By Josephine Aiello LeBeau and Anne Seymour
An Overview of U.S. Export Control and Economic Sanctions Laws
Every company that sends its products, software, or technology outside of the United States is subject to US export control and economic sanctions regulations. From the largest multinational corporations to the smallest start-ups, from manufacturers of software to softballs, from toothpicks to pharmaceuticals, from rock candy to rocket fuel, all US companies and their employees—along with anyone present in the United States—US citizens wherever they are located, and companies transferring US-controlled items must familiarize themselves with these regulations to ensure that they understand what is required to comply. In addition, companies that do not export their products can still be subject to these regulations if they employ foreign nationals (individuals who are not US citizens, permanent residents, or refugees) or have prospective customers or other visitors who are foreign nationals. Penalties for inadvertent noncompliance can be steep, with civil monetary penalties of more than $300,000 per violation and even higher criminal penalties.
The US export control regulations were enacted to ensure that transfers of items, technology, or services are accomplished in a manner that is consistent with the US government’s national security and foreign policy goals. The US economic sanctions laws are promulgated to restrict trade, investment, and financial transactions based on these foreign policy and national security goals. Coordinating regulations also restrict a US company’s ability to participate in unsanctioned foreign boycotts.
The purpose of this article is to provide an overview of the primary laws and regulations involved and provide guidance on how to develop and implement policies and procedures that will be effective in helping your organization maintain compliance with these laws. This is, of course, meant to be a broad overview of the export control and economic sanctions laws and related compliance tools. These laws contain many fine points and exceptions, which, although not addressed in this chapter, are important to appreciate if they are relevant to your company’s business. Thus, we urge you to dig deeper into the regulations when a transaction appears to require licensing or if you are to embark on a business strategy where foreign person involvement is required. Finally, we note these laws frequently change in response to changes in US perspective on national security and foreign policy. Therefore, it is essential for companies and individuals engaged in international business transactions to check the official versions of the export control and economic sanctions laws, as well as the Federal Register, on an ongoing basis.
When using the term export control laws, we are primarily talking about the Export Administration Regulations (EAR), administered by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS); the International Traffic in Arms Regulations (ITAR), administered by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC); and trade and economic sanctions administered by the Office of Foreign Assets Control (OFAC) at the U.S. Department of the Treasury.
The Export Administration Regulations
Products, software, and technology that have a primarily commercial use fall under the EAR. The EAR include restrictions on direct exports from the United States; reexports of US-controlled products, software, and technology from one country outside of the United States to another; and the disclosure of US-controlled technology to a foreign person, whether in the United States or abroad. These restrictions include the export, reexport, or transfer of US-controlled products, software, and technology, as well as the reexport or transfer of certain items produced outside of the United States that are either based on certain US-controlled technology or that incorporate a certain amount of US origin parts and components. The restrictions imposed by the EAR generally fall into one of three categories: item-based controls, end-user-based controls, and end-use based controls.
A key feature of the EAR is the Commerce Control List (CCL), a list of products, software, and technologies that are controlled based on their technical parameters. Classification of products, software, or technologies on the CCL generally also provides guidance on the countries to which the export or reexport is controlled and the circumstances under which the products, software, or technologies may be exported or reexported. Thus, consulting the CCL and identifying the applicable Export Control Classification Number (ECCN) is the first and most important step in determining whether a license is required under the EAR. Products, software, and technologies that are subject to the EAR, but not included in a specific ECCN, are classified as EAR99. EAR99 items are still subject to US export controls.
As noted above, the EAR also provide parameters for the export, reexport, or transfer of US-controlled technology. Under the EAR, the term “technology” is broadly defined to include “information necessary for the ‘development,’ ‘production,’ ‘use,’ operation, installation, maintenance, repair, overhaul, or refurbishing … of an item.” Technology includes “written or oral communications, blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, manuals or documentation, electronic media or information revealed through visual inspection.”
Whether a license is required for the export of products, software, and technologies is determined by the item’s classification in combination with the country that it is destined for. Where products, software, and technologies are subject to a licensing requirement under the EAR, one of several license exceptions may be available, thus permitting, in some cases, an export, reexport, or transfer without the need to first obtain a license. A description of these license exceptions can be found in Part 740 of the EAR.
In addition to the item-based controls described above, the EAR also, depending on the particular list that includes the individual or entity, prohibits, requires a license for, or mandates additional due diligence regarding exports, reexports, and transfers of products, software, and technologies subject to the EAR. The US government has determined that these individuals and entities may pose a risk to US national security or foreign policy goals, or that the end user may divert such products, software, and technologies to a program supporting the development or proliferation of weapons of mass destruction. The lists include the following:
Denied Persons List: BIS’s Denied Persons List (DPL) identifies those persons denied export privileges under the EAR by BIS as a consequence for having violated the EAR. Persons on the DPL are prohibited from engaging in any export or reexport transaction involving any products, software, or technologies subject to the EAR or in any other activity subject to the EAR. 
Entity List: The Entity List, maintained by BIS, identifies those persons whose activities BIS has determined pose a risk of diversion to weapons of mass destruction programs, including nuclear, chemical, and biological weapons, as well as missiles and their delivery systems. Placement on the Entity List means that a license is required from BIS before most, if not all, products, software, or technologies subject to EAR can be sent to a listed entity. Generally, BIS has a presumption of denial for such license applications. 
The Unverified List: BIS’s Unverified List (UVL) is a list of persons involved in prior transactions subject to the EAR for which BIS has not determined the legitimacy of that entity or the veracity of the entity’s intention to properly use US-origin products, software, or technologies. Being listed on the UVL neither prohibits a company from receiving US-origin products, software, or technologies, nor imposes a new license requirement, but rather raises a red flag with respect to transactions that include these entities. Companies are required to clear such red flags, through additional due diligence or other assurances, before proceeding with a transaction. If an exporter cannot clear up the red flags, it must apply to BIS for a license for the transaction before proceeding further. 
Additionally, other agencies maintain similar lists of restricted parties. These lists include:
OFAC’s Specially Designated Nationals List and Sectoral Sanctions Identifications List, 
U.S. Department of State’s list of Foreign Terrorist Organizations,  and
List of Statutorily Debarred Parties. 
The licensing requirements for exports, reexports, or transfers to parties on any of the lists typically extend to all products, software, and technologies subject to the EAR, including items listed on the CCL as well as items classified as EAR99.
In addition, to comply with the EAR, prior to exporting, a company should screen for red flags, listed in the EAR’s “BIS’s ‘Know Your Customer’ Guidance and Red Flags.” When present, red flags can “indicate that the export may be destined for an inappropriate end-use, end-user, or destination.” To assess whether such red flags are present, a company should review transaction information provided by a customer with an eye toward identifying anything that may not align with the norm for the particular business or products involved. If red flags appear, a company must conduct additional due diligence into the customer’s representations in an attempt to clear the red flags. If a company is unable to clear a red flag, a company is, under the EAR, now considered to know or have reason to know that a violation may occur and, thus, must mitigate a potential violation by either cancelling the transaction or, prior to exporting, obtain a license or other guidance from BIS.
The EAR also place certain restrictions on exports and reexports to countries embargoed or sanctioned by the US government. Currently, the EAR impose significant restrictions on any transactions involving Cuba, Iran, North Korea, Sudan, Syria, and the Crimea region of the Ukraine.
The EAR also impose a license requirement on the export, reexport, or transfer of any item subject to the EAR (both those on the CCL and classified as EAR99) if, at the time of the export or reexport, the person knows the item will be used directly or indirectly in certain nuclear, missile, chemical, or biological end-uses.