Category Archives: Compliance

EXPORT COMPLIANCE IN 11 WORDS (Part 4 of 12):
A Series on Export Compliance Essentials

CLASSIFY!

Sound policies and consistent procedures for classifying your products
will reduce the risk of export control violations

Export compliance managers must be thoroughly familiar with their company’s products, services, and technical data, and they must know which export control requirements apply to each category.

Determining the correct export jurisdiction for your products—State/DDTC, Commerce/BIS, or, in rare instances, another Federal agency—and classifying them accurately according to the U.S. Munitions List (USML) or Commerce Control List (CCL) is a critical element of your corporate export control process, particularly in light of the recent Export Control Reform, which has brought about the migration of many former USML items to the CCL. Solid compliance demands accurate classification.

Even a small mistake in classification can cause big problems. Multiple export control violations resulting from a misclassification may result in wasted time, unhappy customers, heavy fines and penalties, long and costly litigation, a tarnished business reputation, and a record with the regulatory agencies that will be taken into account in any future export enforcement proceedings.

How to Avoid Errors in Product Classification

1. Keep calm and follow the process.

The web-based Decision Tree Tools on the DDTC and BIS sites, especially the USML Order of Review and Specially Designed tools and the CCL Order of Review and Specially Designed tools, are invaluable resources if used properly. Together they provide a reliable roadmap through the process of reviewing the USML and CCL to classify each of your items correctly, with references to the relevant sections of the ITAR and EAR for you to consult at each step along the way. When you classify your products, make it your policy to follow the Order of Review prescribed in the regulations consistently: review the USML first, and move on to the CCL only once you have determined that the item is neither enumerated nor "specially designed" under the ITAR. Stick to the path, and resist the temptation to take shortcuts!

2. Classify your products in advance to reduce risk.

A policy of classifying your products and services transaction-by-transaction, as needed, upon receipt of an RFQ or order from a foreign customer, puts your company at high risk of double-barreled disaster. What are the risks? For one thing, informing a customer when you’re about to ship his order that you’ve just realized you’ll have to apply for an export license, so it’ll be a while before he sees his goods, is a less-than-optimal practice if repeat business and customer retention are desired. For another thing, allowing shipping deadlines to influence jurisdictional determinations and classification decisions is a tried-and-true recipe for accumulating multiple export control violations and incurring heavy fines and other penalties. “Company discovers potential compliance problem with profitable overseas order, but decides to go ahead and ship anyway because they’re so hot for the sale” is one of the most common export violation scenarios.

A much safer practice is to do your homework in advance by classifying your whole product line and compiling the classifications (USML Category and Subcategory, or ECCN, or classification as “EAR99”) into a Product (or Technology) Classification Matrix, which can then be conveniently maintained in spreadsheet format. If you do this, be sure you include a concise explanation of the rationale for each classification, referencing any associated notes or documentation.

3. Stay connected and current.

The USML Categories and ECCNs you’ve determined for your products and services may not remain valid and accurate forever. Your company’s product specifications may change over time. Changing export laws, regulations, and definitions may also require you to re-classify. Make sure you subscribe to news and updates from all the relevant U.S. Government regulatory agencies, read them carefully as they are published, and put in place timely follow-up procedures for updating your Product Classification Matrix, internal control processes, compliance manual, and employee training, as required.

4. Document everything.

Inadequate recordkeeping is a very common cause of export control violations. If you self-determine the export classifications of your products, your classification procedures must generate and retain documentation showing how and why you reached each conclusion. If you submitted a Commodity Jurisdiction (CJ) request to State/DDTC or a commodity classification request to Commerce/BIS (the BIS ruling is identified by its CCATS number), keep copies of the official rulings they issued, along with the product descriptions and supporting documentation you submitted to them, as well as any related correspondence and notes on conversations with U.S. Government officials. Even for items that you shipped as NLR, keep records justifying your NLR determination, together with the other details of the export classification, for at least five years from the date of export.

5. Disabuse yourself of common myths and misconceptions.

“It’s a commercial off-the-shelf item, so it can’t be export-controlled.” FALSE. Everything in the U.S. (except information that is in the public domain or published) is subject to U.S. export controls. A great many COTS items are highly controlled for export. Full-rate thermal cameras, precision gyroscopes, and CubeSat kits are just a few examples.

“If I take it with me in my carry-on luggage, I won’t have to worry about export controls.”  FALSE. Anything that leaves the U.S. is being exported. There are some exemptions and exceptions for commercial items carried out of the country temporarily for use as “tools of trade” and a few other reasons, but their use requires documentation, and by no means do these exceptions cover everything.

“I work at a university, so what I do is classified as ‘fundamental research,’ making it automatically exempt from export controls.” FALSE. By no means is it safe to assume that all work carried on at a university is fundamental research, or that technical data and information associated with university work is not export-controlled. University research will usually not be considered “fundamental research” if the university or its researchers accept restrictions on the publication of scientific and technical information resulting from the activity, or if the research is funded by the U.S. Government and specific access and dissemination controls protect information resulting from the activity. Even when the activity itself does qualify as “fundamental research,” export control regulations may still impose restrictions on certain equipment or software used in the course of the research, and on the provision of technical data and training to foreign persons in relation to that hardware or software. Several major U.S. export enforcement actions in recent years have involved universities and university professors.

“One reason we ship everything through a freight forwarder is so we won’t have to worry about the export classifications of our products. Our shipping agent is responsible for classifying our exports and obtaining licenses, not us.”  FALSE. Your freight forwarder’s job is to move your freight, not to analyze and classify your products and technologies. Even if a freight forwarder or courier is involved in the export transaction, as long as you are the U.S. Principal Party in Interest (USPPI) on the AES record, the ultimate responsibility for determining the proper jurisdiction and classification, obtaining a license, and ensuring compliance with licensing requirements and provisos is still yours. If the freight forwarder makes a mistake in classifying products on your behalf, you will be liable for any export violations that may occur.

“Why, we’ve been making this product for at least 30 years, and this can’t be the first time we’ve exported it, so it must be okay. It couldn’t possibly be export-controlled.”  FALSE. It doesn’t matter how long you’ve been making it —if it needs a license and you export it without one, that’s an export violation. Even if you exported it in the past, the ITAR or EAR requirements might have changed since then. And if nobody ever thought to check on the product’s export classification until now, you may well find that you need to file a Voluntary Disclosure.

“All our company’s products are classified EAR99. In other words, they’re all NLR – No License Required. So we don’t need to worry about export licenses.”  FALSE. “EAR99” is not a synonym for “NLR.” EAR99 is a classification that applies to items that fall under the jurisdiction of the Commerce Department, but are not listed on the Commerce Control List. While it is true that such items can be exported without a license in many cases, whether or not you will need a license to export an item depends on the details of the transaction. You will need a license for an EAR99 item—or your export might even be denied authorization—if you are shipping the item to an embargoed or sanctioned destination, or to a denied party or end-user of concern, or if you have knowledge that the export is in support of a prohibited end-use designated in Part 744 of the EAR, or if any of the Ten General Prohibitions in Part 736 apply to the transaction.

Lest you think the possibility of a license requirement for an EAR99 item is merely theoretical, note that in 2009 a very small New York company agreed to pay $70,000 to settle charges that it shipped $95,335 worth of scrap metal, classified EAR99, without a license to a company in Pakistan that (unbeknownst to the exporter) was on the BIS Entity List. According to BIS, a license application for EAR99 scrap metal to that Pakistani customer would have been routinely approved; because the exporter shipped without applying for one, the shipment was a violation. A routine restricted-party screening of the consignee before shipment would have surfaced the listing.
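The scrap-metal case turns on a single missed check: screening the consignee against the Entity List before an EAR99 shipment goes out. The following is an added example (not code from the original post or from any screening vendor) of that check, together with the "is EAR99 really NLR for this transaction?" decision the preceding paragraph describes. The list entries, country codes, company names and the 0.85 match threshold are constructed or assumed for illustration; a real program screens against the current Consolidated Screening List and maintains its embargo data from the regulations, not from a hard-coded set.

```python
"""Restricted-party screening plus an EAR99 licence-reason check.
Added example; all list entries, country codes and thresholds are constructed
or assumed for illustration, not taken from any official list."""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed entries in the shape of the BIS Entity List (names invented for this example).
SAMPLE_RESTRICTED_PARTIES = [
    {"name": "Karachi Metal Trading Co.", "aliases": ["KMT Co", "K.M. Trading Company"],
     "country": "PK", "source": "Entity List"},
    {"name": "Nordlicht Präzisionsoptik GmbH", "aliases": [],
     "country": "DE", "source": "Entity List"},
]

# Illustrative comprehensively embargoed destinations (assumption: maintain this from
# EAR Part 746 and OFAC, never from a hard-coded set like this one).
SAMPLE_EMBARGOED_DESTINATIONS = {"CU", "IR", "KP", "SY"}

# Generic corporate suffixes carry no identity; keeping them causes false negatives
# ("Trading Co." vs "Trading Company").
_SUFFIXES = {"co", "company", "corp", "corporation", "inc", "ltd", "limited",
             "llc", "gmbh", "ag", "sa", "plc"}


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, drop generic suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    tokens = re.sub(r"[^a-z0-9 ]+", " ", text.casefold()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


@dataclass
class ScreeningHit:
    query: str
    matched_name: str
    source: str
    score: float


def screen_party(name: str, parties=SAMPLE_RESTRICTED_PARTIES,
                 threshold: float = 0.85) -> list[ScreeningHit]:
    """Return list entries whose name or alias resembles `name` after normalization.
    1.0 is an exact normalized match; anything at or above `threshold` (an assumed
    value) is flagged for human review rather than silently cleared."""
    query = normalize(name)
    hits: list[ScreeningHit] = []
    for entry in parties:
        for candidate in [entry["name"], *entry["aliases"]]:
            score = SequenceMatcher(None, query, normalize(candidate)).ratio()
            if score >= threshold:
                hits.append(ScreeningHit(name, candidate, entry["source"], round(score, 3)))
    hits.sort(key=lambda h: h.score, reverse=True)  # strongest match first for the reviewer
    return hits


@dataclass
class Transaction:
    classification: str        # "EAR99" or an ECCN such as "3A001"
    destination: str           # ISO country code of the ultimate destination
    parties: list[str]         # consignee, end user, intermediaries, forwarder
    prohibited_end_use: bool = False   # knowledge of an EAR Part 744 end use
    general_prohibition: bool = False  # one of the Ten General Prohibitions (Part 736) applies


def license_reasons(tx: Transaction) -> list[str]:
    """Reasons an EAR99 item still needs a licence for this particular transaction.
    An empty list means NLR for this transaction only; it is not a ruling.
    ECCN items need the CCL/Country Chart review the post describes, which this
    helper deliberately does not attempt."""
    if tx.classification.upper() != "EAR99":
        raise ValueError("only EAR99 is handled here; ECCN items need the Country Chart review")
    reasons: list[str] = []
    if tx.destination.upper() in SAMPLE_EMBARGOED_DESTINATIONS:
        reasons.append(f"embargoed destination {tx.destination}")
    for party in tx.parties:
        for hit in screen_party(party):
            reasons.append(f"restricted party: '{party}' matches '{hit.matched_name}' "
                           f"({hit.source}, score {hit.score})")
    if tx.prohibited_end_use:
        reasons.append("knowledge of a prohibited end use (EAR Part 744)")
    if tx.general_prohibition:
        reasons.append("a General Prohibition in EAR Part 736 applies")
    return reasons


if __name__ == "__main__":
    # Same EAR99 item, two transactions: only the end user differs.
    for tx in (Transaction("EAR99", "DE", ["Acme Widgets Inc"]),
               Transaction("EAR99", "PK", ["Karachi Metal Trading Company"])):
        reasons = license_reasons(tx)
        print(tx.destination, "NLR for this transaction" if not reasons else reasons)
```

Two design points matter in practice. Normalization strips diacritics and generic corporate suffixes before comparing, so "Trading Company" still hits an entry listed as "Trading Co." and "Prazisionsoptik" still hits "Präzisionsoptik"; without that, the exact-string comparison many home-grown screens rely on clears the very party it should flag. And the decision function returns reasons rather than a yes/no, so the record you keep for five years shows why a license was or was not sought, which is the documentation the "Document everything" step above calls for.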

6. Don’t try to go it alone.

Product classification is a very serious matter. Yet the U.S. export laws and regulations are fraught with complications, and it’s easy to make mistakes. Read the business section of any newspaper regularly and you’ll see that export violations occur all the time, a great many of them related to products that were classified wrongly.

If you lack the expertise to classify products, or if you are not comfortable reading and interpreting the regulations and the technical specifications of products, or if you lack the time to do those things, then find the best outside experts you can as soon as you can and seek their advice. Export compliance consultants can often help at lesser cost than lawyers. And don’t be afraid to ask the consultants tough questions; after all, that’s what experts are for.

You also need to invest internally in training one or more of your people to handle your company’s product classification process. One strategy is to identify someone already working for you who is not afraid of reading and explaining regulations, such as the quality assurance or safety control or security manager. Then send him or her to export compliance classes and seminars that include hands-on workshops and practical training scenarios in product classification. If none of your current employees looks like the right person for this responsibility, then ask your outside consultant to help you find, hire, and train a qualified new person.

Finally, when necessary, don’t hesitate to seek professional legal advice from a law firm that specializes in international trade and export controls as its primary practice area. It’s true that lawyers can be expensive and legal fees are generally not a cost that any company likes to pay. But it can be a fatal mistake to put off calling a lawyer when you find yourself facing complicated legal questions, contractual issues, potential litigation, mergers and acquisitions, or key strategic decisions, such as a voluntary disclosure involving an ITAR §126.1 prohibited destination. Classifying your products for export control purposes certainly does not normally require the services of a lawyer. In certain cases, however, experienced legal professionals, working in conjunction with technical experts, can provide indispensable assistance in reviewing complex products and radically new technologies, or sorting out ambiguous intellectual property questions, to ascertain the appropriate regulatory jurisdiction and export classification. In dealing with such thorny matters, they can help keep you out of hot water, and the earlier in the process you bring them in, the more they can help.

Product classification is a vast topic. We’ll share some further thoughts with you about how to set up effective classification processes and procedures at your company in future blog posts.

Meanwhile, in the next post of this series on export compliance essentials, “SECURE!” we’ll discuss how you can protect your company’s controlled technical data and information against access by unauthorized persons, both on the ground and in the cloud.

EXPORT COMPLIANCE IN 11 WORDS (Part 2 of 12):
A Series on Export Compliance Essentials

ANALYZE!

A risk analysis is the key to getting your business
ready for export compliance

As we noted in our previous post, there’s no such thing as a one-size-fits-all corporate export compliance system. Processes and procedures that are absolutely critical components of someone else’s compliance strategy might be impracticable and pointless for your company. Yet a compliance program with the wrong focus could weaken your competitive advantage by wasting time, money, and personnel on “protection” you don’t need, while leaving you exposed to being blindsided by severe penalties and crippling financial losses in areas where you actually are vulnerable.

Why Risk Analysis Is the Right Place to Start

Getting a business ready for export compliance is a challenging project. Before you can effectively address the real risks your company faces, you first need to know exactly what those risks are. You need to know how likely it is that you will be involved in a violation of the U.S. export laws, and how serious the consequences of such a violation would be. For that reason, the decision to conduct a comprehensive strategic risk analysis of your business from an export-compliance standpoint — preferably alongside an outside expert — is an indispensable prerequisite to all other compliance decision-making.

The first step in your analysis is an objective evaluation of your current information assets, systems, processes, procedures, people, and documentation. The company’s past, present, and future export customers, products, and services; the relevant U.S. laws and regulations; the likelihood of certain kinds of violation occurring; the nature and adequacy of the internal controls and personnel currently in place; the present regulatory environment and enforcement trends; the potential severity of penalties and fines, as well as other possible consequences for your business — all these issues and others need to be discussed in detail, analyzed, and evaluated before written policies and procedures can be formulated and put in place.

What’s the Difference?  “Risk Assessment” vs. “Directed Compliance Audit”

A directed export compliance audit is usually the outcome of a compliance issue that an exporter has experienced with the U.S. Government, one in which an independent compliance audit has been imposed as part of a settlement. The scope, focus, and completion date are mandated by the regulatory agency with which the issue is being adjudicated, whether DDTC, BIS, or OFAC. The report provided to the company by the auditor must be submitted to the agency, usually within a brief time span.

An export compliance risk assessment is a company-initiated examination of the efficiency and effectiveness of its export control process. The output from such an assessment includes a summary of the applicable U.S. export control requirements, an overall review and commentary on the existing compliance program (if any), and a detailed, process-by-process evaluation, typically presented in traffic-signal format (red, yellow, and green), with process “gaps” highlighted. The report on the findings of a risk assessment always includes recommendations for improvement and/or suggested corrective actions for potentially non-compliant activities that were found in the course of the assessment.

Following those recommendations and implementing those corrective actions is the best way to avoid a directed compliance audit.

What Do These Terms Mean? “Periodic” and “Independent”

The term “risk assessment” implies a formal, systematic process—something more than just an informal sizing-up or casual take on your compliance efforts. Industry “best practices” for ensuring corporate export compliance call for periodic independent compliance risk assessments.

“Periodic,” in this case, starts with annual assessments as a baseline.

“Independent” means that your risk level and the effectiveness of your current program need to be evaluated by a competent outside party.

“Competent” is simply common sense: the individual or team conducting the assessment needs to have the appropriate qualifications and specialized know-how, including a thorough familiarity with U.S. export controls and current risk assessment methodology. Competence may be established through relevant training and/or extensive experience. In the case of a directed compliance audit, the regulatory agency will require evidence of the qualifications of the person you have engaged to perform the audit. The U.S. Government won’t trust just anyone to assess corporate export compliance, and neither should you. So, here’s a hint: if you want to be sure you’re engaging a competent professional to conduct your risk assessment, look for someone whose résumé includes performing directed compliance audits.

“Outside” usually means that the review should be conducted by a person who is not a direct employee of your company. This is crucial, because you need an unbiased, impartial assessment of both the seriousness and likelihood of the non-compliance risks you are facing and the effectiveness of your current program and personnel. You need accurate results and recommendations you can rely on. Plainly, conflicts of interest could impair the objectivity of the findings. Common sense dictates that the more attached someone is to a situation—the more he or she has at stake—the more likely it is that the reliability of the assessment will be affected.

The Four Stages of the Risk Assessment Process

Although the details of every export compliance risk assessment are unique, the overall review process is similar in most cases, and typically involves four stages:

Stage 1:  Advance planning and preparation.

Stage 2:  An on-site visit.

Stage 3:  A report of the findings. This report should include quantitative ratings of your company’s risk of export violations in each area of your business operations. It should conclude with practical recommendations of corrective actions and procedural enhancements to address problem areas and mitigate the risks. The report’s recommendations should be summarized in a step-by-step, actionable plan that highlights the place to start in each business area.

Stage 4:  A scheduled follow-up review.

Why Assessing Compliance and Identifying Risks Is Not a Waste of Time

Perhaps you’re thinking that all this sounds like a significant investment of time, money, manpower, and energy, and wondering whether the investment is justified.  Are risk assessments really all that important? Will they truly add value to my business, or are they just a waste of time?

If you’re a U.S. exporter, periodic export compliance risk assessments, far from being a waste of time and corporate resources, are a valuable strategic tool that’s critical to your company’s continued survival in today’s global marketplace and regulatory environment. Let’s look at some of the reasons why that’s true.

Risk assessments can help you avoid severe penalties and fines. Violations of U.S. export laws can, and often do, result in stiff penalties. Criminal penalties can reach $1,000,000 and 20 years’ imprisonment per violation. Administrative penalties for civil violations are less severe, but can reach the greater of $250,000 per violation or twice the amount of the transaction (the dollar figure is adjusted periodically for inflation), and a single non-compliant export transaction typically results in multiple violations.

In addition to fines, individuals and companies that fail to comply with export controls are subject to other administrative sanctions, including denial of their export privileges and suspension of their right to contract with the U.S. Government—penalties that would spell ruin for many U.S. companies.

Perhaps those are some of the reasons no company looks forward to being visited by officials from the BIS’s Office of Export Enforcement or the DDTC’s Office of Defense Trade Controls Compliance, or the Treasury Department’s OFAC.

“Be prepared” is not just a good motto for Boy Scouts; it’s good policy for U.S. exporters, too. The most effective measure you can take to minimize the likelihood of a visit by enforcement officials is to budget for regular export compliance risk assessments of your firm and to take the action recommendations in the assessment report very seriously. Furthermore—and equally important—if your company has been conducting its own comprehensive assessments of its compliance processes all along, and an official visit by government agents does occur, you can be sure that you and your employees will undergo a minimum of stress. You’ll be confident that you can produce any records and documents requested without delay, and you’ll be primed to answer any questions with accurate and up-to-date information. The likelihood of penalties will be small, and the cost in staff time and lost productivity will be greatly reduced.

And while you’re weighing up the negative consequences of non-compliance, here are a few more to put on the scale: avoiding hefty fines and penalties and lessening the chance of official visits and directed audits are not the only reasons you’ll be doing yourself a favor by conducting periodic independent compliance risk assessments and implementing their recommendations. A history of export violations can (1) adversely affect your company’s financial position; (2) hold up or block a sale, merger, or acquisition; (3) scare off potential foreign customers; (4) tarnish your firm’s image and business reputation; and (5) damage your business in many other ways as well.

This is definitely a case where a relatively small investment can save big over future costs and consequences.

The regulatory agencies have made it plain that they don’t consider risk assessments a waste of time. If your company should need to make a Voluntary Disclosure of an export violation you’ve discovered, one of the standard questions the DTCC and OEE will ask when reviewing your case is whether any audits or reviews of your company’s export compliance have been conducted during the past five years. Do you really want to answer “No” to that question? In most settlement agreements, the regulatory agencies require the company to have its export compliance program independently audited and send them a copy of the report within a narrow time frame. Rather than wait for that to happen, doesn’t it seem wiser to be proactive?

Risk assessments produce effective compliance programs—a valuable business asset. An export controls risk assessment by a compliance professional is bound to result in improved compliance. And a good track record and strong reputation for compliance are good for your business. Especially in the defense trade sector, a robust global trade compliance program is recognized as a competitive asset, one that some firms even list on their web sites. Recent studies of the most successful U.S. companies agree on one characteristic they have in common: compliance is part of their corporate culture.

Risk assessments can help your whole business run more efficiently. The compliance risk assessment process and your company’s follow-up on its findings and recommendations will highlight better ways to integrate export-control processes and “best practices” for export compliance into the rest of your business operations, including quality assurance SOPs and other regulatory compliance programs. The likely result will be an uptick in the overall efficiency of all your company’s operations. In particular, implementing Restricted Parties Screening (RPS) software and integrating screening into your ERP system offer an opportunity to streamline your entire internal structure (including distribution process and supply chain management, inventory control, project planning, services knowledge base, and other critical business management processes). In the course of conducting an export controls risk analysis, many firms have discovered gaps in their cybersecurity that badly needed closing and areas where significant improvement was possible in the networking of company resources.

Stage 1:  Getting Ready for Your Export Compliance Risk Assessment

Step back and think about your whole business.  An export compliance risk assessment should not take place in a bubble. To be fully effective, it needs to be part of a review and examination of your company’s overall business operations. What other week-to-week business processes are likely to be impacted by modifications to your export compliance system? How do you plan to integrate the findings and remediation measures that will be prescribed into your overall quality assurance and regulatory compliance system? What are your long-term corporate goals? How could improvements in your export process help you accomplish them?

Formulate some risk-mitigation proposals of your own.  Consider discussing the risk of export violations and setting down your ideas, suggestions, and tentative plans to improve your company’s export process before the risk assessment, based on your own past experiences and observations. Talk over your ideas with the reviewers before or during the on-site visit stage of the risk assessment. Later on, you can list those ideas side-by-side with the action recommendations in the assessment report, and consider how to combine the two lists into a more successful and export-compliant business.

Find out who’s who when it comes to exports.  Identify the actors within your company. Which individuals or departments are actually responsible for export compliance on a daily basis? Which employees are the points of contact within each department? Having a clear understanding of the role each person plays in export transactions is essential, because commonly, depending on the size of the company, one person may wear multiple hats with regard to export responsibilities. Being able to provide the names and contact information for key actors dealing with exports in your company will help the risk assessment run smoothly and without a hitch.

During the on-site visit phase of the risk assessment, every employee involved with exports in any way should be available and prepared to speak about his or her role, answer any questions the outside reviewer may have about the company’s internal processes, and provide examples of paperwork or electronic records related to exports upon request. Because these employees understand the specific business process and its associated flow firsthand, they can give valuable input when it comes to process improvements and risk mitigation efforts.

Seriously question your cybersecurity.  Controlled technical data stored in electronic form is always an area of potentially high risk that must be scrutinized carefully, because such data and information is easily accessed, copied, and transferred elsewhere. For that reason, some probing questions need to be asked about data storage and access control. Where is your controlled technical information and data stored? What physical and electronic security measures are in place to protect it? What company policies govern data storage? What controls exist to ensure that access to the company’s export-restricted data is granted only to persons authorized under U.S. regulations? Remember that releasing controlled technical data to a foreign-person employee or contractor inside the U.S. can itself be a “deemed export,” so access control lists, not just firewalls, are part of your export compliance posture.

Pay attention to documentation and recordkeeping.  Review your company’s recordkeeping system and export documentation in advance of the on-site visit. Many U.S. exporters seem unaware that, according to U.S. export control regulations, recordkeeping and reporting are a very big deal, and a frequent cause of export violations. Exporters are legally required to maintain certain specific documents related to export transactions, and have them accessible for inspection, for at least five years. How and where are your records currently stored? Are they physically stored in an on-site location, or are they accessed electronically through the company servers? How conveniently and quickly can they be accessed? By whom? Each person involved in export compliance processes needs a clear understanding of the mandatory recordkeeping requirements and the company’s recordkeeping policy and practices. Make sure your export-related records will be conveniently available for review during the assessment visit, and consider how your system for saving, storing, and accessing them might be improved.

In the next post of this blog series on export compliance essentials, “EDUCATE!” we’ll discuss employee training—what it needs to cover and why it is critically important to the success of any corporate export compliance program.  

 

EXPORT COMPLIANCE IN 11 WORDS:
Introducing a Twelve-Part Blog Series on Export Compliance Essentials

If you’re a newcomer to the world of U.S. export controls and you’ve just been charged with setting up an export compliance program for your firm, we wouldn’t at all be surprised to hear that you’re feeling a little overwhelmed right now. Does “bewitched, bothered, and bewildered” describe your state of mind as you struggle to make sense of the export laws and regulations and sort out which ones apply to your company? Are you wondering where to start?

If you’re finding export compliance to be a daunting task, rest assured that you’re not alone. The ever-changing complexities of U.S. export laws and regulations, licensing requirements, economic and trade sanctions, arms embargoes, and other legal and regulatory constraints present unique challenges to U.S. exporters as they strive to meet their business objectives while remaining compliant. Actually, taking on those challenges successfully without the proper training and support is more than just daunting; it’s impossible.

At Export Compliance Solutions, we’ve gained quite a lot of experience over the years helping our customers — small and medium-sized businesses and organizations of all kinds, and some of the big guys, too — identify, analyze, resolve and mitigate the regulatory issues and risks of selling in the international marketplace. Based on that experience, we’ve prepared a brand-new blog series for you, in which we share the most important lessons we’ve learned, condensed and summed up in 11 key words. The twelve posts (including this one) that you’ll be reading over the next several weeks will by no means cover everything there is to know, nor will they answer all your questions about export controls. What this series will do for you is lay a solid groundwork for understanding how to protect your business against export violations. “Export Compliance in 11 Words” will provide you with a sound starting-point for formulating an intelligent and practicable export compliance plan tailored to the needs and realities of your business.

Here’s an overview of what’s ahead:

ANALYZE – Because every business is different, there is no such thing as a generic, all-purpose, one-size-fits-all corporate export compliance program. Processes and procedures that are critical components of another company’s compliance strategy may be impracticable in scope and inappropriate in subject matter for yours. A program that doesn’t fit your needs will waste time, money, and personnel, and may even weaken your competitive advantage, while providing little or no protection against violations, fines, and penalties in the areas where your business is actually most vulnerable. But you can’t design a program that effectively addresses the real risks your company faces until you are confident you know what those risks are. That’s why conducting a strategic risk analysis of your business from an export-compliance standpoint — preferably alongside an outside expert — is an indispensable prerequisite to everything else. The company’s past, present, and future export customers, products, and services; the likelihood of certain kinds of violations; the controls and personnel already in place; the current regulatory environment and trends; the potential severity of fines and other consequences — all these issues and others need to be discussed in detail, analyzed, and evaluated before written policies and procedures are formulated and put in place.

EDUCATE – The oversight and management of corporate export compliance in today’s world requires substantial and ongoing professional training, including — but by no means limited to — a thorough familiarity with all the applicable U.S. Government laws and regulations. Once you’ve acquired the necessary training and knowledge yourself, your number one priority as a compliance officer should be training others in your company. The goals of this training should be (1) instilling and maintaining a high level of export compliance awareness company-wide and (2) ensuring that management and employees at all levels understand their export control responsibilities and have the appropriate competencies and skills to carry them out effectively, so that exports are made in compliance with both U.S. laws and regulations and the company’s best interests.

CLASSIFY – Export compliance personnel must know their company’s products and services, clearly identify, flag, and classify those categories of products, services, or technical data which are subject to export controls, and fully understand which regulatory requirements apply to each category. They must also know their company’s customers and be able to pinpoint risks and vulnerabilities from a regulatory standpoint.

SECURE – Responsible information-handling practices are critical to export compliance. You are responsible to protect your company’s controlled technical data and information against access by unauthorized persons, both on the ground and in the cloud, not only inside your facilities, but wherever your business and its workforce interfaces with the global marketplace. Your employees need to know that if they’re sharing technical data, such as plans and blueprints, even within the U.S., or if they’re allowing the visual inspection of ITAR-controlled articles by foreign nationals, they’re exporting technology; and if they’re doing these without proper authorization, they’re committing an export violation.

SCREEN – “Screening” is the process of checking and cross-referencing the parties involved in an export transaction against the many, continually updated lists of restricted or denied parties maintained by various governments and government agencies. If you’re a frequent or regular exporter (or are actively seeking to market your goods and services more widely overseas) and you aren’t routinely using some kind of Restricted-Party Screening (RPS) software to screen your customers, consignees, suppliers, employees, etc., you’re a fool. But you’re an even bigger fool if you are relying on RPS software alone to flag high-risk transactions and detect potential compliance problems. Even with the necessary screening software in place and properly configured to your company’s needs, the dictum remains true: your company’s employees are your ultimate line of defense — which is why their training and motivation is absolutely critical to compliance.

DOCUMENT – Certain specific recordkeeping for export transactions is mandated by the EAR, the ITAR, and the various OFAC Sanctions programs. But an effective corporate compliance program ought to be tracking and documenting much more than that bare minimum. Not only do transaction and licensing records need to be complete, accurate, and secure, they also need to be readily accessible in case of a compliance audit or other investigation.

COMMUNICATE – Proper communications are essential to export compliance. Critical compliance communications include the timely filing of the multiple reports mandated by U.S. export laws and regulations, enforced by the regulatory agencies, as well as having procedures in place for making prompt voluntary disclosures when violations or possible violations are discovered. It also means developing a communications strategy for keeping management, employees, suppliers, and customers in the loop about regulatory changes and all other compliance-related concerns and issues, as needed.

MONITOR – Even the most carefully formulated policies and procedures are meaningless if actual, real-life compliance with them is not checked and verified, and if instances of possible or actual non-compliance are not reported and promptly addressed. Moreover, if the monitoring of internal compliance processes is only sporadic, occasional, or random at best, it is not likely to be effective, and consequently the risk of violations occurring will be high. But reliable, continuous monitoring and control of processes and procedures necessitates building and maintaining an appropriate infrastructure.

ASSESS – A corporate export compliance program is properly focused on identifying and mitigating risks and vulnerabilities. To evaluate the effectiveness of your compliance efforts, frequent internal assessments and audits of processes and procedures are indispensable. So are periodic independent outside reviews of your overall compliance policies and program. It is critically important that the findings and recommendations of these reviews be reported to top management. Short-term and long-term follow-up on the implementation of corrective measures and program improvements should be an integral part of the review process.

ADAPT – Regulatory, technological, and business environments are rapidly and continually changing, and those changes are unavoidably impacting your company. “Innovate or die” is a common adage in the business world, and, while it may sound a bit melodramatic, it expresses a simple truth. If your company is surviving — and, we hope, thriving! — it’s safe to say you’ve made some significant changes over the last couple of years, and that’s all to the good. But if your export compliance program isn’t changing and adapting along with the rest of your business, your company’s survival may be at risk.

OWN – An effective export compliance program requires buy-in, visible involvement, and credible commitment on the part of top management — communicated, among other ways, by the allocation of adequate personnel and resources to the compliance function. When this sort of management commitment is perceived, when employees see that management is taking compliance seriously, company-wide engagement and employee motivation are likely to follow. Your compliance standards and policies, as well as the rationale behind them, should not only be spelled out explicitly in writing, but also well understood and acknowledged by each employee. Individual export compliance responsibilities need to be clearly articulated and included in job descriptions to ensure personal accountability and ownership. Moreover, your employees need to know that rules and procedures will be strictly enforced. The predictable result of not clearly assigning ownership of a process is a failed implementation of the process.

It is often said that without a top-down, pervasive corporate culture of compliance, no export compliance program will ultimately succeed. That may sound trite, and perhaps a bit corny, but it is nonetheless true, and its importance should not be underestimated. The human element remains the key to compliance. If you’re training your employees so they know how to do the right thing and motivating them so they want to do it, you’re on the way to creating a risk-aware corporate culture of compliance—the necessary foundation for any effective export compliance program.

Sound like information you need to know? If you’re new to export compliance responsibilities, or if you’re already dealing with U.S. export controls and would appreciate an update and review of the basics, you won’t want to miss a single one of the posts in this series. Sign up today for a free subscription to An EAR . . . to the ITAR and we’ll notify you of each new installment during the weeks ahead.

BIS Proposal Mirrors OFAC Penalty Guidelines: How Will This Impact Your Compliance Program?

On December 28, 2015, the Commerce Department’s Bureau of Industry and Security (BIS) published a Proposed Rule (80 FR 80710) that—if adopted—would revise the agency’s guidance concerning the settlement of civil (a.k.a. administrative) enforcement cases for export violations under the EAR.

The proposed changes would not apply to penalties imposed in civil cases involving Restrictive Trade Practices and Boycotts (Part 760 of the EAR), for which the current enforcement guidance in Supplement No. 2 of Part 766 would still apply; nor would they apply to penalties in criminal cases, which BIS refers to the Department of Justice for prosecution.

BIS will accept comments on this Proposed Rule until February 26.

What is BIS’s reason for revising the current guidelines?

The preamble to the proposal states that this revision is intended “to make administrative penalties more predictable to the public.” A second reason given is perhaps the most important one: to bring the Commerce Department’s enforcement policies into line with the penalty guidelines followed by the Treasury Department’s Office of Foreign Assets Control (OFAC).

In 2009, OFAC put into place a revised set of Economic Enforcement Guidelines for the Treasury Department’s sanctions programs. Since then, “the OFAC Guidelines” have provided a helpful framework of factors used by OFAC to determine whether or not to impose monetary penalties, and if so, how much. What BIS is now proposing is essentially a rewrite of its current “Guidance on Charging and Penalty Determinations in Settlement of Administrative Enforcement Cases” (found in Supplement No. 1 to 15 CFR Part 766) to make it substantially similar to those OFAC guidelines.

Greater transparency to the exporting community, harmonization of licensing policies and definitions among the regulatory agencies, and better coordination of enforcement actions are certainly laudable goals. They were important objectives of Phases I and II of the U.S. Government’s Export Control Reform Initiative (ECR) when it was launched in 2010.

What will change if these guidelines are implemented?

Perhaps the most significant change is that the Proposed Rule would amend the factors BIS will consider when deciding whether to pursue administrative charges or settle allegations of EAR violations and when setting penalties in civil enforcement case settlements; it also explains how penalties would be calculated. The current BIS guidelines only list the factors to be taken into account in determining appropriate enforcement. The revised guidelines now under consideration—patterned after OFAC’s Guidelines—would use the transaction value to determine a baseline for assessing a civil penalty, applying a systematic calculation method set out in the Proposed Rule.

Under the proposed guidelines, BIS would first decide whether an enforcement case should be categorized as egregious or non-egregious. (Some of the factors that would enter into their decision are explained in the proposal.) They would also look at whether or not the apparent violations had been voluntarily disclosed by the exporter. These two factors, taken together with the transaction value (defined as the total U.S. dollar value of the transaction) and the maximum applicable penalty for each violation, as fixed by law, would be used to calculate a “base amount” for assessing penalties in the case. (The formulas to be employed in that calculation are explained in detail in the proposal.) Next, the agency would ascertain how many apparent violations of the EAR had occurred.

Finally, the presence of certain aggravating factors (e.g., indications of willfulness or recklessness, extent of harm done to the goals of the regulatory program) and/or mitigating factors (e.g., evidence that effective remedial measures were promptly taken, exceptional cooperation with OEE, likelihood that a license would have been approved if applied for) and/or general factors (e.g., an operational corporate compliance program conforming to the BIS guidelines for exporters)—these would all be considered and weighed to decide whether the penalty should be adjusted downward, or upward (capped by the statutory maximum), and by how much.

The maximum legal penalties for violations of the EAR would not be affected by the Proposed Rule. The Export Administration Act (EAA) of 1979—the legal basis for U.S. export controls on dual-use items—actually lapsed in 2001 and has never been reauthorized by Congress. At present BIS derives its statutory authority to administer and enforce the EAR from the International Emergency Economic Powers Act (IEEPA), the same statutory authority by which OFAC implements most of its economic sanctions programs. Under the terms of the IEEPA, the maximum applicable penalty for civil violations can be as high as $250,000 for each violation, or twice the value of the transaction, whichever is greater. (If you are thinking that’s a very steep fine, you’re entirely right. Consider, however, the penalties associated with criminal violations under the IEEPA: a fine of up to $1 million or 20 years in prison. Or both. For each violation.)

Is this proposed change likely to result in higher penalties than we’re seeing now?

That’s a good question, but it’s hard to answer with any certainty. It will largely depend on BIS. Under the Proposed Rule, the penalty amounts would still be determined by the agency on a case-by-case basis, and the revised guidelines allow considerable enforcement discretion. Very considerable discretion.

BIS says it wants to retain sufficient administrative flexibility under the revised guidelines to allow proportionality in its enforcement actions. Instead of being tightly bound to mechanical penalty calculations, the agency will consider the totality of the circumstances in each case and tailor its response to the seriousness of the violation. Be that as it may, the trade-off for greater flexibility in regulations is always less certainty and predictability. That’s one reason why it isn’t entirely clear how the proposed guidelines would affect the size of civil penalties imposed.

One thing is quite clear: the Proposed Rule provides for significantly higher civil penalties in “egregious” cases. BIS assures exporters that it expects the vast majority of apparent violations investigated by its Office of Export Enforcement (OEE) to fall into the “non-egregious” category. Judging by the record of OFAC, which has been following a similar enforcement approach over the last six years, that does seem very likely. But it isn’t as reassuring as it might be. Here’s why: in addition to determining the penalty amount for each violation, BIS expressly retains the administrative discretion to determine how many violations have occurred in an enforcement case. If you’re thinking that this is simply a matter of knowing how to count, think again. Even under the current guidelines, OEE has been known to “pile on” violations in certain cases. What that means is something like this: if the identical incorrect information (say, a wrong ECCN, description, or monetary value) has been entered in multiple fields of the AES filing, it may be counted—at OEE’s discretion—either as a single export violation or as multiple separate violations, and be charged accordingly. In this way, even “non-egregious” violations can result in unexpectedly large penalties.

And there are other reasons why it’s hard to predict the impact of the revised guidelines on the size of penalties: the definitions of some key regulatory terms in this Proposed Rule are less than precise. Take the term “transaction value,” for example. Under the Proposed Rule, this value is to be the starting point for most penalty calculations. That means it is critically important that we know precisely how BIS will determine the “transaction value” in a given enforcement case. Regrettably, the definition of this term provided in the Rule raises more questions than it answers:

Transaction value means the U.S. dollar value of a subject transaction, as demonstrated by commercial invoices, bills of lading, signed Customs declarations, or similar documents. Where the transaction value is not otherwise ascertainable, BIS may consider the market value of the items that were the subject of the transaction and/or the economic benefit derived by the Respondent from the transaction, in determining transaction value. In situations involving a lease of U.S.-origin items, the transaction value will generally be the value of the lease. For purposes of these Guidelines, “transaction value” will not necessarily have the same meaning, nor be applied in the same manner, as that term is used for import valuation purposes at 19 CFR 152.103.

What do you think of that definition? Clear . . . or cloudy? Egregious or non-egregious? Once these guidelines have been finalized and implemented, BIS will presumably provide answers to some of the questions exporters will surely be asking about this: What transaction is the “subject transaction”? How will the referenced documents be used in determining its value? What happens when the documents contain inconsistent information? In what circumstances is the transaction value considered to be “not otherwise ascertainable”? How will “market value” and “economic benefit” be evaluated? Which of these two values will be prioritized? Once we know how BIS understands this and other key terms in the revised guidelines, we’ll be in a better position to assess the impact of the changes on penalty amounts.

Should we expect to see more enforcement actions by BIS if this rule is implemented?

Yes, you can definitely expect to see more enforcement actions by BIS, but probably not as a result of these revised guidelines—at least, not directly.

BIS says it does not expect the adoption of this Proposed Rule to increase the number of cases which are charged administratively—and which therefore result in monetary penalties, rather than being closed with a warning letter. We have no reason to doubt that statement. Nevertheless, BIS’s statistics show without a doubt that it has been drastically ramping up its enforcement of the EAR over the past several years. The agency has significantly increased its manpower, enhanced its enforcement tools, and broadened the scope of its investigations. Its pursuit of export violations—both civil and criminal—has intensified each year. There is every reason to believe that trend will continue.

Insofar as clearer rules, more explicit guidance, and greater alignment with other agencies (such as OFAC) will allow more cases to be brought forward, and either settled or charged, we expect the implementation of this Proposed Rule to facilitate the current trend.

Will Voluntary Self-Disclosures still be a mitigating factor under this Proposed Rule?

Technically, no. Voluntary Self-Disclosures are no longer stated to be “mitigating factors” per se.

But actually, yes. And that’s a very definite yes. Under this Proposed Rule, which closely follows the OFAC Guidelines, whether or not the exporter has submitted a VSD is the second most significant component in establishing the base penalty amount. So, this new proposal is entirely in keeping with BIS’s longstanding policy of strongly encouraging voluntary notifications of violations. Export violations that were completely disclosed in a timely VSD would be afforded more significant deductions in the base penalty amount than would have been afforded if BIS had discovered the violation independently.

According to BIS, only three percent of VSDs submitted over the past several years have resulted in a civil penalty. In most cases, BIS says, VSDs result in the issuance of warning letters.

BIS’s enforcement statistics, as well as the penalty calculation formulas in the Proposed Rule, indicate that an exporter would be wise to voluntarily self-report as soon as possible whenever a potential violation is discovered. Of course, whether or not a VSD is warranted by your company’s specific circumstances is a matter you should discuss with your corporate legal counsel. Generally speaking, however, submitting a full voluntary self-disclosure, including an account of corrective measures immediately taken to guard against future violations, is likely to limit potential penalties.

One caveat though: BIS does not look favorably on exporters who submit untruthful or misleading VSDs, or attempt to conceal some of the facts.

Would the implementation of this Proposed Rule be good news or bad news for U.S. exporters?

On the whole, probably good news.

Good News #1: Despite the uncertainty and unpredictability we noted above, due to BIS’s broad discretionary power in enforcing the EAR, the new guidelines should aid exporters—at least, to some extent—in estimating the range of likely penalties, especially for export violations that involve both the EAR and OFAC sanctions programs.

Good News #2: The trade-off for uncertainty and unpredictability, as we also noted above, is enforcement flexibility. In settlement negotiations, we would expect the flexibility and discretionary powers retained by BIS under this Proposed Rule to work in an exporter’s favor. In appropriate cases, BIS has the authority to suspend or defer payment of a civil penalty, taking into account whether the Respondent has demonstrated a limited ability to pay, whether the matter is part of a global settlement with other U.S. Government agencies, and/or whether the Respondent has agreed to apply a portion or all of the funds suspended or deferred for purposes of improving the company’s internal compliance program. Should your company ever be the Respondent, we’re certain you’ll see that as good news!

Good News #3: Even now, while the new guidelines are not yet in place, the Proposed Rule is already very helpful to exporters, as an indication of the approach to settlement and penalty determinations that BIS is likely to take in the years ahead.

What else should I take away from this?

One more thing: in case this wasn’t already abundantly clear to you, the Proposed Rule makes it even clearer: creating, maintaining, and prioritizing a comprehensive corporate compliance program that incorporates all the key elements identified in the BIS Compliance Guidelines—including written guidelines that tell your company’s employees exactly what is expected of them and provide a framework for senior management to engage intelligently with all compliance issues—is a critical requirement for every U.S. exporter, and is certain to become even more critical in the months and years ahead.

The Key Elements of an Effective OFAC Compliance Program

Question: What advice can you offer on how to set up and maintain a successful OFAC compliance program?

Because each company has different risks and different risk tolerances, there is no simple and clear formula for creating a successful OFAC compliance program. Nevertheless, the “Compliance Program Guidelines” issued by DDTC, the “Compliance Guidelines” issued by BIS, and the summary of “Regulations for Exporters and Importers” issued by OFAC identify certain elements that each agency considers essential for a program to be effective. The advice given by the three agencies has a great deal in common. Here are the key elements of any effective corporate export compliance program, with a few comments about each.

Management Commitment and a Strong Compliance Culture

In order for any compliance measures to be effective, the Board of Directors and senior management must buy into and commit to the success of the program. By clearly demonstrating their support and participation, the company’s leadership can set the tone for the entire staff and foster a culture of integrity—which includes transparency and compliance—throughout the organization. That means, among other things, a culture of self-reporting possible violations and inquiring to assess their scope and the extent of program exposure, instead of a culture of covering up and writing off penalties for violations as “a cost of doing business.”

A Qualified and Empowered Export Compliance Officer

Unless your company is very small, the appointment of a dedicated Export Compliance Officer (ECO) with a clear mandate to focus on this critical function is highly desirable. Consider that your ECO is charged with protecting you from risks where penalties can reach hundreds of millions of dollars. With a roster of laws and regulations that is continually changing, managerial staff in internal control roles today have a more challenging job than ever before, with ever-wider responsibilities.

Your company’s ECO should:

— have a direct line of communication to the Board of Directors and senior management.

— be knowledgeable concerning the ITAR, EAR, and OFAC regulations, and have a good working understanding of your company’s products, services, technologies, suppliers, and customer base. Don’t hire an inexperienced individual, unqualified for the role, and don’t skimp on his/her ongoing education and training.

— have full authority to look into all compliance-related matters and put together a project team to address and resolve problems when they arise.

— have sole responsibility for managing communications with regulatory agencies (such as Commerce/BIS, State/DDTC, and Treasury/OFAC) for all compliance-related issues.

— be responsible for monitoring official announcements and press releases from DDTC, BIS, and OFAC daily for developments or enforcement actions that could impact your company’s line of business or its suppliers, and for communicating changes in regulations, policies, or procedures to company personnel by means of in-house e-mails, newsletters, announcements, or notices posted on the company intranet.

Thoughtful, Clearly Articulated Internal Policies, Procedures, and Controls

The level of sophistication of your internal compliance controls will naturally depend on the nature and scale of your business. What is essential is that policies, procedures, and controls be carefully thought out, clearly set down in writing, and effectively communicated to all employees, agents, and business partners. Individual compliance responsibilities should also be expressly included in job descriptions and performance evaluations of personnel, as appropriate.

You need to provide your employees with an easy way—such as an anonymous hotline or “help line”—to report potential violations of U.S. export laws and regulations or of the company’s export compliance policies without fear of reprisal; and you need to be consistent in investigating each report, and in implementing disciplinary procedures to address violations when they are encountered.

Effective Use of Information Technology

To avoid OFAC violations, it is crucial that companies have robust screening procedures in place that cover transactions, customers, suppliers, personnel, and business partners. This is a daunting task, because OFAC is concerned not only with a relatively small number of country sanctions (such as those found on BIS’s Commerce Country Chart and DDTC’s Country Policies and Embargoes chart), but also with many thousands of Specially Designated Nationals (SDNs), an ever-changing list of individuals, business entities, groups and organizations, banks, and even ships (or “vessels of concern,” as OFAC calls them). Nor is the SDN List the only list against which transactions should be screened. There are also BIS’s Denied Persons List, Entity List, and Unverified List, DDTC’s Debarred Parties List, the FBI’s Most Wanted Terrorist List, the United Nations 1267 List, the European Union Sanction List, the HM Treasury Sanction List, and others as well.

Even if your company is small, reliance on manual screening and monitoring processes alone now carries an unacceptably high risk and should no longer be considered a viable option. Today it is imperative that U.S. exporters use information technology to the maximum extent feasible in seeking to implement the know-your-customer rule (KYC) and other due-diligence measures for preventing unlawful diversion and ensuring that their shipments will reach only authorized end-users for authorized end-uses. A reliable screening software solution that uploads changes to the list as close to real-time as possible is a critical element in any company’s compliance program.

Many “off-the-shelf” transaction monitoring systems—most of them web-based—are available, at a wide range of prices and with a range of features that include basic screening against multiple denied parties lists, batch screening, sophisticated search algorithms employing “fuzzy logic,” the ability to generate custom reports of all kinds, automated recordkeeping, and real-time monitoring with immediate notification of any changes. But even with the purchase of commercial software, developing and implementing a screening system that will protect your company effectively is going to require the investment of some time and effort to calibrate, configure, and fine-tune the screening algorithm to match your business’s specific needs. The failure to do so will render even the best screening software ineffective and leave your company at risk. Screening software also brings with it certain inevitable limitations, including the potential for false positives, even after the screening algorithm has been optimally configured for your company’s risk profile. In some cases, it will be necessary to follow up the screening with manual reviews of entities or persons.
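As an added illustration of the calibration problem just described (example code written for this post, not the product of any screening vendor or agency), the following Python sketch normalizes party names, scores them against a restricted-party list with fuzzy matching, and routes borderline hits to manual review instead of auto-clearing or auto-blocking them. The list entries, party names, list labels and thresholds are all constructed placeholders, not real SDN or Entity List data.

```python
"""Restricted-party screening with name normalization and fuzzy matching.

Added example, not any vendor's or agency's software. Every list entry,
party name and list label below is a constructed placeholder.
"""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed sample entries (placeholders, not entries from any real list).
RESTRICTED_PARTIES = [
    {"name": "Example Trading Company Ltd", "source": "CONSTRUCTED-LIST-A"},
    {"name": "Ivan Petrovich Primerov", "source": "CONSTRUCTED-LIST-A"},
    {"name": "Acme Precision Instruments GmbH", "source": "CONSTRUCTED-LIST-B"},
]

# Corporate suffixes carry no identifying weight; left in place they would
# separate "Example Trading Co., Ltd." from "Example Trading Company Ltd".
CORPORATE_SUFFIXES = {"ltd", "limited", "llc", "inc", "co", "company",
                      "corp", "corporation", "gmbh", "sa", "plc"}

# Thresholds chosen for this illustration only; a real deployment calibrates
# them against its own customer base and risk profile (assumed values).
BLOCK_THRESHOLD = 0.90
REVIEW_THRESHOLD = 0.70


@dataclass
class ScreeningResult:
    party: str
    best_match: str
    source: str
    score: float
    decision: str  # "BLOCK", "REVIEW" or "CLEAR"


def normalize(name: str) -> str:
    """Fold accents and case, drop punctuation and corporate suffixes, and sort
    the tokens so that 'Primerov, Ivan' and 'Ivan Primerov' compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = re.sub(r"[^a-z0-9 ]+", " ", folded.lower())
    tokens = [t for t in folded.split() if t not in CORPORATE_SUFFIXES]
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Score in [0, 1]: the better of a character-level edit ratio and a
    token-overlap (Jaccard) ratio, both computed on the normalized names."""
    na, nb = normalize(a), normalize(b)
    char_ratio = SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    token_ratio = len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0
    return max(char_ratio, token_ratio)


def screen(party: str, restricted=RESTRICTED_PARTIES) -> ScreeningResult:
    """Screen one party against every list entry and keep the strongest hit.

    BLOCK: near-certain match.  REVIEW: plausible match, a human must clear or
    confirm it (this is where look-alike names, i.e. false positives, land).
    CLEAR: no entry scores above the review threshold."""
    best = max(restricted, key=lambda entry: similarity(party, entry["name"]))
    score = similarity(party, best["name"])
    if score >= BLOCK_THRESHOLD:
        decision = "BLOCK"
    elif score >= REVIEW_THRESHOLD:
        decision = "REVIEW"
    else:
        decision = "CLEAR"
    return ScreeningResult(party, best["name"], best["source"], round(score, 3), decision)


def screen_batch(parties):
    """Batch screening of a list of party names (constructed input)."""
    return [screen(p) for p in parties]


if __name__ == "__main__":
    # Constructed transaction parties: a true hit written differently, an
    # individual with only an initial, a look-alike name, and a clean party.
    for r in screen_batch(["EXAMPLE TRADING CO., LTD.", "Ivan P. Primerov",
                           "Exemplar Trading Inc", "Northwind Logistics Inc"]):
        print(f"{r.decision:6} {r.score:.3f} {r.party!r} -> {r.best_match!r} ({r.source})")
```

The look-alike "Exemplar Trading Inc" scores high enough to land in REVIEW, which is exactly the false positive the text warns about: tightening the threshold to suppress it would also drop the initials-only individual to CLEAR, so the trade-off has to be calibrated, not guessed.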

In the course of performing compliance audits and risk assessments for exporters, both large and small, in the U.S. and overseas, our audit teams still encounter far too many companies that employ a manual transaction screening procedure that consists of logging on to a series of web sites, screening customers, vendors, personnel, and other entities of concern, one at a time, against a hodgepodge of lists, and then updating the results of the search on a tracking spreadsheet. Not only is this manual method time-consuming and limited in the number of lists you can reasonably screen against, but it also does not lend itself well to compliance records retention. Spreadsheet programs, such as Excel, were never meant to function as databases. They are not secure and are notoriously error-prone. They cannot handle attachments of documents, photos, licenses, verifications, and other evidence. While it is true that they are easy to use and convenient to update, because they lack the ability to track changes over a period of time and have no audit trails for data or formulas, they are an auditor’s nightmare. Even the most basic IT-based screening and monitoring solution is clearly preferable.

Ongoing, Relevant Employee Training

Regular employee training, ensuring that all staff understand the applicable laws and regulations as well as the business’s policies, processes, and specific risk profile, has always been a key component of any corporate compliance program. But for OFAC compliance, training is even more critical than it is for ITAR and EAR compliance, due to the dynamic nature of U.S. trade embargoes and the speed with which some programs are announced and evolve. Even automated screening can go only so far in helping to detect sanctions violations. Consider that entities on the SDN List can open fake bank accounts, individuals can create false identities, and both can use proxies or agents to place orders on their behalf internationally. There is always some degree of risk that you are doing business with someone you shouldn’t and are violating OFAC’s rules. Alert, trained employees will spot red flags and inconsistencies that software can’t.

For that reason, you need to identify your company’s frontline employees from a compliance perspective—those whose duties require an awareness of ITAR, EAR, and OFAC regulations—and train them to understand the sanctions vulnerabilities you face and how serious these are, spot potential problems quickly, and respond appropriately. Those men and women are your ultimate line of defense. Even when there is a strong commitment on the part of management and when sound internal processes are in place, a work force without proper training will leave your company exposed and at high risk. All the compliance policies, procedures, and “best practices” in the world are worthless unless they are known, correctly understood, and followed by your employees. Even worse, they may create a sense of false security.

Export compliance training needs to start right away, with new employee orientation. Regular retraining events should provide updates to internal policies, procedures, processes, and monitoring systems. In order for compliance awareness training to be fully effective, it needs to include realistic practical illustrations of potential violations and credible scenarios of suspicious activities with “red flags” that should put a transaction on hold and trigger a report to Compliance. For that reason, off-the-shelf employee training materials should never be simply purchased and deployed “out of the box”; they must first be tailored to the specifics of the company’s business. This is definitely not a situation where “one size fits all.”

The following are some of the most common weaknesses our teams have observed when assessing corporate training programs:

— Employee training is not conducted regularly or frequently enough.

— Deadlines for completing or renewing training are not enforced.

— Training content is not being updated.

— Training is deployed, but without any test or questionnaire to verify knowledge retention.

— When employees were found to have breached either U.S. export regulations or the company’s stated compliance policy, additional employee training was not conducted to remedy the situation and prevent repetition.

Remember—

“Every one of your employees has the ability to damage—or to protect
and enhance—the reputation of the company.”

Independent Reviews and Risk Assessments

Regular compliance reviews and assessments, conducted by experienced outside auditors, consultants, or other qualified independent parties, are really the only reliable way to verify that your OFAC compliance program is operating as effectively as possible and is fully compliant with the law. It is imperative that these assessments be performed by an individual or team not directly tied to or responsible to the Compliance Department. In very large corporations, they could be conducted by the Internal Audit Department, if one exists, but only if Internal Audit has proper specific export compliance expertise. Otherwise, the company should hire experienced external consultants.

The frequency of these reviews should be commensurate with your company’s risk profile. Every 12 to 18 months is typical. Ask the reviewers to report their findings directly to the Board and/or senior management—not only to the compliance officer or department. And it’s always a good idea to ask that an Executive Summary be included in the written report. The report should aim at giving management practical insight into the programmatic strengths and weaknesses. It should also suggest specific remedial actions to bring the company back into full compliance. Those suggestions should not be ignored.

Remember—

“A single weak or missing element will undermine
your entire OFAC compliance program.”

OFAC: The Not to Be Forgotten Part of Export Compliance (Part 3 of 3)

Question: I’m seeing a lot of headlines about OFAC sanctions in the global trade news lately. Why has developing a corporate OFAC compliance program suddenly become so important?

Over the past few years, the U.S. Government has increasingly looked to trade embargoes and economic sanctions programs, which OFAC administers, to help achieve its foreign policy and national security objectives. Sanctions have also served as an integral component of America’s counter-terrorism strategy and campaign to halt the spread of weapons of mass destruction. More recently, they are being employed in innovative ways to combat malicious cyber activity and transnational organized crime.

Not surprisingly, given that America’s economy and capital markets are still the largest in the world, U.S. sanctions have had a dramatic impact on international trade; in multiple instances, they appear to have been effective in influencing the behavior of countries that the government viewed as national security threats. Because of the proven effectiveness of these measures, and probably also because of the nation’s current economic state and a generally war-weary public, sanctions have become a tool of first resort for U.S. foreign policy. Consequently, we have seen OFAC (with help from the Department of Justice) ramping up its sanctions enforcement and aggressively pursuing potential violators throughout the world.

Major prosecutions under the Foreign Corrupt Practices Act have made the headlines several times this past year. Economic sanctions enforcement seems poised to be the next big focus for government regulators. U.S. businesses that operate, or intend to operate, in the global marketplace urgently need to take a close look at their corporate export compliance programs and develop strategies for complying with rapidly changing regulations and enforcement policies in this area.

(1) Proactive is always better than reactive.

More and more large U.S. and multi-national corporations, especially those who are prime U.S. Government contractors, are now addressing the OFAC compliance challenge and requiring all those with whom they do business—subcontractors, vendors, suppliers, partners—to demonstrate a similar diligence. Addressing the OFAC compliance challenge on your own timeline, rather than waiting until you are obligated by a contract or business transaction to do so, will allow you to choose compliance options that are cost-effective for your company’s business model, circumstances, and goals.

(2) The recent Yates Memo has sounded a new warning note and made enforcement more personal.

The policy memorandum issued on September 15, 2015 by Deputy Attorney General Sally Quillian Yates appears to signal a more aggressive approach by the U.S. Government that prioritizes the prosecution of individual corporate executives in cases of corporate wrongdoing, including sanctions violations. While the insistence on individual accountability for corporate misdeeds is not new, the policy outlined in the Yates Memorandum places a greater emphasis than before on requiring the corporation’s internal investigation to identify the individual decision-makers who were involved in, or were responsible for, the regulatory noncompliance. Essentially, companies that want any “cooperation credit” from the U.S. Government (i.e., mitigation of penalties) will first need to fully disclose to the prosecutors the results of their internal investigation concerning the employees and senior executives involved.

Although the significance and implications of the Yates Memo are not yet entirely clear, the trend in regulatory enforcement that it represents underscores the need for companies to have more effective export compliance policies and procedures in place. You may want to consider including policies that spotlight individual accountability and processes that facilitate the rapid triage of incident reports and immediate and thorough investigations when appropriate.

Question: In what ways is achieving and maintaining OFAC compliance a greater challenge for a company than ITAR and EAR compliance?

(1) OFAC sanctions are continually evolving. U.S. trade embargoes and economic sanctions, and the names of entities on the SDN List, can and do change very quickly—even overnight. For that reason, keeping abreast of new and evolving programs and ensuring compliance with recordkeeping, reporting, licensing, and other OFAC requirements can be extraordinarily difficult.

The Treasury Department’s SDN List contains several thousand names, and people or organizations can be removed from it, or added to it, at any time. Several foreign jurisdictions, including the European Union, Canada, and Mexico, also maintain “blocking statutes” that may address the U.S. trade embargoes and sanctions concerns, and a wide range of other restrictive measures as well, so your company’s transactions may need to be screened against multiple lists. What is more, some of these restrictive measures may conflict with U.S. regulations. Due diligence requires continuous, real-time, comprehensive monitoring to ensure that your dealings and transactions with foreign countries and individuals are not in violation of OFAC prohibitions.

(2) OFAC sanctions are extraordinarily comprehensive. In addition to prohibiting certain transactions, OFAC regulations prohibit U.S. persons from “facilitating” (i.e., assisting, supporting, directing, or approving) a transaction by, or with, a sanctioned entity. The regulatory definition of “facilitation” is quite general, and its concrete interpretation has not been clear, since enforcement actions against companies for “facilitation” violations have been fairly infrequent. That situation has now changed dramatically. In the past few years, the U.S. Government has begun aggressively pursuing criminal actions against individuals and firms that “willfully facilitate” sanctions violations. Referring prohibited business to a foreign party, providing guidance or advice on a prohibited activity, financing or insuring or guaranteeing a prohibited transaction, providing merchandise or services in connection with a prohibited activity—any or all of these may constitute facilitation, and thus violate the OFAC regulations.

Most OFAC Sanctions Programs apply to “U.S. persons,” a term embracing U.S. citizens, permanent resident aliens, entities organized under the laws of the U.S. or any jurisdiction within the U.S. (including foreign branches of U.S. corporations), and any persons in the U.S. However, some sanctions programs state a wider jurisdiction. The Cuban Assets Control Regulations (CACR), 31 C.F.R. Part 515, use a more broadly defined term, “Persons subject to the jurisdiction of the U.S.,” which includes foreign subsidiaries of U.S. companies (see 31 C.F.R. §515.329 and §515.330).

(3) OFAC violations can carry staggering penalties.

Violations of the OFAC regulations may incur either civil or criminal penalties, or both. We have seen a very aggressive enforcement trend over the past few years. Increasingly, the U.S. Government has chosen to pursue criminal charges against violators (or has settled cases using criminal allegations), and a series of record-setting penalties have been imposed for OFAC sanctions violations. Examples within the last year include the almost $1 billion in fines handed down to BNP Paribas, and more recently Commerzbank’s agreement to pay $258 million in fines for falsifying business records for sanctioned countries. Nor is it only banks that have been prosecuted for sanctions violations. The Department of Justice recently agreed to a fine of $232 million to settle criminal charges with Schlumberger Oilfield Holdings Ltd for violating U.S. sanctions. That action and a few others are indications that regulators may soon be turning their attention to U.S. manufacturing companies as well.

* * *

A serious OFAC compliance program demonstrates that your company is aware of the SDN List and sanctions regulations, understands the risks, and is actively trying to prevent OFAC violations. If a violation does occur, it will be a strong mitigating factor against severe penalties. In some recent criminal prosecutions, the U.S. Government has contended—and the Courts have agreed—that failing to have an adequate compliance program in place was an indication of “reckless disregard” and therefore supported prosecution of the company and individual employees for willful, criminal violations of regulations. Depending on the sanctions program, criminal penalties for willful violations can include fines of up to $20 million and imprisonment of up to 30 years. Even worse, a single transaction can produce multiple violations, placing a company at risk of significant liability.

In addition to avoiding draconian penalties, another good reason for making OFAC compliance (and EAR/ITAR compliance) a high priority is minimizing costly and time-consuming investigations. Even if the finding is that no violation has occurred, or if civil penalties are eventually waived due to mitigating factors, responding to U.S. Government queries regarding potential violations and conducting comprehensive internal investigations can place a heavy and damaging burden on corporate resources.

Given those risks, it’s hardly surprising that more and more company boards and senior executives are moving enhanced OFAC compliance measures to the top of their agendas.

Catch next week’s post “The Key Elements of an Effective OFAC Compliance Program” for advice on how to set up and maintain a successful OFAC compliance program.

OFAC: The Not To Be Forgotten Element of Export Compliance (Part 1 of 3)

Question: I read in the Daily Bugle recently about a small family-owned business in Maryland with only ten employees that had to pay a $78,750 penalty for alleged export violations. The article said they had shipped three HVAC duct fabrication machines to a company in China and received payments for them “without authorization from OFAC.” Can you tell me what this is all about? I’m familiar with ITAR and EAR export controls, of course. As a U.S. manufacturer and exporter, my company is registered with the State Department’s DDTC, and we’ve applied for multiple BIS export licenses using the SNAP-R system, but this was new to me. How much do I need to know about OFAC? Bottom line: how critical is this for my company?

Yes, you should know about this. Not knowing can be costly and painful, as that company you read about in the news—Precision Products Inc. (PPI) of Charlotte Hall, Maryland—learned to their dismay earlier this year. You, too, are among those to whom OFAC regulations apply.

OFAC, the Office of Foreign Assets Control, is an often overlooked but extremely powerful and far-reaching agency of the Treasury Department. Its mission is to administer and enforce economic and trade sanctions based on U.S. foreign policy and national security goals. Many of these sanctions programs—prohibitions on financial dealing—have been put in place by the U.S. Government to ensure that companies don’t unwittingly do business with terrorist organizations, sanctioned countries, nationals of some countries, and other specified entities who are engaged in activities related to the proliferation of weapons of mass destruction or other threats. Some OFAC sanctions are based on United Nations and other international mandates, and are therefore multilateral in scope, involving close cooperation with allied governments.

OFAC acts under Presidential wartime and national emergency powers, as well as authority granted by specific legislation. The agency has the authority to prohibit U.S. citizens and corporations from making payments, or providing anything of value, to embargoed countries, businesses, organizations, or individuals. It has the power to impose controls on business transactions of all kinds and freeze any assets that are under U.S. jurisdiction. It publishes the constantly updated list of over 6,000 names, the Specially Designated Nationals List (“SDN List”), of companies and individuals whose assets are blocked. This is a “black list”: Americans are expressly forbidden to enter into transactions with any of these companies and individuals. U.S. exporters and importers are required to exercise due diligence in searching the SDN List and confirming that dealings with foreign countries are not in violation of OFAC sanctions programs.

In addition, OFAC prohibits travel to, and certain other dealings with, embargoed countries and entities. There are a handful of countries commonly referred to as “OFAC countries” or “embargoed destinations”—a few of the most widely known in recent years have been Cuba, Iran, North Korea, Sudan, and Syria—to whom comprehensive trade sanctions, administered by OFAC, have been applied. In other cases, the economic sanctions have taken a variety of forms, including arms embargoes, capital restraints, asset freezes, and trade restrictions.

Has OFAC been around for a long time? As an arm of the Treasury Department that sets out and enforces trade sanctions issued by the U.S. Government, OFAC is arguably one of the oldest law enforcement agencies in the country. It dates back to before the War of 1812, when Treasury was first authorized to administer U.S. economic sanctions imposed against a hostile foreign power—in that case, Great Britain, which was harassing American sailors. In more recent times, between 1940 and 1947, Foreign Funds Control (FFC) and the Office of International Finance (OIF) were established as units of the Treasury Department, with legal authority deriving from the Trading with the Enemy Act (TWEA). FFC administered controls over enemy assets and restrictions on trade with enemy states during World War II. It was abolished in 1947, and its functions were transferred to the OIF. In 1950, the OIF became the Division of Foreign Assets Control, when President Truman declared a national emergency and blocked all Chinese and North Korean assets subject to U.S. jurisdiction following the entry of the People’s Republic of China into the Korean War. In 1962, the Treasury Department changed the agency’s name to OFAC.

How critical is OFAC compliance? Absolutely critical. Understanding and monitoring OFAC compliance is a must for U.S. businesses who have foreign suppliers, customers, or clients, or who work with overseas partners. Exporters and importers who are “U.S. persons”—a regulatory term that should be well known to any compliance officer acquainted with the ITAR—are responsible for following OFAC regulations designed to halt terrorist and other illegal funds from circulating. In certain cases, foreign subsidiaries owned by U.S. companies and foreign persons in possession of U.S.-origin goods are also required to comply. So, if you are a small business owner or an individual doing business overseas, you need to familiarize yourself with OFAC. And if you are a company officer or manager in an industry with significant foreign trade, you need to make sure that OFAC compliance is an essential component of your corporate compliance program.

Penalties for violating the regulations administered by OFAC are serious, and have grown even more serious in the last few years. Depending on the sanctions program, potential criminal penalties for willful violations include fines ranging up to $20 million and imprisonment of up to 30 years. Civil penalties for violations of the Trading With the Enemy Act (TWEA) can be as much as $65,000 for each violation. Civil penalties for violations of the International Emergency Economic Powers Act (IEEPA) can range up to $250,000 for each violation, or twice the gain from the violation, whichever is greater. Over the past several years, the number and monetary value of enforcement actions by OFAC have increased dramatically: civil penalties and settlements rose from about $3.5 million in 2008 to more than $1.2 billion in 2014. These are not penalties that can simply be written off as “the cost of doing business”!

Yet OFAC compliance is the most commonly misunderstood and most likely to be forgotten element in corporate export compliance programs. Discussions of U.S. export controls are frequently dominated by and focused on ensuring compliance with the ITAR and EAR, while OFAC regulations are overlooked or undervalued. But OFAC rules generally override all other export controls, and OFAC restrictions may apply even when an EAR license exception or ITAR exemption is available.

The widespread tendency to underestimate the importance of monitoring OFAC compliance is especially problematic because OFAC’s programs are dynamic: the embargoes and sanctions, the scope and details of the restrictions, and the names on the SDN List and other lists change very frequently. What is more, new lists may appear at any time, as U.S. foreign policy refocuses in response to a rapidly changing world scene—witness the Sectoral Sanctions Identification List (“SSI List”) that OFAC issued in 2014, targeting transactions with persons in four sectors of the Russian economy: financial services, energy, defense, and mining. It is essential therefore that exporters check the Treasury web site frequently and have the necessary processes and internal controls in place to monitor compliance continuously. Firms with weak processes and controls limit their ability to prevent violations, or to detect and quickly deal with them if they do occur. They run significant risks of heavy fines and other damaging consequences.

In Part Two of this post, we’ll take a look at the three kinds of OFAC export authorizations available to U.S. companies (Exemptions, General Licenses, and Special Licenses), explain when you may need an OFAC Special License and how you can apply for one, and clear up a couple of common misconceptions. (No, OFAC requirements don’t impact only banks and financial institutions!)

In Part Three, we’ll look at the essential ingredients of a robust corporate OFAC compliance program. (Hint: simply checking your customers’ names and addresses against the SDN List is not enough!)

In today’s challenging international environment, the economic and trade sanctions administered by OFAC are likely to play a larger and larger role in cross-border transactions. It will be important for U.S. exporters to understand these controls thoroughly and keep abreast of changing requirements in order to focus on maintaining full compliance. The Export Compliance Solutions Training Academy provides a variety of training options—including 2-day regional seminars, in-house training, and live web-based seminars—that afford comprehensive coverage of ITAR, EAR, and OFAC controls, supplemented by case studies, practical advice, and help with strategic planning for your business. Check out the information on our web site about course offerings and online video training in export compliance awareness for your employees. Contact us by phone or e-mail to learn more. The ECS staff represents the most recognized expertise in the compliance field. We’re here to help!

Redefining EAR and ITAR Terms: Little Changes Could Make a Big Difference for Exporters

Question: Thanks for the heads-up last week about the compliance risks of storing sensitive data in the cloud—and the good news that regulatory changes may be ahead. Are there other revisions to the EAR and ITAR in the works that are likely to impact my company’s policies for safeguarding export-controlled technology and technical data? As I look at the Proposed Rules published by State and Commerce on June 3, I get the impression that they’re mostly about definitions—clarifying the meanings of certain technical terms. How important is all that stuff, practically speaking, to a firm like ours?

Very important. Compliance requirements and potential violations often hinge on the definition of a single word! So you really need to review these proposed new definitions carefully—both the Commerce Department’s proposed revisions to the definitions in the EAR and the State Department’s proposed revisions to definitions in the ITAR—to determine what impact they would have on your operations and compliance obligations, should they be adopted.

As I’m sure you’re well aware, U.S. export controls under the ITAR for defense articles and services contrast sharply with the (generally) more liberal controls under the EAR for “dual-use” commodities, software, and technology. For that reason, it’s critically important that you determine accurately whether or not the items or technical data you plan to ship or transfer internationally are subject to ITAR controls. Making that jurisdictional determination requires paying careful attention to the current USML and the appropriate categories within the USML that apply to the export in question.

That’s one of the reasons it’s also vital that you follow closely all the recent changes that have been made to the USML—and the “600 series” ECCNs of the CCL—due to the ongoing Export Control Reform initiative, as well as those changes that are still being made. And that most emphatically includes proposed revisions to the definitions of terms!

The Proposed Rule published by the DDTC on June 3 is notable for its length (14 pages of hard copy in the small print of the triple-columned Federal Register) and for the unusually large number of revisions to the ITAR that are proposed. It contains a plethora of new definitions for regulatory terms, making it a veritable dictionary. Many of the proposed revisions are meant to harmonize the ITAR rules with those of the EAR. The BIS published a similar Proposed Rule with conforming amendments.

The key terms and phrases that would be redefined, clarified, updated, or adopted under the June 3 Proposed Rules include the following:

Technology
Technical Data
Public Domain
Fundamental, Basic, and Applied Research
Development
Production
Required
Defense Article
Defense Service
Characteristics and Functions (of an item)
Peculiarly Responsible
Export
Reexport
Release
Transfer (in-country)
Retransfer
End-to-end Encryption

For exports controlled by the ITAR, two of the proposed new definitions are especially noteworthy: “public domain” (vs. “technical data”) and “defense service.” That’s because these definitions potentially apply to every single category of the U.S. Munitions List.

We’ll take a closer look at the first of these this week, and discuss the second and more controversial of the two in a future post.

Revisiting “Public Domain”

The State Department proposes to revise the definition of “public domain” in ITAR Section 120.11 in order to simplify, update, and introduce greater versatility into the definition. The current version of ITAR Section 120.11 enumerates the ways in which “public domain” information might be published. State says that it now believes that defining “public domain” by a list such as this is unnecessarily limiting in scope and insufficiently flexible, given the continually evolving array of physical and electronic media and communication technologies by which information can be disseminated. The new definition they propose is intended to be more versatile than the list-based approach to identifying public-domain information sources.

Under the State Department’s proposed revisions to definitions in the ITAR, unclassified information and software are considered to be in the public domain—and thus not technical data or software subject to the ITAR—“when they have been made available to the public without restrictions upon their further dissemination such as through any of the following . . . .” Among the means of dissemination mentioned, 120.11(a)(4) is of special interest, as it includes in the “public domain” information available on publicly accessible web sites:

(4) Public dissemination (i.e., unlimited distribution) in any form (e.g., not necessarily in published form), including posting on the Internet on sites available to the public;

There are some important qualifications that should be carefully noted, however.

One well-known consequence of the open, uncontrolled nature of the internet is that a vast amount of information can be found online that was uploaded illegally, in violation of a wide range of national and international laws governing copyrights, patents, privacy, public safety, national security, and many other matters. Plainly, the discovery of certain technical data, information, or software on a web site carries no guarantee that the individual or organization posting it hasn’t done so in violation of U.S. export laws and regulations.

With regard to such contingencies, a note to the proposed revision to ITAR Section 120.11 warns that anyone exporting, reexporting, or retransferring export-controlled information found on the internet, or otherwise making it available to the public, will be committing an export violation.

Taken together, the new definition and the warning that accompanies it raise the specter of inadvertent illegal exports of ITAR-controlled technical data by U.S. exporters who had no reason to suspect that the information they were making use of was not in the public domain, given that it was already freely available to the public via the internet. Evidently foreseeing this concern, the DDTC immediately reassures exporters, in a second note to the new Section 120.11, that in such cases a person will not be considered guilty of an export violation . . . unless — as described in the revised Section 127.1(a)(6) — “such person has knowledge that the technical data or software was made publicly available without an authorization.”

But here’s the rub: how can your company be certain that any item of technical information found on the internet was properly cleared for public release before being uploaded? And if your company should inadvertently disseminate technical data that later turns out to have been controlled by the ITAR and uploaded to the internet by somebody else without DDTC authorization, how would you be able to prove that you did not “have knowledge” that it was export-controlled? Those are just a few of the questions and concerns that have been raised about the language of this proposed revision to ITAR Section 120.11. Discussions of these concerns between the regulatory agencies, the defense industry, the research universities, and the legal community are ongoing. It is possible that the language in the Proposed Rules will be revised as a result of those discussions. Whenever the DDTC and BIS publish their Final Rules on the definitions of these key terms — possibly within the next few months — we may find that some of these points have been addressed and further clarified.

Stay on the Safe Side

Be that as it may, here is what we recommend to you as the safest policy and procedure for your company under the current regulations — and none of the revisions currently under consideration by the DDTC or BIS is likely to change this greatly: before posting to the internet any technical information about your company’s products or research, other than non-proprietary general system descriptions or information on the basic function or purpose of an item, thoroughly review the USML and the CCL to determine if the information falls under U.S. export controls. If there is doubt about export jurisdiction, request a Commodity Jurisdiction determination from the DDTC; and if State should determine that ITAR controls apply, obtain an export license for the technical data, or request authorization for “release” of the document you want to post online from the appropriate agency, as described in Section 120.11(b).

Remember that knowingly uploading controlled technical data to the internet without appropriate authorization is an export violation that could have extremely serious penalties and consequences, for both you and your company, whether or not there is any evidence that a foreign national has read or downloaded the data. Don’t needlessly put yourself and your company at risk.

Paragraph (b) of the revised definition explicitly sets forth the DDTC’s requirement of authorization to release information into the “public domain.” This requirement is not new: it also exists under the current rules; the revised rules would state it more explicitly and amend some definitions to clarify the scope of the information covered, but the requirement is already there. Before you can make such information available, the U.S. Government must approve the release through one of the following agencies: (1) The State Department’s DDTC; (2) the DoD’s Office of Security Review (OSR); (3) a relevant U.S. Government contracting authority, if one exists, with the authority to allow the technical data or software to be made available to the public; or (4) another U.S. Government official with the proper authority for this.

In many cases, we believe that requesting a security review by the OSR will be the best and wisest route you can take in order to safeguard your company against the risk of an export violation. Guidelines for submitting documents for review can be found on their web site.

The experienced compliance professionals at Export Compliance Solutions (ECS) are well-positioned to advise you regarding the impact that the revised definitions in the June 3 Proposed Rules are likely to have on your operations and corporate export compliance programs, and to assist you with other export control issues as well. Our consultants frequently work with ECS clients to review their current classification policies and procedures, conduct large-scale or multi-national classification projects, train employees in navigating complex reporting and recordkeeping requirements, discover ways to enhance and streamline administrative processes, and more effectively implement internal compliance audits and assessments. As America’s premier trainers and consultants in EAR and ITAR compliance, we can help you make sure that your company maintains full compliance with the changing Commerce and State Department regulations.

Export-Controlled Data – Store It in the Cloud or Keep It Down Home?

Question: Is there any reason that our company can’t use a cloud storage service provider, such as Dropbox, Google Drive, Box, or Microsoft Office 365, to store and share export-controlled information and technical data? Most businesses are using the cloud these days. Are there any problems with this?

The simple answer is, Yes, there are problems. Serious ones. Uploading your ITAR-controlled technical data, or controlled technology subject to the EAR, to “the Cloud” while maintaining full compliance with U.S. export laws and regulations is very challenging, and carries with it a high risk of violations and penalties. As we’ll be explaining on this blog, regulatory changes appear to be on the way. In the not-too-distant future, U.S. companies may be able to use cloud computing and other online digital services, subject to certain encryption requirements, to transfer and store their unclassified technical data without the need to obtain licenses or other authorizations. Hope is on the horizon. At present, however—yes, there are problems.

Even though cloud computing is a rapidly advancing technology at present, with more and more businesses routinely using Dropbox, Google Drive, and similar online services, this has been—and still is—a confusing regulatory area for which State and Commerce have provided very limited guidance until recently. We’re glad that appears to be changing now.

Nevertheless—even after the long-awaited publication of new Proposed Rules by the DDTC and BIS on June 3 containing multiple clarifications and definitions, and even after the issuance of an interim rule by the DoD on August 26 addressing requirements for cloud computing services—it is still far from clear how exporters can be certain they are fully compliant with the EAR and ITAR and avoid inadvertent violations when uploading controlled data to the cloud. A storm of controversy continues to swirl around the subject of cloud computing, IT security, and export controls. Discussions between the defense industry, research universities, the legal community, and the regulatory agencies are intense and ongoing.

Until the dust settles on this, we recommend extreme caution in using any commercial cloud storage service for information storage and transmission when export controls apply. Without clear regulatory guidance, contracting with a third-party for transferring and storing your ITAR-controlled and EAR-controlled data and technology electronically may expose you and your organization to the risk of violating U.S. export laws, with severe penalties and consequences.

But my cloud service provider assures me that my data is absolutely secure—so secure that they themselves have no way to decrypt my files without my password, even if I asked them to.

Yes, Dropbox, Google Drive, Microsoft Office 365, and similar services offer a secure and convenient online environment for storing and sharing documents, and are widely used and trusted in industry for work collaboration, file sharing, and data maintenance. And it is true that they typically provide multiple security precautions, including SSL/TLS for transmitting content and their own separate layer of 256-bit AES encryption server-side.

Nevertheless, even though these IT companies have strict internal security policies limiting access by their employees to their customers’ files, it is evident in many cases that user-data files stored on their servers are in principle accessible by their staff—which may include individuals who are not U.S. persons as defined by the ITAR.

Read the terms of your storage provider’s user agreement and privacy policy carefully. Those legal documents frequently include such warnings as the following: “If we are required to provide your files to a court or law enforcement agency, which we may do under the conditions set forth above, we will remove the encryption from the files before providing them to the authorized government officials.” You’ll also see various disclaimers of responsibility in case of data-security breaches, and statements indicating that the provider has a process in place for contingencies when their system is compromised. Some cloud storage providers claim in their promotional materials that your data is absolutely secure, but remember that what they advertise and what you agree to when you open an account are two different things.

The convenience, economy, and popularity of online services notwithstanding, the use of third-party providers for storing and sharing ITAR-controlled technical data remains problematic. Why?

Here’s one reason: U.S. export control regulations prohibit the unauthorized sharing of controlled technical data with non-U.S. persons or foreign nationals, and also prohibit transactions with certain foreign individuals and states. This prohibition covers any form of sharing, including electronic “transmission,” and even theoretical access to such data by IT administrators or employees who maintain the electronic data storage and transmission systems and who could potentially monitor them. Whenever you store or transmit controlled technical data via non-company servers, you are, in effect, sending your data through cyberspace on the back of a virtual postcard, and you are liable for any access to that data by unlicensed foreign nationals while it is in storage or transit—even if the access is unintentional, and even if you were not aware that the access was occurring.

Remember that commercial cloud computing and online data storage services are not U.S. defense firms; they are unlikely to have segregated systems to protect ITAR-controlled information from foreign-person access. Under the export regulations currently in effect—ignoring, for the moment, proposed revisions to the EAR and ITAR that are under consideration but haven’t been finalized—even high-level encryption is not an adequate security measure for protecting your company’s controlled technical data on non-company servers. Currently, transfer of the data to a server or network location outside the U.S. constitutes an “export” even if the data is encrypted. Furthermore, providing employees who are not U.S. persons, whether they are employed in the U.S. or at non-U.S. offices, with the ability to access ITAR-controlled data (even if they don’t actually access the data) may constitute an “export,” even if the data is protected by encryption.

Here’s another reason: using external providers of cloud storage and file-sharing services, such as Dropbox, Box, or Google Drive, for ITAR-restricted data is problematic because it is difficult or impossible to know where their servers are physically located (that is, whether they are in the U.S. or overseas), how they route data traffic (particularly during peak hours or off-times), or whether their security procedures are truly adequate all along the line to prohibit access to your data by foreign nationals. Most—if not all—cloud computing services routinely use a network of servers that extends beyond U.S. borders. In reality, you have no idea where your data is currently stored—and wherever that may be, it could change tomorrow. Yet any transfer of data from the user to a server outside the U.S., as well as any transfer of the controlled data between two foreign-located servers, constitutes a “transmission,” and thus an unauthorized export, according to current U.S. laws.

But didn’t all that change this year? I read in the news that BIS and DDTC have relaxed their rules now, in recognition of the growing popularity of cloud computing, and that the export regulations have been amended to permit cloud storage of ITAR and EAR data in certain circumstances. Did I hear you right? Are you telling me that’s not true?

You heard me right. That’s not true. Those amendments to the ITAR and the EAR you heard about have not been made—at least, not yet. Here’s what is true:

On June 3, 2015, both the Commerce Department and State Department published long-awaited proposals for revising the EAR and ITAR in order to provide security standards for the transmission and storage of ITAR- and EAR-controlled data and information. If these Proposed Rules are adopted and finalized, they could well represent an important step towards clarifying what exporters need to do in order to comply with U.S. export controls with regard to the transmission, storage, and “cloud” processing of export-controlled technical data, technology, and software.

Among other things, if the revisions proposed on June 3 are eventually adopted and published as final rules, transmitting or storing electronic data in a way that meets certain specified security standards will no longer constitute an “export” of the data, and therefore will not require a prior export authorization or be subject to some other restrictions. Specifically, the June 3 proposals from State and Commerce both say that sending, taking, or storing technical data, technology, or software will not be considered an export when the following conditions are met:

(1) The data must be unclassified;

(2) The data must be secured using “end-to-end encryption” (as defined in the proposed new rule);

(3) The data must be secured using cryptographic modules compliant with a certain encryption standard—FIPS 140–2, or its successors [in stating this condition, the BIS proposal adds the phrase “or other similar cryptographic means,” whereas the DDTC doesn’t wish to add that phrase]; and

(4) The data must not be stored in certain prohibited countries [for the BIS, this means the server locations can’t be in countries listed in Country Group D:5 (see Supplement No. 1 to Part 740 of the EAR) or in the Russian Federation; for the DDTC, this means no data should be stored on servers situated in ITAR Section 126.1 Proscribed Countries or in the Russian Federation].

At first glance, these proposed changes look very hopeful. By providing clarity and legal certainty in this regulatory area, they promise to simplify the compliance process greatly. If implemented, these provisions could offer U.S. companies the option of using the new cloud technologies for transmitting and storing export-controlled data without the risk of export violations, as long as they exercise due diligence to ensure that those data security requirements are met.

On closer examination, however, there are some notable caveats in these Proposed Rules:

(1) Both proposals make it clear that if information should be “released” that permits foreign persons to access your encrypted controlled data (e.g., decryption keys, network access codes, passwords, etc.), then this data transmission or storage will be considered an export, and will be subject to all applicable licensing requirements and restrictions—and penalties for export violations.

(2) To qualify for this exclusion, your transmission or storage must utilize “end-to-end encryption.” In both the State and Commerce proposals, this means that cryptographic protection of the export-controlled data must be continuous and uninterrupted between the originator and the intended recipient (who could be the originator himself, in the case of simple file storage or archiving). At no point in the process can access in unencrypted form be given to any third parties. That includes internet service providers (ISPs), application providers (such as Microsoft Office 365 or Google Office), cloud storage providers (such as Dropbox or Box), or any other online services.

(Note: BIS and DDTC are insisting on this condition because they have found that the methods and procedures currently used by third-party digital service providers, including popular cloud software providers and some e-mail services, may allow the data transmitted to be encrypted and decrypted multiple times before it reaches its intended recipient. BIS and DDTC both believe this presents an unacceptable risk of unauthorized release. Keeping the data encrypted from start to finish is the simplest and surest way to minimize the possibility that a foreign cloud service provider or a non-U.S. person employee of a domestic cloud service provider will get access to your ITAR-controlled data or EAR-controlled technology or software in unencrypted form.)

(3) To qualify for this exclusion, your export-controlled data cannot be stored on, or pass through, any servers in certain specified countries that pose significant national security risks, including the Russian Federation.
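To make the four conditions listed above and the caveats just described concrete, here is an added example (our illustration, not code from the Proposed Rules, the DDTC, BIS, or any cloud provider) of what “end-to-end encryption” means in practice: the originator encrypts the file before it leaves the company, the storage provider receives and holds only ciphertext, and only a holder of the key can recover the data. It also shows the upload gate a compliance program would put in front of condition (4). The region names in the allow-list are constructed placeholders, and Go’s standard-library AES-GCM is used for illustration only; it is not by itself a FIPS 140-2 validated cryptographic module, which condition (3) would require.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is all the cloud provider ever receives and stores: a random nonce
// and the AES-GCM ciphertext (authentication tag included). The key is never
// part of it, so the provider's staff, U.S. persons or not, hold nothing readable.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a random 256-bit AES key on the originator's side.
// Assumption for illustration: a real deployment would generate and keep the key
// inside a FIPS 140-2 validated module rather than in plain process memory.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the plaintext before anything touches the network. The object
// name is bound as additional authenticated data so a stored ciphertext cannot be
// quietly swapped in under a different name without detection.
func Seal(key, plaintext []byte, objectName string) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(objectName))}, nil
}

// Open decrypts at the intended recipient (who may be the originator, in the
// archiving case). Any change to the stored bytes fails authentication.
func Open(key []byte, env Envelope, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(objectName))
}

// ApprovedRegions is a constructed, organisation-specific allow-list standing in
// for condition (4). The real list would be built from the EAR Country Group D:5
// and ITAR 126.1 exclusions plus the Russian Federation; these names are placeholders.
var ApprovedRegions = map[string]bool{"example-us-east": true, "example-us-west": true}

// CloudStore simulates a third-party storage provider: it holds envelopes keyed by
// object name and is tagged with the region its servers sit in. It never gets a key.
type CloudStore struct {
	Region  string
	objects map[string]Envelope
}

// Put is the upload gate: storage in a region off the allow-list is refused
// before any bytes are sent.
func (c *CloudStore) Put(name string, env Envelope) error {
	if !ApprovedRegions[c.Region] {
		return errors.New("region not approved for controlled data: " + c.Region)
	}
	if c.objects == nil {
		c.objects = map[string]Envelope{}
	}
	c.objects[name] = env
	return nil
}

// Get returns the envelope exactly as the provider holds it.
func (c *CloudStore) Get(name string) (Envelope, bool) {
	env, ok := c.objects[name]
	return env, ok
}

// ProviderSeesPlaintext answers the page's question about provider staff access:
// with a proper envelope the plaintext simply does not appear in what they hold.
func ProviderSeesPlaintext(env Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext) || bytes.Contains(env.Nonce, plaintext)
}

func main() {
	key, _ := NewKey()
	plaintext := []byte("constructed sample: controlled technical data") // constructed input
	env, _ := Seal(key, plaintext, "drawing-001.txt")
	store := &CloudStore{Region: "example-us-east"}
	_ = store.Put("drawing-001.txt", env)
	held, _ := store.Get("drawing-001.txt")
	fmt.Println("provider can read plaintext:", ProviderSeesPlaintext(held, plaintext))
	out, err := Open(key, held, "drawing-001.txt")
	fmt.Println("recipient recovers data:", err == nil && bytes.Equal(out, plaintext))
}
```

The design mirrors the caveats: the provider holds only `Envelope` values, so caveat (2) is met as long as the key stays on company systems; handing the key (or a password that unlocks it) to the provider or its staff is exactly the “release” in caveat (1), since anyone holding the key can call `Open`; and `Put` enforces the location rule in caveat (3) before any upload rather than after the fact.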

On the whole, the provisions in the June 3 Proposed Rules allowing the transfer and storage of properly encrypted technical data are good news for U.S. exporters and should be welcomed. These changes would allow controlled technical data originating in the U.S. to be stored in one or more countries outside of the United States without export licensing, provided the data has been properly encrypted and isn’t stored in arms-embargoed countries or Russia. The proposed security requirements are strict and would almost certainly create complications for the current business model of most cloud storage providers, forcing them to make some changes in the way they operate if they want to serve customers with EAR- and ITAR-compliance requirements. But the requisite changes would appear to be within their capabilities, and the potential benefits of the new rules—which include, among other things, considerably reduced administrative burdens for U.S. manufacturers and suppliers of defense articles and services—are great.

Remember, however, that until State and Commerce have finalized their proposed amendments, the current regulations remain in effect. Until they have been changed, we recommend using locally hosted applications for storing and sharing sensitive technical data. The pundits may well be right when they tell us that the future of data storage is in the cloud, but for now, if your data is export-controlled, the safest place for it is in-house.

There are other important regulatory changes in the works with the potential to impact cloud computing, IT security, and export controls. Next week we’ll look at a few of them. Sign up today for notifications of future posts—and join the discussion by sending your own questions about export compliance to “An EAR . . . to the ITAR.”