An Overview of US Export Control and Economic Sanctions Laws
Every company that sends its products, software, or technology outside of the United States is subject to US export control and economic sanctions regulations. From the largest multinational corporations to the smallest start-ups, from manufacturers of software to softballs, from toothpicks to pharmaceuticals, from rock candy to rocket fuel, all US companies and their employees, along with anyone present in the United States, US citizens wherever they are located, and companies transferring US-controlled items must familiarize themselves with these regulations to ensure that they understand what is required to comply. In addition, companies that do not export products can still be subject to these regulations if they employ foreign nationals (individuals who are not US citizens, permanent residents, or refugees), have prospective customers or other visitors who are foreign nationals, or provide a service available outside of the US. Penalties for inadvertent noncompliance can be steep, with civil monetary penalties of more than $300,000 per violation and even higher criminal penalties.
The US export control regulations were enacted to ensure that transfers of items, technology, or services are accomplished in a manner that is consistent with the US government’s national security and foreign policy goals. The US economic sanctions laws are promulgated to restrict trade, investment, and financial transactions based on these foreign policy and national security goals. Coordinating regulations also restrict a US company’s ability to participate in unsanctioned foreign boycotts.
The purpose of this article is to provide an overview of the primary laws and regulations involved and provide guidance on how to develop and implement policies and procedures that will be effective in helping your organization maintain compliance with these laws. This article is, of course, meant to be a broad overview of the export control and economic sanctions laws and related compliance tools. These laws contain many fine points and exceptions, which, although not addressed in this chapter, are important to appreciate if they are relevant to your company’s business. Thus, we urge you to dig deeper into the regulations when a transaction appears to require licensing or if you are to embark on a business strategy where foreign person involvement is required. Finally, we note these laws frequently change in response to changes in US perspective on national security and foreign policy. Therefore, it is essential for companies and individuals engaged in international business transactions to check the official versions of the export control and economic sanctions laws, as well as the Federal Register, on an ongoing basis.
When using the term export control laws, we are primarily talking about the Export Administration Regulations (EAR), administered by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS); the International Traffic in Arms Regulations (ITAR), administered by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC); and trade and economic sanctions administered by the Office of Foreign Assets Control (OFAC) at the U.S. Department of the Treasury.
The Export Administration Regulations
Products, software, and technology that have a primarily commercial use fall under the EAR. The EAR include restrictions on direct exports from the United States; reexports of US-controlled products, software, and technology from one country outside of the United States to another; and the disclosure of US-controlled technology to a foreign person, whether in the United States or abroad. These restrictions include the export, reexport, or transfer of US-controlled products, software, and technology, as well as the reexport or transfer of certain items produced outside of the United States that are either based on certain US-controlled technology or that incorporate a certain amount of US origin parts and components. The restrictions imposed by the EAR generally fall into one of three categories: item-based controls, end-user-based controls, and end-use-based controls.
A key feature of the EAR is the Commerce Control List (CCL), a list of products, software, and technologies that are controlled based on their technical parameters. Classification of products, software, or technologies on the CCL generally also provides guidance on the countries to which the export or reexport is controlled and the circumstances under which the products, software, or technologies may be exported or reexported. Thus, consulting the CCL and identifying the applicable Export Control Classification Number (ECCN) is the first and most important step in determining whether a license is required under the EAR. Products, software, and technologies that are subject to the EAR, but not included in a specific ECCN, are classified as EAR99. EAR99 items are still subject to US export controls.
As noted above, the EAR also provide parameters for the export, reexport, or transfer of US-controlled technology. Under the EAR, the term “technology” is broadly defined to include “information necessary for the ‘development,’ ‘production,’ ‘use,’ operation, installation, maintenance, repair, overhaul, or refurbishing…of an item.” Technology includes “written or oral communications, blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, manuals or documentation, electronic media or information revealed through visual inspection.”
Whether a license is required for the export of products, software, and technologies is determined by the item’s classification in combination with the country that it is destined for. Where products, software, and technologies are subject to a licensing requirement under the EAR, one of several license exceptions may be available, thus permitting, in some cases, an export, reexport, or transfer without the need to first obtain a license. A description of these license exceptions can be found in Part 740 of the EAR.
In addition to the item-based controls described above, the EAR also includes end-user-based controls that prohibit, require a license for, or mandate additional due diligence regarding exports, reexports, and transfers of products, software, and technologies subject to the EAR, depending on the particular list that includes the individual or entity. The US government has determined that these individuals and entities may pose a risk to US national security or foreign policy goals or that the end user may divert such products, software, and technologies to a program supporting the development or proliferation of weapons of mass destruction. The lists include the following:
Denied Persons List: BIS’s Denied Persons List (DPL) identifies those persons denied export privileges under the EAR by BIS as a consequence for having violated the EAR. Persons on the DPL are prohibited from engaging in any export or reexport transaction involving any products, software, or technologies subject to the EAR or in any other activity subject to the EAR.
Entity List: The Entity List, maintained by BIS, identifies those persons whose activities BIS has determined pose a risk of diversion to weapons of mass destruction programs, including nuclear, chemical, and biological weapons, as well as missiles and their delivery systems. Placement on the Entity List means that a license is required from BIS before most, if not all, products, software, or technologies subject to EAR can be sent to a listed entity. Generally, BIS has a presumption of denial for such license applications.
The Unverified List: BIS’s Unverified List (UVL) is a list of persons involved in prior transactions subject to the EAR for which BIS has not determined the legitimacy of that entity or the veracity of the entity’s intention to properly use US-origin products, software, or technologies. Being listed on the UVL neither prohibits a company from receiving US-origin products, software, or technologies, nor imposes a new license requirement, but rather raises a red flag with respect to transactions that include these entities. Companies are required to clear such red flags, through additional due diligence or other assurances, before proceeding with a transaction. If an exporter cannot clear up the red flags, it must apply to BIS for a license for the transaction before proceeding further.
Additionally, other agencies maintain similar lists of restricted parties. These lists include:
OFAC’s Specially Designated Nationals List and Sectoral Sanctions Identifications List, and
U.S. Department of State’s list of Foreign Terrorist Organizations and List of Statutorily Debarred Parties.
The licensing requirements for exports, reexports, or transfers to parties on any of the lists typically extend to all products, software, and technologies subject to the EAR, including items listed on the CCL as well as items classified as EAR99.
In addition, to comply with the EAR, prior to exporting, a company should screen for red flags, listed in the EAR’s “BIS’s ‘Know Your Customer’ Guidance and Red Flags.” When present, red flags can “indicate that the export may be destined for an inappropriate end-use, end-user, or destination.” To assess whether such red flags are present, a company should review transaction information provided by a customer with an eye toward identifying anything that may not align with the norm for the particular business or products involved. If red flags appear, a company must conduct additional due diligence into the customer’s representations in an attempt to clear the red flags. If a company is unable to clear a red flag, a company is, under the EAR, now considered to know or have reason to know that a violation may occur and, thus, must mitigate a potential violation by either cancelling the transaction or, prior to exporting, obtain a license or other guidance from BIS.
The EAR also place certain restrictions on exports and reexports to countries embargoed or sanctioned by the US government. Currently, the EAR impose significant restrictions on any transactions involving Cuba, Iran, North Korea, Syria, and sanctioned regions of Ukraine including Crimea.
The EAR also impose a license requirement on the export, reexport, or transfer of any item subject to the EAR (both those on the CCL and classified as EAR99) if, at the time of the export or reexport, the person knows the item will be used directly or indirectly in certain nuclear, missile, chemical, or biological end uses. Additional end-use (and end-user) controls exists on exports of items having specified classifications to be used in military end uses (or provided to military end users) in Belarus, Burma, Cambodia, China, Russia, and Venezuela. These restrictions apply even to EAR99 items when a military intelligence end use or end user is involved.
The International Traffic in Arms Regulations
The export, reexport, or transfer of products, software, technical data, and services that are primarily useful for military purposes often fall under International Traffic in Arms Regulations (ITAR). These items, called defense articles and controlled under the ITAR, are listed on the United States Munitions List. Additionally, the ITAR control “defense services.” These defense services include “[t]he furnishing of assistance (including training) to foreign persons, whether in the United States or abroad in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles.” Thus, it is important to note that if you are working with a military customer, whether US military or foreign military, the ITAR may apply unless you are strictly selling unmodified, unconfigured, commercial off-the-shelf equipment without installation or integration services.
The ITAR include restrictions on any exports from the United States or reexport or transfer to a third country of US-origin, ITAR-controlled products, software, technical data, or services as well as the transfer to non-US nationals, whether in the United States or abroad, of US-origin technical data or services. Export licensing policies under the ITAR are, not surprisingly, more restrictive than under the EAR, and there are many countries, including China, that cannot receive licenses under the ITAR.
These regulations also impose registration requirements for exporters, manufacturers, and brokers of ITAR- controlled goods and a mandate to report fees and commissions paid in connection with certain sales of US origin defense articles, defense services, and related technology.
Economic Sanctions and Other Trade-Related Sanctions
Trade and economic sanctions laws and regulations deal with country-specific restrictions or prohibitions administered by the U.S. Department of the Treasury’s OFAC. These rules restrict trade, investment, and financial transactions with certain countries by US citizens and US companies, including branches outside of the United States and, in some instances, US-owned or controlled subsidiaries.
Simply put, there are two main categories of OFAC sanctions. First, a short list of countries (and one region) are subject to comprehensive embargoes on the export and import of goods, technology, and services. These areas include Cuba, Iran, North Korea, Syria, and sanctioned regions of Ukraine including Crimea. In additional countries, the property of listed individuals and entities is “blocked,” financial transaction are prohibited or restricted, or other restrictions exist on the export of products, technology, and services to certain listed individuals and entities. In these countries, there is no restriction on export to or import from these countries unless the parties involved are listed on a restricted parties list.
In general, OFAC regulations, beyond prohibiting exports and reexports to sanctioned countries, prohibit nearly all trade (imports and exports), investment, exchange of services, and any other form of activity or transaction between “US persons” and any sanctions target. The prohibition on the provision of services would include many online services and products hosted on the internet, even if no software is available for download. However, the regulations include some authorizations for the export of certain items and services, including information and informational materials and personal or internet-based communications services, software, and equipment.
It is important to note that both BIS and OFAC may have jurisdiction and licensing requirements for exports and reexports to the embargoed countries. It is, therefore, important to consult both the EAR and OFAC regulations to determine how to proceed with a transaction involving an embargoed country.
Both BIS and the Department of the Treasury’s Internal Revenue Service administer antiboycott regulations that are designed principally to counter the Arab League boycott of Israel and Israeli goods. These laws apply directly to US-owned or controlled subsidiaries.