State Department has long sought to block the sales of small arms (such as semiautomatic rifles), light weapons (such as artillery rockets), arms parts, artillery shells, and ammunition (i.e., the “less sensitive” defense items controlled by USML Categories I, II, and III), as well as communications and surveillance equipment, and certain other goods, to governments and other entities with a consistent record of committing atrocities.

Still another goal of defense export controls has been to combat illicit arms trafficking and prevent retransfers to transnational criminal organizations via black-market middlemen. Tracking U.S. small arms and other military equipment after export has often led to the apprehension and prosecution of criminals involved in the illicit trafficking of drugs, money, art, and human beings.

Other nations and international organizations are actively involved, along with the U.S., in these arms control, nonproliferation, and international crimefighting efforts.

If the description of the “munitions trail” to ISIS in the November 30 Financial Times report is accurate, however, it plainly casts doubt on the effectiveness of past and present U.S. export controls. It is hard to avoid the conclusion that, whatever measures were taken by the U.S. and other nations to stem the flow of weapons, munitions, and other military equipment to the Islamic State and similar terrorist groups, they have largely been ineffective.

Somehow, an elaborate system of export licensing, re-export and retransfer authorizations, end-user assurances, end-use monitoring, marking, and tracking, not to mention a U.N. arms embargo on ISIS, has failed to prevent the group from acquiring a massive arsenal of weapons and equipment—weapons it has used, and continues to use, to carry out indiscriminate attacks on civilian populations and commit multiple atrocities, posing a dire threat to millions of people in the Middle East region and beyond.

The DDTC has repeatedly stated that the initial review and revision of the twenty-one USML categories, now in its last phase, is not intended to be the end of reforms to the U.S. export control regime. State readily acknowledges that there is still work to do on ECR; ongoing review and further input from industry and the public is expected and encouraged.

The growing terror threat posed by the Islamic State group strongly underlines the need for a great deal of further thought and discussion of U.S. export controls on arms and munitions with a view to enhancing end-user/end-use controls, ensuring effective monitoring, verification, and enforcement, and minimizing diversion and re-export risks—especially for small arms, light weapons, and ammunition.

The Key Elements of an Effective OFAC Compliance Program

Question: What advice can you offer on how to set up and maintain a successful OFAC compliance program?

Because each company has different risks and different risk tolerances, there is no simple and clear formula for creating a successful OFAC compliance program. Nevertheless, the “Compliance Program Guidelines” issued by DDTC, the “Compliance Guidelines” issued by BIS, and the summary of “Regulations for Exporters and Importers” issued by OFAC identify certain elements that each agency considers essential for a program to be effective. The advice given by the three agencies has a great deal in common. Here are the key elements of any effective corporate export compliance program, with a few comments about each.

Management Commitment and a Strong Compliance Culture

In order for any compliance measures to be effective, the Board of Directors and senior management must buy into and commit to the success of the program. By clearly demonstrating their support and participation, the company’s leadership can set the tone for the entire staff and foster a culture of integrity—which includes transparency and compliance—throughout the organization. That means, among other things, a culture of self-reporting possible violations and inquiring to assess their scope and the extent of program exposure, instead of a culture of covering up and writing off penalties for violations as “a cost of doing business.”

A Qualified and Empowered Export Compliance Officer

Unless your company is very small, the appointment of a dedicated Export Compliance Officer (ECO) with a clear mandate to focus on this critical function is highly desirable. Consider that your ECO is charged with protecting you from risks where penalties can reach hundreds of millions of dollars. With a roster of laws and regulations that is continually changing, managerial staff in internal control roles today have a more challenging job than ever before, with ever-wider responsibilities.

Your company’s ECO should:

—     have a direct line of communication to the Board of Directors and senior management.

—     be knowledgeable concerning the ITAR, EAR, and OFAC regulations, and have a good working understanding of your company’s products, services, technologies, suppliers, and customer base. Don’t hire an inexperienced individual, unqualified for the role, and don’t skimp on his/her ongoing education and training.

—     have full authority to look into all compliance-related matters and put together a project team to address and resolve problems when they arise.

—     have sole responsibility for managing communications with regulatory agencies (such as Commerce/BIS, State/DDTC, and Treasury/OFAC) for all compliance-related issues.

—     be responsible for monitoring official announcements and press releases from DDTC, BIS, and OFAC daily for developments or enforcement actions that could impact your company’s line of business or its suppliers, and for communicating changes in regulations, policies, or procedures to company personnel by means of in-house e-mails, newsletters, announcements, or notices posted on the company intranet.

Thoughtful, Clearly Articulated Internal Policies, Procedures, and Controls

The level of sophistication of your internal compliance controls will naturally depend on the nature and scale of your business. What is essential is that policies, procedures, and controls be carefully thought out, clearly set down in writing, and effectively communicated to all employees, agents, and business partners. Individual compliance responsibilities should also be expressly included in job descriptions and performance evaluations of personnel, as appropriate.

You need to provide your employees with an easy way—such as an anonymous hotline or “help line”—to report potential violations of U.S. export laws and regulations or of the company’s export compliance policies without fear of reprisal; and you need to be consistent in investigating each report, and in implementing disciplinary procedures to address violations when they are encountered.

Effective Use of Information Technology

To avoid OFAC violations, it is crucial that companies have robust screening procedures in place that cover transactions, customers, suppliers, personnel, and business partners. This is a daunting task, because OFAC is concerned not only with a relatively small number of country sanctions (such as those found on BIS’s Commerce Country Chart and DDTC’s Country Policies and Embargoes chart), but also with many thousands of Specially Designated Nationals (SDNs), an ever-changing list of individuals, business entities, groups and organizations, banks, and even ships (or “vessels of concern,” as OFAC calls them). Nor is the SDN List the only list against which transactions should be screened. There are also the BIS’s Denied Persons List, Entity List, and Unverified List, the DDTC’s Debarred Parties List, the FBI’s Most Wanted Terrorist List, the United Nations 1267 List, the European Union Sanction List, the HM Treasury Sanction List, and others as well.

Even if your company is small, reliance on manual screening and monitoring processes alone now carries an unacceptably high risk and should no longer be considered a viable option. Today it is imperative that U.S. exporters use information technology to the maximum extent feasible in seeking to implement the know-your-customer rule (KYC) and other due-diligence measures for preventing unlawful diversion and ensuring that their shipments will reach only authorized end-users for authorized end-uses. A reliable screening software solution that uploads changes to the list as close to real-time as possible is a critical element in any company’s compliance program.

Many “off-the-shelf” transaction monitoring systems—most of them web-based—are available, at a wide range of prices and with a range of features that include basic screening against multiple denied parties lists, batch screening, sophisticated search algorithms employing “fuzzy logic,” the ability to generate custom reports of all kinds, automated recordkeeping, and real-time monitoring with immediate notification of any changes. But even with the purchase of commercial software, developing and implementing a screening system that will protect your company effectively is going to require the investment of some time and effort to calibrate, configure, and fine-tune the screening algorithm to match your business’s specific needs. The failure to do so will render even the best screening software ineffective and leave your company at risk. Screening software also brings with it certain inevitable limitations, including the potential for false positives, even after the screening algorithm has been optimally configured for your company’s risk profile. In some cases, it will be necessary to follow up the screening with manual reviews of entities or persons.

In the course of performing compliance audits and risk assessments for exporters, both large and small, in the U.S. and overseas, our audit teams still encounter far too many companies that employ a manual transaction screening procedure that consists of logging on to a series of web sites, screening customers, vendors, personnel, and other entities of concern, one at a time, against a hodgepodge of lists, and then updating the results of the search on a tracking spreadsheet. Not only is this manual method time-consuming and limited in the number of lists you can reasonably screen against, but it also does not lend itself well to compliance records retention. Spreadsheet programs, such as Excel, were never meant to function as databases. They are not secure and are notoriously error-prone. They cannot handle attachments of documents, photos, licenses, verifications, and other evidence. While it is true that they are easy to use and convenient to update, because they lack the ability to track changes over a period of time and have no audit trails for data or formulas, they are an auditor’s nightmare. Even the most basic IT-based screening and monitoring solution is clearly preferable.

Ongoing, Relevant Employee Training

Regular employee training, ensuring that all staff understand the applicable laws and regulations as well as the business’s policies, processes, and specific risk profile, has always been a key component of any corporate compliance program. But for OFAC compliance, training is even more critical than it is for ITAR and EAR compliance, due to the dynamic nature of U.S. trade embargoes and the speed with which some programs are announced and evolve. Even automated screening can go only so far in helping to detect sanctions violations. Consider that entities on the SDN List can open fake bank accounts, individuals can create false identities, and both can use proxies or agents to place orders on their behalf internationally. There is always some degree of risk that you are doing business with someone you shouldn’t and are violating OFAC’s rules. Alert, trained employees will spot red flags and inconsistencies that software can’t.

For that reason, you need to identify your company’s frontline employees from a compliance perspective—those whose duties require an awareness of ITAR, EAR, and OFAC regulations—and train them to understand the sanctions vulnerabilities you face and how serious these are, spot potential problems quickly, and respond appropriately. Those men and women are your ultimate line of defense. Even when there is a strong commitment on the part of management and when sound internal processes are in place, a work force without proper training will leave your company exposed and at high risk. All the compliance policies, procedures, and “best practices” in the world are worthless unless they are known, correctly understood, and followed by your employees. Even worse, they may create a sense of false security.

Export compliance training needs to start right away, with new employee orientation. Regular retraining events should provide updates to internal policies, procedures, processes, and monitoring systems. In order for compliance awareness training to be fully effective, it needs to include realistic practical illustrations of potential violations and credible scenarios of suspicious activities with “red flags” that should put a transaction on hold and trigger a report to Compliance. For that reason, off-the-shelf employee training materials should never be simply purchased and deployed “out of the box”; they must first be tailored to the specifics of the company’s business. This is definitely not a situation where “one size fits all.”

The following are some of the most common weaknesses our teams have observed when assessing corporate training programs:

—     Employee training is not conducted regularly or frequently enough.

—     Deadlines for completing or renewing training are not enforced.

—     Training content is not being updated.

—     Training is deployed, but without any test or questionnaire to verify knowledge retention.

—     When employees were found to have breached either U.S. export regulations or the company’s stated compliance policy, additional employee training was not conducted to remedy the situation and prevent repetition.

Remember—

“Every one of your employees has the ability to damage—or to protect
and enhance—the reputation of the company.”

Independent Reviews and Risk Assessments

Regular compliance reviews and assessments, conducted by experienced outside auditors, consultants, or other qualified independent parties, are really the only reliable way to verify that your OFAC compliance program is operating as effectively as possible and is fully compliant with the law. It is imperative that these assessments be performed by an individual or team not directly tied to or responsible to the Compliance Department. In very large corporations, they could be conducted by the Internal Audit Department, if one exists, but only if Internal Audit has proper specific export compliance expertise. Otherwise, the company should hire experienced external consultants.

The frequency of these reviews should be commensurate with your company’s risk profile. Every 12 to 18 months is typical. Ask the reviewers to report their findings directly to the Board and/or senior management—not only to the compliance officer or department. And it’s always a good idea to ask that an Executive Summary be included in the written report. The report should aim at giving management practical insight into the programmatic strengths and weaknesses. It should also suggest specific remedial actions to bring the company back into full compliance. Those suggestions should not be ignored.

Remember—

“A single weak or missing element will undermine
your entire OFAC compliance program.”

OFAC: The Not to Be Forgotten Part of Export Compliance (Part 3 of 3)

Question: I’m seeing a lot of headlines about OFAC sanctions in the global trade news lately. Why has developing a corporate OFAC compliance program suddenly become so important?

Over the past few years, the U.S. Government has increasingly looked to trade embargoes and economic sanctions programs, which OFAC administers, to help achieve its foreign policy and national security objectives. Sanctions have also served as an integral component of America’s counter-terrorism strategy and campaign to halt the spread of weapons of mass destruction. More recently, they are being employed in innovative ways to combat malicious cyber activity and transnational organized crime.

Not surprisingly, given that America’s economy and capital markets are still the largest in the world, U.S. sanctions have had a dramatic impact on international trade; in multiple instances, they appear to have been effective in influencing the behavior of countries that the government viewed as national security threats. Because of the proven effectiveness of these measures, and probably also because of the nation’s current economic state and a generally war-weary public, sanctions have become a tool of first resort for U.S. foreign policy. Consequently, we have seen OFAC (with help from the Department of Justice) ramping up their sanctions enforcement and aggressively pursuing potential violators throughout the world.

Major prosecutions under the Foreign Corrupt Practices Act have made the headlines several times this past year. Economic sanctions enforcement seems poised to be the next big focus for government regulators. U.S. businesses that operate, or intend to operate, in the global marketplace urgently need to take a close look at their corporate export compliance programs and develop strategies for complying with rapidly changing regulations and enforcement policies in this area.

(1)    Proactive is always better than reactive.

More and more large U.S. and multi-national corporations, especially those who are prime U.S. Government contractors, are now addressing the OFAC compliance challenge and requiring all those with whom they do business—subcontractors, vendors, suppliers, partners—to demonstrate a similar diligence. Addressing the OFAC compliance challenge on your own timeline, rather than waiting until you are obligated by a contract or business transaction to do so, will allow you to choose compliance options that are cost-effective for your company’s business model, circumstances, and goals.

(2)    The recent Yates Memo has sounded a new warning note and made enforcement more personal.

The policy memorandum issued on September 15, 2015 by Deputy Attorney General Sally Quillian Yates appears to signal a more aggressive approach by the U.S. Government that prioritizes the prosecution of individual corporate executives in cases of corporate wrongdoing, including sanctions violations. While the insistence on individual accountability for corporate misdeeds is not new, the policy outlined in the Yates Memorandum places a greater emphasis than before on requiring the corporation’s internal investigation to identify the individual decision-makers who were involved in, or were responsible for, the regulatory noncompliance. Essentially, companies that want any “cooperation credit” from the U.S. Government (i.e., mitigation of penalties) will first need to fully disclose to the prosecutors the results of their internal investigation concerning the employees and senior executives involved.

Although the significance and implications of the Yates Memo are not yet entirely clear, the trend in regulatory enforcement that it represents underscores the need for companies to have more effective export compliance policies and procedures in place. You may want to consider including policies that spotlight individual accountability and processes that facilitate the rapid triage of incident reports and immediate and thorough investigations when appropriate.

Question: In what ways is achieving and maintaining OFAC compliance a greater challenge for a company than ITAR and EAR compliance?

(1)    OFAC sanctions are continually evolving. U.S. trade embargoes and economic sanctions, and the names of entities on the SDN List, can and do change very quickly—even overnight. For that reason, keeping abreast of new and evolving programs and ensuring compliance with recordkeeping, reporting, licensing, and other OFAC requirements can be extraordinarily difficult.

The Treasury Department’s SDN List contains several thousand names, and people or organizations can be removed from it, or added to it, at any time. Several foreign jurisdictions, including the European Union, Canada, and Mexico, also maintain “blocking statutes” that may address the U.S. trade embargoes and sanctions concerns, and a wide range of other restrictive measures as well, so your company’s transactions may need to be screened against multiple lists. What is more, some of these restrictive measures may conflict with U.S. regulations. Due diligence requires continuous, real-time, comprehensive monitoring to ensure that your dealings and transactions with foreign countries and individuals are not in violation of OFAC prohibitions.

(2)    OFAC sanctions are extraordinarily comprehensive. In addition to prohibiting certain transactions, OFAC regulations prohibit U.S. persons from “facilitating” (i.e., assisting, supporting, directing, or approving) a transaction by, or with, a sanctioned entity. The regulatory definition of “facilitation” is quite general, and its concrete interpretation has not been clear, since enforcement actions against companies for “facilitation” violations have been fairly infrequent. That situation has now changed dramatically. In the past few years, the U.S. Government has begun aggressively pursuing criminal actions against individuals and firms that “willfully facilitate” sanctions violations. Referring prohibited business to a foreign party, providing guidance or advice on a prohibited activity, financing or insuring or guaranteeing a prohibited transaction, providing merchandise or services in connection with a prohibited activity—any or all of these may constitute facilitation, and thus violate the OFAC regulations.

Most OFAC Sanctions Programs apply to “U.S. persons,” a term embracing U.S. citizens, permanent resident aliens, entities organized under the laws of the U.S. or any jurisdiction within the U.S. (including foreign branches of U.S. corporations), and any persons in the U.S. However, some sanctions programs state a wider jurisdiction. The Cuban Assets Control Regulations (CACR), 31 C.F.R. Part 515, use a more broadly defined term, “Persons subject to the jurisdiction of the U.S.,” which includes foreign subsidiaries of U.S. companies (see 31 C.F.R. §515.329 and §515.330).

(3)    OFAC violations can carry staggering penalties.

Violations of the OFAC regulations may incur either civil or criminal penalties, or both. We have seen a very aggressive enforcement trend over the past few years. Increasingly, the U.S. Government has chosen to pursue criminal charges against violators (or has settled cases using criminal allegations), and a series of record-setting penalties have been imposed for OFAC sanctions violations. Examples within the last year include the almost $1 billion in fines handed down to BNP Paribas, and more recently Commerzbank’s agreement to pay $258 million in fines for falsifying business records for sanctioned countries. Nor is it only banks that have been prosecuted for sanctions violations. The Department of Justice recently agreed to a fine of $232 million to settle criminal charges with Schlumberger Oilfield Holdings Ltd for violating U.S. sanctions. That action and a few others are indications that regulators may soon be turning their attention to U.S. manufacturing companies as well.

* * *

A serious OFAC compliance program demonstrates that your company is aware of the SDN List and sanctions regulations, understands the risks, and is actively trying to prevent OFAC violations. If a violation does occur, it will be a strong mitigating factor against severe penalties. In some recent criminal prosecutions, the U.S. Government has contended—and the Courts have agreed—that failing to have an adequate compliance program in place was an indication of “reckless disregard” and therefore supported prosecution of the company and individual employees for willful, criminal violations of regulations. Depending on the sanctions program, criminal penalties for willful violations can include fines of up to $20 million and imprisonment of up to 30 years. Even worse, a single transaction can produce multiple violations, placing a company at risk of significant liability.

In addition to avoiding draconian penalties, another good reason for making OFAC compliance (and EAR/ITAR compliance) a high priority is minimizing costly and time-consuming investigations. Even if the finding is that no violation has occurred, or if civil penalties are eventually waived due to mitigating factors, responding to U.S. Government queries regarding potential violations and conducting comprehensive internal investigations can place a heavy and damaging burden on corporate resources.

Given those risks, it’s hardly surprising that more and more company boards and senior executives are moving enhanced OFAC compliance measures to the top of their agendas.

Catch next week’s post “The Key Elements of an Effective OFAC Compliance Program” for advice on how to set up and maintain a successful OFAC compliance program.